{
  "topic": "section-5-only",
  "generated_at": "2026-03-27T00:38:02.694Z",
  "total_provisions": 1549,
  "provisions": [
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Compliance Program Membership",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner, expressly or by implication, the extent to which it is a member of, adheres to, or participates in any privacy, security, or other compliance program sponsored by the government or any third party.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.10_collectify_ll",
      "company_name": "Collectify LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3142-collectify-ll",
      "docket_number": "C-4272"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC, for five years, all documents relating to compliance with this order, including covered advertisements and any documents questioning compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.10_collectify_ll",
      "company_name": "Collectify LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3142-collectify-ll",
      "docket_number": "C-4272"
    },
    {
      "provision_number": "III",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all relevant current and future personnel and obtain signed, dated acknowledgments of receipt from each.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_collectify_ll",
      "company_name": "Collectify LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3142-collectify-ll",
      "docket_number": "C-4272"
    },
    {
      "provision_number": "IV",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, sale, bankruptcy filing, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nAll notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_collectify_ll",
      "company_name": "Collectify LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3142-collectify-ll",
      "docket_number": "C-4272"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within 60 days of service of this order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after service of this order, and at such other times as the Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_collectify_ll",
      "company_name": "Collectify LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3142-collectify-ll",
      "docket_number": "C-4272"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration",
      "category": "duration",
      "summary": "This order terminates on November 9, 2029, or twenty years from the most recent date a complaint alleging a violation of the order is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on November 9, 2029, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_collectify_ll",
      "company_name": "Collectify LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3142-collectify-ll",
      "docket_number": "C-4272"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Program Membership or Participation",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it is a member of, certified by, endorsed by, or otherwise participates in any privacy, security, or other compliance program sponsored by government or any third party.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.10_expatedge_partners_ll",
      "company_name": "ExpatEdge Partners, LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923138-expatedge-partners-ll",
      "docket_number": "C-4269"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC, for five years, all documents relating to compliance with this order, including advertisements and any documents calling into question compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.10_expatedge_partners_ll",
      "company_name": "ExpatEdge Partners, LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923138-expatedge-partners-ll",
      "docket_number": "C-4269"
    },
    {
      "provision_number": "III",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_expatedge_partners_ll",
      "company_name": "ExpatEdge Partners, LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923138-expatedge-partners-ll",
      "docket_number": "C-4269"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, including dissolution, merger, sale, bankruptcy filing, or change of name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nAll notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_expatedge_partners_ll",
      "company_name": "ExpatEdge Partners, LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923138-expatedge-partners-ll",
      "docket_number": "C-4269"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within 60 days of service of the order and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after service of this order, and at such other times as the Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_expatedge_partners_ll",
      "company_name": "ExpatEdge Partners, LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923138-expatedge-partners-ll",
      "docket_number": "C-4269"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on November 9, 2029, or twenty years from the most recent date the FTC files a complaint alleging any violation of the order in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on November 9, 2029, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_expatedge_partners_ll",
      "company_name": "ExpatEdge Partners, LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923138-expatedge-partners-ll",
      "docket_number": "C-4269"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresenting Participation in Privacy or Compliance Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, expressly or by implication, its membership in, adherence to, certification by, or participation in any government- or third-party-sponsored privacy, security, or compliance program.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.10_onyx_graphics",
      "company_name": "Onyx Graphics, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923139-onyx-graphics-inc",
      "docket_number": "C-4270"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC, for five years, all documents relating to compliance with this order, including advertisements and any documents questioning compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that calls into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.10_onyx_graphics",
      "company_name": "Onyx Graphics, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923139-onyx-graphics-inc",
      "docket_number": "C-4270"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgment and Delivery of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all relevant current and future personnel and obtain signed acknowledgments of receipt within 30 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_onyx_graphics",
      "company_name": "Onyx Graphics, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923139-onyx-graphics-inc",
      "docket_number": "C-4270"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, sale, bankruptcy filing, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nAll notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_onyx_graphics",
      "company_name": "Onyx Graphics, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923139-onyx-graphics-inc",
      "docket_number": "C-4270"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within 60 days of service of this order and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after service of this order, and at such other times as the Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_onyx_graphics",
      "company_name": "Onyx Graphics, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923139-onyx-graphics-inc",
      "docket_number": "C-4270"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on November 9, 2029, or 20 years from the most recent date a complaint alleging a violation of the order is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on November 9, 2029, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_onyx_graphics",
      "company_name": "Onyx Graphics, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923139-onyx-graphics-inc",
      "docket_number": "C-4270"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Compliance Program Membership",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner its membership in, adherence to, or participation in any privacy, security, or other compliance program sponsored by the government or any third party.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.10_progressive_gaitways_ll",
      "company_name": "Progressive Gaitways LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923141-progressive-gaitways-ll",
      "docket_number": "C-4271"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents relating to compliance with this order, including advertisements and any documents questioning compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that calls into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.10_progressive_gaitways_ll",
      "company_name": "Progressive Gaitways LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923141-progressive-gaitways-ll",
      "docket_number": "C-4271"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, and obtain a signed acknowledgment from each.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the\n\n(30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_progressive_gaitways_ll",
      "company_name": "Progressive Gaitways LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923141-progressive-gaitways-ll",
      "docket_number": "C-4271"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, including dissolution, merger, sale, bankruptcy, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_progressive_gaitways_ll",
      "company_name": "Progressive Gaitways LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923141-progressive-gaitways-ll",
      "docket_number": "C-4271"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within 60 days of service of this order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after service of this order, and at such other times as the Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_progressive_gaitways_ll",
      "company_name": "Progressive Gaitways LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923141-progressive-gaitways-ll",
      "docket_number": "C-4271"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on November 9, 2029, or twenty years from the most recent date the FTC files a complaint alleging any violation of the order in federal court, whichever is later.",
      "verbatim_text": "This order will terminate on November 9, 2029, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and Page 3 of 4 C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_progressive_gaitways_ll",
      "company_name": "Progressive Gaitways LLC",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923141-progressive-gaitways-ll",
      "docket_number": "C-4271"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy/Compliance Program Membership",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it is a member of, certified by, or participates in any privacy, security, or other compliance program sponsored by the government or any third party.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.10_world_innovators",
      "company_name": "World Innovators, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923137-world-innovators-inc-matter",
      "docket_number": "C-4282"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC, for five years, all documents relating to compliance with this order, including advertisements and any documents calling into question compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that calls into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.10_world_innovators",
      "company_name": "World Innovators, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923137-world-innovators-inc-matter",
      "docket_number": "C-4282"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all relevant current and future personnel and obtain a signed, dated acknowledgment of receipt from each person.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the\n\n(30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_world_innovators",
      "company_name": "World Innovators, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923137-world-innovators-inc-matter",
      "docket_number": "C-4282"
    },
    {
      "provision_number": "IV",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, bankruptcy, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_world_innovators",
      "company_name": "World Innovators, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923137-world-innovators-inc-matter",
      "docket_number": "C-4282"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 60 days of service of this order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after service of this order, and at such other times as the Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.10_world_innovators",
      "company_name": "World Innovators, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923137-world-innovators-inc-matter",
      "docket_number": "C-4282"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration",
      "category": "duration",
      "summary": "This order will terminate on January 12, 2030, or twenty years from the most recent date the Commission files a complaint alleging any violation of the order in federal court, whichever is later.",
      "verbatim_text": "This order will terminate on January 12, 2030, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and Page 3 of 4 C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.10_world_innovators",
      "company_name": "World Innovators, Inc.",
      "date_issued": "2010-01-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923137-world-innovators-inc-matter",
      "docket_number": "C-4282"
    },
    {
      "provision_number": "I",
      "title": "Prohibition on Dissemination of Videos or Photographs Without Consent",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from disseminating, through a website or online service, videos or photographs exposing an individual's intimate parts unless the individual has received a clear disclosure and provided affirmative express written consent.",
      "verbatim_text": "IT IS ORDERED that Respondent and Respondent’s officers, agents, servants, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this order, whether acting directly or indirectly, in connection with the marketing, promoting, or offering for sale of any good or service, is permanently restrained and enjoined from disseminating, through a website or online service, a video or photograph of an individual with his or her intimate parts exposed without: A. clearly and prominently disclosing directly to that individual, and not as part of a “privacy policy,” “terms of use,” or similar document posted on a website or online service, that Respondent will disseminate the video or photograph for commercial gain and through a website or online service; and\n\nB. obtaining affirmative express consent in writing from the individual for such dissemination.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.16_craig_brittain",
      "company_name": "Craig Brittain",
      "date_issued": "2016-01-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter",
      "docket_number": "C-4564"
    },
    {
      "provision_number": "II",
      "title": "Prohibition on Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from misrepresenting any material fact through a website or online service, including misrepresentations about data collection/use/disclosure/deletion, Respondent's own identity, and the identity of content providers or advertisers.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, and Respondent’s officers, agents, servants, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this order, whether acting directly or indirectly, in connection with the marketing, promoting, or offering for sale any good or service, is permanently restrained and enjoined from misrepresenting through a website or online service, expressly or by implication, any material fact, including but not limited to: A. Respondent’s collection, use, disclosure, or deletion of personal information;\n\nB. Respondent’s identity; and\n\nC. the identity of those providing content or sponsoring advertising displayed on or through a website or online service.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.16_craig_brittain",
      "company_name": "Craig Brittain",
      "date_issued": "2016-01-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter",
      "docket_number": "C-4564"
    },
    {
      "provision_number": "III",
      "title": "Disposition of Personal Information",
      "category": "affirmative_obligation",
      "summary": "Respondent is permanently prohibited from using or disclosing personal information obtained in connection with the Covered Websites prior to entry of this Order, and must destroy all such personal information within 30 days of entry of this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent is permanently restrained and enjoined from directly or indirectly: A. disclosing, using, transferring, or benefitting from personal information obtained prior to entry of this Order in connection with or displayed on any of the Covered Websites; and\n\nB. failing to destroy such personal information in all forms in Respondent’s possession, custody, or control within 30 days after entry of this Order. Provided, however, that such personal information need not be disposed of, and may be disclosed, to the extent requested by a government agency or required by law, regulation, or court order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "01.16_craig_brittain",
      "company_name": "Craig Brittain",
      "date_issued": "2016-01-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter",
      "docket_number": "C-4564"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC upon request specific records related to consent, representations about data practices, consumer complaints, law enforcement communications, and any documents questioning compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying a print or electronic copy of: 3 A. affirmative express written consent obtained from each individual whose intimate parts are exposed in a photograph or video shared by Respondent on a website or through an online service;\n\nB. all representations about Respondent’s collection, use, disclosure, or sharing of personal information in connection with marketing, promoting, or offering for sale any good or service that involves the collecting or posting of personal information on a website or online service, including but not limited to the terms of use, frequently-asked questions, and privacy policies of such website or online service, for a period of five (5) years from the date of preparation or dissemination, whichever is later;\n\nC. all consumer complaints and content removal requests received by or on behalf of Respondent relating to Respondent’s collection, use, disclosure, or sharing of personal information, for a period of five (5) years from the date received;\n\nD. all responses to the complaints and requests set forth in Part IV.C, for a period of five (5) years from the date sent;\n\nE. copies of all subpoenas and other communications with law enforcement entities or personnel relating to Respondent’s collection, use, disclosure, or sharing of personal information in connection with operating a website or online service, for a period of five (5) years from the date received or sent; and\n\nF. all documents prepared by or on behalf of Respondent that contradict, qualify, or call into question Respondent’s compliance with this order, for a period of five (5) years from the date received or created.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.16_craig_brittain",
      "company_name": "Craig Brittain",
      "date_issued": "2016-01-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter",
      "docket_number": "C-4564"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this Order to all current and future employees, agents, and representatives with relevant responsibilities, and must obtain signed and dated acknowledgment receipts within 30 days of delivery.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent shall deliver a copy of this order to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days\n\nthirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. Respondent must secure a signed and\n\nafter the person assumes such position or responsibilities. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.16_craig_brittain",
      "company_name": "Craig Brittain",
      "date_issued": "2016-01-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter",
      "docket_number": "C-4564"
    },
    {
      "provision_number": "VI",
      "title": "Business Change Notification",
      "category": "compliance_reporting",
      "summary": "For ten (10) years after the date of issuance of this order, Respondent must notify the Commission of any discontinuance of current business or employment or affiliation with any new business or employment, including contact details and a description of the new role.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, for a period of ten (10) years after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment. The notice shall include Respondent’s new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue N.W., Washington, D.C. 20580. The subject line must begin: In the Matter of Craig Brittain, FTC File No. 132 3120.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.16_craig_brittain",
      "company_name": "Craig Brittain",
      "date_issued": "2016-01-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter",
      "docket_number": "C-4564"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the Commission within 60 days of service of this order, and must submit additional written reports within 10 days of receiving written notice from a Commission representative.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of his compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, Respondent shall submit an additional true and accurate written report.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.16_craig_brittain",
      "company_name": "Craig Brittain",
      "date_issued": "2016-01-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter",
      "docket_number": "C-4564"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "This order terminates on December 28, 2035, or twenty (20) years from the most recent date the United States or the Commission files a complaint alleging any violation of the order, whichever comes later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on December 28, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any Respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such Respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.16_craig_brittain",
      "company_name": "Craig Brittain",
      "date_issued": "2016-01-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter",
      "docket_number": "C-4564"
    },
    {
      "provision_number": "1",
      "title": "Amendment to Section VI – Revised Compliance Monitoring Provision",
      "category": "monitoring",
      "summary": "Section VI of the original March 13, 2015 Final Order is amended so that John Fanning must notify the Commission for five years (running from the date of the original Final Order's issuance) whenever he discontinues his current business or employment, or affiliates with any new business or employment involving electronic commerce, social media, or the online collection or use of consumer data linked to a specific consumer, computer, or device. Notices must include the new business address, telephone number, a description of the business or employment, and his duties and responsibilities, and must be delivered by email or overnight courier to the specified FTC address.",
      "verbatim_text": "IT IS FURTHER ORDERED that John Fanning, for a period of five (5) years after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment that involves electronic commerce, social media, or the online collection or use of consumer data that can be reasonably linked to a specific consumer, computer, or other device. The notice shall include respondent’s new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580. The subject line must begin: In re Jerk, LLC.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.18_jerk_dba_jerk.com",
      "company_name": "Jerk, LLC",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3141-jerk-llc-dba-jerkcom-matter",
      "docket_number": "9361"
    },
    {
      "provision_number": "2",
      "title": "Preservation of All Other Provisions of the Original Final Order",
      "category": "affirmative_obligation",
      "summary": "All portions of the Commission's original Final Order issued on March 13, 2015, other than Section VI (which is replaced by the revised compliance monitoring provision above), remain in effect without any modification.",
      "verbatim_text": "2. All portions of the Commission’s Final Order in this proceeding, issued on March 13, 2015, other than Section VI, shall remain in effect without modification.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Other"
      ],
      "case_id": "01.18_jerk_dba_jerk.com",
      "company_name": "Jerk, LLC",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3141-jerk-llc-dba-jerkcom-matter",
      "docket_number": "9361"
    },
    {
      "provision_number": "I",
      "title": "Prohibited Misleading Representations",
      "category": "prohibition",
      "summary": "Respondent and all persons acting in concert with it must not make any misrepresentation, express or implied, about any feature of covered software in connection with its advertising, promotion, sale, or distribution.",
      "verbatim_text": "IT IS ORDERED that Respondent, its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, promotion, offering for sale, sale, or distribution of covered software shall not make a misrepresentation, in any manner, expressly or by implication, about any feature of the covered software.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.18_lenovo",
      "company_name": "Lenovo (United States) Inc.",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc",
      "docket_number": "C-4636"
    },
    {
      "provision_number": "II",
      "title": "Affirmative Express Consent Provision",
      "category": "affirmative_obligation",
      "summary": "No later than 120 days after service of the Order, Respondent must not preinstall any covered software unless affirmative express consent is obtained from the consumer, revocation instructions are provided, and a reasonable opt-out or removal mechanism is available.",
      "verbatim_text": "IT IS FURTHER ORDERED that, commencing no later than 120 days after the date of service of this Order, Respondent, its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, shall not preinstall or cause to be preinstalled any covered software unless Respondent or the software provider: A. will obtain the consumer’s affirmative express consent;\n\nB. provides instructions for how the consumer may revoke consent to the covered software’s operation, which can include uninstalling the covered software; and\n\nC. provides a reasonable and effective means for consumers to opt out, disable or remove all of the covered software’s operations, which can include uninstalling the covered software.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.18_lenovo",
      "company_name": "Lenovo (United States) Inc.",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc",
      "docket_number": "C-4636"
    },
    {
      "provision_number": "III",
      "title": "Mandated Software Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive software security program — documented in writing — containing administrative, technical, and physical safeguards addressing software security risks and protecting the security and integrity of covered information.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must, no later than the date of service of this Order, establish and implement, and thereafter maintain a comprehensive software security program that is reasonably designed to (1) address software security risks related to the development and management of new and existing application software, and (2) protect the security, confidentiality, and integrity of covered information. The content, implementation and maintenance of the software security program must be fully documented in writing. The software security program must contain administrative, technical, and physical safeguards appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, the nature of the application software, the security policies and practices of the software provider, and the sensitivity of the covered information, including:\n\nA. the designation of an employee or employees to coordinate and be responsible for the software security program;\n\nB. the identification of internal and external risks to the security, confidentiality, or integrity of covered information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation, including: (1) employee training and management; (2) application software design, including the processing, storage, transmission and disposal of covered information by the application software; and (3) the prevention, detection, and response to attacks, intrusions, or other vulnerabilities;\n\nC. the design and implementation of reasonable safeguards to control these risks, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain software or service providers capable of maintaining security practices consistent with this Order, and requiring software and service providers, by contract, to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of the software security program in light of the results of the testing and monitoring required by sub-provision C, any changes to Respondent’s operations or business arrangements, or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the software security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "01.18_lenovo",
      "company_name": "Lenovo (United States) Inc.",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc",
      "docket_number": "C-4636"
    },
    {
      "provision_number": "IV",
      "title": "Software Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party assessments of its software security program from a qualified independent professional, covering defined reporting periods, with specific content requirements and submission deadlines to the Commission.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. A professional qualified to prepare such Assessments must be a person qualified as a Certified Secure Software Lifecycle Professional (CSSLP) with professional experience with secure Internet-accessible, consumer-grade devices; an individual qualified as a Certified Information Systems Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA) with professional experience with secure Internet-accessible consumer-grade devices; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nB. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment, and (2) each 2-year period thereafter for 20 years after issuance of the Order for the biennial Assessments.\n\nC. Each Assessment must: 1. set forth the specific administrative, technical, and physical safeguards that Respondent has implemented and maintained during the reporting period; 2. explain how such safeguards are appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, the nature of the application software, the security policies and practices of the application software provider, and the sensitivity of the covered information; 3. explain how the safeguards that have been implemented meet or exceed the protections required by the Provision of this Order titled Mandated Software Security Program; and 4. certify that the Mandated Software Security Program is operating with sufficient effectiveness to provide reasonable assurance that the security of the application software preinstalled on covered products and the security, confidentiality, and integrity of covered information is protected, and that the Mandated Software Security Program has so operated throughout the reporting period.\n\nD. Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. Respondent must submit the initial Assessment to the Commission within 10 days after the Assessment has been completed. Respondent must retain all subsequent biennial Assessments, at least until the Order terminates. Respondent must submit any biennial Assessments to the Commission within 10 days of a request from a representative of the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.18_lenovo",
      "company_name": "Lenovo (United States) Inc.",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc",
      "docket_number": "C-4636"
    },
    {
      "provision_number": "V",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt of this Order within 10 days, and for 5 years must deliver a copy of the Order to all principals, officers, directors, and employees or agents with relevant managerial responsibilities, as well as to any successor business entities.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 5 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, and directors; (2) all employees, agents, and representatives with managerial responsibilities related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.18_lenovo",
      "company_name": "Lenovo (United States) Inc.",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc",
      "docket_number": "C-4636"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn annual compliance report one year after issuance, provide sworn notices within 14 days of changes in contact information or corporate structure, notify the Commission within 14 days of any bankruptcy filing, and route all submissions per specified instructions.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s business entities by all of their names; (c) describe the activities of each business, including the goods and services offered; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the costs incurred and changes made by the Respondent to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____,” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Lenovo (United States) Inc.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.18_lenovo",
      "company_name": "Lenovo (United States) Inc.",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc",
      "docket_number": "C-4636"
    },
    {
      "provision_number": "VII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 20 years after Order issuance and retain each for at least 5 years (unless otherwise specified), including accounting records, personnel records, consumer complaints, representations subject to the Order, assessment materials, and all records necessary to demonstrate full compliance.",
      "verbatim_text": "A. accounting records showing the revenues from all covered products sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. personnel records showing, for each person who must receive a copy of this Order pursuant to Part V.B., that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. copies or records of all U.S. consumer complaints relating to covered software or the security of application software, whether received directly or indirectly, such as through a third party, and any response;\n\nD. a copy of each representation subject to this Order;\n\nE. for 5 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment; and\n\nF. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.18_lenovo",
      "company_name": "Lenovo (United States) Inc.",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc",
      "docket_number": "C-4636"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requiring additional reports and records within 10 days of a written request, communicating directly with Respondent, interviewing affiliated individuals (with counsel present), and using all other lawful means including undercover methods.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.18_lenovo",
      "company_name": "Lenovo (United States) Inc.",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc",
      "docket_number": "C-4636"
    },
    {
      "provision_number": "IX",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order is effective upon publication on the FTC's website and will terminate on December 20, 2037, or 20 years from the most recent date a complaint alleging any violation of this Order is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on December 20, 2037, or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than 20 years; B. this Order’s application to any Respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.18_lenovo",
      "company_name": "Lenovo (United States) Inc.",
      "date_issued": "2018-01-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc",
      "docket_number": "C-4636"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it is a member of, adheres to, or participates in any privacy or security program sponsored by a government or self-regulatory organization, including EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, and APEC Cross-Border Privacy Rules.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework, the Swiss-U.S. Privacy Shield framework, and the APEC Cross-Border Privacy Rules.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_click_labs",
      "company_name": "Click Labs, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3090-click-labs-inc-matter",
      "docket_number": "C-4705"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order itself, deliver copies to principals, officers, managers, and relevant employees, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_click_labs",
      "company_name": "Click Labs, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3090-click-labs-inc-matter",
      "docket_number": "C-4705"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days, and thereafter submit sworn notices within 14 days of any change in contact information, corporate structure, or bankruptcy filing.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Click Labs, Inc., FTC File No. 192 3090, Docket No. C-4705.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_click_labs",
      "company_name": "Click Labs, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3090-click-labs-inc-matter",
      "docket_number": "C-4705"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for twenty years after the Order's issuance date and retain each such record for five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_click_labs",
      "company_name": "Click Labs, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3090-click-labs-inc-matter",
      "docket_number": "C-4705"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondent's compliance by requesting additional reports, inspecting records, conducting interviews, and using undercover means without prior notice.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_click_labs",
      "company_name": "Click Labs, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3090-click-labs-inc-matter",
      "docket_number": "C-4705"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates on January 23, 2040, or twenty years from the most recent date the Commission files a complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on January 23, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_click_labs",
      "company_name": "Click Labs, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3090-click-labs-inc-matter",
      "docket_number": "C-4705"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner the extent to which it participates in, complies with, or is certified by any privacy or security program, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_dcr_workforce",
      "company_name": "DCR Workforce, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3188-dcr-workforce-inc-matter",
      "docket_number": "C-4698"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order, deliver copies to relevant personnel and any successor entities, and obtain signed acknowledgments from all recipients.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_dcr_workforce",
      "company_name": "DCR Workforce, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3188-dcr-workforce-inc-matter",
      "docket_number": "C-4698"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial sworn compliance report within 60 days, submit sworn notices within 14 days of specified changes or bankruptcy filings, and follow required format and submission procedures for all Commission filings.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2)the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re DCR Workforce, Inc., FTC File No. 182 3188, Docket No. C-4698.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_dcr_workforce",
      "company_name": "DCR Workforce, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3188-dcr-workforce-inc-matter",
      "docket_number": "C-4698"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for twenty years after the Order's issuance and retain each record for five years, covering financial records, personnel records, compliance documentation, and copies of all representations subject to the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_dcr_workforce",
      "company_name": "DCR Workforce, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3188-dcr-workforce-inc-matter",
      "docket_number": "C-4698"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, communicating directly with and interviewing Respondent's affiliates, and using all other lawful investigative means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_dcr_workforce",
      "company_name": "DCR Workforce, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3188-dcr-workforce-inc-matter",
      "docket_number": "C-4698"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates January 13, 2040, or twenty years from the most recent date the Commission files a federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate January 13, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_dcr_workforce",
      "company_name": "DCR Workforce, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3188-dcr-workforce-inc-matter",
      "docket_number": "C-4698"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner its membership in, adherence to, or certification under any government or self-regulatory privacy or security program, including EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, and APEC Cross-Border Privacy Rules.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework, the Swiss-U.S. Privacy Shield framework, and the APEC Cross-Border Privacy Rules.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_global_data_vault",
      "company_name": "Global Data Vault, LLC",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3093-global-data-vault-llc-matter",
      "docket_number": "C-4706"
    },
    {
      "provision_number": "II",
      "title": "Requirement to Meet Continuing Obligations Under Privacy Shield",
      "category": "affirmative_obligation",
      "summary": "Respondent must either affirm to the Department of Commerce that it will continue to apply Privacy Shield principles (or protect data by another EU-authorized means) or return/delete the personal information, within ten days of the order's effective date.",
      "verbatim_text": "A. affirm to the Department of Commerce, within ten (10) days after the effective date of this Order and on an annual basis thereafter for as long as it retains such information, that it will 1. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or 2. protect the information by another means authorized under EU law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission;\n\nB. return or delete the information within ten (10) days after the effective date of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_global_data_vault",
      "company_name": "Global Data Vault, LLC",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3093-global-data-vault-llc-matter",
      "docket_number": "C-4706"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit its own acknowledgment of receipt to the FTC within 10 days, deliver copies of the Order to relevant personnel and future business entities for 10 years, and collect signed acknowledgments from each recipient within 30 days of delivery.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For ten (10) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_global_data_vault",
      "company_name": "Global Data Vault, LLC",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3093-global-data-vault-llc-matter",
      "docket_number": "C-4706"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial sworn compliance report within 60 days, submit sworn notices within 14 days of certain changes in contact or corporate structure, notify the FTC within 14 days of any bankruptcy filing, and follow specific submission format and address requirements.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of Page 3 of 6 each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Global Data Vault, LLC, FTC File No. 1923093, Docket No. C-4706.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_global_data_vault",
      "company_name": "Global Data Vault, LLC",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3093-global-data-vault-llc-matter",
      "docket_number": "C-4706"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified categories of records for ten years after the Order's issuance date and retain each record for five years, including accounting records, personnel records, compliance documentation, and copies of all representations subject to the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for ten (10) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_global_data_vault",
      "company_name": "Global Data Vault, LLC",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3093-global-data-vault-llc-matter",
      "docket_number": "C-4706"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondent's compliance by requesting additional reports and records, communicating directly with Respondent, interviewing anyone affiliated with Respondent who has agreed to an interview, and using other lawful investigative means including undercover contacts.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_global_data_vault",
      "company_name": "Global Data Vault, LLC",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3093-global-data-vault-llc-matter",
      "docket_number": "C-4706"
    },
    {
      "provision_number": "VII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates on January 23, 2040, or twenty years from the most recent date the United States or the Commission files a federal court complaint alleging any Order violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on January 23, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_global_data_vault",
      "company_name": "Global Data Vault, LLC",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3093-global-data-vault-llc-matter",
      "docket_number": "C-4706"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations about Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any way its membership in, compliance with, or participation in any privacy or security program sponsored by a government or self-regulatory organization, including EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, and APEC Cross-Border Privacy Rules.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework, the Swiss-U.S. Privacy Shield framework, and the APEC Cross-Border Privacy Rules.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_incentive_services",
      "company_name": "Incentive Services, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3078-incentive-services-inc-matter",
      "docket_number": "C-4703"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order, deliver copies to relevant personnel and business entities, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_incentive_services",
      "company_name": "Incentive Services, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3078-incentive-services-inc-matter",
      "docket_number": "C-4703"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report 60 days after issuance, and timely sworn notices of changes in contact information, corporate structure, or bankruptcy proceedings.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Incentive Services, Inc., FTC File No. 1923078.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_incentive_services",
      "company_name": "Incentive Services, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3078-incentive-services-inc-matter",
      "docket_number": "C-4703"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specific records for 20 years after issuance, with each record retained for at least 5 years, covering financials, personnel, compliance documentation, and representations subject to the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_incentive_services",
      "company_name": "Incentive Services, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3078-incentive-services-inc-matter",
      "docket_number": "C-4703"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, interviewing affiliated individuals, and using other lawful investigative means including undercover contacts.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_incentive_services",
      "company_name": "Incentive Services, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3078-incentive-services-inc-matter",
      "docket_number": "C-4703"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is final and effective upon publication on ftc.gov and terminates on January 23, 2040, or 20 years from the most recent date a complaint alleging a violation is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate January 23, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_incentive_services",
      "company_name": "Incentive Services, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3078-incentive-services-inc-matter",
      "docket_number": "C-4703"
    },
    {
      "provision_number": "I",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Each Covered Business must establish, implement, and maintain a comprehensive information security program protecting the security, confidentiality, and integrity of Personal Information, including specific technical, operational, and administrative safeguards.",
      "verbatim_text": "IT IS FURTHER ORDERED that each Covered Business shall not transfer, sell, share, collect, maintain, or store Personal Information unless it establishes and implements, and thereafter maintains, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Personal Information. To satisfy this requirement, each Covered Business must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written program and any evaluations thereof or updates thereto to its board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer responsible for its Information Security Program at least once every twelve (12) months and promptly after a Covered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, at least once every twelve (12) months and promptly following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control the internal and external risks to the security, confidentiality, or integrity of Personal Information identified in response to sub-Provision I.D. Each safeguard shall be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, alteration, destruction, or disclosure of the Personal Information. Corporate Respondent’s safeguards shall also include: 1. 
Policies, procedures, and technical measures to systematically inventory Personal Information stored on Corporate Respondent’s network and delete Personal Information that is no longer necessary; 2. Measures to assess the cybersecurity risk posed by Corporate Respondent’s code to Personal Information stored on Corporate Respondent’s network, including, at least once every twelve (12) months and promptly after a Covered Incident: (a) software code review; and (b) penetration testing of Corporate Respondent’s software; 3. Technical measures to detect unknown file uploads, such as input validation; 4. Technical measures to limit the locations to which third parties can upload files on Corporate Respondent’s network; 5. Segmentation of Corporate Respondent’s network to ensure that one client’s distributors cannot access another client’s data on Corporate Respondent’s network; 6. Technical measures to detect anomalous activity and/or cybersecurity events on Corporate Respondent’s network, including (a) an intrusion prevention or detection system to alert Corporate Respondent of potentially unauthorized queries and/or access to its network; (b) file integrity monitoring tools to determine whether files on Corporate Respondent’s network have been altered; and (c) data loss prevention tools to regularly monitor for unauthorized attempts to exfiltrate Personal Information outside Corporate Respondent’s network boundaries; and 7. Encryption of Social Security numbers, payment card information (including full credit card and debit card numbers, Card Verification Values, and expiration dates), bank account information (including account and routing numbers), and authentication credentials such as user IDs and passwords on Corporate Respondent’s network.\n\nF. 
Assess, at least once every twelve (12) months and promptly following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and promptly following a Covered Incident, and modify the Information Security Program based on the results. Such testing shall include vulnerability testing of each of Respondents’ network(s) once every four months and promptly after a Covered Incident, and penetration testing of each of the Covered Business’s network(s) at least once every twelve (12) months and promptly after a Covered Incident;\n\nH. Select and retain service providers capable of safeguarding Personal Information they access through or receive from each Covered Business, and contractually require service providers to implement and maintain safeguards for Personal Information; and\n\nI. Evaluate and adjust the Information Security Program in light of any changes to its operations or business arrangements, a Covered Incident, or any other circumstances that Respondents know or have reason to know may have an impact on the effectiveness of the Information Security Program. At a minimum, each Covered Business must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "II",
      "title": "Information Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial third-party assessments of their Information Security Program from a qualified, independent assessor, covering specified reporting periods and meeting defined assessment standards.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; and (3) retains all documents relevant to each Assessment for five (5) years after completion of such Assessment and will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Respondents shall provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name and affiliation of the person selected to conduct the Assessment, which the Associate Director shall have the authority to approve in his sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.\n\nD. 
Each Assessment must: (1) determine whether each Covered Business has implemented and maintained the Information Security Program required by Provision I of this Order, titled Mandated Information Security Program; (2) assess the effectiveness of each Covered Business’s implementation and maintenance of sub-Provisions I.A-I; (3) identify any gaps or weaknesses in the Information Security Program; and (4) identify specific evidence (including, but not limited to documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely solely on assertions or attestations by a Covered Business’s management. The Assessment shall be signed by the Assessor and shall state that the Assessor conducted an independent review of the Information Security Program, and did not rely solely on assertions or attestations by a Covered Business’s management.\n\nE. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondents must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re InfoTrax Systems, L.C. and Mark Rawlins, FTC File No. 1623130, FTC Docket No. C-4696.” All subsequent biennial Assessments shall be retained by Respondents until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "III",
      "title": "Cooperation with Third Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondents must fully cooperate with the third-party Assessor by disclosing all material facts without misrepresentation and providing all relevant information and materials in their possession.",
      "verbatim_text": "A. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondents have implemented and maintained the Information Security Program required by Provision I of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions I.A-I; or (3) identification of any gaps or weaknesses in the Information Security Program; and\n\nB. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "IV",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondents must provide the Commission each year with a certification from a senior corporate manager or senior officer stating that each Covered Business has established, implemented, and maintained the Order's requirements and is not aware of any material noncompliance that has not been corrected or disclosed to the Commission; the certification must also include a brief description of any Covered Incident.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of each Covered Business responsible for each Covered Business’s Information Security Program that: (1) each Covered Business has established, implemented, and maintained the requirements of this Order; (2) each Covered Business is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of any Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re InfoTrax Systems, L.C. and Mark Rawlins, FTC File No. 1623130, FTC Docket No. C-4696.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "V",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
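      "summary": "Respondents must submit a report to the Commission within a reasonable time after discovering a Covered Incident, and no later than ten days after the Covered Business or any of its clients first notifies a U.S. federal, state, or local government entity of the incident; the report covers when and how the incident occurred, the types of information and number of consumers that triggered notification, remediation steps, and copies of notices sent.",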
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, for any Covered Business, within a reasonable time after the date of discovery of a Covered Incident, but in any event no later than ten (10) days after the date the Covered Business, or any of the Covered Business’s clients, first notifies any U.S. federal, state, or local government entity of the Covered Incident, must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of information that triggered the notification obligation to the U.S. federal, state, or local government entity; D. The number of consumers whose information triggered the notification obligation to the U.S. federal, state, or local government entity; E. The acts that the Covered Business has taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of each materially different notice required by U.S. federal, state, or local law or regulation and sent by the Covered Business or any of its clients to consumers or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re InfoTrax Systems, L.C. and Mark Rawlins, FTC File No. 1623130, FTC Docket No. C-4696.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "VI",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondents must acknowledge receipt of the Order, deliver copies to key personnel and new hires, and obtain signed acknowledgments from all recipients.",
      "verbatim_text": "A. Each Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For twenty (20) years after the issuance date of this Order, Individual Respondent, for any Covered Business that Individual Respondent, individually or collectively with any other Respondents, is the majority owner or controls directly or indirectly, and Corporate Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision VII of this Order titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Respondent delivered a copy of this Order, that Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Each Respondent must submit a sworn compliance report one year after the Order's issuance and a sworn compliance notice within fourteen days of any change in designated contact information or business structure, and must give notice of any bankruptcy filing within fourteen days.",
      "verbatim_text": "A. One year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Each Respondent must: (a) identify the primary physical, postal, and email address, and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales, and the involvement of any other Respondent (which Individual Respondent must describe if he knows or should know due to his own involvement); (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\n2. Additionally, Individual Respondent must: (a) identify all his telephone numbers and all his physical, postal, email and Internet addresses, including all residences; (b) identify all his business activities, including any business for which such Respondent performs services whether as an employee or otherwise and any entity in which such Respondent has any ownership interest; and (c) describe in detail such Respondent’s involvement in each such business activity, including title, role, responsibilities, participation, authority, control, and any ownership.\n\nB. Each Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: 1. 
Each Respondent must submit notice of any change in: (a) any designated point of contact; or (b) the structure of any Corporate Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\n2. Additionally, Individual Respondent must submit notice of any change in: (a) name, including alias or fictitious name, or residence address; or (b) title or role in any business activity, including (i) any business for which Individual Respondent performs services whether as an employee or otherwise and (ii) any entity in which Individual Respondent has any ownership interest and over which Individual Respondent has direct or indirect control. For each such business activity, also identify its name, physical address, and any Internet address.\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. 
Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re InfoTrax Systems, L.C., and Mark Rawlins, FTC File No. 1623130, FTC Docket No. C-4696.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create and retain specified records for twenty years after the Order's issuance, with individual records retained for five years, covering financial, personnel, consumer complaints, assessment materials, law enforcement communications, noncompliance evidence, and all compliance submissions.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for five (5) years, unless otherwise specified below. Specifically, Corporate Respondent and Individual Respondent, for any Covered Business that Individual Respondent, individually or collectively with any other Respondent, is a majority owner or controls directly or indirectly, must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. For five (5) years after the date of preparation of each Assessment required by this Order, all materials and evidence that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondents’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nE. For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondents’ compliance with this Order;\n\nF. 
For five (5) years from the date created or received, all records, whether prepared by or on behalf of Respondents, that tend to show any lack of compliance by Respondents with this Order; and\n\nG. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
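      "summary": "The FTC may monitor compliance by requiring additional sworn reports and document production within ten days of a written request, communicating directly with each Respondent, interviewing anyone affiliated with a Respondent who has agreed to an interview, and using any other lawful means, including representatives posing as consumers or suppliers without identification or prior notice, as well as compulsory process.",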
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, each Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with each Respondent. Respondents must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "X",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and terminates twenty years from issuance or from the most recent date of any federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_infotrax_systems_l.c.",
      "company_name": "InfoTrax Systems, L.C.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc",
      "docket_number": "C-4696"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, its membership in, adherence to, certification by, or participation in any privacy or security program sponsored by a government or self-regulatory organization, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_lotadata",
      "company_name": "LotaData, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3194-lotadata-inc-matter",
      "docket_number": "C-4700"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order itself, deliver copies to relevant personnel and business successors, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_lotadata",
      "company_name": "LotaData, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3194-lotadata-inc-matter",
      "docket_number": "C-4700"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days, then submit sworn notices within 14 days of any changes to contact information, corporate structure, or bankruptcy filings, and must route all submissions to the FTC via specified channels.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re LotaData, Inc., FTC File No. 1823194, Docket No. C-4700.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_lotadata",
      "company_name": "LotaData, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3194-lotadata-inc-matter",
      "docket_number": "C-4700"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 10 years after the issuance date and retain each record for 5 years, covering personnel records, compliance documentation, and copies of all representations subject to the Order.",
      "verbatim_text": "A. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nB. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nC. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_lotadata",
      "company_name": "LotaData, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3194-lotadata-inc-matter",
      "docket_number": "C-4700"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance through requests for reports and records, direct communications and interviews with affiliated persons, and other lawful investigative means including undercover contact.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_lotadata",
      "company_name": "LotaData, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3194-lotadata-inc-matter",
      "docket_number": "C-4700"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates on January 13, 2040, or 20 years from the most recent date of a federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on January 13, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_lotadata",
      "company_name": "LotaData, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3194-lotadata-inc-matter",
      "docket_number": "C-4700"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent and all affiliated persons must not misrepresent in any manner the extent to which Respondent is a member of, complies with, or participates in any privacy or security program, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_medable",
      "company_name": "Medable, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3192-medable-inc-matter",
      "docket_number": "C-4697"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit its own acknowledgment of receipt, deliver copies of the Order to relevant personnel and successor entities, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for, and all agents and representatives who participate in, conduct related to representing in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within sixty (60) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_medable",
      "company_name": "Medable, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3192-medable-inc-matter",
      "docket_number": "C-4697"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial sworn compliance report within 60 days and submit timely notices of changes in contact information, corporate structure, or bankruptcy filings, following specified submission procedures.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Medable, Inc., FTC File No. 1823192.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_medable",
      "company_name": "Medable, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3192-medable-inc-matter",
      "docket_number": "C-4697"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for ten (10) years and retain each for five (5) years, covering personnel, compliance documentation, and copies of representations subject to this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for ten (10) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. personnel records showing, for each person providing services in relation to any aspect of this Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nB. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nC. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_medable",
      "company_name": "Medable, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3192-medable-inc-matter",
      "docket_number": "C-4697"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, communicating directly with and interviewing Respondent's personnel, and using other lawful investigative means including undercover contacts.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_medable",
      "company_name": "Medable, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3192-medable-inc-matter",
      "docket_number": "C-4697"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates twenty (20) years from issuance, or twenty (20) years from the most recent date a complaint alleging a violation is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance, (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_medable",
      "company_name": "Medable, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3192-medable-inc-matter",
      "docket_number": "C-4697"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, its membership in, adherence to, certification by, or participation in any privacy or security program sponsored by a government or self-regulatory organization, including the EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, and APEC Cross-Border Privacy Rules.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework, the Swiss-U.S. Privacy Shield framework, and the APEC Cross-Border Privacy Rules.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_tdarx",
      "company_name": "TDARX, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3084-tdarx-inc-matter",
      "docket_number": "C-4704"
    },
    {
      "provision_number": "II",
      "title": "Requirement to Meet Continuing Obligations Under Privacy Shield",
      "category": "affirmative_obligation",
      "summary": "Respondent must either affirm to the Department of Commerce that it will continue applying Privacy Shield principles (or protect data by another EU-authorized means) within 10 days and annually thereafter, or return or delete the information within 10 days of the Order's effective date.",
      "verbatim_text": "A. affirm to the Department of Commerce, within ten (10) days after the effective date of this Order and on an annual basis thereafter for as long as it retains such information, that it will 1. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or 2. protect the information by another means authorized under EU law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission; or\n\nB. return or delete the information within ten (10) days after the effective date of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_tdarx",
      "company_name": "TDARX, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3084-tdarx-inc-matter",
      "docket_number": "C-4704"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit its own acknowledgment of receipt to the FTC within 10 days, deliver copies of the Order to relevant personnel and business successors for 10 years, and obtain signed acknowledgments from each recipient within 30 days of delivery.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For ten (10) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_tdarx",
      "company_name": "TDARX, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3084-tdarx-inc-matter",
      "docket_number": "C-4704"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial sworn compliance report within 60 days, submit sworn notices of material changes within 14 days, notify the FTC of any bankruptcy filing within 14 days, ensure all sworn submissions comply with 28 U.S.C. § 1746, and route all submissions to the designated FTC email or address.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re TDARX, Inc., FTC File No. 1923084.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_tdarx",
      "company_name": "TDARX, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3084-tdarx-inc-matter",
      "docket_number": "C-4704"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 10 years after the Order's issuance date and retain each such record for 5 years, covering accounting records, personnel records, compliance documentation, and copies of representations subject to the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for ten (10) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_tdarx",
      "company_name": "TDARX, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3084-tdarx-inc-matter",
      "docket_number": "C-4704"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "Respondent must cooperate with FTC monitoring, including submitting additional compliance reports or records within 10 days of written request, permitting direct communications and interviews, and allowing the Commission to use all lawful investigative means including undercover contacts.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_tdarx",
      "company_name": "TDARX, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3084-tdarx-inc-matter",
      "docket_number": "C-4704"
    },
    {
      "provision_number": "VII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is final and effective upon publication on the FTC's website and will terminate on January 23, 2040, or 20 years from the most recent date the United States or Commission files a federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate January 23, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_tdarx",
      "company_name": "TDARX, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3084-tdarx-inc-matter",
      "docket_number": "C-4704"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in, is certified by, or complies with any government or self-regulatory privacy or security program, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_thru",
      "company_name": "Thru, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3196-thru-inc-matter",
      "docket_number": "C-4702"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order itself, deliver copies to relevant personnel and successors, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_thru",
      "company_name": "Thru, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3196-thru-inc-matter",
      "docket_number": "C-4702"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report 60 days after issuance, submit sworn notices of material changes within 14 days, notify the Commission of any bankruptcy filing within 14 days, and route all submissions per specified instructions.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2)the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Thru, Inc., FTC File No. 1823196, Docket No. C-4702.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_thru",
      "company_name": "Thru, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3196-thru-inc-matter",
      "docket_number": "C-4702"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified business, personnel, compliance, and advertising records for 20 years (creation) and 5 years (retention) after the issuance date.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_thru",
      "company_name": "Thru, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3196-thru-inc-matter",
      "docket_number": "C-4702"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, conducting interviews, and using other lawful investigative means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_thru",
      "company_name": "Thru, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3196-thru-inc-matter",
      "docket_number": "C-4702"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates on January 13, 2040, or 20 years from the most recent date a complaint alleging any Order violation is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on January 13, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_thru",
      "company_name": "Thru, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3196-thru-inc-matter",
      "docket_number": "C-4702"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in, complies with, or is certified by any government or self-regulatory privacy or security program, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.20_trueface.ai",
      "company_name": "214 Technologies, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc",
      "docket_number": "C-4699"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must obtain and submit acknowledgments of receipt of the Order from itself and relevant personnel within specified timeframes.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_trueface.ai",
      "company_name": "214 Technologies, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc",
      "docket_number": "C-4699"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn initial compliance report within 60 days, and timely compliance notices upon changes in contact, structure, or bankruptcy filings.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re 214 Technologies, Inc., FTC File No. 1823193, Docket No. C-4699.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_trueface.ai",
      "company_name": "214 Technologies, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc",
      "docket_number": "C-4699"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified records for 10 years (creation) and 5 years (retention), covering personnel, compliance, and representations.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for ten (10) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nB. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nC. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.20_trueface.ai",
      "company_name": "214 Technologies, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc",
      "docket_number": "C-4699"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance through document requests, direct communications, interviews, and other lawful means including undercover inquiries.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.20_trueface.ai",
      "company_name": "214 Technologies, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc",
      "docket_number": "C-4699"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC website and terminates on January 13, 2040, or 20 years from the most recent date a complaint alleging any violation is filed in federal court, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on January 13, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.20_trueface.ai",
      "company_name": "214 Technologies, Inc.",
      "date_issued": "2020-01-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc",
      "docket_number": "C-4699"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, expressly or by implication, the extent to which it collects, maintains, uses, or protects the privacy and security of any Covered Information.",
      "verbatim_text": "A. The extent to which Respondent collects, maintains, uses, discloses, deletes, or permits or denies access to any Covered Information; and\n\nB. The extent to which Respondent otherwise protects the privacy, security, availability, confidentiality, or integrity of any Covered Information.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "II",
      "title": "Data Retention and Deletion",
      "category": "affirmative_obligation",
      "summary": "Within 60 days, Respondent must document and follow a Covered Information retention schedule and provide consumers a Clear and Conspicuous link to request data access or deletion.",
      "verbatim_text": "A. Document and adhere to a retention schedule for Covered Information. Such schedule shall set forth: (1) the purpose or purposes for which each type of Covered Information is collected; (2) the specific business needs for retaining each type of Covered Information; and (3) a set timeframe for deletion of each type of Covered Information (absent any intervening deletion requests from consumers) that precludes indefinite retention of any Covered Information; and\n\nB. Provide a Clear and Conspicuous link on the homepage and initial login page of Respondent’s websites directing consumers to an online form through which they can request access to or the deletion of their Covered Information. Respondent must respond to and fulfill every request either in accordance with the applicable consumer data access and deletion rights and related procedures prescribed by applicable law in the consumer’s jurisdiction of residence or, if the location of the consumer’s residence is unknown to Respondent, or if there are no applicable laws in the consumer’s jurisdiction that provide for consumer rights to access or delete Covered Information, then in accordance with the consumer data access and deletion rights afforded by law to residents of the state in which Respondent’s principal executive offices are located. If there are no laws that provide consumers with rights to access or delete Covered Information within the state in which Respondent’s principal executive offices are located, then Respondent must fulfill any such requests within 45 days of receiving them. The time period to respond to the request may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. 
Provided, however, that any Covered Information that Respondent is otherwise required to delete or destroy pursuant to this provision may be retained, and may be disclosed, as requested by a government agency or otherwise required by law, regulation, court order, or other legal obligation, including as required by rules applicable to the safeguarding of evidence in pending litigation, or pursuant to written policies Clearly and Conspicuously posted on Respondent’s websites relating to investigations or disciplinary actions by educational institutions concerning academic integrity.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "III",
      "title": "Multi-Factor Authentication for Users",
      "category": "affirmative_obligation",
      "summary": "Within six months, Respondent must offer multi-factor authentication to consumer users and must not use MFA-collected information for any other purpose.",
      "verbatim_text": "IT IS FURTHER ORDERED that within six months after issuance of this Order, Respondent must provide multi-factor authentication methods as an option or as a requirement for consumer users. This time period may be extended for a reasonable time if such extension is approved in writing by a representative of the Commission. Respondent must not use, provide access to, or disclose any information collected for multi-factor authentication for any other purpose, unless such information is obtained separate and apart from enabling multi-factor authentication.\n\nRespondent may use equivalent, widely adopted industry authentication options that are not multi-factor, if the person responsible for the Information Security Program under sub-Provision V.C: (1) approves in writing the use of such equivalent authentication options; and (2) documents a written explanation of how the authentication options are widely adopted and at least equivalent to the security provided by multi-factor authentication.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "IV",
      "title": "Notice to Individuals Affected by Identified Breaches",
      "category": "affirmative_obligation",
      "summary": "Within 60 days, Respondent must email the prescribed breach notice (Attachment A) to each individual whose sensitive information was exposed in an Identified Breach and not yet notified.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within 60 days after issuance of this Order, must provide a notice to each individual whose unencrypted Social Security number, financial account information, date of birth, user account credentials, or Medical Information was exposed in an Identified Breach, to the extent such individual has not already previously been sent notification by Respondent. The notice shall be delivered by email and shall include an exact copy of the notice attached hereto as Attachment A (“Identified Breaches Notice”), with the subject line “Information about Chegg Data Breach.” Respondent must not include with the Identified Breaches Notice any other information, documents, or attachments.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "V",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Within 90 days, Respondent must establish, implement, and maintain a comprehensive information security program covering documentation, risk assessments, safeguards, employee training, access controls, MFA, encryption, vulnerability management, and service provider oversight.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and any business that Respondent controls, directly or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must, within 90 days after issuance of this Order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the security, availability, confidentiality, and integrity of Covered Information under Respondent’s control. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written program and any evaluations thereof or material updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for Respondent’s Information Security Program at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident;\n\nC. Designate a qualified employee to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in the (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Respondent identifies to the security, confidentiality, availability, or integrity of Covered Information identified in response to sub-Provision V.D. 
Each safeguard must take into account the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, use, alteration, or disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, destruction, or other compromise of such information. Such safeguards must also include: 1. Training of all of Respondent’s employees, at least once every 12 months, on how to safeguard Covered Information; 2. Documenting in writing the content, implementation, and maintenance of an incident response plan designed to ensure the identification of, investigation of, and response to the unauthorized access to Covered Information. Respondent shall revise and update this incident response plan to adapt to any changes to its assets or networks; 3. Implementing technical measures to log and monitor Respondent’s networks and assets for anomalous activity and active threats. Such measures shall require Respondent to determine baseline system activity and identify and respond to anomalous events and unauthorized attempts to access or exfiltrate Covered Information; 4. Policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures; 5. Implementing data access controls for all assets (including databases) storing Covered Information and technical measures, policies, and procedures to minimize or prevent online attacks resulting from the misuse of valid credentials, including: (a) restricting inbound and outbound connections; (b) requiring and enforcing strong passwords or other credentials; (c) preventing the reuse of known compromised credentials to access Covered Information; (d) implementing automatic password resets for known compromised credentials; and (e) limiting employee access to what is needed to perform that employee’s job function; 6. 
Requiring multi-factor authentication methods for all employees, contractors, and affiliates in order to access any assets (including databases) storing Covered Information. Such multi-factor authentication methods for all employees, contractors, and affiliates should not include telephone or SMS-based authentication methods and must be resistant to phishing attacks. Respondent may use equivalent, widely adopted industry authentication options that are not multi-factor, if the person responsible for the Information Security Program under sub-Provision V.C: (1) approves in writing the use of such equivalent authentication options; and (2) documents a written explanation of how the authentication options are widely adopted and at least equivalent to the security provided by multi-factor authentication; 7. Developing and implementing configuration standards to harden system components against known threats and vulnerabilities. New system components shall not be granted access to Respondent’s network, resources, or Covered Information until they meet Respondent’s configuration standards; 8. Encryption of, at a minimum, all Social Security numbers, passport numbers, financial account information, tax information, dates of birth associated with a user’s account, Medical Information associated with a user’s account, and user account credentials on Respondent’s computer networks, including but not limited to cloud storage; 9. Policies and procedures to ensure that all information technology (“IT”) assets on Respondent’s network with access to Covered Information are securely installed and inventoried at least once every 12 months; 10. Implementing vulnerability and patch management measures, policies, and procedures that require confirmation that any directives to apply patches or remediate vulnerabilities are received and completed and that include timelines for addressing vulnerabilities that account for the severity and exploitability of the risk implicated; and 11. 
Enforcing policies and procedures to ensure the timely investigation of data security events and the timely remediation of critical and high-risk security vulnerabilities.\n\nF. Assess, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the security, confidentiality, or integrity of Covered Information, and modify the Information Security Program based on the results;\n\nG. Assess, prior to the acquisition of any entity that maintains, processes, or transmits Covered Information (“Acquired Entity”), the effectiveness of that entity’s safeguards to protect such information. Either during the acquisition due diligence process or following such acquisition, Respondent must independently test the effectiveness of the Acquired Entity’s safeguards to protect Covered Information. Respondent shall not integrate any application or information system into its network(s) until (1) all material risks to the security, confidentiality, and integrity of Covered Information identified in such a test are remediated; and (2) such application or information system meets the requirements of this Provision. Provided, however, that Respondent shall have 90 days after integrating any application or information system of an acquired entity into its networks to implement the requirements of sub-Provision V.E.6 with respect to such application or system.\n\nH. Test and monitor the effectiveness of the safeguards at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident and modify the Information Security Program based on the results. 
Such testing and monitoring must include vulnerability testing of Respondent’s networks once every six months and promptly (not to exceed 30 days) after a Covered Incident, and penetration testing of Respondent’s networks at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident;\n\nI. Select and retain service providers capable of safeguarding Covered Information they access through or receive from Respondent, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information; and\n\nJ. Evaluate and adjust the Information Security Program in light of any changes to Respondent’s operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in sub-Provision V.D of this Order, or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Information Security Program at least once every 12 months and modify the Information Security Program based on the results.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "VI",
      "title": "Information Security Assessments By A Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial independent third-party assessments of its Information Security Program, submit the initial assessment to the FTC within 10 days of completion, and retain subsequent assessments for FTC review on request.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; (3) retains all documents relevant to each Assessment for 5 years after completion of such Assessment; and (4) will provide such documents to the Commission within ten days of receipt of a written request from a representative of the Commission. The Assessor may not withhold any documents from the Commission on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in her or his sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each two-year period thereafter for 20 years after issuance of the Order for the biennial Assessments.\n\nD. Each Assessment must, for the entire assessment period: 1. Determine whether Respondent has implemented and maintained the Information Security Program required by Provision V of this Order; 2. Assess the effectiveness of Respondent’s implementation and maintenance of sub-Provisions V.A-J of this Order; 3. Identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; 4. Address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and 5. 
Identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is: (a) appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondent’s management and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Respondent revises, updates, or adds one or more safeguards required under Provision V of this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit an unredacted copy of the initial Assessment to the Commission within 10 days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. 
The subject line must begin: “In re Chegg, Inc.” Respondent must retain an unredacted copy of each subsequent biennial Assessment as well as a proposed redacted copy of each subsequent biennial Assessment suitable for public disclosure and provide to the Associate Director for Enforcement within 10 days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "VII",
      "title": "Cooperation With Third-Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondent must fully cooperate with third-party Assessors by providing all relevant information, network and IT asset visibility, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Assessor information about Respondent’s network(s) and all of Respondent’s IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s) and IT assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondent has implemented and maintained the Information Security Program required by Provision V of this Order; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions V.A-J of this Order; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "VIII",
      "title": "Annual Certifications",
      "category": "compliance_reporting",
      "summary": "Beginning one year after Order issuance and annually thereafter, a senior corporate manager or officer must certify to the FTC that Respondent has established and maintained Order requirements and is unaware of uncorrected material noncompliance.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from the a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Information Security Program that: (1) Respondent has established, implemented, and maintained the requirements of this Order; and (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Information Security Program, or subject matter experts upon whom the senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Information Security Program reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Chegg”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "IX",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within ten days of notifying any U.S. government entity of a Covered Incident, Respondent must submit a detailed report to the FTC including dates, descriptions, affected consumer counts, remediation actions, and copies of consumer notices.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within ten days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondent shall submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of information that was affected by the Covered Incident; D. The number of consumers whose information was affected by the Covered Incident; E. The acts that Respondent has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of each materially different notice sent by Respondent to consumers or to any U.S. federal, state, or local government entity.\n\nG. Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Chegg, Inc.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "X",
      "title": "Order Acknowledgements",
      "category": "acknowledgment",
      "summary": "Respondent must submit its own sworn acknowledgment of the Order within 10 days, deliver copies to relevant personnel, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 5 years after issuance of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, and directors; (2) all employees having managerial responsibilities for cybersecurity, privacy, and the collection, use, or disclosure of Covered Information and all agents and representatives who participate in cybersecurity, privacy, and the collection, use, or disclosure of Covered Information; and (3) any business entity resulting from any change in structure as set forth in Provision XI. Delivery must occur within 10 days of issuance of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "XI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial sworn compliance report one year after issuance, provide sworn notices of material changes within 14 days for 12 years, and notify the FTC of any bankruptcy filing within 14 days.",
      "verbatim_text": "A. One year after issuance of this Order, Respondent must submit a compliance report, sworn under penalty of perjury. Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For 12 years after issuance of this Order, Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Chegg, Inc.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "XII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain for 5 years (over a 12-year creation period) records including accounting data, personnel records, consumer complaints, all compliance documentation, and copies of privacy/security-related marketing materials.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nE. A copy of each widely disseminated, unique advertisement or other marketing material that references or otherwise relates to: (a) Respondent’s privacy and data security practices; or (b) Respondent’s websites or online services offered by Respondent that, if any, are directed at students in grades kindergarten through seventh grade.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "XIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondent's compliance by requesting additional reports, conducting depositions and document inspections, communicating directly with Respondent, interviewing affiliated personnel, and using other lawful means including undercover methods.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, the Commission is authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview any employee or other person affiliated with Respondent who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Commission may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "XIV",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates 20 years from issuance or 20 years from the most recent federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.23_chegg",
      "company_name": "Chegg, Inc.",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg",
      "docket_number": "C-4782"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Corporate Respondent must not misrepresent how it collects, uses, discloses, or protects Covered Information, or misrepresent the extent of any Covered Incident or unauthorized disclosure.",
      "verbatim_text": "A. The extent to which Corporate Respondent collects, uses, discloses, maintains, Deletes, or permits or denies access to any Covered Information;\n\nB. The extent to which Corporate Respondent otherwise protects the privacy, security, availability, confidentiality, or integrity of any Covered Information; or\n\nC. The extent of any Covered Incident or unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of Covered Information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "II",
      "title": "Mandated Deletion and Data Minimization",
      "category": "affirmative_obligation",
      "summary": "Corporate Respondent must delete all Covered Information not being used for customer services within 60 days, report the deletion to the Commission, and refrain from collecting or maintaining unnecessary Covered Information going forward.",
      "verbatim_text": "A. Within 60 days after the issuance date of this Order, Delete or destroy all Covered Information that is not being used or retained in connection with providing products or services to Corporate Respondent’s customers, and provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, confirming that all such data has been Deleted or destroyed specifically enumerating which types of information were Deleted or destroyed; and\n\nB. Refrain from collecting or maintaining any Covered Information not necessary for the specific purpose(s) provided in the retention schedule required under Provision III entitled Data Retention Limits.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "III",
      "title": "Data Retention Limits",
      "category": "affirmative_obligation",
      "summary": "Corporate Respondent must document, adhere to, and publicly post a retention schedule for Covered Information within 60 days, report it to the Commission, and update the schedule before collecting any new types of consumer information.",
      "verbatim_text": "A. Within 60 days of issuance of this Order, document, adhere to, and make publicly available on its website(s) or app(s), a retention schedule for Covered Information, setting forth: (1) the purpose or purposes for which each type of Covered Information is collected; (2) the specific business needs for retaining each type of Covered Information; and (3) a set timeframe for Deletion of each type of Covered Information that precludes indefinite retention of any Covered Information; and\n\nB. Within 60 days after the issuance date of this Order, Corporate Respondent shall provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, describing the retention schedule for Covered Information made publicly available on its website(s) or app(s); and\n\nC. Prior to collecting any new type of information related to consumers that was not being collected as of the issuance date of this Order, and is not described in retention schedules published in accordance with sub-Provision A of this Provision entitled Data Retention Limits, Corporate Respondent must update its retention schedule setting forth: (1) the purpose or purposes for which the new information is collected; (2) the specific business needs for retaining the new information; and (3) a set timeframe for Deletion of the new information that precludes indefinite retention.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "IV",
      "title": "Mandated Information Security Program for Covered Businesses",
      "category": "affirmative_obligation",
      "summary": "Corporate Respondent and all Covered Businesses must establish, implement, and maintain a comprehensive information security program within 60 days, meeting detailed minimum requirements including written documentation, risk assessments, safeguards, training, access controls, monitoring, and vendor management.",
      "verbatim_text": "IT IS FURTHER ORDERED that Corporate Respondent and any business that Corporate Respondent controls, directly or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must each, within 60 days of the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Covered Information. To satisfy this requirement, each Covered Business must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written Information Security Program and any evaluations thereof or updates thereto to any Covered Business’ board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of the Covered Business responsible for the business’ Information Security Program at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in the (1) unauthorized collection, maintenance, alteration, use, disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nE. 
Design, implement, maintain, and document safeguards that control for the internal and external risks Covered Businesses identify to the security, confidentiality, or integrity of Covered Information identified in response to sub-Provision D of the Provision entitled Mandated Information Security Program for Covered Businesses. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, use, disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information. Such safeguards must also include: 1. A written information security policy and accompanying written standards and procedures that describe, at a minimum: (a) how each Covered Business implements each of the safeguards identified in this sub-Provision; and (b) how each Covered Business assesses and enforces compliance with these safeguards and any other controls it identifies in the policy and accompanying standards and procedures; 2. 
Standards, procedures, and policy provisions mandating security education that address internal or external risks each Covered Business identifies under sub-Provision D of this Provision, and that includes, at a minimum: (a) training for each Covered Business’ employees about each Covered Business’ security policy, standards, and procedures, including the requirements of this Order and the process for submitting complaints and concerns, to be conducted when an employee begins employment or takes on a new role, and on at least an annual basis thereafter; and (b) training in secure software development principles, including secure engineering and defensive programming concepts, for developers, engineers, system administrators, and other employees that design, implement, and operate a Covered Business’ products or services or that are otherwise responsible for the security of Covered Information; 3. Technical measures, standards, procedures, and policy provisions to prevent the storage of unsecured access keys or other unsecured credentials on a Covered Business’ network or in any cloud-based services; 4. Policy provisions and, to the extent possible, technical measures requiring employees, contractors, or third parties to secure any accounts with access to a Covered Business’ information technology infrastructure by: (a) using strong, unique passwords; and (b) using multi-factor authentication whenever available; 5. Requiring multi-factor authentication methods for all employees, contractors, and affiliates in order to access any assets (including databases) storing Covered Information. Such multi-factor authentication methods for all employees, contractors, and affiliates shall not include telephone or SMS-based authentication methods and must be resistant to phishing attacks. 
A Covered Business may use widely-adopted industry authentication options that provide at least equivalent security as the multi-factor authentication options required by this sub-provision, if approved in writing by the Commission; 6. Requiring multi-factor authentication methods be provided as an option for consumers. Any information collected from consumers at the time they select to use multi-factor authentication may only be used for authentication purposes and no other purpose; 7. Technical measures, standards, procedures, and policy provisions to: (a) log and monitor access to repositories of Covered Information in the control of a Covered Business; (b) limit access to Covered Information by, at a minimum, limiting employee and service provider access to what is needed to perform that employee’s or service provider’s job function; (c) grant and audit varying levels of access based on an employee’s need to know; and (d) periodically monitor and terminate employee and contractor accounts following inappropriate usage or termination of employment; 8. Technical measures, standards, procedures, and policy provisions to control data access for all assets (including databases) containing Covered Information or resources containing proprietary (i.e., non-open source) source code repositories, including, at a minimum: (a) restrictions of inbound connections to those originating from approved IP addresses; (b) requiring connections to be authenticated and encrypted; and (c) periodic audits of account permissions; 9. Technical measures, standards, procedures, and policy provisions to: (a) monitor and log transfers or exfiltration of Covered Information outside each Covered Business’ network boundaries; (b) monitor and log data security events and other anomalous activity; and (c) verify the effectiveness of monitoring and logging; 10. 
Technical measures to safeguard against unauthorized access, including: (a) an intrusion prevention or detection system; (b) file integrity monitoring tools; (c) data loss prevention tools; (d) properly configured firewalls; and (e) properly configured physical or logical segmentation of networks, systems, and databases; 11. Technical measures, standards, procedures, and policy provisions to assess the risk posed by source code to Covered Information stored on any Covered Business’ network or other assets, including, at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident involving a vulnerability related to Respondent’s source code: (a) software code review; and (b) penetration testing of each Covered Business’ software; and 12. Technical measures, procedures, and policy provisions to systematically inventory Covered Information in each Covered Business’ control and Delete Covered Information that is no longer necessary;\n\nF. Assess, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Covered Information, and modify the Information Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards in place at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, and modify the Information Security Program based on the results. Such testing and monitoring must include: (1) vulnerability testing of each Covered Business’ network and applications once every 4 months and promptly (not to exceed 30 days) after a Covered Incident; and (2) penetration testing of each Covered Business’ network(s) and applications at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident;\n\nH. 
Select and retain service providers capable of safeguarding Covered Information they access through or receive from each Covered Business, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information; and\n\nI. Evaluate and adjust the Information Security Program in light of any changes to a Covered Business’ operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in sub-Provision D of the Provision entitled Mandated Information Security Program for Covered Businesses, or any other circumstances that a Covered Business or its officers, agents, or employees know or have reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, each Covered Business must evaluate the Information Security Program at least once every 12 months and modify the Information Security Program based on the results.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "V",
      "title": "Third Party Information Security Assessments for Covered Businesses",
      "category": "assessment",
      "summary": "Corporate Respondent must obtain initial and biennial independent third-party assessments of its Information Security Program, using a qualified assessor approved by the FTC, covering defined reporting periods for 20 years, with completed assessments submitted to the Commission.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; and (3) retains all documents relevant to each Assessment for 5 years after completion of such Assessment and will provide such documents to the Commission within 10 days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Corporate Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in their sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the Mandated Information Security Program for Covered Businesses required by Provision IV of this Order has been put in place for the initial Assessment; and (2) each two-year period thereafter for 20 years after issuance of the Order for the biennial Assessments.\n\nD. Each Assessment must, for the entire assessment period: 1. Determine whether Corporate Respondent has implemented and maintained the Information Security Program required by the Provision entitled Mandated Information Security Program for Covered Businesses; 2. Assess the effectiveness of Corporate Respondent’s implementation and maintenance of sub-Provisions A-I of the Provision entitled Mandated Information Security Program for Covered Businesses; 3. 
Identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; 4. Address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and 5. Identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of the business’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Corporate Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Corporate Respondent’s management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent Corporate Respondent revises, updates, or adds one or more safeguards required under the Provision entitled Mandated Information Security Program for Covered Businesses in the middle of an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. 
Unless otherwise directed by a Commission representative in writing, Corporate Respondent must submit an unredacted copy of the initial Assessment and a proposed redacted copy suitable for public disclosure of the initial Assessment to the Commission within 10 days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Drizly, LLC and James Cory Rellas, FTC File No. 2023185.” Corporate Respondent must retain an unredacted copy of each subsequent biennial Assessment as well as a proposed redacted copy of each subsequent biennial Assessment suitable for public disclosure until the Order is terminated and must provide each such Assessment to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "VI",
      "title": "Cooperation with Third-Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondents must fully cooperate with the third-party assessor by providing all relevant information, granting network and IT asset visibility, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Assessor information about Corporate Respondent’s networks and all of Corporate Respondent’s information technology assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the networks and information technology assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Corporate Respondent has implemented and maintained the Mandated Information Security Program for Covered Businesses; (2) assessment of the effectiveness of the Corporate Respondent’s implementation and maintenance of sub-Provisions A-I of the required Mandated Information Security Program for Covered Businesses; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Mandated Information Security Program for Covered Businesses.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "VII",
      "title": "Mandated Information Security Program for Certain Businesses of the Individual Respondent",
      "category": "affirmative_obligation",
      "summary": "For 10 years after issuance, Individual Respondent must ensure that any Relevant Business for which he is a majority owner or senior officer with information security responsibility establishes and maintains a comprehensive information security program meeting detailed minimum requirements within 180 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for 10 years after issuance of this Order, Individual Respondent, for any Relevant Business that he is: 1) majority owner; or 2) employed or functions as a Chief Executive Officer or other senior officer with direct or indirect responsibility for information security, must within 180 days ensure that the business has established and implemented, and thereafter maintains, a comprehensive information security program (“Business ISP”) that protects the security, confidentiality, and integrity of Covered Information. To satisfy this requirement, Individual Respondent must ensure that each Relevant Business, at a minimum:\n\nA. Documents in writing the content, implementation, and maintenance of the Business ISP;\n\nB. Provides the written Business ISP and any evaluations thereof or updates thereto to any Relevant Business’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of the Relevant Business responsible for the Business ISP at least once every 12 months;\n\nC. Designates a qualified employee or employees to coordinate and be responsible for the Business ISP;\n\nD. Assesses and documents, at least once every 12 months, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in the (1) unauthorized collection, maintenance, alteration, use, disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, destruction, or other compromise of such information;\n\nE. Designs, implements, maintains, and documents safeguards that control for the internal and external risks to the security, confidentiality, or integrity of Covered Information identified in response to sub-Provision D of this provision entitled Mandated Information Security Program for Certain Businesses of the Individual Respondent. 
Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, use, disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nF. Assesses, at least once every 12 months, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Covered Information, and modify the Business ISP based on the results;\n\nG. Tests and monitors the effectiveness of the safeguards in place at least once every 12 months, and modifies the Business ISP based on the results. Such testing and monitoring must include: (1) vulnerability testing of the Relevant Business’s network and applications once every 4 months; and (2) penetration testing of the Relevant Business’s network(s) and applications at least once every 12 months;\n\nH. Selects and retains service providers capable of safeguarding Covered Information they access through or receive from the Relevant Business, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information; and\n\nI. Evaluates and adjusts the Business ISP in light of any changes to the Relevant Business’s operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in sub-Provision D of this provision entitled Mandated Information Security Program for Certain Businesses of the Individual Respondent, or any other circumstances that Individual Respondent or the Relevant Business know or have reason to know may have an impact on the effectiveness of the Business ISP or any of its individual safeguards. 
At a minimum, each Relevant Business must evaluate the Business ISP at least once every 12 months and modify the Business ISP based on the results.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "VIII",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Corporate Respondent must submit an annual certification to the Commission from its CEO (or designated senior officer) confirming compliance with the Order, absence of uncorrected material noncompliance, and describing all verified Covered Incidents during the certified period.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from Corporate Respondent’s Chief Executive Officer, James Cory Rellas, or if Mr. Rellas no longer serves as Corporate Respondent’s Chief Executive Officer, President, or such other officer (regardless of title) that is designated in Corporate Respondent’s Bylaws or resolution of the Board of Directors as having the duties of the principal executive officer of Corporate Respondent, then a senior corporate manager, or, if no such senior corporate manager exists, a senior officer responsible for Corporate Respondent’s Information Security Program that: (1) each Covered Business has established, implemented, and maintained the requirements of this Order; (2) each Covered Business is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents that Corporate Respondent verified or confirmed during the certified period. The certification must be based on the personal knowledge of Mr. Rellas, the senior corporate manager, senior officer, or subject matter experts upon whom Mr. Rellas, the senior corporate manager, or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Drizly, LLC and James Cory Rellas, FTC File No. 2023185.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "IX",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 10 days of notifying any U.S. government entity of a Covered Incident, each Covered Business must submit a detailed report to the Commission including the date, facts, types and number of consumers affected, remediation steps, and copies of consumer notices.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within 10 days of any notification to a United States federal, state, or local entity of a Covered Incident, each Covered Business must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known; C. A description of each type of information that was affected by the Covered Incident; D. The number of consumers whose information was affected by the Covered Incident; E. The acts that each Covered Business has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of each materially different notice sent by each Covered Business to consumers or to any U.S. federal, state, or local government entity regarding the Covered Incident.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Drizly, LLC and James Cory Rellas, FTC File No. 2023185.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "X",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Each Respondent must acknowledge receipt of the Order within 10 days, deliver copies of the Order to all relevant principals, officers, and employees within 10 days (and to future personnel before they assume responsibilities), and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Each Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 10 years after the issuance date of this Order, Individual Respondent for any business that such Respondent, individually or collectively with any other Respondent is the majority owner or controls, directly or indirectly, and Corporate Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives with managerial responsibilities for a Covered Business’ data security, collection of consumer information, and decision-making about the use of consumer information; (3) the employee(s) having primary responsibility for a Relevant Business’ data security, collection of consumer information, and decision-making about the use of consumer information; and (4) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondents delivered a copy of this Order, Respondents must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "XI",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Each Respondent must submit an initial compliance report one year after issuance, provide timely notices of any material changes (within 14 days), and notify the Commission of any bankruptcy filings within 14 days, with all submissions made under penalty of perjury.",
      "verbatim_text": "A. One year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Each Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of that Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales, and the involvement of any other Respondent (which Individual Respondent must describe if they know or should know due to their own involvement); (d) describe in detail whether and how that Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\n2. Additionally, Individual Respondent must: (a) identify all their telephone numbers and all their physical, postal, email and Internet addresses, including all residences; (b) identify all their business activities, including any business for which such Respondent performs services whether as an employee or otherwise and any entity in which such Respondent has any ownership interest; (c) describe in detail such Respondent’s involvement in each such business activity, including title, role, responsibilities, participation, authority, control, and any ownership; and (d) explain whether or not any business identified in sub-part (b) is a Relevant Business.\n\nB. Each Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: 1. 
Each Respondent must submit notice of any change in: (a) any designated point of contact; or (b) the structure of Corporate Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order. 2. Additionally, Individual Respondent must submit notice of any change in: (a) name, including alias or fictitious name, or residence address; or (b) title or role in any business activity, including (i) any business for which Respondent performs services whether as an employee or otherwise and (ii) any entity in which Respondent has any ownership interest and over which Respondent has direct or indirect control. For each such business, also identify its name, physical address, any Internet address, and whether or not it is a Relevant Business.\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. 
The subject line must begin: In re Drizly, LLC and James Cory Rellas, FTC File No. 2023185.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "XII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create records for 20 years and retain them for 5 years (unless otherwise specified), covering accounting records, personnel records, consumer complaints, advertising materials, privacy representations, Assessment materials, law enforcement communications, noncompliance records, and all records necessary to demonstrate full compliance.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name, addresses, telephone numbers, job title or position, dates of service, and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints related to information security, privacy, or identity theft whether received directly or indirectly by Corporate Respondent, such as through a third party, and any response;\n\nD. A copy of each unique advertisement or other marketing material of Corporate Respondent containing a representation subject to this Order;\n\nE. A copy of each widely disseminated and materially different representation by Corporate Respondent that describes the extent to which Corporate Respondent maintains or protects the privacy, security, availability, confidentiality, or integrity of any Covered Information, including any representation concerning a change in any website or other service controlled by Corporate Respondent that relates to privacy, security, availability, confidentiality, or integrity of Covered Information;\n\nF. For 5 years after the date of preparation of each Assessment required by this Order, all materials and evidence that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondents’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nG. 
For 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondents’ compliance with this Order;\n\nH. For 5 years from the date created or received, all records, whether prepared by or on behalf of Respondents, that tend to show any lack of compliance by Respondents with this Order; and\n\nI. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "XIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondents' compliance by requesting additional reports and records within 10 days, communicating directly with and interviewing affiliated persons, and using any other lawful means including undercover methods.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondents must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondents. Respondents must permit representatives of the Commission to interview anyone affiliated with Respondents who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "XIV",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "This Order is effective upon publication on the FTC's website and terminates 20 years from its issuance date, or 20 years from the most recent date the Commission files a complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance, (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondents did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.23_drizly",
      "company_name": "DRIZLY, LLC",
      "date_issued": "2023-01-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter",
      "docket_number": "C-4780"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, expressly or by implication, its privacy and security measures, program memberships, user privacy choices, deletion/retention practices, or the extent to which it protects Personal Information.",
      "verbatim_text": "IT IS ORDERED that Respondent, Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication: A. Respondent’s privacy and security measures to prevent unauthorized access to Personal Information;\n\nB. The extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization;\n\nC. Respondent’s privacy and security measures to honor the privacy choices exercised by users;\n\nD. Respondent’s information deletion and retention practices; and\n\nE. The extent to which Respondent otherwise protects the privacy, security, availability, confidentiality, or integrity of Personal Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "II",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
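      "summary": "Respondent, and any business it controls that handles Personal Information, must establish, implement, and maintain a comprehensive information security program within 60 days of order issuance. Minimum requirements cover written documentation, annual and post-incident risk assessment, specified technical safeguards (network monitoring, web application code review, data minimization, encryption of Social Security numbers, database access controls, device inventory and patching, multi-factor authentication in place of security questions, and employee training), vulnerability and penetration testing, and service provider oversight.",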
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, and any business that Respondent controls directly, or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Personal Information, must, within sixty (60) days of issuance of this order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the privacy, security, confidentiality, and integrity of such Personal Information. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for Respondent’s Information Security Program at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, internal and external risks to the privacy, security, confidentiality, or integrity of Personal Information that could result in the (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Personal Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Respondent identifies to the privacy, security, confidentiality, or integrity of Personal Information identified in response to sub-Provision II.D. 
Each safeguard must be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Personal Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information. Such safeguards must also include: 1. Technical measures to monitor all of Respondent’s networks and all systems and assets within those networks to identify data security events, including unauthorized attempts to exfiltrate Personal Information from those networks; 2. Policies and procedures to ensure that all code for web applications is reviewed for the existence of common vulnerabilities; 3. Policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures; 4. Encryption of all Social Security numbers on Respondent’s computer networks; 5. Data access controls for all databases storing Personal Information, including by, at a minimum, (a) restricting inbound connections to approved IP addresses, (b) requiring authentication to access them, and (c) limiting employee access to what is needed to perform that employee’s job function; 6. Policies and procedures to ensure that all devices on Respondent’s network with access to Personal Information are securely installed and inventoried at least once every twelve (12) months, including policies and procedures to timely remediate critical and high-risk security vulnerabilities and apply up-to-date security patches; 7. Replacing authentication measures based on the use of security questions and answers to access accounts with multi-factor authentication methods that use a secure authentication protocol, such as cryptographic software or devices, mobile authenticator applications, or allowing the use of security keys; and 8. 
Training of all of Respondent’s employees, at least once every twelve (12) months, on how to safeguard Personal Information;\n\nF. Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the privacy, security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and promptly (not to exceed 30 days) following a Covered Incident, and modify the Information Security Program based on the results. Such testing and monitoring must include vulnerability testing of Respondent’s network(s) once every four months and promptly (not to exceed 30 days) after a Covered Incident, and penetration testing of Respondent’s network(s) at least once every twelve (12) months and promptly (not to exceed 30 days) after a Covered Incident;\n\nH. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Respondent, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the privacy, security, confidentiality, or integrity of Personal Information;\n\nI. Consult with, and seek appropriate guidance from, independent, third-party experts on data protection and privacy in the course of establishing, implementing, maintaining, and updating the Information Security Program; and\n\nJ. 
Evaluate and adjust the Information Security Program in light of any changes to Respondent’s operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in Provision II.D of this Order, or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "III",
      "title": "Independent Program Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party assessments of its Information Security Program, using qualified independent assessors approved by the FTC, covering specified reporting periods and content requirements, and submit results to the Commission.",
      "verbatim_text": "A. The Assessments must be obtained from one or more qualified, objective, independent third-party professionals (“Assessors”), who: (1) use procedures and standards generally accepted in the profession; (2) conduct an independent review of the Information Security Program; (3) retain all documents relevant to each Assessment for five (5) years after completion of such Assessment, and (4) will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim. Respondent may obtain separate assessments for (1) privacy and (2) information security from multiple Assessors, so long as each of the Assessors meet the qualifications set forth above.\n\nB. For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in her or his sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.\n\nD. 
Each Assessment must, for the entire assessment period: (1) determine whether Respondent has implemented and maintained the Information Security Program required by Provision II of this Order, titled Mandated Information Security Program; (2) assess the effectiveness of Respondent’s implementation and maintenance of sub-Provisions II.A-J; (3) identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; (4) address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and (5) identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondent’s management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Respondent revises, updates, or adds one or more safeguards required under Provision II of this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. 
Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit an unredacted copy of the initial Assessment and a proposed redacted copy suitable for public disclosure of the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re CafePress, FTC Docket No. C-4768.” Respondent must retain an unredacted copy of each subsequent biennial Assessment as well as a proposed redacted copy of each subsequent biennial Assessment suitable for public disclosure until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "IV",
      "title": "Cooperation with Third Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondent must fully cooperate with the third-party Assessor by providing all relevant information, network and IT asset visibility, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.\n\nB. Provide or otherwise make available to the Assessor information about Respondent’s network(s) and all of Respondent’s IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s) and IT assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondent has implemented and maintained the Information Security Program required by Provision II of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions II.A-J; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "V",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondent must annually provide the FTC with a sworn certification from a senior corporate manager or officer confirming compliance with the Order, disclosing any material noncompliance, and describing all Covered Incidents during the period.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Information Security Program that: (1) Respondent has established, implemented, and maintained the requirements of this Order; (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents during the certified period. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re CafePress, FTC Docket No. C-4768.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "VI",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a report to the FTC within 30 days of discovering a Covered Incident, including details about the incident's date, causes, affected information types, number of consumers affected, remediation steps, and copies of consumer notices.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within thirty (30) days after Respondent’s discovery of a Covered Incident, must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of information that triggered any notification obligation to the U.S. federal, state, or local government entity; D. The number of consumers whose information triggered any notification obligation to the U.S. federal, state, or local government entity; E. The acts that Respondent has taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of any materially different notice sent by Respondent to consumers or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re CafePress, FTC Docket No. C-4768.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "VII",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "Respondent must pay $500,000 to the Commission within 8 days of the effective date of the Order via electronic fund transfer.",
      "verbatim_text": "A. Respondent must pay to the Commission $500,000 which Respondent stipulates their undersigned counsel holds in escrow for no purpose other than payment to the Commission.\n\nB. Such payment must be made within 8 days of the effective date of this Order by electronic fund transfer in accordance with instructions provided by a representative of the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "VIII",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Respondent relinquishes all rights to transferred assets, the Complaint facts are deemed true in any subsequent enforcement litigation, paid funds may be used for consumer redress or related relief, and interest and penalties accrue on default.",
      "verbatim_text": "A. Respondent relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission to enforce its rights to any payment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by or on behalf of the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other relief (including consumer information remedies) as it determines to be reasonably related to Respondent’s practices alleged in the Complaint. Any money not used is to be deposited to the U.S. Treasury. Respondent has no right to challenge any activities pursuant to this Provision.\n\nE. In the event of default on any obligation to make payment under this Order, interest, computed as if pursuant to 28 U.S.C. § 1961(a), shall accrue from the date of default to the date of payment. In the event such default continues for 10 days beyond the date that payment is due, the entire amount will immediately become due and payable.\n\nF. 
Each day of nonpayment is a violation through continuing failure to obey or neglect to obey a final order of the Commission and thus will be deemed a separate offense and violation for which a civil penalty shall accrue.\n\nG. Respondent acknowledges that its Taxpayer Identification Numbers, which Respondent has previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "IX",
      "title": "Customer Information",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide sufficient customer information to enable the Commission to administer consumer redress to shopkeepers who did not receive payable commissions, and must respond to written information requests within 14 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must directly or indirectly provide sufficient customer information to enable the Commission to efficiently administer consumer redress to shopkeepers who did not receive payable commissions because they closed their account. If a representative of the Commission requests in writing any information related to redress, Respondent must provide it, in the form prescribed by the Commission representative, within 14 days.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "X",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of the Order within 10 days, deliver copies to all key personnel and future personnel before they assume responsibilities, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 10 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives with managerial or professional responsibilities for conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "XI",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an annual compliance report sworn under penalty of perjury one year after issuance, and provide timely notices of changes in contact information, corporate structure, or bankruptcy filings; all submissions must follow specified format and delivery instructions.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in: (a) any designated point of contact; or (b) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re CafePress, LLC, FTC Docket No. C-4768.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "XII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 20 years after order issuance and retain each for 5 years, covering accounting, personnel, consumer complaints, advertising, privacy representations, assessment materials, law enforcement communications, and noncompliance records.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for 20 years after the issuance date of the Order, and retain each such record for 5 years. Specifically, Respondent, in connection with any conduct related to the subject matter of the Order, must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each unique advertisement or other marketing material making a representation subject to this Order;\n\nE. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security and confidentiality of any Personal Information, including any representation concerning a change in any website or other service controlled by Respondent that relates to the privacy, security, and confidentiality of Personal Information.\n\nF. For 5 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment.\n\nG. 
For 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such subpoena or other communication relate to Respondent’s compliance with this Order.\n\nH. For 5 years from the date created or received, all records, whether prepared by or on behalf of Respondent, that demonstrate non-compliance or tend to show any lack of compliance by Respondent with this Order.\n\nI. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "XIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC has broad authority to monitor Respondent's compliance, including requesting additional reports within 10 days, directly communicating with and interviewing Respondent's personnel, and using undercover means without prior notice.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "XIV",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates 20 years from issuance or 20 years from the most recent federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such Page 12 of 13 complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.24_cafepress",
      "company_name": "Residual Pumpkin Entity, LLC",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter",
      "docket_number": "C-4768"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Billing Without Express, Informed Consent",
      "category": "prohibition",
      "summary": "Respondent is prohibited from billing an Account Holder for any Charge without first obtaining Express, Informed Consent. If Respondent obtains consent for future charges, it must provide a simple mechanism to revoke that consent at any time.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, and employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are restrained and enjoined for the term of this Order from billing an Account Holder for any Charge without having obtained Express, Informed Consent for the Charge. If Respondent seeks and obtains Express, Informed Consent to billing\n\nConsent for the Charge. If Respondent seeks and obtains Express, Informed Consent to billing potential future Charges (other than future royalty payments owed by the user based on revenue the user derives from use of an Application), Respondent must provide the Account Holder with a simple mechanism to revoke consent at any time. Such mechanism must not be difficult, costly, confusing, or time consuming, and must be at least as simple as the mechanism the consumer used to initiate the Charge(s).",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Denying Account Access for Disputing Charges",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from denying, temporarily or permanently, a consumer's access to or use of their account — including any paid-for goods or services — for reasons that include the consumer's dispute of a Charge.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promoting, offering for sale, or selling of any goods or services, are permanently restrained and enjoined from denying, temporarily or permanently, a consumer’s access to or use of his or her account, including any paid-for goods or services, for reasons that include the consumer’s dispute of a Charge.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "III",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "Respondent must pay $245,000,000 to the Commission within 8 days of the effective date of this Order by electronic fund transfer.",
      "verbatim_text": "A. Respondent must pay to the Commission $245,000,000, which its undersigned counsel holds in escrow for no purpose other than payment to the Commission.\n\nB. Such payment must be made within 8 days of the effective date of this Order by electronic fund transfer in accordance with instructions provided by a representative of the Commission.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "IV",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Respondent relinquishes all rights to assets transferred under this Order; complaint facts are taken as true in subsequent litigation; money paid may be used for consumer redress; interest accrues on default; daily nonpayment constitutes a separate violation; and Respondent's Taxpayer ID may be used for collecting delinquent amounts.",
      "verbatim_text": "A. Respondent relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission to enforce its rights to any payment pursuant to this Order, such as a nondischargeability complaint in any 4 bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by or on behalf of the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other relief (including consumer information remedies) as it determines to be reasonably related to Respondent’s practices alleged in the Complaint. Any money not used is to be deposited to the U.S. Treasury. Respondent has no right to challenge any activities pursuant to this Provision.\n\nE. In the event of default on any obligation to make payment under this Order, interest, computed as if pursuant to 28 U.S.C. § 1961(a), shall accrue from the date of default to the date of payment. In the event such default continues for 10 days beyond the date that payment is due, the entire amount will immediately become due and payable.\n\nF. 
Each day of nonpayment is a violation through continuing failure to obey or neglect to obey a final order of the Commission and thus will be deemed a separate offense and violation for which a civil penalty shall accrue.\n\nG. Respondent acknowledges that its Taxpayer Identification Number (Social Security or Employer Identification Number), which Respondent has previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "V",
      "title": "Customer Information",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide sufficient customer information to enable the Commission to administer consumer redress, and must respond to any written Commission request for redress-related information within 14 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must directly or indirectly provide sufficient customer information to enable the Commission to efficiently administer consumer redress to Account Holders to whom Respondent billed a Charge without Express, Informed Consent, and Account Holders whom Respondent denied access to paid-for goods or services for disputing\n\nany Charge. If a representative of the Commission requests in writing any information related to redress, Respondent must provide it, in the form prescribed by the Commission representative, within 14 days.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "VI",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt of the Order within 10 days, deliver copies to key personnel within 10 days, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur within 10 days of when they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn compliance report one year after issuance, provide sworn compliance notices within 14 days of certain structural or contact changes for 10 years, and notify the Commission within 14 days of any bankruptcy filing.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, purchase flows, billing practices; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all material changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For 10 years after the issuance date of this Order, Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: 1. Respondent must submit notice of any change in: (a) any designated point of contact; or (b) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Epic Games, Inc., [C or D docket number].",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified records for 10 years (with 5-year retention), including accounting records, personnel records, consumer complaints, research/testing records, law enforcement communications, custodial records, and all compliance-related records.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for 10 years and retain each such record for 5 years. Specifically, Respondent, for any business that Respondent is a majority owner or controls directly or indirectly, must create and retain the following records: A. accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. copies or records of all consumer complaints and refund requests concerning the subject matter of the Order, whether received directly or through any domestic government regulatory authority;\n\nD. records of any market, behavioral, or psychological research, or user or customer testing performed by or at the direction of Respondent, including any A/B or multivariate testing, copy testing, surveys, focus groups, customer interviews, clickstream analysis, eye or mouse tracking studies, heat maps, or session replays or recordings;\n\nE. for 5 years from the date received, copies of all subpoenas and other communications with domestic law enforcement, if such communication relate to Respondent’s compliance with this Order;\n\nF. for 5 years from the date created or received, all custodial records for individuals with managerial responsibility for digital purchasing and user interface; and\n\nG. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondent's compliance by requiring additional reports and records within 10 days of written request, communicating directly with and interviewing Respondent's personnel, and using all other lawful means including undercover investigation.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "X",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "This Order is effective upon publication on the FTC's website and terminates 20 years from the date of issuance, or 20 years from the most recent date a complaint alleging a violation of this Order is filed in federal court, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; and B. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.24_epic_games",
      "company_name": "Epic Games, Inc.",
      "date_issued": "2024-01-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter",
      "docket_number": "C-4790"
    },
    {
      "provision_number": "I",
      "title": "Prohibited Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent and all persons acting with it must not make any express or implied misrepresentations about the accuracy, efficacy, comparative bias performance, or liveness detection of its Facial Recognition Technology.",
      "verbatim_text": "IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with advertising, promotion, offering for sale, sale or distribution of Facial Recognition Technology, must not make any misrepresentation, expressly or by implication: a. About the accuracy or efficacy of its Facial Recognition Technology;\n\nb. About the comparative performance of its Facial Recognition Technology with respect to individuals of different genders, ethnicities, and skin tones, or reducing or eliminating differential performance based on such factors; or\n\nc. About the accuracy or efficacy of its Facial Recognition Technology with respect to detecting spoofing or otherwise determining Liveness.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.25_intellivision",
      "company_name": "IntelliVision Technologies Corp.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter",
      "docket_number": "C-4809"
    },
    {
      "provision_number": "II",
      "title": "Prohibition on Unsubstantiated Accuracy and Bias Claims",
      "category": "prohibition",
      "summary": "Respondent must not make any representation about the effectiveness, accuracy, lack of bias, or spoofing detection of its Facial Recognition Technology unless it possesses and relies upon competent and reliable testing that substantiates the claim at the time it is made.",
      "verbatim_text": "A. Possess and rely upon competent and reliable testing of the Facial Recognition Technology. For the purposes of this Order, competent and reliable testing shall mean testing that is based on the expertise of professionals in the relevant area, and that (1) has been conducted and evaluated in an objective manner by qualified persons and (2) is generally accepted by experts in the profession to yield accurate and reliable results; and\n\nB. Document all such testing including: the dates and results of all tests; the method and methodology used; the source and number of images used; the source and number of different people in the images; whether such testing includes Liveness tests; any technique(s) used to modify the images to create different angles, different lighting conditions or other modifications; demographic information collected on images used in testing if applicable; information about the skin tone collected on images used in testing if applicable; and any information that supports, explains, qualifies, calls into question or contradicts the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.25_intellivision",
      "company_name": "IntelliVision Technologies Corp.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter",
      "docket_number": "C-4809"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgements of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt to the FTC, deliver copies of the Order to principals, officers, employees, and agents, and collect signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after the issuance date of this Order, Respondent for any business that such Respondent is the majority owner or controls directly or indirectly must deliver a copy of 3 this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.25_intellivision",
      "company_name": "IntelliVision Technologies Corp.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter",
      "docket_number": "C-4809"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file a sworn annual compliance report one year after issuance, and submit timely notices within 14 days of changes to contact information, corporate structure, or bankruptcy filings; all submissions must be sworn under penalty of perjury and sent to the designated FTC address.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nD. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re IntelliVision Technologies Corp.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.25_intellivision",
      "company_name": "IntelliVision Technologies Corp.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter",
      "docket_number": "C-4809"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified records for 15 years after issuance (retaining each for 5 years), covering financials, personnel, consumer complaints, compliance documentation, marketing materials, testing records, law enforcement communications, and evidence of non-compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for 15 years after the issuance date of the Order, and retain each such record for 5 years. Specifically, Respondent must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints and refund requests related to any representation covered by this Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission;\n\nE. A copy of each unique advertisement or other marketing material making a representation subject to this Order;\n\nF. Records and documentation of all testing performed or retained pursuant to Part II of this Order. Provided however, that if Respondent possesses and relies on competent and reliable third-party testing, in whole or in part, to comply with Part II of this Order and Respondent is unable through reasonable means to obtain and retain all of the documentation required under Part II.B, Respondent shall retain all reasonably available information;\n\nG. For 5 years from the date of the last dissemination of any representation covered by this Order: 1. all materials that were relied upon in making the representation; and 2. 
all tests, studies, analysis, demonstrations, other research or other such evidence in Respondent’s possession, custody, or control that contradicts, qualifies, or otherwise calls into question the representation, or the basis relied upon for the representation, including complaints and other communications with consumers or with governmental or consumer protection organizations;\n\nH. For 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondent’s compliance with this Order; and\n\nI. For 5 years from the date created or received, all records, whether prepared by or on behalf of Respondent, that demonstrate non-compliance or tend to show any lack of compliance by Respondent with this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.25_intellivision",
      "company_name": "IntelliVision Technologies Corp.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter",
      "docket_number": "C-4809"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondent's compliance by requesting additional reports and records within 10 days, communicating directly with and interviewing affiliated personnel, and using all other lawful means including undercover inquiries.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.25_intellivision",
      "company_name": "IntelliVision Technologies Corp.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter",
      "docket_number": "C-4809"
    },
    {
      "provision_number": "VII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC website and terminates 20 years from its issuance date, or 20 years from the most recent date the Commission files a complaint alleging a violation — whichever is later — subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.25_intellivision",
      "company_name": "IntelliVision Technologies Corp.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter",
      "docket_number": "C-4809"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner the extent to which it collects, uses, maintains, discloses, or deletes Covered Information, or the extent to which Location Data is Deidentified.",
      "verbatim_text": "IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, promotion, offering for sale, sale, or distribution any product or service, must not misrepresent in any manner, expressly or by implication: A. The extent to which Respondent collects, uses, maintains, discloses, or deletes any Covered Information; and\n\nB. The extent to which Location Data that Respondent collects, uses, maintains, or discloses is Deidentified.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "II",
      "title": "Prohibition on Collection and Retention of Covered Information from Advertising Auctions",
      "category": "prohibition",
      "summary": "Respondent must not collect, purchase, acquire, or retain Covered Information accessed while participating in online advertising auctions for any purpose other than participating in those auctions.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, whether acting directly or indirectly, must not collect, purchase, or otherwise acquire or retain Covered Information that Respondent accesses while participating in online advertising auctions for any other purpose than participating in such auctions.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "III",
      "title": "Prohibition on the Use, Sale, or Disclosure of Sensitive Location Data",
      "category": "prohibition",
      "summary": "Respondent must not sell, license, share, disclose, transfer, or otherwise use in any products or services Sensitive Location Data associated with identified Sensitive Locations, with an exception for converting such data into non-Sensitive Location Data.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, whether acting directly or indirectly, must not sell, license, share, disclose, transfer, or otherwise use in any products or services Sensitive Location Data associated with the Sensitive Locations that Respondent has identified within 180 days of this Order as part of the Sensitive Location Data Program established and maintained pursuant to Provision IV below.\n\nProvided, however, that the prohibitions in this Provision III do not apply if Respondent uses Sensitive Location Data to Convert such data into data that (a) is not Sensitive Location Data or (b) is not Location Data.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "IV",
      "title": "Sensitive Location Data Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a Sensitive Location Data Program within 180 days, including developing a comprehensive list of Sensitive Locations and implementing policies to prevent prohibited use of Sensitive Location Data.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within 180 days of the issuance of this Order, must establish and implement, and thereafter maintain, a Sensitive Location Data Program (a) that develops a comprehensive list of Sensitive Locations using methods, sources, products or services developed by Respondent or offered by third parties and (b) that is designed to prevent the use, sale, licensing, transfer, or disclosure of Sensitive Location Data as provided in Provision III above. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the components of the Sensitive Location Data Program as well as the plan for implementing and maintaining the Sensitive Location Data Program;\n\nB. Identify a senior officer, such as a Chief Privacy Officer or Chief Compliance Officer, to be responsible for the Sensitive Location Data Program. The senior officer will be approved by and report directly to the board of directors or a committee thereof or, if no such board or equivalent body exists, to the principal executive officer of Respondent;\n\nC. Provide the written program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent body exists, to the principal executive officer of Respondent at least every twelve months;\n\nD. Develop and implement procedures to identify Sensitive Locations using methods, sources, products or services developed by Respondent or offered by third parties designed to be used by Respondent in preventing the sale, license, transfer, use, or other sharing or disclosure of Sensitive Location Data as provided in Provision III above. If a building or place is identified as including both a Sensitive Location and a non-Sensitive Location, Respondent may associate Location Data with the non-Sensitive Location only;\n\nE. 
Assess, update, and document, at least once every six months, the accuracy and completeness of Respondent’s list of Sensitive Locations. Such assessments must include: 1. Verifying that Respondent’s list includes Sensitive Locations known to Respondent; 2. Identifying and assessing methods, sources, products, and services developed by Respondent or offered by third parties that identify Sensitive Locations; 3. Updating its list of Sensitive Locations by selecting and using the methods, sources, products, or services developed by Respondent or offered by third parties that are accurate and comprehensive in identifying Sensitive Locations; and 4. Documenting each step of this assessment, including the reasons Respondent selected the methods, sources, products, or services used in updating Respondent’s list of Sensitive Locations.\n\nF. Implement policies, procedures, and technical measures designed to prevent Respondent from using, selling, licensing, transferring, or otherwise sharing or disclosing Sensitive Location Data as provided in Provision III and monitor and test the effectiveness of these policies, procedures, and technical measures at least once every six months. Such testing must be designed to verify that Respondent is not using, selling, licensing, transferring, or otherwise sharing or disclosing Sensitive Location Data except as provided in Provision III above.\n\nG. Initiate the process of deleting or rendering non-sensitive Sensitive Location Data associated with locations included in the list developed pursuant to Provision IV.D within 7 days of adding the location to the list of Sensitive Locations, except where retention is needed to fulfill an allowed purpose as provided in Provision III above; and\n\nH. 
Evaluate and adjust the Sensitive Location Data Program in light of any changes to Respondent’s operations or business arrangements, or any other circumstance that Respondent knows or has reason to know may have an impact on the Sensitive Location Data Program’s effectiveness. At a minimum, Respondent must evaluate the Sensitive Location Data Program every twelve months and implement modifications based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "V",
      "title": "Prohibition on the Sale, Licensing, or Disclosure of Private Residence Data",
      "category": "prohibition",
      "summary": "Respondent must not sell, license, or disclose Location Data that may determine the identity or location of an individual's private residence.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must not sell, license, or disclose Location Data that may determine the identity or the location of an individual’s private residence (e.g., single family homes, apartments, condominiums, townhomes).",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "VI",
      "title": "Supplier Assessment Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must implement a Supplier Assessment Program within 90 days to ensure consumers have consented to the collection and use of Location Data obtained from suppliers.",
      "verbatim_text": "IT IS FURTHER ORDERED that that Respondent, within 90 days of the effective date of this Order, must implement a program designed to ensure that consumers have provided consent for the collection and use of Location Data obtained by Respondent, including by implementing and maintaining a Supplier Assessment Program. In connection with the Supplier Assessment Program, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Supplier Assessment Program;\n\nB. Conduct an initial assessment within 30 days of a Supplier entering into data-sharing agreements with Respondent (or, for parties with existing data-sharing agreements, within 60 days of the effective date of this Order), and thereafter annually, designed to confirm that consumers provide Affirmative Express Consent if feasible, or to confirm that consumers specifically consent to the collection, use, and sharing of their Location Data;\n\nC. Create and maintain records of the Supplier’s responses obtained by Respondent as provided in Provision VI.B above; and\n\nD. Cease using, selling, licensing, transferring, or otherwise sharing or disclosing Location Data for which consumers have not provided consent, as provided in Provision VI.B above.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "VII",
      "title": "Disclosures to Consumers",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide consumers with a clear and conspicuous means to request the identity of any entity to whom their Location Data has been sold, transferred, licensed, or disclosed in the past year.",
      "verbatim_text": "A. Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must provide a Clear and Conspicuous means for consumers to request the identity of any entity, business, or individual to whom Respondent has sold, transferred, licensed, or otherwise disclosed their Location Data during the one year period preceding the request.\n\nB. Respondent may require consumers to provide Respondent with information reasonably necessary to complete such requests and to verify their identity, but must not use, provide access to, or disclose any information collected for such a request for any other purpose.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "VIII",
      "title": "Withholding and Withdrawing Consent",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide consumers with a simple, easily-located means to withdraw consent for Location Data collection, and must not unreasonably limit consumers' ability to withhold or withdraw consent.",
      "verbatim_text": "A. Provide a simple, easily-located means for consumers to withdraw any consent provided in accordance with Provision VI.B (including Affirmative Express Consent) provided to Respondent in connection with Location Data that is no more burdensome than the means by which the consumer provided consent. Such means may include a Clear and Conspicuous notice or link to an applicable website, operating system, device, or app permission or setting; and\n\nB. Not unreasonably limit a consumer’s ability to withhold or withdraw any consent provided in accordance with Provision VI.B (including Affirmative Express Consent) in connection with Location Data, such as by degrading the quality or functionality of a product or service as a penalty for withholding or withdrawing such consent, unless the collection and use of Location Data is technically necessary to provide the quality or functionality of the product or service without such degradation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "IX",
      "title": "Obligations When Consent is Withdrawn",
      "category": "affirmative_obligation",
      "summary": "When a consumer withdraws consent, Respondent must delete all associated Location Data within 30 days and immediately cease further collection or use, subject to limited exceptions for security, archived data, and legal holds.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must delete all Location Data associated with a consumer or device within 30 days after Respondent receives notice that the consumer withdraws their consent using the means that Respondent provided under Provision VIII.A and immediately cease further collection or use of Location Data associated with that consumer or device, unless the consumer subsequently provides consent in accordance with Provision VI.B (including Affirmative Express Consent).\n\ni. to prevent, detect, or investigate data security incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity directed at Respondent, for the shortest time reasonably necessary to fulfill this purpose, but Respondent must not use, provide access to, or disclose such Location Data retained for security and anti-fraud purposes, for any other purpose;\n\nii. if it is stored in Respondent’s backups or archives that are not readily accessible (“Archived Location Data”), provided that (a) Respondent does not use, provide access to, or disclose Archived Location Data, (b) Archived Location Data is deleted in accordance with the data retention limits in Provision XI, and (c) Respondent deletes Archived Location Data pursuant to Provision IX if Respondent uses or provides access to Archived Location Data; or\n\niii. if Respondent is required to retain such Location Data to the extent requested by a government agency in a formal preservation letter that identifies the data to be preserved, or required by compulsory process, or otherwise required by law, regulation, or court order, and Respondent does not use such retained Location Data for any other purpose.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "X",
      "title": "Location Data Deletion Requests",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide consumers with a clear and conspicuous means to request deletion of their Location Data and must create a process for Suppliers to notify Respondent of consumer deletion requests.",
      "verbatim_text": "A. Provide a Clear and Conspicuous means for consumers to request deletion of their device’s Location Data held, stored, or under the control of Respondent. Respondent may require consumers to provide Respondent with any information necessary to complete such requests, but must not use, provide access to, or disclose any information collected for a deletion request for any other purpose, provided, however, that such Location Data may be retained:\n\ni. to prevent, detect, or investigate data security incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity directed at the Respondent, for the shortest time reasonably necessary to fulfill this purpose, but Respondent must not use, provide access to, or disclose such Location Data retained for security and anti-fraud purposes, for any other purpose; or\n\nii. if it is stored in Respondent’s backups or archives that are not readily accessible (“Archived Location Data”), provided that (a) Respondent does not use, provide access to, or disclose Archived Location Data, (b) Archived Location Data is deleted in accordance with the data retention limits in Provision XI, and (c) Respondent deletes Archived Location Data pursuant to Provision X if Respondent uses or provides access to Archived Location Data; or\n\niii. if Respondent is required to retain such Location Data to the extent requested by a government agency in a formal preservation letter that identifies the data to be preserved, or required by compulsory process, or otherwise required by law, regulation, or court order, and Respondent does not use such retained Location Data for any other purpose.\n\nB. Create and maintain a process by which Respondent’s Suppliers may provide Respondent with notice of consumers’ deletion requests.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "XI",
      "title": "Data Retention Limits",
      "category": "affirmative_obligation",
      "summary": "Respondent must document and publicly publish a retention schedule for Covered Information within 60 days, setting forth purposes, business needs, and defined deletion timeframes, and must update the schedule before collecting new types of Covered Information.",
      "verbatim_text": "A. Within 60 days of effective date of this Order, document, adhere to, and make publicly available through a link on the home page of their website(s), in a manner that is Clear and Conspicuous, a retention schedule for Covered Information, setting forth: (1) the purpose or purposes for which each type of Covered Information is collected or used; (2) the specific business needs for retaining each type of Covered Information; and (3) an established timeframe for deletion of each type of Covered Information limited to the time reasonably necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information;\n\nB. Within 60 days of the effective date of this Order, Respondent shall provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, describing the retention schedule for Covered Information made publicly available on its website(s); and\n\nC. Prior to collecting or using any new type of Covered Information related to consumers that was not being collected as of the issuance date of this Order, and is not described in retention schedules published in accordance with sub-Provision A of this Provision, Respondent must update its retention schedule setting forth: (1) the purpose or purposes for which the new information is collected; (2) the specific business needs for retaining the new information; and (3)a set timeframe for deletion of the new information that precludes indefinite retention.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "XII",
      "title": "Deletion",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete all Historic Location Data, consumer phone numbers, and Data Products within specified timeframes, and must notify customers who received Historic Location Data of the deletion requirement.",
      "verbatim_text": "A. Within 90 days after the effective date of this Order, delete or destroy all Historic Location Data and consumers’ unhashed and hashed phone numbers, and provide a written statement to the Commission, pursuant to Provision XV, confirming that all such information has been deleted or destroyed;\n\nB. Within 120 days after the effective date of this Order, delete or destroy all Data Products, and provide a written statement to the Commission, pursuant to Provision XV, confirming such deletion or destruction; and\n\nC. Within 90 days after the effective date of this Order, (i) inform Respondent’s customers that received Historic Location Data within 3 years prior to the issuance date of this Order, of the FTC’s requirement in Provisions XII.A and XII.B that the FTC requires such data to be deleted, Deidentified, or rendered non-sensitive, unless such customer has obtained records in accordance with Provision VI.B showing that the relevant consumer consented to the collection, use, and sharing of their Historic Location Data, and (ii) Respondent shall promptly submit, within 10 days of sending to its customers, all such notices to the Commission under penalty of perjury as specified in the Provision of this Order titled “Compliance Report and Notices.”\n\nProvided however, Respondent shall not be required to comply with Provisions XII.A. and XII.B., if: 1. within 90 days of the effective date of this Order, a. Respondent has obtained records in accordance with Provision VI.B showing that consumers consented to the collection, use, and sharing of their Historic Location Data; or b. the Historic Location Data is Deidentified or rendered non-sensitive in accordance with Provision III above, and provided that Historic Location Data is subject to the obligations in Provision IV above; or\n\n2. 
the Historic Location Data is retained to prevent, detect, or investigate data security incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity directed at the Respondent, for the shortest time reasonably necessary to fulfill this purpose, but Respondent must not use, provide access to, or disclose such Historic Location Data retained for security and anti-fraud purposes, for any other purpose; or\n\n3. if Respondent is required to retain such Historic Location Data to the extent requested by a government agency in a formal preservation letter that identifies the data to be preserved, or required by compulsory process, or otherwise required by law, regulation, or court order and Respondent does not use such retained Historic Location Data for any other purpose.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "XIII",
      "title": "Mandated Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive privacy program within 60 days covering risk assessment, safeguards, employee training, and ongoing evaluation for all Covered Information.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, for any business that Respondent controls directly or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must establish and implement, and thereafter maintain, a comprehensive privacy program (the “Program”) that protects the privacy of such Covered Information. Respondent must comply with this provision within 60 days of effective date of this Order. To satisfy this requirement, Respondent must at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Program;\n\nB. Provide the written Program and any evaluations thereof or updates thereto to Respondent’s board of directors or, if no such board or equivalent governing body exists, to a senior officer of the Respondent responsible for the Program at least once every twelve months;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Program;\n\nD. Assess and document, at least every 12 months, internal and external risks to the privacy of Covered Information that could result in the unauthorized collection, maintenance, use, disclosure, alteration, destruction of, or provision of access to Covered Information;\n\nE. Design, implement, maintain, and document safeguards that control for the material internal and external risks Respondent identifies to the privacy of Covered Information identified in response to Provision XIII.D. Each safeguard must be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized collection, maintenance, use, disclosure, alteration, or destruction of, or provision of access to Covered Information.\n\nF. 
On at least an annual basis, provide privacy training programs for all employees and independent contractors responsible for handling or who have access to Covered Information, updated to address any identified material internal or external risks and safeguards implemented pursuant to this Order;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months, and modify the Program based on the results; and\n\nH. Evaluate and adjust the Program in light of any changes to Respondent’s operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in Provision XIII.D of this Order, or any other circumstances that Respondent knows or has reason to believe may have an impact on the effectiveness of the Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Program at least once every 12 months and modify the Program based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "XIV",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of the Order within 10 days, deliver copies to all relevant personnel and any new business entities, and obtain signed acknowledgments within 30 days of delivery.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 10 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "XV",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn compliance report one year after issuance, ongoing compliance notices within 14 days of material changes for 10 years, and notice of any bankruptcy filing within 14 days.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For 10 years after the date of this Order, Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of Respondent, or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency 13 proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Mobilewalla, Inc. [the C or D docket number].",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "XVI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified records for 10 years after issuance (retaining each for at least 5 years), including accounting records, personnel records, consumer complaints, subpoenas, representations about privacy, and records of Supplier and Sensitive Location Data Program implementation.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints that relate to the collection, use, maintenance, or disclosure of Covered Information, whether received directly or indirectly by Respondent, such as through a third party, and any response;\n\nD. For 5 years from the date received, copies of all subpoenas and other communications with law enforcement or other government agencies, or entities Respondent knows or should know is contracted by or otherwise working with a law enforcement or other government agency with respect to that subpoena or communication, if such communication relates to Respondent’s compliance with this Order, including Respondent’s collection, use, or transfer of Covered Information;\n\nE. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security and confidentiality of any Covered Information, including any representation concerning a change in any website or other service controlled by Respondent that relates to the privacy, security, and confidentiality of Covered information;\n\nF. Records showing Respondent’s implementation of the Supplier Assessment Program required by Provision VI;\n\nG. Records showing Respondent’s implementation of policies, controls, and technical measures to prevent the collection, or use of Sensitive Location Data prohibited by Provision III; and\n\nH. 
All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "XVII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission may monitor Respondent's compliance through written requests for information and records, direct communication with Respondent, interviews of Respondent's personnel, and all other lawful means including undercover investigations.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "XVIII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order is effective upon publication on the FTC's website and will terminate 20 years from issuance or 20 years from the most recent date a complaint alleging a violation of this Order is filed in federal court, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. 15 Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.25_mobilewalla",
      "company_name": "Mobilewalla, Inc.",
      "date_issued": "2025-01-15",
      "year": 2025,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter",
      "docket_number": "C-4811"
    },
    {
      "provision_number": "I",
      "title": "Five-Year Prohibition Against Disclosure of Covered Driver Data to Consumer Reporting Agencies",
      "category": "prohibition",
      "summary": "Respondents must not disclose Covered Driver Data to any Consumer Reporting Agency for five years from entry of this Order.",
      "verbatim_text": "IT IS ORDERED that Respondents, and Respondents’ officers, agents, and employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the collection, use, and disclosure of consumers’ Covered Driver Data, must not disclose Covered Driver Data to any person when that person is acting in the capacity of a Consumer Reporting Agency, for five years from the entry of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "II",
      "title": "Limitations on Collection, Use, and Disclosure of Covered Driver Data Absent Affirmative Express Consent",
      "category": "affirmative_obligation",
      "summary": "Within 180 days, Respondents must obtain Affirmative Express Consent from consumers before collecting, using, or disclosing their Covered Driver Data to a Third Party, with limited enumerated exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within 180 days of the effective date of this Order, Respondents and Respondents’ officers, agents, and employees, and all other persons in active 5 concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must obtain the relevant U.S. consumer’s Affirmative Express Consent prior to collecting, using, or disclosing to a Third Party such consumer’s Covered Driver Data. Each separate, unrelated service or feature that collects, uses, or discloses Covered Driver Data requires a separate Affirmative Express Consent.\n\nA. To disclose Covered Driver Data to emergency responders;\n\nB. To respond to a consumer-initiated communication originating from within the Vehicle or an App, where Covered Driver Data may be collected, used, or disclosed only to provide that response;\n\nC. To respond to a Vehicle-initiated communication related to the safe operation of that Vehicle, where Covered Driver Data may be collected, used, or disclosed only to provide that response;\n\nD. To comply with lawful governmental requests, regulatory requirements, and legal orders; or for use to prepare for or defend against product liability, breach of contract, consumer protection, or warranty claims;\n\nE. To conduct research or efforts to improve, repair, enhance safety of, or develop products, services, or technology, provided, however, that (1) only Deidentified Covered Driver Data is disclosed to Third Parties to fulfill this purpose; and (2) marketing is excluded from this purpose;\n\nF. To conduct investigations of potential product quality or safety issues; to determine or effectuate Vehicle field actions, including customer satisfaction campaigns, technical service bulletins, compliance recalls, and safety recalls; to detect or respond to cybersecurity incidents; or to administer and fulfill Vehicle warranties; and\n\nG. 
To perform diagnostics and prognostics of components of the Vehicle; or to identify and address issues that impair existing functionality, provided, however, that only Deidentified data is disclosed to Third Parties to fulfill this purpose unless identification is necessary to address diagnostic or prognostic issues relating to specific Vehicles.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "III",
      "title": "Withholding or Withdrawing Affirmative Express Consent",
      "category": "prohibition",
      "summary": "Respondents must not limit a consumer's ability to withhold or withdraw Affirmative Express Consent for collection or use of Covered Driver Data, such as by degrading product quality or functionality as a penalty, unless data collection is technically necessary.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, and employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must not limit a U.S. consumer’s ability to withhold or withdraw Affirmative Express Consent for the collection or use of Covered Driver Data, such as by degrading the quality or functionality of a product or service as a penalty for withholding or withdrawing such Affirmative Express Consent, unless the collection and use of Covered Driver Data is technically necessary to providing the quality or functionality of the product or service without such degradation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "IV",
      "title": "Data Minimization Requirement",
      "category": "affirmative_obligation",
      "summary": "Respondents must collect no more Covered Driver Data than is reasonably necessary for the specific purpose of collection, and may only use, disclose, or retain it for that purpose.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents must refrain from collecting more Covered Driver Data than reasonably necessary to fulfill the specific purpose for which it was collected and must use, disclose, or retain such data only for that purpose, or as otherwise consistent with Provision II, titled Limitations on Collection, Use, and Disclosure of Covered Driver Data Absent Affirmative Express Consent.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "V",
      "title": "Retention Schedule",
      "category": "affirmative_obligation",
      "summary": "Within 180 days, Respondents must document and adhere to a data retention schedule, make it publicly available, report it to the Commission, and update it before collecting new types of Covered Driver Data.",
      "verbatim_text": "A. Within 180 days of the effective date of this Order, document and adhere to a retention schedule for Covered Driver Data, setting forth: (1) the purpose(s) for which each type of Covered Driver Data is collected; (2) the specific business needs for retaining each type of Covered Driver Data; and (3) the specific timeframe for deleting each type of Covered Driver Data (absent any intervening deletion requests from consumers), limited to the shortest time necessary to fulfill the purpose for which the data was collected, or as otherwise consistent with Provision II, titled Limitations on Collection, Use, and Disclosure of Covered Driver Data Absent Affirmative Express Consent;\n\nB. Within 180 days of the effective date of this Order, document, adhere to, and make publicly available from a link on the Respondents’ Apps or the home page of their website(s), a retention schedule for Covered Driver Data setting forth: (1) the purpose for collecting and retaining each type of Covered Driver Data, and (2) the specific timeframe set for deleting each type of Covered Driver Data;\n\nC. Within 180 days of the entry of this Order, Respondents shall provide a written statement to the Commission, pursuant to Provision XIII, titled Compliance Reports and Notices, describing the retention schedules created pursuant to Provisions V.A. & B. of this Order; and\n\nD. Prior to collecting or using any new type of Covered Driver Data that was not being collected as of the entry of this Order, Respondents must update their retention schedules created pursuant to and in compliance with Provisions V.A. & B. of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "VI",
      "title": "Deletion of Prior-Retained Covered Driver Data",
      "category": "affirmative_obligation",
      "summary": "Within 180 days, Respondents must delete or destroy all previously retained Covered Driver Data except for specified purposes, and confirm deletion in writing to the Commission. Respondents have a 90-day option to seek retroactive consent from affected consumers.",
      "verbatim_text": "A. Within 180 days of the effective date of this Order, Delete or destroy all prior-retained Covered Driver Data, except when Covered Driver Data is retained for and necessary to fulfill the following purposes: (a) litigation holds; (b) to comply with lawful governmental requests, regulatory requirements, and legal orders, or for use to prepare for or defend against product liability, breach of contract, consumer protection, or warranty claims; (c) to perform diagnostics and prognostics of components of the Vehicle; (d) to conduct research or efforts to improve, repair, enhance safety of, or develop products, services, or technology, provided, however, that (1) only Deidentified Covered Driver Data is disclosed to Third Parties to fulfill this purpose; and (2) marketing is excluded from this purpose; and (e) to conduct investigations of potential product quality or safety issues; to determine or effectuate Vehicle field actions, including customer satisfaction campaigns, technical service bulletins, compliance recalls, and safety recalls; to detect or respond to cybersecurity incidents; or to administer and fulfill Vehicle warranties.\n\nProvided, further, however, Respondents shall have, within 90 days of the effective date of this Order, the option to request Affirmative Express Consent from consumers whose Covered Driver Data was collected and retained prior to the entry of this Order. Respondents will Delete such prior-retained Covered Driver Data where (1) a consumer does not provide or has not already provided in or after July 2024 their Affirmative Express Consent; (2) the consumer does not respond to the request within 30 days after the request is made; or (3) the data has not been Deidentified; and\n\nB. Within 180 days of the effective date of this Order, provide a written statement to the Commission, pursuant to Provision XIII.E., confirming that all such information has been Deleted or destroyed.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "VII",
      "title": "Consumer Requests to Obtain Copies of and to Delete Covered Driver Data",
      "category": "affirmative_obligation",
      "summary": "Respondents must maintain a simple, easily-located means for U.S. consumers to request a copy of or deletion of their Covered Driver Data, and must not use information collected for such requests for any other purpose.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, Respondents’ officers, agents, and employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must maintain a simple, easily-located means for all U.S. consumers to request a copy of their Covered Driver Data and to request that Respondents Delete their Covered Driver Data, provided, however, Respondents may avail themselves of their rights, exceptions, and exemptions existing under federal law or each requesting consumer’s respective state laws. Respondents may require consumers to provide Respondents with information necessary to complete such requests but must not use, provide access to, or disclose any information collected for the request for any other purpose.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Other"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "VIII",
      "title": "Deletion Request to Data Sharing Partners",
      "category": "affirmative_obligation",
      "summary": "Respondents must request that Third Parties with whom they shared Covered Driver Data delete that data, and must not share data with any such Third Party until it confirms receipt of the deletion instructions.",
      "verbatim_text": "A. Request from Third Parties with whom Respondents shared Covered Driver Data to Delete such data, except when subject to legal or regulatory requirements (including litigation holds); and\n\nB. Not sell or share data with any Third Party with whom Respondents previously shared Covered Driver Data until that Third Party confirms receipt of the instructions requesting it to Delete all Covered Driver Data previously obtained from Respondents.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "IX",
      "title": "Disabling Location Setting",
      "category": "affirmative_obligation",
      "summary": "Respondents must allow consumers to disable Location Data collection from their Vehicles (where technically equipped), such as via an in-vehicle toggle, with limited exceptions for safety, theft, and legal compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, and employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must allow consumers to disable the collection of Location Data from their Vehicles to the extent the Vehicle is equipped with the necessary technology, which may be accomplished by providing a mechanism (such as a toggle on the Vehicle) in the Vehicle for U.S. consumers to disable the collection of Location Data, provided, however, that even if the collection of Location Data is disabled on the Vehicle,\n\nA. Respond to a consumer-initiated communication originating from within the Vehicle, or an App, where Location Data may be collected, used, or disclosed only to provide that response;\n\nB. Respond to a Vehicle-initiated communication related to either the safe operation of that Vehicle or a theft-related alert, where Location Data may be collected, used, or disclosed only to provide that response; and\n\nC. Comply with lawful governmental requests, regulatory requirements, and legal orders, where Location Data may be collected, used, or disclosed as necessary for legal compliance.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "X",
      "title": "Declining Enrollment in OnStar",
      "category": "affirmative_obligation",
      "summary": "Respondents must allow consumers who decline or unenroll from OnStar to disable remote data collection from their Vehicles, with limited exceptions for safety, over-the-air updates, and consumer-initiated communications.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, and employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must allow consumers to disable the Respondents’ remote collection of all data from their Vehicles if consumers decline to enroll or unenroll in OnStar, provided, however, that even if the consumer declines to enroll or unenrolls in OnStar, Respondents may:\n\nA. Respond to a consumer-initiated communication originating from within the Vehicle, where data may be collected, used, or disclosed only to provide that response;\n\nB. Respond to a Vehicle-initiated communication related to the safe operation of that Vehicle, where data may be collected, used, or disclosed only to provide that response; and\n\nC. Collect, use, or disclose data to identify and address issues that impair safety or to provide over-the-air updates, and for no other purposes, provided, however, that prior to any collection, use, or disclosure of data for this purpose, Respondents shall provide notice to consumers regarding this collection, use, or disclosure, and provided, further, however, if Covered Driver Data is disclosed for this purpose, Respondents can only disclose Deidentified Covered Driver Data to Third Parties unless identification is necessary to address a safety issue for or provide over-the-air updates to a specific Vehicle.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "XI",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner the extent to which they collect, use, disclose, or delete vehicle-linked consumer information, the purposes for such activities, or consumers' control rights over their Covered Driver Data.",
      "verbatim_text": "A. The extent to which Respondents collect, use, disclose, or Delete any information collected by Respondents that originate from a Vehicle and is linked or Reasonably Linkable to a U.S. consumer, including Covered Driver Data;\n\nB. The purposes for which Respondents collect, use, or disclose any Covered Driver Data; or\n\nC. The extent to which U.S. consumers may exercise control over Respondents’ collection of, maintenance of, use of, deletion of, disclosure of, or provision of access to their own Covered Driver Data, and the steps a U.S. consumer must take to implement such control.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "XII",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Each Respondent must submit a sworn acknowledgment of receipt of the Order within 10 days, deliver copies to relevant personnel on an ongoing basis for 20 years, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Each Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after the issuance date of this Order, each Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Respondent delivered a copy of this Order, that Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "XIII",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit an annual compliance report one year after issuance, provide sworn notices within 14 days of changes in contacts or corporate structure, and notify the Commission of any bankruptcy filings within 14 days.",
      "verbatim_text": "A. One year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which each Respondent must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (2) identify all of that Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services offered, what Covered Driver Data it collects, how Covered Driver Data is used and disclosed to Third Parties; (4) describe in detail whether and how that Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Each Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of any Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re General Motors.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "XIV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create specified records for 20 years after issuance and retain each for 5 years, covering financial records, personnel records, consumer complaints, law enforcement communications, privacy representations, consent records, and all compliance documentation.",
      "verbatim_text": "A. Accounting records showing the revenues from all OnStar goods or services sold, and all goods or services related to Covered Driver Data sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies of all consumer complaints that relate to the collection, maintenance, use, and disclosure of, or provision of access to consumers’ Covered Driver Data, including Location Data, whether received directly or indirectly, such as through another party, and any response;\n\nD. For 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondents’ compliance with this Order;\n\nE. A copy of each widely disseminated representation by Respondents that describes the extent to which Respondents maintain or protect the privacy of any Covered Driver Data, including any representation concerning a material change in any website or other service controlled by Respondents that relates to the privacy of Covered Driver Data;\n\nF. Records showing Affirmative Express Consent for any individual consumer on which Respondents have relied to collect, use, or disclose Covered Driver Data, including the specific notice(s) that individual consumers viewed and consented to, and the time and date of consent; and\n\nG. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "XV",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission may monitor compliance by requesting additional reports and records within 10 days of a written request, communicating directly with and interviewing Respondents' personnel, and using all other lawful means including undercover inquiries.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, each Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with each Respondent. Respondents must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "XVI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order is effective upon publication on ftc.gov as a final order and terminates 20 years from issuance or 20 years from the most recent date the FTC files a complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that the Respondents did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "01.26_general_motors",
      "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC",
      "date_issued": "2026-01-15",
      "year": 2026,
      "administration": "Trump (2nd)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter",
      "docket_number": "C-4828"
    },
    {
      "provision_number": "I",
      "title": "Prohibited Business Activities — Misrepresentation of FCRA Affiliation",
      "category": "prohibition",
      "summary": "Defendant is permanently restrained from misrepresenting, or assisting others in misrepresenting, any affiliation with the annual free credit report available under the Fair Credit Reporting Act or any other federal law.",
      "verbatim_text": "IT IS ORDERED that Defendant and Defendant's successors, assigns, officers, agents, and all other persons or entities within the scope of Fed. R. Civ. P. 65, whether acting directly or through any sole proprietorship, partnership, limited liability company, corporation, subsidiary, branch, division, or other entity, including all other persons or entities in active concert or participation with them, who receive actual notice of this Supplemental Order by personal service or otherwise, in connection with the advertising, promoting, offering for sale, or sale of consumer reports, credit scores, credit monitoring programs, or any other product, program, or service relating to consumer reports, are hereby permanently restrained and enjoined from misrepresenting, or assisting others in misrepresenting, expressly or by implication, Defendant's affiliation with the annual credit report available to consumers under the Fair Credit Reporting Act, 15 U.S.C. § 1681j, or any other federal law.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.07_consumerinfo.com._dba_experian_consumer_direct_qspace_and_iplace",
      "company_name": "Consumerinfo.com, Inc.",
      "date_issued": "2007-02-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3263-consumerinfocom-inc-dba-experian-consumer-direct-qspace-inc-iplace-inc",
      "docket_number": "CV SAC 05-801 MS"
    },
    {
      "provision_number": "II",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "Defendant must pay $300,000 to the FTC within five days of entry of this Supplemental Order; funds will be used for equitable relief including consumer redress.",
      "verbatim_text": "Defendant is ordered to pay THREE HUNDRED THOUSAND DOLLARS ($300,000.00) to the Commission, within five (5) days of entry of this Supplemental Order, pursuant to payment instructions provided by the\n\nA. All funds paid pursuant to this Paragraph shall be deposited into a fund administered by the Commission or its agent to be used for equitable relief, including but not limited to consumer redress and any attendant expenses for the administration of any redress fund. In the event that direct redress to consumers is wholly or partially impracticable or funds remain after redress is completed, the Commission may apply any remaining funds for such other equitable relief (including consumer information remedies) as it determines to be reasonably related to Defendant's alleged violations of the Final Order. Any funds not used for such equitable relief shall be deposited to the United States Treasury as equitable disgorgement. Defendant shall have no right to challenge the Commission's choice of remedies or the manner of distribution.\n\nDefendant acknowledges and agrees that all money paid pursuant to this Supplemental Order is irrevocably paid to the Commission for purposes of settlement between the parties, and Defendant relinquishes all rights, title, and interest to such money. Defendant shall make no claim or demand for the return of the funds, directly or indirectly, through counsel or otherwise, and in the event of bankruptcy of Defendant, Defendant acknowledges that the funds are not part of the debtor's estate, nor does the estate have any claim or interest therein.\n\nC. The monetary relief entered pursuant to this Paragraph is equitable monetary relief, solely remedial in nature, and not a fine, penalty, punitive assessment, or forfeiture. Defendant's payment of the monetary relief shall be deemed to satisfy completely the monetary relief for the alleged violation of the Final Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "02.07_consumerinfo.com._dba_experian_consumer_direct_qspace_and_iplace",
      "company_name": "Consumerinfo.com, Inc.",
      "date_issued": "2007-02-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3263-consumerinfocom-inc-dba-experian-consumer-direct-qspace-inc-iplace-inc",
      "docket_number": "CV SAC 05-801 MS"
    },
    {
      "provision_number": "III",
      "title": "Change of Notification Address",
      "category": "affirmative_obligation",
      "summary": "The address for all written notifications to the Commission is changed from the address in the Final Order to the FTC's Division of Enforcement address in Washington, D.C.",
      "verbatim_text": "i IT,XS F.U;RTElER.ORDEREDthat the address for all written notiscations 22 : to the Commission shall be changed firom the address listed in SubparagraphV.C. 23 24 of the F.inal Order to the following address: 25 Associate Director Division of Enforcement 26 Federal Trade Commission 600 Pennsylvania Avenue, N.W., Room NJ-2 122 . 27. Washin on, D.C. 20580 RE: F& v. Consumerinfo.c om, Inc.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.07_consumerinfo.com._dba_experian_consumer_direct_qspace_and_iplace",
      "company_name": "Consumerinfo.com, Inc.",
      "date_issued": "2007-02-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3263-consumerinfocom-inc-dba-experian-consumer-direct-qspace-inc-iplace-inc",
      "docket_number": "CV SAC 05-801 MS"
    },
    {
      "provision_number": "IV",
      "title": "Record Keeping",
      "category": "recordkeeping",
      "summary": "For six years from the date of entry, Defendant must create and retain specified business records including accounting, personnel, customer, complaint, marketing, and compliance records.",
      "verbatim_text": "2 IT IS FWU'HER ORDERED that, for period of six (6) years fiom the date I 3 of entry of this Supplemental Order, iic~omection with any business where 4 Defendant is the majority owner of the business or directly or indirectly manages 5 or controls the business, Defendant and its agents, employees, officers, 6 corporations, suc'cessors, and.assigns, and those persons in active concert or 7 participation with them who receive actual notice of this Supplemental Order by 8 personal service or otherwise, are hereby reshined and enjoined from failing to '9 create and retain the following records: 10 A. Accounting records that reflect the cost of goods or services sold, 11 revenues generated, and the disbursement of such revenues.\n\n12 B. Personnel records accurately reflecting: the name, address, and telephone 13 number of each person employed in any capacity by such business; that person's 14 job title or position; the date upon which the person commenced work; and the 15 date .and reason for the person's termination, if applicable.\n\n16 C. Customer files containjag the names, addresses, phone numbers, dollar 17 amounts paid, quantity of items or services purchased, and description of items or ' 18 services purchased, to the extent such information is obtained in the ordinary 19 course of business.\n\nD. Complaints .and refund requests .(whether received directly, indirectly or 20 , 21 through any.thkB$asty) and any responses to those complaints' or requests.\n\n22 E. Copies oFall sales scripts, training materials, advertisements, or other . , 23 marketing materials.\n\n24. .I?. All records and documents necessary to demonstrate full cornplla.de with 25 each provision of this Supplemental Orderrincluding but not limited to, copies of 26 acknowledgments of receipt of this Supplemental Order, required by paragraph 27 V. -",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.07_consumerinfo.com._dba_experian_consumer_direct_qspace_and_iplace",
      "company_name": "Consumerinfo.com, Inc.",
      "date_issued": "2007-02-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3263-consumerinfocom-inc-dba-experian-consumer-direct-qspace-inc-iplace-inc",
      "docket_number": "CV SAC 05-801 MS"
    },
    {
      "provision_number": "V",
      "title": "Distribution of Supplemental Order by Defendant",
      "category": "acknowledgment",
      "summary": "For three years from entry, Defendant must deliver a copy or accurate summary of the Supplemental Order to principals, officers, directors, relevant managers, and employees, and obtain signed acknowledgments of receipt within 30 days.",
      "verbatim_text": "2 IT IS F m m WO RDERED that, for a period of three (3) years fiom the 3 date of entry of this Supp1emental Order, Defendant.s hall deliver a copy of this 4 Supplemental Order to allof its principals, officers,. and directors, and to all 5 managers who have responsibility directly or indirectly.f or any matters covered 6 by this Supplemental Order. Defendant also shall deliver an accurate surnm;uy of 7 this Supplemental Order to all of its employees who are engaged in conduct 8 related to the advertising, marketing, sale, or delivery of, or who respond to 9 consumer complaints or inquiries regarding consumer reports, credit scores, or :\n\n10 any credit monitoring program. For current personnel, delivery shall be within 11 five (5) days of service of this Supplemental Order upon Defendant 'For new -. 12 personnel, delivery shall occur priar to their assuming their responsibilities.\n\nDefendant must secure a signed and dated statement acknowledging receipt of 13 , 14 this Supplemental Order, within thirty(30) days of delivery, fiom all persons 15 receiving a copy of this Sucplemental Order pursuant to this Paragraph.V.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.07_consumerinfo.com._dba_experian_consumer_direct_qspace_and_iplace",
      "company_name": "Consumerinfo.com, Inc.",
      "date_issued": "2007-02-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3263-consumerinfocom-inc-dba-experian-consumer-direct-qspace-inc-iplace-inc",
      "docket_number": "CV SAC 05-801 MS"
    },
    {
      "provision_number": "VI",
      "title": "Retention of Jurisdiction",
      "category": "monitoring",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Supplemental Order.",
      "verbatim_text": "17 IT IS l?URTECERORDERED that this Court shall retain jurisdiction of this ' 18 'matter for Purposes of construction, modification, and enforcement of this . 19 Supplemental .Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.07_consumerinfo.com._dba_experian_consumer_direct_qspace_and_iplace",
      "company_name": "Consumerinfo.com, Inc.",
      "date_issued": "2007-02-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3263-consumerinfocom-inc-dba-experian-consumer-direct-qspace-inc-iplace-inc",
      "docket_number": "CV SAC 05-801 MS"
    },
    {
      "provision_number": "VII",
      "title": "Costs and Attorney's Fees",
      "category": "affirmative_obligation",
      "summary": "Each party shall bear its own costs and attorney's fees incurred in connection with this action.",
      "verbatim_text": "21:' XTgS R ORDERED that each party shall bear its own costs and I ; attorney's fees incurred inconnection with this action.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.07_consumerinfo.com._dba_experian_consumer_direct_qspace_and_iplace",
      "company_name": "Consumerinfo.com, Inc.",
      "date_issued": "2007-02-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3263-consumerinfocom-inc-dba-experian-consumer-direct-qspace-inc-iplace-inc",
      "docket_number": "CV SAC 05-801 MS"
    },
    {
      "provision_number": "I",
      "title": "Prohibited Business Activities",
      "category": "prohibition",
      "summary": "Defendant is permanently prohibited from materially misrepresenting verification of privacy/security protection or the frequency of such verification in connection with advertising, marketing, or sale of any product or service.",
      "verbatim_text": "IT IS ORDERED that Defendant and its officers, agents, servants, employees, attorneys, and all persons in active concert or participation with any one or more of them, whether acting directly or through any sole proprietorship, partnership, limited liability company, corporation, subsidiary, branch, division, or other entity, who receive actual notice of this Order by personal service or otherwise, are hereby permanently restrained and enjoined from, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, materially misrepresenting, in any manner, expressly or by implication: A. the verification that is conducted by any party concerning the protection that a company provides for the privacy and/or security of consumer information or the steps a company has taken to provide such protection; or B. the frequency of such verification.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "II",
      "title": "Notice to Seal Purchasers",
      "category": "affirmative_obligation",
      "summary": "Defendant must provide notice to each company that purchased or received certain ControlScan seals since January 1, 2007, informing them of the FTC settlement and requiring removal of discontinued seals.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within thirty (30) days after the date of entry of this Order, Defendant shall provide notice, in the form provided in Attachment A, to each company that purchased or received, since January 1, 2007, ControlScan's Business Background Reviewed, Verified Secure, Registered Member, Privacy Protected, or Privacy Reviewed seal\n\nThe notice shall be delivered by first-class mail to the company's last known mailing address and by electronic mail to its last known electronic mail address. Each such notice, whether sent by U.S. mail or electronic mail, shall be sent to the attention of an individual at the company with whom ControlScan has or had a business relationship.\n\nOther than as described in this Section and provided by Attachment A, the notice shall not include any other document, material, or statement. The notice shall be prepared on ControlScan's official corporate letterhead and also shall include prominently ControlScan's official logos for the Business Background Reviewed, Verified Secure, Registered Member, Privacy Protected, and Privacy Reviewed seals. Each envelope in which such notice is mailed shall include ControlScan's name and return address. In addition, the words \"ATTENTION: Important Notice Concerning ControlScan's Seals\" shall appear below the recipient's address on any such notice that is mailed and in the subject line of any notice that is sent by electronic mail.\n\nDefendant shall take reasonable steps to obtain a signature or electronic receipt acknowledging receipt of the notice by an authorized representative of the recipient. If Defendant elects to obtain this acknowledgment by U.S. mail, it shall provide a self-addressed, postage pre-paid envelope with the notice to enable return of the acknowledgment or send the notice via certified mail, return receipt requested.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "III",
      "title": "Monetary Judgment",
      "category": "affirmative_obligation",
      "summary": "A suspended judgment of $750,000 is entered against Defendant (less amounts paid by Richard Stanton), which becomes due if Defendant misrepresented its financial condition. Funds may be used for consumer restitution or other equitable relief.",
      "verbatim_text": "Judgment is hereby entered in favor of the Commission and against Defendant, as equitable monetary relief, in the amount of $750,000, less any amounts paid by Richard Stanton pursuant to the Decision and Order arising from In the Matter of Richard Stanton, FTC File No. 072-3165. Payment of this amount shall be suspended subject to the conditions set forth in Paragraphs C and D.\n\nIf, upon motion by the Commission, the Court finds that Defendant failed to disclose any material asset, misrepresented the value of any material asset, or made any material misrepresentation or omission in the financial disclosures, the suspension of the judgment entered pursuant to Paragraph A of this Section III shall be lifted, and the judgment amount, less any payments made to the Commission pursuant to this Order, plus interest from the date of entry of this Order computed pursuant to 28 U.S.C. § 1961, shall become immediately due and payable.\n\nIn accordance with 31 U.S.C. § 7701, as amended, Defendant is hereby required, unless it has already done so, to furnish to the Commission its taxpayer employer identification number, which shall be used for purposes of collecting and reporting on any delinquent amount arising out of Defendant's relationship with the government.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor compliance by requiring Defendant to submit reports, produce documents, appear for depositions, allow business inspections, and permit employee interviews. The FTC may also use undercover investigations.",
      "verbatim_text": "Within ten (10) days of receipt of written notice from a representative of the Commission, Defendant shall submit additional written reports, which are true and accurate and sworn to under penalty of perjury; produce documents for inspection and copying; appear for deposition; and provide entry during normal business hours to any business location in Defendant's possession or direct or indirect control to inspect the business operation.\n\nIn addition, the Commission is authorized to use all other lawful means, including, but not limited to: 1. obtaining discovery from any person, without further leave of court, using the procedures prescribed by Fed. R. Civ. P. 30, 31, 33, 34, 36, 45, and 69; and 2. having its representatives pose as consumers and suppliers to Defendant, its employees, or any other entity managed or controlled in whole or in part by Defendant, without the necessity of identification or prior notice.\n\nDefendant shall permit representatives of the Commission to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendant must notify the FTC of structural changes at least 30 days in advance and file compliance reports at 180 days and annually for 5 years, including acknowledgments of receipt and bankruptcy filings within 15 days.",
      "verbatim_text": "For a period of five (5) years from the date of entry of this Order, Defendant shall notify the Commission of any changes in structure of Defendant or any business entity that Defendant directly or indirectly controls, or has an ownership interest in, that may affect compliance obligations arising under this Order, including, but not limited to: incorporation or other organization; a dissolution, assignment, sale, merger, or other action; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; or a change in the business name or address, at least thirty (30) days prior to such change, provided that, with respect to any such change in the business entity about which Defendant learns less than thirty (30) days prior to the date such action is to take place, Defendant shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nOne hundred eighty (180) days after the date of entry of this Order and annually thereafter for a period of five (5) years, Defendant shall provide a written report to the FTC which is true and accurate and sworn to under penalty of perjury, setting forth in detail the manner and form in which it has complied and is complying with this Order. This report shall include, but not be limited to: 1. a copy of each acknowledgment of receipt of this Order, obtained pursuant to Section VII titled \"Distribution of Order;\" and 2. any other changes required to be reported under Subsection A of this Section.\n\nDefendant shall notify the Commission of the filing of a bankruptcy petition by Defendant within fifteen (15) days of filing.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "VI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendant must create and retain for 8 years specific records including accounting records, personnel records, customer files, complaints, marketing materials, and compliance documents.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for a period of eight (8) years from the date of entry of this Order, Defendant, with respect to its offering or providing seals or related products or services, is hereby restrained and enjoined from failing to create and retain the following records: A. Accounting records that reflect the cost of goods or services sold, revenues generated, and the disbursement of such revenues; B. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person's job title or position; the date upon which the person commenced work; and the date and reason for the person's termination, if applicable; C. Customer files containing the names, addresses, telephone numbers, dollar amounts paid, quantity of items or services purchased, and description of items or services purchased, to the extent such information is obtained in the ordinary course of business; D. Complaints and refund requests (whether received directly or indirectly, such as through a third party) and any responses to those complaints or requests; E. Copies of all sales scripts, training materials, advertisements, or other marketing materials; and F. All records and documents necessary to demonstrate full compliance with each provision of this Order, including but not limited to, copies of acknowledgments of receipt of this Order required by Sections VII and VIII, titled \"Distribution of Order\" and \"Acknowledgment of Receipt of Order\" and all reports submitted to the FTC pursuant to Section V, titled \"Compliance Reporting.\"",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "VII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "For 5 years, Defendant must deliver copies of the Order to all principals, officers, directors, managers, employees, and agents engaged in related conduct, and to any successor business entities, and obtain signed acknowledgments within 30 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for a period of five (5) years from the date of entry of this Order, Defendant shall deliver copies of this Order as directed below: A. Defendant must deliver a copy of this Order to (1) all of its principals, officers, directors, and managers; (2) all of its employees, agents, and representatives who engage in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure set forth in Subsection A.2 of Section V titled \"Compliance Reporting.\" For current personnel, delivery shall be within five (5) days of service of this Order upon Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Subsection A.2 of Section V titled \"Compliance Reporting,\" delivery shall be at least ten (10) days prior to the change in structure.\n\nDefendant must secure a signed and dated statement acknowledging receipt of the Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this Section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "VIII",
      "title": "Acknowledgment of Receipt of Order",
      "category": "acknowledgment",
      "summary": "Defendant must submit a truthful sworn statement acknowledging receipt of the Order within 5 business days.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant, within five (5) business days of receipt of this Order as entered by the Court, must submit to the Commission a truthful sworn statement acknowledging receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "IX",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court shall retain jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "X",
      "title": "Notice of Entry of Order",
      "category": "acknowledgment",
      "summary": "Entry of the Order in the court docket constitutes notice to Defendant, and Defendant waives all rights to contest proper service.",
      "verbatim_text": "IT IS FURTHER ORDERED that entry in the docket of this Order by the Clerk of Court shall constitute notice to Defendant of the terms and conditions of this Order, and that Defendant waives all rights to contest in any future proceeding whether Defendant was properly served with this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.10_controlscan",
      "company_name": "ControlScan, Inc.",
      "date_issued": "2010-02-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc",
      "docket_number": "1:10-cv-00532-JEC"
    },
    {
      "provision_number": "I",
      "title": "Prohibition on Data Collection Without Consent",
      "category": "prohibition",
      "summary": "Respondent is prohibited from collecting information from Data Collection Agents unless specific disclosures are made and express affirmative consent is obtained from consumers.",
      "verbatim_text": "A. Collecting any information from any Data Collection Agent made available to consumers directly by respondent after the date of service of this order, unless prior to such collection respondent has: 1. Disclosed to the consumer clearly and prominently, and prior to the display of and on a separate screen from, any “end user license agreement,” “privacy policy,” “terms of use” page, or similar document: a) all the types of information that will be collected, including, but not limited to, if applicable, a statement that the information includes consumer transactions (both completed and incomplete) or communications in forms, online accounts, web-based email accounts, or search engine pages, and whether the information includes personal, financial or health information; and b) how the information is to be used, including if it is shared with any Third Party; and 2. Obtained express affirmative consent from the consumer to the collection, use or sharing of the information.\n\nB. Collecting any information from any Data Collection Agent made available to consumers by a Third Party after the date of service of this order, unless prior to such collection respondent has provided the disclosures and obtained the consent described in subpart A(1-2), or has both required the Third Party by contract to do so, and monitored compliance with such contractual provisions.\n\nC. Collecting any information from any Data Collection Agent that was made available to consumers before the date of service of this order, unless it has made the disclosures and obtained the express affirmative consent described in subpart A(1-2) or: 1. It has made the disclosure required by Part II(A)(3); and 2. It does not use information collected from an Affected Consumer by a Data Collection Agent, except in an aggregate and/or anonymous form Page 4 of 11 that does not disclose, report, or otherwise share any individually identifiable information.\n\nD. 
Using any Collected Information gathered on or after February 1, 2010, unless it has obtained express affirmative consent from the consumer to the use of the Collected Information, or 1. It does not use the Collected Information, except in an aggregate and/or anonymous form that does not disclose, report, or otherwise share any individually identifiable information; and 2. It does not otherwise access any Affected Consumer’s personal information that was collected by a Data Collection Agent.\n\nE. Making any material change from stated practices about collection, use or sharing of such information, unless it has obtained express affirmative consent from the consumer.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "II",
      "title": "Consumer Notification and Support",
      "category": "affirmative_obligation",
      "summary": "Respondent must notify Affected Consumers that Data Collection Agents were installed and transmitted information, and provide instructions and support for disabling/uninstalling the software.",
      "verbatim_text": "1. On or before thirty (30) days after the date of service of this order and for two (2) years after the date of service of this order, posting of a clear and prominent notice on the websites of Compete, Inc., and its successors and assigns;\n\n2. On or before thirty (30) days after the date of service of this order and for three (3) years after the date of service of this order, informing Affected Consumers who complain or inquire about the privacy or security of a Data Collection Agent; and\n\n3. Beginning only once notification described in both subparts II(A)(1) and (2) above have commenced, and completed on or before sixty (60) days after the date of service of this order, providing clear and prominent notice to consumers via Affected Consumers’ computers on which a Data Collection Agent is operating, through the browser, software upgrade or similar technology, that: a) is visible until the consumer has taken action in response to the notice; b) includes a hyperlink and/or the address for a website of Compete, Inc., and its successors or assigns; and c) includes the name of the company from whom the consumer obtained the Data Collection Agent, or the brand name (as marketed to the consumer) of the software or application containing the Data Collection Agent, and an explanation that Compete provides technology for the specific Data Collection Agent.\n\nB. Provide prompt and free support with clear and prominent contact information to help consumers disable and/or uninstall a Data Collection Agent. For two (2) years after the date of service of this order, this support shall include toll-free, telephonic and electronic mail support.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "III",
      "title": "Service of Order on Third Parties",
      "category": "acknowledgment",
      "summary": "Respondent must serve Third Parties with a copy of this order before entering into or for existing contracts related to Data Collection Agents.",
      "verbatim_text": "IT IS FURTHER ORDERED that before entering into any contract, agreement, license, sale, or arrangement with any Third Party in connection with any Data Collection Agent made available to consumers by such Third Party, Compete, Inc., and its successors and assigns, shall serve the Third Party with a copy of this order. For any existing contract, agreement, license, sale, or arrangement with any Third Party in connection with any Data Collection Agent made available to consumers by such Third Party, respondent shall serve the Third Party with a copy\n\nsale, or arrangement with any Third Party in connection with any Data Collection Agent made available to consumers by such Third Party, respondent shall serve the Third Party with a copy of this order within 30 days of service of this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "IV",
      "title": "Prohibition Against Misrepresentations About Data Security and Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it collects, maintains, and protects the security, privacy, confidentiality, or integrity of consumer information.",
      "verbatim_text": "product in or affecting commerce, shall not make any representation, in any manner, expressly or by implication, about the extent to which respondent collects, maintains and protects the security, privacy, confidentiality, or integrity of any information collected from or about consumers, unless the representation is true, and non-misleading.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "V",
      "title": "Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards to protect personal information.",
      "verbatim_text": "commerce; shall no later than the date of service of this order, establish and implement, and thereafter maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity and the nature and scope of respondent's activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. The designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. The identification of material internal and external risks that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of personal information and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, account takeovers, or other systems failures;\n\nC. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures;\n\nD. 
The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information such service providers receive from respondent or obtain on respondent's behalf, and the requirement, by contract, that such service providers implement and maintain appropriate safeguards; and\n\nE. The evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent's operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "VI",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments from qualified professionals for twenty years.",
      "verbatim_text": "this order, Compete, Inc., and its successors and assigns, shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such Assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. Set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. Explain how such safeguards are appropriate to respondent's size and complexity, and the nature and scope of respondent's activities, and the sensitivity of the personal information collected from or about consumers; C. Explain how the safeguards that have been implemented meet or exceed the protections required by Part V of this order; and D. 
Certify that respondent's security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial\n\nreporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is\n\nprepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "VII",
      "title": "Deletion of Collected Information",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete or destroy Collected Information in its custody or control that was collected prior to February 1, 2010.",
      "verbatim_text": "within fourteen (14) days after the date of service of this order, delete or destroy, Collected Information in respondent’s custody or control that was collected prior to February 1, 2010, unless otherwise directed by a representative of the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the Commission various records, including advertisements, materials relied upon, contradictory evidence, acknowledgments, notices, and assessment-related materials.",
      "verbatim_text": "for a period of five (5) years after the last date of dissemination of any representation covered by this order, maintain and upon request make available to the Commission for inspection and copying: A. All advertisements, labeling, packaging and promotional material containing the representation; B. All materials relied upon in disseminating the representation; C. All tests, reports, studies, surveys, demonstrations, or other evidence in its possession or control that contradict, qualify, or call into question the representation, or the basis relied upon for the representation, including complaints and other communications with consumers or with governmental or consumer protection organizations; and D. All acknowledgments of receipt of this order, obtained pursuant to Part IX. E. All notices related to service of the order on Third Parties, pursuant to Part III. F. All materials demonstrating compliance with Part I(B), including all contracts and measures to monitor compliance.\n\nMoreover, for a period of three (3) years after the date of preparation of each Assessment required under Part VI of this order, respondent shall maintain and upon request make available to the Commission for inspection and copying all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "IX",
      "title": "Acknowledgment of Order by Personnel",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future principals, officers, directors, and managers with relevant responsibilities, and secure signed acknowledgments.",
      "verbatim_text": "deliver a copy of this order to: (1) all current and future principals, officers, and directors; and (2) all current and future managers who have responsibilities with respect to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order, with any electronic signatures complying with the requirements of the E-\n\nSign Act, 15 U.S.C. § 7001 et seq. Respondent shall deliver this order to current personnel within thirty (30) days after the date of service of the order, and to future personnel within thirty\n\nwithin thirty (30) days after the date of service of the order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "X",
      "title": "Notice of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission of any change in the company that may affect compliance obligations, including dissolution, assignment, sale, merger, bankruptcy, or name/address changes.",
      "verbatim_text": "notify the Commission at least thirty (30) days prior to any change in respondent that may affect compliance obligations arising under this order, including but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary (including an LLC), parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in respondent’s name or address. Provided, however, that with respect to any proposed change about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\npetition; or a change in respondent’s name or address. Provided, however, that with respect to any proposed change about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "XI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission detailing how it has complied with the order.",
      "verbatim_text": "within sixty (60) days after service of this order, and at such other times as the FTC may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which respondent has complied with this order. Within ten (10) days of receipt of\n\nand form in which respondent has complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "XII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on February 20, 2033, or twenty years from the most recent date that the United States or FTC files a complaint in federal court alleging violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on February 20, 2033, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part of this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that this order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.13_compete",
      "company_name": "Compete, Inc.",
      "date_issued": "2013-02-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc",
      "docket_number": "C-4384"
    },
    {
      "provision_number": "II",
      "title": "Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive information security program to protect personal information, with administrative, technical, and physical safeguards.",
      "verbatim_text": "IT IS ORDERED that respondent shall, no later than the date of entry of this Order, establish and implement, and thereafter maintain, or continue to maintain a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\n1. The designation of an employee or employees to coordinate and be accountable for the information security program;\n\n2. The identification of material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and the assessment of the sufficiency of any safeguards in place to control the risks. At a minimum, this risk assessment should include consideration of the risks in each relevant area of operations, including but not limited to: (a) employee training and management; (b) information systems, including network and software design, information processing, storage, transmission, and disposal; and (c) prevention, detection, and response to attacks, intrusions, and other system failures;\n\n3. The design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing and monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\n4. 
The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\n5. The evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by Paragraph 3 of this Section, any material changes to operations or business arrangements, or any other circumstances that Defendant knows or has reason to know may have material impact on the effectiveness of the information security program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "02.14_accretive_health",
      "company_name": "Accretive Health, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3077-accretive-health-inc-matter",
      "docket_number": "C-4432"
    },
    {
      "provision_number": "III",
      "title": "Biennial Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial assessments from a qualified third-party professional certifying the effectiveness of its security program for twenty years.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance of Section II of the Order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) of respondent from a qualified, objective, independent third-party professional who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such Assessments shall be: (a) a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); (b) a person holding Global Information Assurance Certification (GIAC) from the System Administrator, Audit, Network, Security (SANS) Institute; or (c) a similarly qualified person or organization approved by the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. The reporting period for the Assessments shall cover (i) the first one hundred and eighty (180) days after service of the Order for the Initial Assessment and (ii) each two (2) year period thereafter for twenty (20) years after service of the Order for the biennial Assessments. Each Assessment shall:\n\n1. Set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; 2. Explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers; 3. Explain how the safeguards that have been implemented meet or exceed the protections required by Section II of the Order; and 4. Certify that Respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director of Enforcement, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by Respondent until the Order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, initial and",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.14_accretive_health",
      "company_name": "Accretive Health, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3077-accretive-health-inc-matter",
      "docket_number": "C-4432"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC all materials related to assessments and compliance with the Order.",
      "verbatim_text": "1. For a period of three (3) years after the date of preparation of each Assessment required under Section III of the Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to Respondent’s compliance with Section II of this order, for the compliance period covered by such Assessment;\n\n2. Unless covered by IV.1, for a period of five (5) years from the date of preparation or dissemination, whichever is later, a print or electronic copy of each document relating to compliance with this Order, including but not limited to documents, whether prepared by or on behalf of Respondent, that contradict, qualify, or call into question compliance with the Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.14_accretive_health",
      "company_name": "Accretive Health, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3077-accretive-health-inc-matter",
      "docket_number": "C-4432"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver copies of the Order to current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.14_accretive_health",
      "company_name": "Accretive Health, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3077-accretive-health-inc-matter",
      "docket_number": "C-4432"
    },
    {
      "provision_number": "VI",
      "title": "Change in Corporate Structure Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least thirty days prior to any corporate changes that may affect compliance obligations.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.14_accretive_health",
      "company_name": "Accretive Health, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3077-accretive-health-inc-matter",
      "docket_number": "C-4432"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file initial and additional compliance reports with the FTC detailing compliance with the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within sixty (60) days after the date of service of this Order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this Order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.14_accretive_health",
      "company_name": "Accretive Health, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3077-accretive-health-inc-matter",
      "docket_number": "C-4432"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The Order will terminate on February 5, 2034, or twenty years from the most recent complaint filing, whichever is later, with specific provisions for complaints filed after initial term.",
      "verbatim_text": "This order will terminate on February 5, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: 1. Any part in this Order that terminates in less than twenty (20) years; and 2. this order’s application to any respondent that is not named as a defendant in such complaint; and 3. This order if such complaint is filed after the order has terminated pursuant to this part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.14_accretive_health",
      "company_name": "Accretive Health, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3077-accretive-health-inc-matter",
      "docket_number": "C-4432"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it or its products maintain and protect security of Covered Device Functionality, security/privacy/confidentiality/integrity of Covered Information, or the extent to which consumers can control security of Covered Information.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, other device, or an affiliate owned or controlled by respondent, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: A. The extent to which respondent or its products or services maintain and protect: 1. The security of Covered Device Functionality; 2. The security, privacy, confidentiality, or integrity of any Covered Information; and B. The extent to which a consumer can control the security of any Covered Information input into, stored on, captured with, accessed, or transmitted by a Covered Device.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.14_trendnet",
      "company_name": "TRENDnet, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter",
      "docket_number": "C-4426"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive security program with administrative, technical, and physical safeguards to address security risks and protect Covered Device Functionality and Covered Information.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, no later than the date of service of this Order, establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to (1) address security risks that could result in unauthorized access to or use of Covered Device Functionality, and (2) protect the security, confidentiality, and integrity of Covered Information, whether collected by respondent, or input into, stored on, captured with, accessed, or transmitted through a Covered Device. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the Covered Device Functionality or Covered Information, including:\n\nA. The designation of an employee or employees to coordinate and be accountable for the security program;\n\nB. The identification of material internal and external risks to the security of Covered Devices that could result in unauthorized access to or use of Covered Device Functionality, and assessment of the sufficiency of any safeguards in place to control these risks;\n\nC. The identification of material internal and external risks to the security, confidentiality, and integrity of Covered Information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, whether such information is in respondent’s possession or is input into, stored on, captured with, accessed, or transmitted through a Covered Device, and assessment of the sufficiency of any safeguards in place to control these risks;\n\nD. At a minimum, the risk assessments required by Subparts B and C should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) product design, development, and research; (3) secure software design, development, and testing; and (4) review, assessment, and response to third-party security vulnerability reports;\n\nE. The design and implementation of reasonable safeguards to control the risks identified through the risk assessments, including but not limited to reasonable and appropriate software security testing techniques, such as: (1) vulnerability and penetration testing; (2) security architecture reviews; (3) code reviews; and (4) other reasonable and appropriate assessments, audits, reviews, or other tests to identify potential security failures and verify that access to Covered Information is restricted consistent with a user’s security settings;\n\nF. Regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nG. The development and use of reasonable steps to select and retain service providers capable of maintaining security practices consistent with this Order, and requiring service providers, by contract, to establish and implement, and thereafter maintain, appropriate safeguards consistent with this Order; and\n\nH. The evaluation and adjustment of the security program in light of the results of the testing and monitoring required by Subpart F, any material changes to the respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "02.14_trendnet",
      "company_name": "TRENDnet, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter",
      "docket_number": "C-4426"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments from qualified professionals (CSSLP or CISSP) for 20 years, covering 180-day initial period and two-year periods thereafter.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this Order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such Assessments shall be: a person qualified as a Certified Secure Software Lifecycle Professional (CSSLP) with experience programming secure Covered Devices or other similar Internet-accessible consumer-grade devices; or as a Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and in programming secure Covered Devices or other similar Internet-accessible consumer-grade devices; or a similarly qualified person or organization; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred eighty (180) days after service of the Order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the Order for the biennial Assessments. Each Assessment shall:\n\nA. Set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. Explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the Covered Device Functionality or Covered Information;\n\nC. Explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this Order; and\n\nD. Certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security of Covered Device Functionality and the security, confidentiality, and integrity of Covered Information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the Order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.14_trendnet",
      "company_name": "TRENDnet, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter",
      "docket_number": "C-4426"
    },
    {
      "provision_number": "IV",
      "title": "Consumer Notification About Camera Security Flaw",
      "category": "affirmative_obligation",
      "summary": "Respondent must notify Affected Consumers about a camera flaw that allowed unauthorized access to Live Feed Information and provide instructions to remove the flaw, using multiple notification methods for 2-3 years.",
      "verbatim_text": "1. On or before ten (10) days after the date of service of this Order and for two (2) years after the date of service of this Order, posting of a notice on its website;\n\n2. On or before ten (10) days after the date of service of this Order and for three (3) years after the date of service of this Order, informing Affected Consumers who complain or inquire about a Camera; and\n\n3. On or before ten (10) days after the date of service of this Order and for three (3) years after the date of service of this Order, informing Affected Consumers who register, or who have registered, their Camera with respondent; and\n\nB. Provide prompt and free support with clear and prominent contact information to help consumers update and/or uninstall a Camera. For two (2) years after the date of service of this Order, this support shall include toll-free, telephonic and electronic mail support.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "02.14_trendnet",
      "company_name": "TRENDnet, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter",
      "docket_number": "C-4426"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to FTC various compliance-related documents, including Assessment materials for five years and other compliance documents for five years from preparation or dissemination.",
      "verbatim_text": "A. For a period of five (5) years after the date of preparation of each Assessment required under Part III of this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Part III of this Order, for the compliance period covered by such Assessment;\n\nB. Unless covered by V.A, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all other documents relating to compliance with this Order, including but not limited to: 1. All advertisements, promotional materials, installation and user guides, and packaging containing any representations covered by this Order, as well as all materials used or relied upon in making or disseminating the representation; and\n\n2. Any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.14_trendnet",
      "company_name": "TRENDnet, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter",
      "docket_number": "C-4426"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the Order to current and future subsidiaries, personnel, and service providers, and obtain signed acknowledgment of receipt within thirty days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this Order to all (1) current and future subsidiaries, (2) current and future principals, officers, directors, and managers, (3) current and future employees, agents, and representatives having responsibilities relating to the subject matter of this Order, and (4) current and future manufacturers and service providers of the Covered Products. Respondent shall deliver this Order to such current subsidiaries, personnel, manufacturers, and service providers within thirty (30) days after service of this Order, and to such future subsidiaries, personnel, manufacturers, and service providers within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VII, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.14_trendnet",
      "company_name": "TRENDnet, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter",
      "docket_number": "C-4426"
    },
    {
      "provision_number": "VII",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any corporate change that may affect compliance obligations, including dissolution, merger, creation of subsidiary, bankruptcy filing, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this Order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.14_trendnet",
      "company_name": "TRENDnet, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter",
      "docket_number": "C-4426"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a detailed written compliance report with the Commission within sixty days after service of Order, and submit additional reports within ten days of Commission request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent within sixty (60) days after the date of service of this Order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this Order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.14_trendnet",
      "company_name": "TRENDnet, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter",
      "docket_number": "C-4426"
    },
    {
      "provision_number": "IX",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The Order will terminate on January 16, 2034, or twenty years from the most recent date the United States or Commission files a complaint in federal court alleging violation of the Order, whichever comes later.",
      "verbatim_text": "This Order will terminate on January 16, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this Order that terminates in fewer than twenty (20) years; B. This Order’s application to any respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.14_trendnet",
      "company_name": "TRENDnet, Inc.",
      "date_issued": "2014-02-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter",
      "docket_number": "C-4426"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it uses, maintains, and protects the privacy, confidentiality, security, or integrity of covered information collected from or about consumers.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent, in or affecting commerce, shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent uses, maintains, and protects the privacy, confidentiality, security, or integrity of covered information collected from or about consumers, including but not limited to: A. Services for which consumers are being enrolled as part of any sign-up process; B. The extent to which respondent will share covered information with, or seek covered information from, third parties; and C. The purpose(s) for which covered information collected from third parties will be used.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.15_paymentsmd",
      "company_name": "PaymentsMD, LLC",
      "date_issued": "2015-02-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter",
      "docket_number": "C-4505"
    },
    {
      "provision_number": "II",
      "title": "Health Information Disclosure and Consent Requirements",
      "category": "affirmative_obligation",
      "summary": "Respondent must clearly and prominently disclose practices regarding health information collection and obtain affirmative express consent from consumers prior to collecting health information from a third party.",
      "verbatim_text": "A. Separate and apart from any final “end user license agreement,” “privacy policy,” “terms of use” page, or similar document, clearly and prominently disclose to consumers respondent’s practices regarding the collection, use, storage, disclosure or sharing of health information prior to seeking authorization to collect health information from a third party; and\n\nB. Obtain affirmative express consent from consumers prior to collecting health information from a third party.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.15_paymentsmd",
      "company_name": "PaymentsMD, LLC",
      "date_issued": "2015-02-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter",
      "docket_number": "C-4505"
    },
    {
      "provision_number": "III",
      "title": "Data Use Restrictions and Deletion Requirements",
      "category": "affirmative_obligation",
      "summary": "Respondent is restricted from using covered information collected prior to the order date except for health-related bill-payment or bill history services, and must delete or destroy all other covered information within 60 days.",
      "verbatim_text": "or affiliate owned or controlled by respondent, in or affecting commerce, shall not use, collect or permit any third party to use or collect any covered information pursuant to any authorization obtained prior to the date of service of this order from consumers registering for the Patient Portal, except for the sole purpose of offering any health-related bill-payment or bill history services. Within sixty (60) days after the date of service of the order, respondent shall permanently delete or destroy all covered information in respondent’s possession or control that was collected pursuant to such authorization by or on behalf of respondent from any third party for any purpose except for the offering of any health-related bill-payment or bill history services and shall provide a written statement to the Commission, sworn under penalty of perjury, confirming that all such information has been deleted or destroyed. Provided that, if respondent is prohibited from deleting or destroying such information by law, regulation, or court order, respondent shall provide a written statement to the Commission, sworn under penalty of perjury, identifying any information that has not been deleted or destroyed and the specific law, regulation, or court order that prohibits respondent from deleting or destroying such information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "02.15_paymentsmd",
      "company_name": "PaymentsMD, LLC",
      "date_issued": "2015-02-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter",
      "docket_number": "C-4505"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection and copying all documents relating to compliance with this order for a period of five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, for a period of five (5) years from the date of preparation or dissemination, whichever is later, a print or electronic copy of all documents relating to compliance with this order, including but not limited to: A. statements disseminated to consumers that describe the extent to which respondent maintains and protects the privacy, security and confidentiality of any covered information, including, but not limited to, any statement related to a change in any website or service controlled by respondent that relates to the privacy, security, and confidentiality of covered information, with all materials relied upon in making or disseminating such statements; B. all consumer complaints directed at respondent, or forwarded to respondent by a third party, that relate to the conduct prohibited by this order, and any responses to such complaints; and C. all forms, websites, and other methods used to obtain affirmative express consent to collect health information from third parties; and any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.15_paymentsmd",
      "company_name": "PaymentsMD, LLC",
      "date_issued": "2015-02-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter",
      "docket_number": "C-4505"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future subsidiaries, officers, directors, managers, and employees with relevant responsibilities, and secure signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person or subsidiary assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure.\n\nRespondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons or subsidiaries receiving a copy of the order pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.15_paymentsmd",
      "company_name": "PaymentsMD, LLC",
      "date_issued": "2015-02-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter",
      "docket_number": "C-4505"
    },
    {
      "provision_number": "VI",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate changes that may affect compliance obligations, including dissolution, merger, bankruptcy, or changes in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.15_paymentsmd",
      "company_name": "PaymentsMD, LLC",
      "date_issued": "2015-02-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter",
      "docket_number": "C-4505"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission detailing the manner and form of its compliance with this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.15_paymentsmd",
      "company_name": "PaymentsMD, LLC",
      "date_issued": "2015-02-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter",
      "docket_number": "C-4505"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate 20 years from the date of issuance (January 27, 2035) or 20 years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on January 27, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.15_paymentsmd",
      "company_name": "PaymentsMD, LLC",
      "date_issued": "2015-02-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter",
      "docket_number": "C-4505"
    },
    {
      "provision_number": "I",
      "title": "Prohibited Misleading Representations",
      "category": "prohibition",
      "summary": "Defendants must not misrepresent the extent to which they collect, use, maintain, or protect Covered Information, or the purpose of their collection, use, or disclosure of Covered Information.",
      "verbatim_text": "IT IS ORDERED that Defendants and Defendants’ officers, agents, employees, and attorneys, directly or through any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by Defendants, in or affecting commerce, must not misrepresent in any manner, expressly or by implication: A. The extent to which Defendants collect, use, maintain, or protect the privacy, confidentiality, or security of any Covered Information; or\n\nB. The purpose of their collection, use, or disclosure of Covered Information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "II",
      "title": "Notice and Affirmative Express Consent",
      "category": "affirmative_obligation",
      "summary": "Before collecting any Viewing Data, Defendants must provide prominent disclosures about data collection practices, obtain affirmative express consent, and provide instructions for revoking consent.",
      "verbatim_text": "A. Prominently disclose to the consumer, separate and apart from any “privacy policy,” “terms of use” page, or other similar document: (1) the types of Viewing Data that will be collected and used, (2) the types of Viewing Data that will be shared with third parties; (3) the identity or specific categories of such third parties; and (4) all purposes for Defendants’ sharing of such information;\n\nB. Obtain the consumer’s affirmative express consent (1) at the time the disclosure in Part II.A is made and (2) upon any material changes to the terms disclosed in Part II.A; and\n\nC. Provide instructions, at any time the consumer’s affirmative express consent is sought under Part II.B, for how the consumer may revoke consent to collection of Viewing Data.\n\nD. For the purposes of this Order, “Prominently” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways: 1. A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood. 2. An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it. 3. In any communication using an interactive electronic medium, such as in connection with an update to device firmware, the disclosure must be unavoidable. 4. The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the triggering representation appears. 5. The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications. 6. The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication. 7. When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, “ordinary consumers” includes reasonable members of that group.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "III",
      "title": "Data Deletion",
      "category": "affirmative_obligation",
      "summary": "Within 120 days of the Order, Defendants must destroy Viewing Data collected prior to March 1, 2016, with limited exceptions for government requests, legal requirements, or user consent.",
      "verbatim_text": "IT IS FURTHER ORDERED that within 120 days after entry of this Order, Defendants and Defendants’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, must destroy Viewing Data that has been collected prior to March 1, 2016. Provided, however, that such Viewing Data need not be destroyed, and may be disclosed, (A) to the extent requested by a government agency or required by law, regulation, or court order, including without limitation as required by rules applicable to the safeguarding of evidence in pending litigation, or (B) to the extent a user of a television associated with the Viewing Data has affirmatively consented to the collection, use, or disclosure thereof, consistent with Part II of this order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "IV",
      "title": "Mandated Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Defendants must establish, implement, and maintain a comprehensive written privacy program designed to address privacy risks and protect Covered Information, including designated personnel, risk assessments, controls, service provider oversight, and ongoing evaluation.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants must, no later than the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of Covered Information collected directly or indirectly by Defendants. Such program, the content and implementation of which must be documented in writing, must contain controls and procedures appropriate to Defendants’ size and complexity, the nature and scope of Defendants’ activities, and the sensitivity of the Covered Information, including:\n\nA. The designation of an employee or employees to coordinate and be responsible for the privacy program;\n\nB. The identification of reasonably foreseeable risks, both internal and external, that could result in Defendants’ unauthorized collection, use, or disclosure of Covered Information and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including: (1) employee training and management, including training on the requirements of this Order, and (2) product design, development, and research;\n\nC. The design and implementation of reasonable controls and procedures to address such risks and regular testing or monitoring of the effectiveness of those controls and procedures;\n\nD. The development and use of reasonable steps to select and retain service providers capable of appropriately protecting the privacy of Covered Information they receive from Defendants and requiring service providers, by contract, to implement and maintain appropriate privacy protections for such Covered Information; and\n\nE. The evaluation and adjustment of Defendants’ privacy program in light of the results of the testing and monitoring required by sub-provision C, any changes to Defendants’ operations or business arrangements, or any other circumstances that Defendants know or have reason to know may have an impact on the effectiveness of the privacy program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "V",
      "title": "Privacy Assessments by a Third Party",
      "category": "assessment",
      "summary": "Defendants must obtain initial and biennial third-party privacy assessments by a qualified independent professional approved by the FTC, covering specific content requirements, and must provide or retain assessments per specified timelines.",
      "verbatim_text": "A. The Assessments must be completed by a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. An individual qualified to prepare such Assessments must have a minimum of 3 years of experience in the field of privacy and data protection. All individuals selected to complete such Assessments must be approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission in his or her sole discretion. Any decision not to approve an individual selected to conduct such Assessments must be accompanied by a writing setting forth in detail the reasons for denying such approval.\n\nB. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment, and (2) each 2-year period thereafter for 20 years after the issuance date of the Order for the biennial Assessments.\n\nC. Each Assessment must: 1. Set forth the specific privacy controls that Defendants have implemented and maintained during the reporting period; 2. Explain how such privacy controls are appropriate to Defendants’ size and complexity, the nature and scope of Defendants’ activities, and the sensitivity of the Covered Information; 3. Explain how the privacy controls that have been implemented meet or exceed the protections required by the Provision of this Order titled Mandated Privacy Program; and 4. Certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Covered Information and that the controls have so operated throughout the reporting period.\n\nD. Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. Defendants must provide the initial Assessment to Plaintiffs within 10 days after the Assessment has been completed. Defendants must retain all subsequent biennial Assessments, at least until the Order terminates. Defendants must submit any biennial Assessments to Plaintiffs within 10 days of a request from a representative of Plaintiffs.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "VI",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "Defendants must pay $1,500,000 to the FTC and $1,000,000 to the New Jersey Division of Consumer Affairs; of the New Jersey amount, $700,000 is due within [8] days of the Order's effective date and the remaining $300,000 is suspended and automatically vacated after 5 years, conditioned on compliance.",
      "verbatim_text": "A. Defendants must pay to the Commission $1,500,000 within [8] days of the effective date of this Order by electronic fund transfer in accordance with instructions provided by a representative of the Commission.\n\nB. Defendants shall also pay the New Jersey Division of Consumer Affairs $1,000,000.00, which is comprised of $915,940.00 in civil penalties pursuant to N.J. Stat. Ann. § 56:8-13, and $84,060.00 in attorneys’ fees and investigative costs pursuant to N.J. Stat. Ann. § 56:8-11, -19 (“New Jersey Monetary Relief”).\n\nC. Defendants shall pay $700,000 of the New Jersey Monetary Relief to the New Jersey Division of Consumer Affairs within [8] days of the effective date of this Order by credit Case 2:17-cv-00758 Document 1-3 Filed 02/06/17 Page 9 of 17 PageID: 23 card, wire transfer, bank check, money order, certified check, or cashier’s check payable to “New Jersey Division of Consumer Affairs” and shall be forwarded to: Case Management Tracking, Division of Consumer Affairs, 124 Halsey Street – 7th Floor, Newark, New Jersey 07101.\n\nD. The balance of the New Jersey Monetary Relief, totaling $300,000, shall be suspended and automatically vacated at the expiration of five (5) years from the effective date of this order (“Suspended Penalty”), provided: a. Defendants comply in all material respects with Sections I through VI and Sections VIII through XI of this Order; b. Defendants do not engage in acts or practices in violation of the CFA.\n\nE. In the event Defendants fail to comply with Section VI, Paragraph D of this Order, the New Jersey Division of Consumer Affairs (“Division”) shall provide Defendants with written notice of default or noncompliance, seeking payment of any unpaid portion of the New Jersey Monetary Relief, as well as the Suspended Penalty (“Notice of Noncompliance”). 
In any such Notice of Noncompliance, the Division shall provide Defendants with the specific details of the alleged default or noncompliance, as well as any supporting documents, and shall afford Defendants a fifteen (15) day period from receipt of the Notice of Noncompliance to cure the default or noncompliance. The Division may move on short notice or by Order to Show Cause to have a judgment entered for any unpaid portion of the New Jersey Monetary Relief as well as the Suspended Penalty.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "VII",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Defendants relinquish all rights to transferred assets, agree that the facts alleged in the Complaint will be taken as true in any later litigation by Plaintiffs to enforce payment under the Order, and acknowledge that their Taxpayer Identification Numbers may be used for collecting and reporting on delinquent amounts.",
      "verbatim_text": "A. Defendants relinquish dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of any of Plaintiffs to enforce their rights to any payment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by or on behalf of any of Plaintiffs pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. Defendants acknowledge that their Taxpayer Identification Numbers, which Defendants have previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "VIII",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Defendants must submit a sworn acknowledgment of receipt within 10 days, deliver copies of the Order to principals, employees, and agents within specified timeframes, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Defendants, within 10 days of entry of this Order, must submit to Plaintiffs an acknowledgment of receipt of this Order under sworn penalty of perjury.\n\nB. For 5 years after the issuance date of this Order, Defendants must deliver a copy of this Order to: (1) all principals, officers, and directors; (2) all employees, agents, and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Defendant delivered a copy of this Order, that Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendants must submit a sworn compliance report one year after issuance, provide sworn notices within 14 days of certain changes, give notice of bankruptcy filings within 14 days, and follow specified submission procedures for both the FTC and New Jersey authorities.",
      "verbatim_text": "A. One year after the issuance date of this Order, Defendants must submit a compliance report, sworn under penalty of perjury, in which it must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of Plaintiffs may use to communicate with Defendants; (b) identify all of Defendants’ businesses by all of their names; (c) describe the activities of each business, including the goods and services offered; (d) describe in detail whether and how Defendants are in compliance with each Provision of this Order, including a discussion of all of the changes Defendants made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order to Plaintiffs, unless previously submitted.\n\nB. Defendants must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of any Corporate Defendants or any entity that Defendants have any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Defendants must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Defendants within 14 days of its Case 2:17-cv-00758 Document 1-3 Filed 02/06/17 Page 12 of 17 PageID: 26 filing.\n\nD. Any submission to Plaintiffs required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. The subject line must begin: In re VIZIO, Inc.\n\nF. Unless otherwise directed by an Attorney General and/or Director representative in writing, all submissions to the Attorney General and/or Director pursuant to this Order must be emailed to cmt@dca.lps.state.nj.us or sent by overnight courier (not the U.S. Postal Service) to: Case Management Tracking, Division of Consumer Affairs, 124 Halsey Street – 7th Floor, Newark, New Jersey 07101. The subject line must begin: In re VIZIO, Inc.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "X",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendants must create and retain specified records for 20 years after the Order issuance date, retaining each for at least 5 years, covering accounting, personnel, consumer complaints, representations, assessment materials, and all compliance documents.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the Case 2:17-cv-00758 Document 1-3 Filed 02/06/17 Page 13 of 17 PageID: 27 costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints regarding Defendants’ collection, use, maintenance, or protection of the privacy, confidentiality, or security of any Covered Information, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each representation by Defendants that describes Defendants’ collection, use, maintenance, or protection of the privacy, confidentiality, or security of any Covered Information.\n\nE. For 5 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Defendants, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Defendants’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment; and\n\nF. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to Plaintiffs.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "XI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "Plaintiffs may monitor Defendants' compliance by requesting additional sworn reports and records (due within 10 days), communicating directly with Defendants, interviewing anyone affiliated with them who agrees to be interviewed, and using other lawful investigative means, including posing as consumers or suppliers without identification or prior notice.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of Plaintiffs, Defendants must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Plaintiffs are authorized to communicate directly with Defendants. Defendants must permit representatives of Plaintiffs to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. Plaintiffs may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Defendants or any individual or entity affiliated with Defendants, without the necessity of identification or prior notice. Nothing in this Order limits Plaintiffs’ lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1, and the CFA, N.J. Stat. Ann. § 56:8-3, -4.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "XII",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court retain jurisdiction of this matter for purposes of construction, modification and enforcement of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.17_vizio_inc._and_vizio_inscape_services",
      "company_name": "VIZIO, Inc.",
      "date_issued": "2017-02-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc",
      "docket_number": "Case 2:17-cv-00758"
    },
    {
      "provision_number": "1",
      "title": "Reopening of Matter",
      "category": "acknowledgment",
      "summary": "The Commission orders the matter reopened pursuant to Section 5(b) of the FTC Act and the Commission's Rules of Practice.",
      "verbatim_text": "IT IS ORDERED that this matter be, and it hereby is, reopened; and",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.18_sears_holdings_management_corporation",
      "company_name": "Sears Holdings Management Corporation",
      "date_issued": "2018-02-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3099-c-4264-sears-holdings-management-corporation-corporation-matter",
      "docket_number": "C-4264"
    },
    {
      "provision_number": "2",
      "title": "Modification of 'Tracking Application' Definition",
      "category": "affirmative_obligation",
      "summary": "The definition of 'Tracking Application' in the original 2009 Order (Docket No. C-4264) is revised to exclude software that monitors, records, or transmits only: (a) its own configuration, (b) information about whether it is functioning as represented, or (c) information about consumers' use of the program or application itself.",
      "verbatim_text": "IT IS FURTHER ORDERED that the definition of “Tracking Application” be, and it hereby is, revised to read: 4. “Tracking Application” shall mean any software program or application disseminated by or on behalf of respondent, its subsidiaries or affiliated companies, that is capable of being installed on consumers’ computers and used by or on behalf of respondent to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted 23 Comment of Consumers Union et al. at 12. 24 Commenter Chris Hoofnagle appears to express concern about modifying the Order to exclude mobile applications completely. The Commission agrees with this concern, but believes the proposed modifications are a technology-neutral way to ensure that the Order’s requirements apply similarly to websites and mobile applications. The modified Order would still apply to mobile applications that tracked consumers in unexpected ways. 9 from, or transmitted to the computers on which it is installed, unless the information monitored, recorded, or transmitted is limited solely to the following: (a) the configuration of the software program or application itself; (b) information regarding whether the software program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.18_sears_holdings_management_corporation",
      "company_name": "Sears Holdings Management Corporation",
      "date_issued": "2018-02-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3099-c-4264-sears-holdings-management-corporation-corporation-matter",
      "docket_number": "C-4264"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Settling Defendant and all persons acting with it are permanently enjoined from misrepresenting that they have detected security or performance issues on a consumer's Electronic Device, or any other material fact concerning technical support goods or services.",
      "verbatim_text": "IT IS ORDERED that Settling Defendant, its officers, agents, and employees and all other Persons in active concert or participation with any of them, who receive actual notice of this Order, 2 Case 9:19-cv-80431-RLR Document 5 Entered on FLSD Docket 03/29/2019 Page 3 of 11 whether acting directly or indirectly, in connection with promoting, providing, distributing, selling, or offering for sale a technical support good or service are permanently restrained and enjoined from misrepresenting, expressly or by implication: A. That they have detected security or performance issues on a consumer’s Electronic Device, including viruses, infections, malware or symptoms of malware; or\n\nB. Any other fact material to consumers concerning such goods or services, such as their value or total costs, any material restrictions, limitations, or conditions, or any material aspect of the performance, efficacy, nature or central characteristics of such goods or services.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "II",
      "title": "Software Provider Review, Termination and Recordkeeping",
      "category": "affirmative_obligation",
      "summary": "Settling Defendant must review existing and prospective Software Providers for prohibited conduct, suspend or terminate non-compliant providers, and maintain records of all reviews and actions taken.",
      "verbatim_text": "A. Settling Defendant shall, within one hundred twenty (120) days of the date of entry of this Order, review whether each of Settling Defendant’s existing Software Providers, in the course of acting as a Software Provider, engages in any conduct described in Section I of this Order. If this review reveals that the Software Provider is engaging in any such conduct with respect to such services, Settling Defendant will immediately suspend services as necessary to stop such conduct, until further review establishes that the Software Provider is no longer engaging in any such conduct, or immediately terminate the Software Provider’s provision of technical support goods and services.\n\nB. If Settling Defendant becomes aware of any evidence or information suggesting that a Software Provider, in the course of acting as a Software Provider, is engaging in any conduct described in Section I of this Order, Settling Defendant shall perform an additional review of the Software Provider within thirty (30) days. If this review reveals that the Software Provider is 3 Case 9:19-cv-80431-RLR Document 5 Entered on FLSD Docket 03/29/2019 Page 4 of 11 engaging in any such conduct with respect to such services, Settling Defendant will immediately suspend services as necessary to stop such conduct, until further review establishes that the Software Provider is no longer engaging in any such conduct, or immediately terminate the Software Provider’s provision of technical support goods and services.\n\nC. Prior to entering into a business relationship with any prospective Software Provider, Settling Defendant shall conduct a review of whether the prospective Software Provider, in the course of providing technical support goods and services, has engaged, is engaging, or is likely to engage in any conduct described in Section I of this Order. 
Settling Defendant will not establish a business relationship with the prospective Software Provider if this review concludes that the prospective Software Provider is engaging or is likely to engage in any conduct described in Section I of this Order.\n\nD. Reviewing a Software Provider, for the purposes of Paragraphs A - C, above, must include steps reasonably calculated to determine whether a Software Provider, in the course of providing technical support goods and services, engages in any conduct described in Section I of this Order. Such steps may include obtaining and reviewing the Software Provider’s software, advertising and marketing materials, and consumer reviews, but need not include all of these steps.\n\nE. Settling Defendant shall create and maintain records of its reviews and any suspensions or terminations of the use or sale of technical support goods and services provided by each Software Provider, including documentation of the review process, procedures, and implementation, status, and outcome.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "III",
      "title": "Monetary Judgment",
      "category": "affirmative_obligation",
      "summary": "A monetary judgment of $25,000,000 is entered against Settling Defendant, to be paid to the FTC within 14 days of entry of the Order by electronic fund transfer.",
      "verbatim_text": "A. Judgment in the amount of twenty-five million dollars ($25,000,000) is entered in favor of the Commission against Settling Defendant as equitable monetary relief.\n\nB. Settling Defendant is ordered to pay the amount in Subsection A to the Commission within 14 days of entry of this Order by electronic fund transfer in accordance with instructions previously provided by a representative of the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "IV",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Settling Defendant relinquishes all rights to transferred assets, agrees that Complaint facts may be taken as true in future proceedings, acknowledges use of its tax ID for collections, and permits the FTC to use paid funds for equitable relief including consumer redress.",
      "verbatim_text": "A. Settling Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission, in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. Settling Defendant acknowledges that its Taxpayer Identification Numbers (Social Security Numbers or Employer Identification Numbers) may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.\n\nE. All money paid to the Commission pursuant to this Order may be deposited into a fund 5 Case 9:19-cv-80431-RLR Document 5 Entered on FLSD Docket 03/29/2019 Page 6 of 11 administered by the Commission or its designee to be used for equitable relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other equitable relief (including consumer information remedies) as it determines to be reasonably related to Settling Defendant’s practices alleged in the Complaint. Any money not used for such equitable relief is to be deposited to the U.S. Treasury as disgorgement. 
Settling Defendant has no right to challenge any actions the Commission or its representatives may take pursuant to this Subsection.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "V",
      "title": "Customer Information",
      "category": "affirmative_obligation",
      "summary": "Settling Defendant must provide sufficient customer information to enable the FTC to administer consumer redress, and must supply any requested information within 14 days of a written request.",
      "verbatim_text": "IT IS FURTHER ORDERED that Settling Defendant, its officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, are permanently restrained and enjoined from directly or indirectly from failing to provide sufficient customer information to enable the Commission to efficiently administer consumer redress. If a representative of the Commission requests in writing any information in the possession of Settling Defendant related to redress, Settling Defendant must provide it, in the form prescribed by the Commission, within 14 days.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Settling Defendant must submit a sworn acknowledgment of receipt of the Order within 7 days, deliver copies to key personnel within 7 days (and to future personnel before they assume responsibilities), and obtain signed acknowledgments from all recipients within 30 days.",
      "verbatim_text": "A. Settling Defendant, within 7 days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 3 years after entry of this Order, Settling Defendant must deliver a copy of this Order to: (1) all principals, officers, and directors; (2) all upper-level management, including vice- presidents, division heads, merchants, and store managers, who have managerial responsibilities for the advertising, modification or operation of diagnostic software programs, for use with retail customers, that purport to detect security or performance issues on consumers’ Electronic Devices; and (3) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within 7 days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Settling Defendant delivered a copy of this Order, Settling Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Settling Defendant must file a sworn compliance report one year after entry, submit sworn notices within 14 days of structural or contact changes for 10 years, notify the FTC of any bankruptcy filing within 14 days, and submit all required filings by email or overnight courier.",
      "verbatim_text": "A. One year after entry of this Order, Settling Defendant must submit a compliance report, sworn under penalty of perjury: 1. Settling Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Settling Defendant; (b) identify all of Settling Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, and the means of advertising, marketing, and sales; (d) describe in detail whether and how 7 Case 9:19-cv-80431-RLR Document 5 Entered on FLSD Docket 03/29/2019 Page 8 of 11 Settling Defendant is in compliance with each Section of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For 10 years after entry of this Order, Settling Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in: (a) any designated point of contact; or (b) the structure of Settling Defendant or any entity that Settling Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Settling Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Settling Defendant within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. Office Depot, Inc., et al.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Settling Defendant must create specified records for 10 years and retain each for 5 years, including accounting records, personnel records, consumer complaints, compliance documentation, and copies of all marketing materials.",
      "verbatim_text": "IT IS FURTHER ORDERED that Settling Defendant must create certain records for 10 years after entry of the Order, and retain each such record for 5 years. Specifically, Settling Defendant, in connection with marketing and selling computer security software or computer- related technical support services to retail customers, must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each Person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. records of all consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nE. a copy of each unique advertisement or other marketing material.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor Settling Defendant's compliance through written requests for reports and documents, depositions, direct communications with employees, and undercover investigative methods; Settling Defendant must respond within 21 days of written requests.",
      "verbatim_text": "A. Within 21 days of receipt of a written request from a representative of the Commission, Settling Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 9 Case 9:19-cv-80431-RLR Document 5 Entered on FLSD Docket 03/29/2019 Page 10 of 11 (including telephonic depositions), 31, 33, 34, 36, 45, and 69. Provided, however, that Settling Defendant, after attempting to resolve a dispute without court action and for good cause shown, may file a motion with this Court seeking an order for one or more of the protections set forth in Rule 26(c).\n\nB. For matters concerning this Order, the Commission is authorized to communicate directly with the Settling Defendant. Settling Defendant must permit representatives of the Commission to interview any employee or other Person affiliated with Settling Defendant who has agreed to such an interview. The Person interviewed may have counsel present.\n\nC. The Commission may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Settling Defendant or any individual or entity affiliated with Settling Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "X",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.20_office_depot",
      "company_name": "Office Depot, Inc.",
      "date_issued": "2020-02-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc",
      "docket_number": "9:19-cv-80431"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner its participation in privacy or security programs, the extent of any data incident, investigation results, data collection/use practices, or its overall protection of Personal Information.",
      "verbatim_text": "A. The extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard- setting organization;\n\nB. The extent of any Covered Incident or unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of Personal Information;\n\nC. The extent of any investigation and the results thereof, whether conducted by Respondent, a governmental agency, or a third party, into any Covered Incident or unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of Personal Information;\n\nD. The extent to which Respondent collects, maintains, uses, discloses, deletes, or permits or denies access to any Personal Information; and\n\nE. The extent to which Respondent otherwise protects the privacy, security, availability, confidentiality, orintegrity of any Personal Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "II",
      "title": "Required Notice to Consumers About Respondent's Security Incident Response",
      "category": "affirmative_obligation",
      "summary": "Within 14 days of the Order's effective date, Respondent must email all Affected Consumers an exact copy of the attached Exhibit A notice, with no additional information included.",
      "verbatim_text": "IT IS FURTHER ORDERED that,within fourteen (14) days after theeffective dateof this Order,Respondent must directly notify all Affected Consumers by sending an email, consisting solely of an exact copy of the notice attached hereto as Exhibit A(“Notice”), with the subject line“Update: May 2019 Data Exposure.” Respondent shall not include with the Notice any other information, documents, or attachments.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "III",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Within 30 days of Order issuance, Respondent must establish and maintain a comprehensive Information Security Program with specific safeguards including documentation, risk assessment, encryption, employee training, network monitoring, and service provider oversight.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent,in connection with the collection, maintenance, use,disclosure, or provision of access to Personal Information, must, within thirty (30) days of issuance of this Order, establish and implement, and thereafter maintain, a comprehensive Information Security Program (“Information Security Program”) that protects the security, confidentiality, and integrity ofPersonal Information. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Providethe written program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for Respondent’s Information Security Program at least once every twelve (12)months and promptly(not to exceedthirty(30)days)after aCovered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, at least once every twelve (12)months and promptly (not to exceed thirty (30)days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the (1) unauthorized collection, maintenance, use,disclosureof, or provision of access to, Personal Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Respondent identifies to the security, confidentiality, or integrityof Personal Information identified in response to sub-Provision III.D. 
Each safeguard must be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, use, disclosure of, or provision of access to, Personal Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information. Such safeguards must also include: 1. Policies, procedures, and technical measures to systematically inventory Personal Information in Respondent’s control and delete Personal Information that is no longer necessary; 2. Policies, procedures, and technical measures to log and monitor access to repositories of Personal Information in Respondent’s control; 3. Encryptionof, at a minimum,all passport numbers, financial account information, and Health Information in Respondent’s control. 4. Training of all of Respondent’s employees, at least once every twelve (12) months, on how to safeguard Personal Information; 5. Technical measures to monitor all of Respondent’s networks, includingall systems and assets within those networks,to identify data security events, including unauthorized attempts to exfiltrate Personal Information from those networks; and Page 4 of 12 6. Data access controls for all repositories of Personal Informationin Respondent’s control,such as (a) restricting inbound connections to approved IP addresses, (b) requiring authentication to access them, and (c) limiting employee access to what is needed to perform that employee’s job function.\n\nF. Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, the sufficiency of anysafeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and modify the Information SecurityProgram based on the results;\n\nG. 
Test and monitor the effectiveness of thesafeguards in placeat least once every twelve (12)months and promptly (not to exceedthirty(30)days) following a Covered Incident, and modifythe Information Security Program based on the results. Such testingand monitoringmust include: (1)vulnerability testing of Respondent’s network once every four (4) months and promptly (not to exceed thirty (30)days) after aCovered Incident, and(2) periodic penetration testing of Respondent’s network and promptly (not to exceed thirty (30)days) after aCovered Incident;\n\nH. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Respondent, and contractually require service providers to implement and maintain safeguards for Personal Information; and\n\nI. Evaluate and adjust the Information Security Program in light of any changes to Respondent’s operations or business arrangements, a Covered Incident, or any other circumstances that Respondent knows or has reason to knowmay have an impact on the effectiveness of the Information Security Program. At a minimum, Respondent must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "IV",
      "title": "Information Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party information security assessments covering compliance with the Information Security Program, conducted by a qualified independent assessor, with the initial assessment submitted to the FTC within 10 days of completion.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; and (3)retains all documents relevant to each Assessment for five (5) years after completion of such Assessment and will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whothe Associate Director shall have the authority to approve in his sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each two-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.\n\nD. Each Assessment must,for the entire assessment period: 1. determine whether Respondent has implemented and maintained the Information Security Program required by Provision III; 2. assess the effectiveness of Respondent’s implementation and maintenance of sub- Provisions III.A-I; 3. identify any gaps or weaknesses in, or instances of material noncompliance with,the Information Security Program; 4. address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and 5. 
identify specific evidence (including, but not limited to,documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely solely on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely solely on assertions or attestations by Respondent’s management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent Respondent revises, updates, or adds one or more safeguards required under Provision III in the middle of an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. Each Assessment must be completed withinsixty(60)days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit theinitial Assessment to the Commission within ten(10)days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director forEnforcement, Bureau of Consumer Protection, Federal Trade Commission, Page 6 of 12 600 Pennsylvania AvenueNW,Washington, DC 20580. 
The subject line must begin, “In re SkyMed International,FTC File No.1923140.” All subsequent biennial Assessments must be retained by Respondent until the Order is terminated and provided to the Associate Director for Enforcement within ten(10)days ofrequest.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "V",
      "title": "Cooperation with Third-Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondent must fully cooperate with the Assessor by providing all relevant information, network and IT asset visibility, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;\n\nB. Provide orotherwise make available to the Assessor information about Respondent’s networks and all of Respondent’s IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the networks and IT assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication,any fact material to the Assessor’s: (1) determination of whether Respondent has implementedand maintainedthe Information Security Program required by Provision III; (2) assessment of the effectiveness of theimplementationand maintenance of sub-Provisions III.A-I; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with,the Information Security Program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "VI",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Each year after Order issuance, Respondent must provide the FTC with a sworn certification from a senior corporate manager or officer confirming compliance with the Order, disclosing any uncorrected noncompliance, and describing all Covered Incidents during the period.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Information Security Program that: (1) Respondent has established, implemented, and maintained the requirements of this Order; (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents that Respondent verified or confirmed during the certified period. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re SkyMed International, FTC File No.1923140.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "VII",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 30 days of discovering a Covered Incident, Respondent must submit a detailed report to the FTC covering the incident's date, facts, types of information affected, number of consumers affected, remediation steps taken, and copies of consumer notices sent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within thirty (30) days after Respondent’s discovery of a Covered Incident, must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known; C. A description of each type of information that was affected or triggered any notification obligation to the U.S. federal, state, or local government entity; D. The number of consumers whose information triggered any notification obligation to the U.S. federal, state, or local government entity; E. The acts that Respondent has taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of each materially different notice sent by Respondent to consumers or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re SkyMed International, FTC File No.1923140.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "VIII",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt to the FTC within 10 days, deliver copies of the Order to all principals, officers, employees, and agents within required timeframes, and obtain signed acknowledgments from each within 30 days.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order, and all agents, and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in Provision IX. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file a sworn compliance report one year after Order issuance, submit sworn notices within 14 days of any change in contact information or corporate structure, notify the FTC within 14 days of any bankruptcy filing, and ensure all sworn submissions are accurate and comply with 28 U.S.C. § 1746.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (2) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services offered, what Personal Information is collected, and the means of advertising, marketing, and sales; (4) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes that Respondent made to comply with the Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re SkyMed International, FTC File No.1923140.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "X",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified records for 20 years after Order issuance (with a 5-year retention period per record), including accounting records, personnel records, consumer complaints, marketing materials, privacy representations, Assessment materials, law enforcement communications, and all compliance records.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name, addresses, telephone numbers, job title or position, dates of service, and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each unique advertisement or other marketing material making a representation subject to this Order;\n\nE. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security, availability, confidentiality, or integrity of any Personal Information, including any representation concerning a change in any website or other service controlled by Respondent that relates to privacy, security, availability, confidentiality, or integrity of Personal Information;\n\nF. For five (5) years after the date of preparation of each Assessment required by this Order, all materials and evidence that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nG. For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondent’s compliance with this Order;\n\nH. 
For five (5) years from the date created or received, all records, whether prepared by or on behalf of Respondent, that tend to show any lack of compliance by Respondent with this Order; and\n\nI. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "XI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondent's compliance by requesting additional reports and records, communicating directly with and interviewing Respondent's personnel, and using any other lawful investigative means including undercover contacts.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "XII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC website and terminates 20 years from issuance, or 20 years from the most recent date a complaint alleging a violation is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance, (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.21_skymed_international",
      "company_name": "SkyMed International, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter",
      "docket_number": "C-4732"
    },
    {
      "provision_number": "I",
      "title": "Prohibited Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, expressly or by implication, any aspect of its collection, use, security, or disclosure of Covered Information, or any security features of its Meeting Services.",
      "verbatim_text": "IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication: A. Respondent’s collection, maintenance, use, deletion, or disclosure of any Covered Information;\n\nB. The security features, or any feature that impacts a Third-Party Security Feature, included in any Meeting Service, or the material changes included in any updates thereof;\n\nC. The extent to which Respondent protects any Covered Information from unauthorized access;\n\nD. The extent to which a User can control the privacy or security of any Covered Information collected and maintained by Respondent, and the steps the User must take to implement such controls;\n\nE. The categories of third parties to which Respondent makes Covered Information accessible; or\n\nF. The extent to which Respondent otherwise maintains the privacy, security, confidentiality, or integrity of Covered Information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "II",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive information security program within 60 days of the order, addressing risk assessment, safeguards, software security reviews, vulnerability management, data deletion, credential protections, security training, monitoring, incident response, and service provider oversight.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, and any business that Respondent controls directly or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must, within sixty (60) days of issuance of this order, establish and implement, and thereafter maintain, a comprehensive information security program (“Program” or “Information Security Program”) that protects the security, confidentiality, and integrity of such Covered Information. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Program, including all processes and procedures that will be used to implement all Program policies and safeguards;\n\nB. Provide the written Program and any material evaluations thereof or material updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for Respondent’s Program at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Program;\n\nD. Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in the (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nE. 
Design, implement, maintain, and document safeguards that control for the internal and external risks Respondent identifies to the security, confidentiality, and integrity of Covered Information identified in response to sub-Provision II.D. Each safeguard must 4 be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information.\n\n1. Implementing a security review by Zoom Security Personnel designated by Respondent of all new Meeting Services software or software updates, prior to release that, at a minimum, includes: a. Policies, procedures, and any applicable technical measures for reviewing all new Meeting Service software or software updates for commonly known vulnerabilities, including those identified by the Open Web Application Security Project (OWASP) and critical or high severity vulnerabilities in the National Vulnerability Database (NVD), and remediating or otherwise mitigating any such vulnerabilities; b. 
Policies, procedures, and any applicable technical measures to: (i) determine whether any new Meeting Services software or software update is designed to circumvent or bypass, in whole or in part, any Third-Party Security Feature such that the Third-Party Security Feature no longer provides the same protection(s) for Users against the risk of unauthorized access, collection, disclosure, use, misuse, loss, theft, alteration, destruction, or other compromise of Users’ Covered Information; and (ii) assess the risk of unauthorized access, collection, disclosure, use, misuse, loss, theft, alteration, destruction, or other compromise of the User’s Covered Information that will result from such circumvention or bypass, based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized; and c. Policies, procedures, and any applicable technical measures so that Respondent will not implement any new Meeting Services software or software update that has been identified under Part II.E.1.b(i) of this Order as designed to circumvent or bypass a Third-Party Security Feature, unless: (i) Zoom Security Personnel determine that the bypass or circumvention does not create a material risk of unauthorized access, collection, disclosure, use, misuse, loss, theft, alteration, destruction, or other compromise of Users’ Covered Information; or (ii) Respondent implements security measure(s) that offset or otherwise mitigate the risk(s) of unauthorized access, collection, disclosure, use, misuse, loss, theft, alteration, destruction, or other compromise of Users’ Covered Information that were identified under Part II.E.1.b(ii) of this Order;\n\n2. Implementing a vulnerability management program that includes: a. Conducting vulnerability scans of Respondent’s networks and systems on at least a quarterly basis; and 5 b. 
Policies, procedures, and any applicable technical measures for remediating or otherwise mitigating any critical or high severity vulnerabilities promptly (but in no event later than thirty (30) days after the vulnerability is detected), unless Respondent documents its rationale for not doing so;\n\n3. Implementing a default, randomized naming convention for recorded Meetings that are to be stored on Users’ local devices, and instructing Users to employ a unique file name when saving such recorded Meetings;\n\n4. Policies, procedures, and any applicable technical measures to: (a) systematically classify and inventory Covered Information in Respondent’s control; (b) log and monitor access to repositories of Covered Information in Respondent’s control; and (c) limit access to Covered Information by, at a minimum, limiting employee and service provider access to Covered Information to what is needed to perform that employee or service provider’s job function;\n\n5. Data deletion policies, procedures, and any applicable technical measures, including validating that all copies of Covered Information identified for deletion are deleted within thirty-one (31) days;\n\n6. Policies, procedures, and any applicable technical measures designed to reduce the risk of online attacks resulting from the misuse of valid Credentials by unauthorized third parties, including: (a) requiring Users to secure their accounts with strong, unique passwords; (b) using automated tools to identify non-human login attempts; (c) rate-limiting login attempts to minimize the risk of a brute force attack; and (d) implementing password resets for known compromised Credentials;\n\n7. Regular security training programs, on at least an annual basis, that are updated, as applicable, to address internal or external risks identified by Respondent under sub- Provision II.D of this Order, and that include, at a minimum: a. 
Security awareness training for all employees on Respondent’s security policies and procedures, including the requirements of this Order and the process for submitting complaints and concerns; and b. Training in secure software development principles, including secure engineering and defensive programming concepts, for developers, engineers, and other employees that design Respondent’s products or services or that are otherwise responsible for the security of Covered Information;\n\n8. Technical measures to monitor all of Respondent’s networks, systems, and assets within those networks to identify anomalous activity and/or data security events on Respondent’s network, including unauthorized attempts to exfiltrate Covered Information from Respondent’s networks;\n\n9. Incident response policies, procedures, and any applicable technical measures, including centralized log management and documenting remedial security actions;\n\n10. Technical measures designed to safeguard against unauthorized access to any network or system that stores, collects, maintains, or processes Covered Information, such as properly configured firewalls; properly configured physical or logical segmentation of networks, systems, and databases; and securing of remote access to Respondent’s networks through multi-factor authentication or similar technology except for when accessing such networks is for the purpose of using Meeting Services; and\n\n11. Protections, such as encryption, tokenization, or other same or greater protections, for Covered Information collected, maintained, processed, or stored by Respondent, including in transit and at rest;\n\nF. Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the security, confidentiality, and integrity of Covered Information, and modify the Program based on the results;\n\nG. 
Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, and modify the Program based on the results. Such testing and monitoring must include penetration testing of Respondent’s network at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;\n\nH. Select and retain service providers capable of safeguarding Covered Information they access through or receive from Respondent, and contractually require service providers to implement and maintain safeguards for Covered Information sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information;\n\nI. Consult with, and seek appropriate guidance from, independent, third-party experts on data protection in the course of establishing, implementing, maintaining, and updating the Program; and\n\nJ. Evaluate and adjust the Program in light of any changes to Respondent’s operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in sub-Provision II.D of this Order, or any other circumstances that Respondent knows or has reason to know may have a material impact on the effectiveness of the Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Program at least once every twelve (12) months and modify the Program as necessary based on the results.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "III",
      "title": "Independent Program Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party assessments of its Information Security Program from a qualified, independent Assessor, covering specified reporting periods, with findings submitted to the FTC.",
      "verbatim_text": "A. The Assessments must be obtained from one or more qualified, objective, independent third-party professionals (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Program; and (3) retains all documents relevant to each Assessment for five (5) years after completion of such Assessment and (4) will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim;\n\nB. For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name(s), affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in her or his sole discretion;\n\nC. The reporting period for the Assessments must cover: (1) the first one hundred eighty (180) days after the Information Security Program has been put in place for the initial Assessment; and (2) each two-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments;\n\nD. Each Assessment must, for the entire assessment period: 1. Determine whether Respondent has implemented and maintained the Information Security Program required by Provision II of this Order, titled Mandated Information Security Program; 2. Assess the effectiveness of Respondent’s implementation and maintenance of sub- Provisions II.A-J; 3. Identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; 4. 
Address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and 5. Identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondent’s management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Respondent revises, updates, or adds one or more safeguards required under Provision II of this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard; and\n\nE. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. 
The subject line must begin, “In re Zoom Video Communications, Inc., FTC File No. 192 3167.” All subsequent biennial Assessments must be retained by Respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "IV",
      "title": "Cooperation with Third Party Assessor(s)",
      "category": "affirmative_obligation",
      "summary": "Respondent must fully cooperate with the third-party Assessor by providing all relevant information, network/IT asset visibility, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Assessor information about Respondent’s networks and all of Respondent’s IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the networks and IT assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondent has implemented and maintained the Information Security Program required by Provision II of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions II.A-J; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "V",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondent must annually provide the FTC with a certification from a senior corporate manager or officer confirming compliance with the Order and disclosure of any material noncompliance.",
      "verbatim_text": "A. One (1) year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Information Security Program that: (1) Respondent has established, implemented, and maintained the requirements of this Order; and (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Zoom Video Communications, Inc., FTC File No. 192 3167.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "VI",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a detailed report to the FTC within 30 days of discovering a Covered Incident (but no later than 10 days after first notifying any government entity), including incident details, affected information types, consumer count, remediation steps, and copies of notices.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within thirty (30) days after the date of Respondent’s discovery of a Covered Incident, but in any event no later than ten (10) days after the date Respondent first notifies any U.S. federal, state, or local government entity of the Covered Incident, must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of Covered Information that was affected or triggered any notification obligation to the U.S. federal, state, or local government entity; D. The number of consumers whose information was affected or that triggered the notification obligation to the U.S. federal, state, or local government entity; E. The acts that Respondent has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of any materially different notice sent by Respondent to consumers or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 10 Washington, DC 20580. The subject line must begin: “In re Zoom Video Communications, Inc., FTC File No. 192 3167.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "VII",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt of this Order, deliver copies to all relevant personnel and new hires, and collect signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order, sworn under penalty of perjury;\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (a) all principals, officers, directors, and LLC managers and members; (b) all employees, agents, and representatives with managerial responsibilities related to the subject matter of the Order; and (c) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities;\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn annual compliance report one year after issuance, provide timely notices of changes to contact information or corporate structure, and notify the FTC of any bankruptcy filings.",
      "verbatim_text": "A. One (1) year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, and the means of collection, maintenance, use, deletion, or disclosure of information; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission;\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (a) any designated point of contact; or (b) the structure of the Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising 11 under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order;\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within fourteen (14) days of its filing;\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature; and\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Zoom Video Communications, Inc., FTC File No. 192 3167.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain for 5 years specified records including accounting records, personnel records, consumer complaints, compliance documentation, representations about Covered Information, and Assessment materials.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for five (5) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies of all U.S. consumer complaints that were submitted to Respondent and relate to the subject matter of the Order, and any response(s) to such complaints;\n\nD. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission;\n\nE. A copy of each widely disseminated and materially different representation by Respondent that describes (a) Respondent’s collection, maintenance, use, deletion, or disclosure of any Covered Information; (b) the security features, or any features that impact a Third-Party Security Feature, included in any Meeting Service, or the changes included in any updates thereof; (c) the extent to which Respondent protects Covered Information from unauthorized access, including any representation on any website or other service controlled by Respondent that relates to the privacy, security, 12 confidentiality, and integrity of Covered Information; (d) the extent to which a User can control the privacy or security of Covered Information and the steps the User must take to implement such controls; and (e) the categories of third parties to which Respondent makes Covered Information accessible; and\n\nF. 
For five (5) years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "X",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor Respondent's compliance by requesting reports and records, conducting interviews, and using other lawful investigative means including undercover interactions.",
      "verbatim_text": "A. Within fourteen (14) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, appear for depositions, and produce records for inspection and copying;\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present; and\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "XI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order is effective upon publication on the FTC website and terminates 20 years from issuance or 20 years from the most recent federal court complaint alleging a violation of the Order, whichever is later, with specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; 13 B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.21_zoom_video_communications",
      "company_name": "Zoom Video Communications, Inc.",
      "date_issued": "2021-02-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter",
      "docket_number": "C-4731"
    },
    {
      "provision_number": "I",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish, implement, and maintain a comprehensive information security program within 60 days of the Order's effective date, meeting detailed minimum requirements across documentation, risk assessment, safeguards, training, encryption, access controls, and data minimization.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, and any business that Respondents control directly, or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Personal Information, must, within sixty (60) days of the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Personal Information. To satisfy this requirement, Respondents must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Designate a qualified employee responsible for coordinating, overseeing, and implementing the Information Security Program and enforcing the Information Security Program (“Qualified Individual”);\n\nC. Require the Qualified Individual to report in writing to Respondents’ board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondents responsible for Respondents’ Information Security Program at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident, if any. The report must include the following information: 1. The overall status of the Information Security Program and Respondents’ compliance with this Provision, including by providing the written program and any evaluations thereof or updates thereto; and 2. 
Material matters related to the Information Security Program, addressing issues such as risk assessment, risk management, and control decisions; service provider arrangements; results of testing, including any testing conducted pursuant to sub-Provision G of this Provision; Covered Incidents or violations of Respondents’ information security policies or procedures and management’s responses thereto; and recommendations for changes in the Information Security Program.\n\nD. Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, reasonably foreseeable internal and external risks to the security, confidentiality, or integrity of Personal Information within the possession, custody, or control of Respondents that could result in the (1) unauthorized collection, maintenance, use, or disclosure of, provision of access to, or destruction of, Personal Information; or (2) misuse, loss, theft, alteration, or other compromise of such information. The risk assessments must be written and must include: 1. Criteria for the evaluation and categorization of identified security risks or threats Respondents face; 2. Criteria for the assessment of the confidentiality, integrity, and availability of Respondents’ networks, systems, and assets and Personal Information, including the adequacy of the existing controls in the context of the identified risks or threats Respondents face; and 3. Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Information Security Program will address the risks.\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks identified in response to sub-Provision I.D. 
Each safeguard must be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, use, or disclosure of, provision of access to, or destruction of, Personal Information; or (2) misuse, loss, theft, alteration, or other compromise of such information. Such safeguards must also include: 1. Policies, procedures, standards, and technical measures to systematically inventory Personal Information in Respondents’ control, including policies, procedures, and technical measures to track and inventory the transfer and storage of Personal Information among and within Respondents’ various networks, systems, and assets; 2. Policies, procedures, standards, and technical measures to log and monitor access to networks, systems, and assets in Respondents’ control; 3. Policies, procedures, standards, and technical measures to monitor all of Respondents’ networks, systems, and assets to identify and log anomalous activity and/or data security events, including unauthorized attempts to access or exfiltrate Personal Information from Respondents’ networks, systems, and assets. Such measures must require Respondents to determine baseline system activity, identify and respond to anomalous events and unauthorized attempts to access or exfiltrate Personal Information, and verify the effectiveness of monitoring and logging; 4. Technical, organizational, and, as appropriate, physical controls to: a. 
Safeguard against unauthorized access to any network, system, or asset in Respondents’ control that stores, collects, maintains, or processes Personal Information, including properly configured firewalls; intrusion detection and prevention systems configured to identify and prevent unauthorized access to networks, systems, or assets that store, process, or connect to networks, systems, or assets that store or process Personal Information; file integrity monitoring tools; data loss prevention tools; properly configured physical or logical segmentation of networks, systems, and databases; restricting inbound connections to approved IP addresses; requiring that connections to the network, system, or asset are authenticated and encrypted; preventing the storage of unsecured access keys or other unsecured credentials on Respondents’ networks, systems, or assets, or in any cloud-based services; requiring and enforcing strong passwords and other credentials; and b. Limit Authorized Users’ access only to Personal Information that they need to perform their duties and functions, or, in the case of consumers, to access their own information, periodically audit Authorized Users’ levels of access based on their need to know, and terminate access within 30 days following a change in Authorized Users’ need to know (including because of the termination of employment or contract) or if Authorized Users engage in inappropriate access or usage; 5. Policies and procedures to document in writing the content, implementation, and maintenance of an incident response plan designed to ensure the identification of, investigation of, and response to the unauthorized access to Personal Information. Such incident response plan must include policies and procedures to ensure the timely investigation of data security events and the timely remediation of critical and high-risk vulnerabilities. 
Respondents must revise and update this incident response plan to adapt to any changes to their networks, systems, and assets; 6. Regular security training programs, on at least an annual basis, that are updated, as applicable, to address internal or external risks identified by Respondents under sub-Provision I.D of this Order, and that include, at a minimum: a. Security awareness training for all employees and service providers who have access to networks, systems, or assets that contain Personal Information on Respondents’ security policies and procedures, including the requirements of this Order, to be conducted when an employee begins employment or takes on a new role in which the employee has access to networks, systems, or assets that contain Personal Information, and on at least an annual basis thereafter; b. For information security personnel, security updates and training sufficient to address relevant security risks; and c. For developers, engineers, other employees, and service providers with job duties that relate to the development, design, implementation, updating, modification, or operation of systems or software that Respondents use to provide products or services, training in secure development principles, including secure engineering and defensive programming concepts; 7. Utilizing qualified information security personnel employed by Respondents or an affiliate or service provider sufficient to manage Respondents’ information security risks and to perform or oversee the Information Security Program, and verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures; 8. 
Protecting by encryption, at a minimum, all information about or derived from an individual’s government-issued identification documents or credentials, such as an image of a driver’s license, state identification card, or passport, or a driver’s license number, military identification number, passport number, or Social Security number, dates of birth, messages exchanged by users, and user account credentials held or transmitted by Respondents both in transit over external networks and at rest, except that, to the extent Respondents determine that encryption of this information, either in transit over external networks or at rest, is infeasible or would increase the risk of unauthorized access to consumers’ Personal Information, Respondents may instead secure such information using effective alternative compensating controls reviewed and approved by the Qualified Individual; 9. Adopting secure development practices and procedures for in-house developed applications utilized by Respondents for transmitting, accessing, or storing Personal Information and for evaluating, assessing, or testing the security of externally developed applications that Respondents utilize to transmit, access, or store Personal Information; 10. Adopting and implementing procedures for Change Management that apply to all networks, systems, and assets that contain Personal Information, which must include the following requirements as to each change subject to Change Management procedures: a. The change must be implemented by applying source code or configuration files to a network, system, or asset; b. The source code or configuration files required by sub-Provision I.E.10.a must be reviewed and approved, prior to their application, by a person with appropriate training or expertise other than the person proposing, planning, or implementing the change; and c. 
The means by which the reviewed code or configuration files are applied must be programmatic or automated, rather than manual, unless: i. The Qualified Individual makes a written determination that programmatic or automated application is impossible, and that such impossibility cannot be remedied without increased risk of unauthorized access to consumers’ Personal Information; and ii. Respondents develop and implement alternative procedures, specifically approved and documented by the Qualified Individual, to ensure that the manual application of reviewed code or configuration files does not result in the introduction of error. 11. Requiring Multi-Factor Authentication for any of Respondents’ employees or contractors to access any information system in Respondents’ control that is used, in whole or in part, to store, collect, or transmit Personal Information, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls; and 12. Developing, implementing, and maintaining policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures. Such policies and procedures must include the secure disposal of Personal Information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the consumer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, including to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; to comply with the consumer’s request; where the information is otherwise required to be retained by law or regulation; or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. 
To the extent Respondents retain information for longer than two years after the last date the information is used in connection with the provision of a product or service to the consumer to which it relates, Respondents must document in writing the legitimate business purpose for which Respondents retain such information and must delete such information upon the conclusion of the stated business purpose. Respondents must periodically review Respondents’ data retention policy to minimize the unnecessary retention of data;\n\nF. Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, and modify the Information Security Program based on the results. Such testing and monitoring must include vulnerability testing of Respondents’ networks, systems, and assets once every four (4) months and promptly (not to exceed thirty (30) days) after a Covered Incident, and penetration testing of Respondents’ networks, systems, and assets at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;\n\nH. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Respondents, including by implementing policies and procedures to adequately vet and assess the service providers’ data security practices prior to contracting with the service providers and periodically thereafter. 
Respondents must also contractually require service providers to (1) provide regular security training programs to their employees; and (2) implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Personal Information; and\n\nI. Evaluate and adjust the Information Security Program in light of any material changes to Respondents’ operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in Provision I.D of this Order, or any other circumstances that Respondents know or have reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, Respondents must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "II",
      "title": "Information Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial independent third-party assessments of their Information Security Program, with the Assessor approved by the FTC, covering the first 180 days and each two-year period thereafter for 20 years, and submit reports to the Commission.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third- party professional (“Assessor”), who (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; and (3) retains all documents relevant to each Assessment for five (5) years after completion of such Assessment and will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. The Assessor may not withhold any documents relating to Assessments of Respondents from the Commission on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory protection, or any similar claim.\n\nB. For each Assessment, Respondents must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director will have the authority to approve in her or his sole discretion.\n\nC. The reporting period for the Assessments must cover (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each two-year period thereafter for twenty (20) years after issuance of the Order for the biennial 12 Assessments.\n\nD. Each Assessment must, for the entire assessment period: 1. Determine whether Respondents have implemented and maintained the Information Security Program required by Provision I of this Order, titled Mandated Information Security Program; 2. Assess the effectiveness of Respondents’ implementation and maintenance of sub-Provisions I.A-I; 3. Identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; 4. 
Address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and 5. Identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondents’ size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondents’ management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondents’ management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Respondents revise, update, or add one or more safeguards required under Provision I of this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondents must submit an unredacted copy of the initial Assessment and a proposed redacted copy suitable for public disclosure to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. 
Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Global Tel*Link Corporation, FTC File No. 2123012.” Respondents must retain an unredacted copy of each subsequent biennial Assessment as well as a proposed redacted copy of each subsequent biennial Assessment suitable for public disclosure until the order is terminated and must provide each such Assessment to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "III",
      "title": "Cooperation with Third-Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondents must fully cooperate with the third-party Assessor by providing all relevant information, network visibility, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Assessor information about Respondents’ network(s), systems, and assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s), systems, and assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s (1) determination of whether Respondents have implemented and maintained the Information Security Program required by Provision I of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions I.A-I; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "IV",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondents must annually provide the FTC with a certification from a senior corporate manager attesting to compliance with the Order, absence of uncorrected material noncompliance, and describing any Covered Incidents during the certified period.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondents responsible for Respondents’ Information Security Program that (1) Respondents have established, implemented, and maintained the requirements of this Order; (2) Respondents are not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents during the certified period. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all 14 annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Global Tel*Link Corporation, FTC File No. 2123012.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "V",
      "title": "Credit Monitoring and Identity Protection Product",
      "category": "affirmative_obligation",
      "summary": "Respondents must provide Affected Consumers with enrollment in an FTC-approved credit monitoring and identity protection product for two years, including daily credit monitoring, dark web alerts, identity theft insurance, and accessible enrollment for incarcerated consumers.",
      "verbatim_text": "A. The Product must be offered, provided, and maintained by an independent third party (the “Third Party”) that has been approved by the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission. Within 14 days of the effective date of this Order, Telmate and its successors and assigns must provide the name and qualifications of the Third Party to: DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Global Tel*Link Corporation, FTC File No. 2123012.”\n\nB. Within one hundred and twenty (120) days of receiving approval of the Third Party from the Associate Director for Enforcement for the Bureau of Consumer Protection, Telmate and its successors and assigns must: 1. Instruct or otherwise cause the Third Party to provide to each Affected Consumer receiving a notice pursuant to Section IX.B the means to register for or access the Product, such as an activation code; and 2. Provide the Third Party with sufficient information regarding Affected Consumers to enable the Third Party to efficiently identify and communicate with each Affected Consumer, including, to the extent known, information regarding whether any Affected Consumer is currently incarcerated; if so, in what Facility.\n\nC. After complying with sub-Provision B of this Provision, Telmate and its successors and assigns must, within thirty (30) days of learning the identity of an additional Affected Consumer, learning of any reason to believe that an Affected Consumer has not received the means to register for or access the Product, instruct or otherwise cause the Third Party to provide each such Affected Consumer with the means to register for or access the Product.\n\nD. 
Telmate and its successors and assigns must require the Third Party to communicate with each Affected Consumer using methods of communication that are reasonably calculated to reach that consumer, including in light of the consumer’s incarceration status. The Third Party must be able to send and receive communications to and from consumers by mail.\n\nE. To the extent that Respondents provide communications services, including voice or telephone services or services related to incarcerated consumers’ ability to send and receive mail, in any Facility in which any Affected Consumer is incarcerated, Respondents will coordinate in good faith with Facilities to allow Affected Consumers who are incarcerated to enroll in the Product via those communication services, including by requesting that Facilities add a telephone number that can be used for enrollment in the Product to the approved call list. Respondents will make reasonable efforts to ensure that calls and mail between Third Party and Affected Consumers are free of charge.\n\nF. Affected Consumers must be eligible to enroll in the Product for a period of at least ninety (90) days following receipt of information from the Third Party about how to register for or access the Product. Telmate and its successors and assigns must cause the Third Party to provide each such Affected Consumer with two (2) years of enrollment in the Product beginning on the date that the Affected Consumer registers for the Product.\n\nG. The Product must include: 1. An option for Affected Consumers incarcerated in Facilities to receive automated credit monitoring alerts generated by the Product via a mechanism that is simple, accessible, secure, and free of charge to Affected Consumers and the Third Party, such as by providing a mechanism by which Affected Consumers can receive alerts by mail; 2. 
Daily Consumer Report monitoring from each of the three Nationwide Consumer Reporting Agencies showing key changes to one or more of an Affected Consumer’s Consumer Reports, including automated alerts when the following occur: new accounts are opened; inquiries or requests for an Affected Consumer’s Consumer Report for the purpose of obtaining credit, including for new credit card applications; changes to an Affected Consumer’s address; and negative information, including delinquencies or bankruptcies; 3. Automated alerts, using public or proprietary data sources: a. When data elements submitted by an Affected Consumer for monitoring, such as Social Security numbers, email addresses, or credit card numbers, appear on suspicious websites, including websites on the “dark web;” b. When names, aliases, and addresses have been associated with the Affected Consumer’s Social Security number in connection with information reported to the Consumer Reporting Agencies; c. When a payday loan or certain other unsecured credit has been taken or opened using the Affected Consumer’s Social Security number; d. When banking activity is detected related to new deposit account applications, opening of new deposit accounts, changes to an Affected Consumer’s personal information on an account, and new signers being added to an Affected Consumer’s account; and e. When a balance is reported on an Affected Consumer’s credit line that has been inactive for at least six months; 4. One Million Dollars ($1,000,000) in identity theft insurance to cover costs related to incidents of identity theft or identity fraud, with coverage prior to the Affected Consumer’s enrollment in the Product, provided the costs result from a stolen identity event first discovered during the policy period and subject to the terms of the insurance policy; 5. 
A customer service center to provide assistance with enrollment, website navigation, monitoring alerts questions, dispute assistance, fraud resolution assistance, and other assistance related to the Product; 6. For Affected Consumers under the age of 18, the Product includes child monitoring services where the parent or guardian can enroll the Affected Consumer under the age of 18 to receive the following services: alerts when data elements submitted for monitoring appear on suspicious websites, such as websites on the “dark web;” and alerts when the Social Security number of an Affected Consumer under the age of 18 is associated with new names or addresses or the creation of a Consumer Report at one or more of the three Nationwide Consumer Reporting Agencies.\n\nH. Respondents must not receive or retain any monetary benefit from the Product.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "VI",
      "title": "Covered Incident Notification to Consumers and Facilities",
      "category": "affirmative_obligation",
      "summary": "Following any future Covered Incident, Respondents must identify Future Affected Consumers and notify them and affected Facilities within 30 days of any government notification, including specific required information about the incident.",
      "verbatim_text": "A. Within thirty (30) days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondents must provide, to each Future Affected Consumer, a notice including: 1. The date, estimated date, or estimated date range when the Covered Incident occurred; 2. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known (unless otherwise prohibited by law); 3. A description of each type of Personal Information that Respondents have reason to 17 believe was accessed, acquired, or publicly exposed without authorization in connection with the Covered Incident; 4. The acts that Respondents have taken to date to remediate the Covered Incident and protect Personal Information from further exposure, acquisition, or access; 5. Information that a consumer can use to contact Respondents to inquire about the Covered Incident; 6. A statement that the consumer can obtain information from the Federal Trade Commission (“FTC”) and the Nationwide Consumer Reporting Agencies about fraud alerts and security freezes; and 7. The up-to-date toll-free numbers, addresses, and websites for the Nationwide Consumer Reporting Agencies and the FTC; and\n\nB. Within thirty (30) days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondents must provide to (1) each Facility that is associated with the Personal Information that is accessed, acquired, or publicly exposed without authorization and (2) each Facility in which Respondents know that one or more Future Affected Consumers is incarcerated at the time of the Covered Incident (each a “Future Affected Facility”): 1. The date, estimated date, or estimated date range when the Covered Incident occurred; 2. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; 3. 
A description of each type of Personal Information that Respondents have reason to believe was accessed, acquired, or publicly exposed without authorization in connection with the Covered Incident; 4. The number of Future Affected Consumers and the number of Future Affected Consumers with a known relationship to the Facility; 5. An explanation of how the Facility can obtain more information about which consumers were affected by the Covered Incident and steps the Facility can take to assist Future Affected Consumers; and 6. The acts that Respondents have taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access;\n\nC. If Respondents identify an additional Future Affected Consumer more than thirty (30) days following the Covered Incident, Respondents must provide to the Future Affected Consumer, within thirty (30) days of such identification, a notice including the elements listed at sub-Provision VI.A.1-7, and to each Future Affected Facility, if any, that has not previously been notified pursuant to sub-Provision VI.B., a notice including the elements listed at sub-Provision VI.B.1-6;",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "VII",
      "title": "Covered Incident Reports to the Commission",
      "category": "compliance_reporting",
      "summary": "Within 10 days of notifying any government entity of a Covered Incident, Respondents must submit a detailed report to the FTC including the incident's date, description, affected information types, number of consumers, and remediation actions.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within ten (10) days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondents must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of information that was affected by the Covered Incident; D. The number of consumers whose information was affected by the Covered Incident; E. The acts that Respondents have taken to date to remediate the Covered Incident and protect Personal Information from further exposure, acquisition, or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; F. As applicable, a statement that Respondents have received a request from a federal, state, or local law enforcement agency to delay notice to Future Affected Consumers and Facilities on the basis that such notice would interfere with an ongoing investigation and a copy of such request; and G. A representative copy of any materially different notice Respondents will send or have sent to consumers or to any United States federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Global Tel*Link Corporation, FTC File No. 2123012.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "VIII",
      "title": "Prohibition Against Misrepresentations About Security and Privacy",
      "category": "prohibition",
      "summary": "Respondents and their agents must not misrepresent their privacy and security measures, the occurrence or nature of any Covered Incident, notification efforts, industry-standard compliance, or their overall protection of Personal Information.",
      "verbatim_text": "A. Respondents’ privacy and security measures to prevent unauthorized access to Personal Information;\n\nB. The occurrence, extent, nature, potential consequences, or any other fact relating to a Covered Incident actually or potentially involving or affecting Personal Information within the ownership, custody, or control of one or more Respondents;\n\nC. The extent to which Respondents have notified or will notify affected parties in connection with a Covered Incident;\n\nD. The extent to which Respondents meet or exceed industry-standard security or privacy practices; and\n\nE. The extent to which Respondents otherwise protect the privacy, security, availability, confidentiality, or integrity of Personal Information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "IX",
      "title": "Notification to Consumers Affected by the Identified Breach",
      "category": "affirmative_obligation",
      "summary": "Within 120 days of Third Party approval, Respondents must post a required banner notice on all relevant websites and mobile apps for one year, and Telmate must send a direct notice to each Affected Consumer who did not receive written notice of the Identified Breach in May 2021.",
      "verbatim_text": "A. Respondents must post Clearly and Conspicuously on the home page of each of Respondents’ websites and the home screen of each of Respondents’ mobile applications that has been used to provide Telmate products and services an exact copy of the notice attached hereto as Attachment A (“Banner Notice”), including a hyperlink to an exact copy of the notice attached hereto as Attachment B (“Website and App Notice”). Respondents must leave these Notices in place for one year after posting them. Respondents must not include with the Website and App Notice any other information, documents, or attachments; and\n\nB. Telmate and its successors and assigns must provide a notice to each Affected Consumer to whom Respondents did not send written notice of the Identified Breach in May of 2021. The notice must consist solely of an exact copy of the notice attached hereto as Attachment C (“Direct Notice”). Respondents must not include with the Direct Notice any other information, documents, or attachments apart from those provided by the Third 20 Party for credit monitoring enrollment.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "X",
      "title": "Notification to Facilities",
      "category": "affirmative_obligation",
      "summary": "Within 120 days of Third Party approval, Telmate must send a notice by certified mail or courier to all Facilities with a known relationship to incarcerated Affected Consumers, describing obligations and providing information necessary to facilitate consumers' access to the credit monitoring product.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within one hundred and twenty (120) days of approval of the Third Party offering, providing, and maintaining the Product pursuant to the Provision of this Order entitled “Credit Monitoring and Identity Protection Product,” Telmate and its successors and assigns must provide a notice to all Facilities with a known, present relationship to one or more incarcerated Affected Consumers. The notice must describe Telmate and its successors and assigns’ obligations under the Provisions of this Order entitled “Notification to Consumers Affected by the Identified Breach” and “Credit Monitoring and Identity Protection Product,” including: A. All information necessary for the Facility to facilitate incarcerated Affected Consumers’ ability to receive communications required pursuant to this Order and to communicate with the Third Party; B. The identity of and contact information for the Third Party; and C. Information regarding how the costs of incarcerated Affected Consumers’ communications with the Third Party are to be billed or covered. Such notice must be sent by first-class mail, postage paid and return receipt requested, or by courier service with signature proof of delivery.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "XI",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondents must submit a sworn acknowledgment of receipt of the Order to the FTC within 10 days, deliver copies to all key personnel and controlled businesses, and obtain signed acknowledgments within 30 days.",
      "verbatim_text": "A. Each Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. Each Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; (3) each business that Respondents control, directly or indirectly; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Respondent delivered a copy of this Order, that Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of 21 receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "XII",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit a sworn annual compliance report one year after issuance, notify the FTC within 14 days of changes to contact information or corporate structure, and notify the FTC within 14 days of any bankruptcy filing.",
      "verbatim_text": "A. One (1) year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which each Respondent must: 1. Identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; 2. Identify all of that Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; 3. Describe the activities of each business, including the goods and services offered; each means by which consumers can access each business’s goods and services, including each website or mobile application that consumers can use to access each service; the extent to which consumers can or must register or create an account or profile in order to access goods or services; the types of Personal Information that Respondents collect in connection with consumers’ use of goods or services, and the extent to which Respondents disclose any of that information to Facilities; the means of advertising, marketing, and sales; and the involvement of any other Respondent; 4. Describe in detail whether and how that Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and 5. Provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Each Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: 1. Any designated point of contact; or 2. 
The structure of any Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Global Tel*Link Corporation, FTC File No. 2123012.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "XIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create and retain for five years specified categories of records, including accounting records, personnel records, consumer complaints, marketing materials, security representations, Assessment materials, law enforcement communications, and all compliance records.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each unique advertisement, marketing or business proposal (including any response to a Request for Proposal), or other marketing material making a representation subject to this Order;\n\nE. A copy of each widely disseminated representation by Respondents that relates to any Covered Incident or describes the extent to which Respondents maintain or protect the privacy, security and confidentiality of any Personal Information, including any representation concerning a change in any website or other service controlled by Respondents that relates to the privacy, security, and confidentiality of Personal Information;\n\nF. For five (5) years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and Assessments, and any other materials concerning Respondents’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nG. For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communication relate to Respondents’ compliance with this Order or relate to any Covered Incident;\n\nH. 
All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "XIV",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC has broad authority to monitor Respondents' compliance, including requiring sworn reports and document production within 10 days of request, conducting interviews, and using undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, each Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with each Respondent. Respondents must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "XV",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates 20 years from issuance, or 20 years from the most recent date the FTC files a complaint alleging a violation, whichever is later, with specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: 24 A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.24_global_tel_link_corporation",
      "company_name": "Global Tel*Link Corporation",
      "date_issued": "2024-02-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation",
      "docket_number": "C-4801"
    },
    {
      "provision_number": "I",
      "title": "Ban on Sale or Disclosure of Browsing Information",
      "category": "prohibition",
      "summary": "Respondents are prohibited from selling, licensing, or otherwise disclosing Browsing Information to Third Parties for Advertising Purposes, and from using Browsing Information for Advertising Purposes without Affirmative Express Consent.",
      "verbatim_text": "A. Sell, license, transfer, share, or otherwise disclose to or with a Third Party, for Advertising Purposes: (1) Browsing Information from any Avast Product; (2) any information product or service derived from or incorporating Browsing Information from any A vast Product; or (3) any models or algorithms derived from Browsing Information from any A vast Product;\n\nB. Use Browsing Information for Advertising Purposes without first obtaining Affirmative Express Consent; or\n\nC. Sell, license, transfer, share, or otherwise disclose to or with a Third Party, Browsing Information from any non-Avast Product, for Advertising Purposes, without first obtaining Affirmative Express Consent.\n\nWhen obtaining Affirmative Express Consent required under this Provision, Respondents must provide notice Clearly and Conspicuously that identifies the Browsing Information that will be used, sold, licensed, transferred, shared, or otherwise disclosed, and each purpose for which Browsing Information will be used, sold, licensed, transferred, shared, or otherwise disclosed, including by any Third Party.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "II",
      "title": "Prohibited Misleading Representations",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent the purpose of their collection or use of Covered Information, the extent to which it is aggregated or anonymized, or the extent to which they collect, use, disclose, or maintain Covered Information or protect its privacy and security.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the collection, use, disclosure, or maintenance of Covered Information, must not misrepresent in any manner, expressly or by implication: A. The purpose of their collection, use, disclosure, or maintenance of Covered Information;\n\nB. The extent to which Covered Information is aggregated or anonymized; or\n\nC. The extent to which they collect, use, disclose, or maintain Covered Information, or otherwise protect the privacy, security, availability, confidentiality, or integrity of any Covered Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "III",
      "title": "Data Deletion",
      "category": "affirmative_obligation",
      "summary": "Respondents must delete all Jumpshot Data and any derived models, algorithms, or software within 20 days, instruct Third Parties to do the same, and provide sworn written statements confirming deletion to the Commission.",
      "verbatim_text": "A. Within twenty (20) days of the effective date of this Order, delete: the Jumpshot Data and any models, algorithms, or software developed by Jumpshot based on the Jumpshot Data. Respondents must provide a written statement to the Commission, sworn under penalty ofperjury, confirming that all such information, models or algorithms, and software have been deleted or destroyed.\n\nB. Within twenty (20) days of the effective date of this Order, instruct any Third Party that has received Browsing Information from Jumpshot to delete or destroy such information, models or algorithms derived therefrom, and any software developed to analyze Browsing Information, and provide a written statement to the Commission, sworn under penalty of perjury, confirming that Respondents issued such instructions. Respondents must promptly submit all correspondence, including demand letters, responsive letters, and any written statements required by this Provision, to the Commission pursuant to Provision XII of this Order.\n\nProvided, however, that any Browsing Information that any Respondent is otherwise required to delete or destroy pursuant to this provision may be retained, and may be disclosed, as requested by a government agency or otherwise required by law, regulation, court order, or other legal obligation, including as required by rules applicable to the safeguarding of evidence in pending litigation. In each written statement to the Commission required by this Provision, such Respondent shall describe in detail any Browsing Information that Respondent retains on any of these bases and the specific government agency, law, regulation, court order, or other legal obligation that prohibits Respondent from deleting or destroying such information. 
Within thirty (30) days after the obligation to retain the information has ended, Respondent shall provide an additional written statement to the Commission, sworn under penalty of perjury, confirming that Respondent has deleted or destroyed such information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion",
        "Algorithmic Destruction"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "IV",
      "title": "Notice to Users",
      "category": "affirmative_obligation",
      "summary": "Within 28 days of the effective date, Respondents must post a notice on their websites, notify users within affected Avast Products, and send the FTC-mandated Exhibit A Notice by email to affected users.",
      "verbatim_text": "A. Post Clearly and Conspicuously on Respondents' websites https://www.avast.com/ and https://www.avg.com a link to an exact copy of the notice attached hereto as Exhibit A (\"Exhibit A Notice\") for a period of one hundred and eighty (180) days following the date of the issuance of this Order;\n\nB. Post Clearly and Conspicuously a notification on Avast Products which collected Browsing Information between August 1, 2014 and January 30, 2020 that directs consumers to the Exhibit A Notice on a Sub-Provision IV.A website for a period of one hundred and eighty (180) days following the date of the issuance ofthis order; and\n\nC. Send the Exhibit A Notice to users who purchased or downloaded any Avast Products that collected Browsing Information prior to January 30, 2020, and for whom Respondents possess email contact information obtained between August 1, 2014 and January 30, 2020. The Exhibit A Notice shall be sent through email without any other information, documents, or attachments, with the subject line \"Notice of FTC Settlement.\"",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "V",
      "title": "Mandated Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Within 60 days of the effective date, each Respondent that collects, uses, discloses, or maintains Covered Information must establish and maintain a comprehensive privacy program, including documentation, board reporting, designated personnel, risk assessments, safeguards, training, and ongoing monitoring.",
      "verbatim_text": "IT IS FURTHER ORDERED that each Respondent that collects, uses, discloses, or maintains Covered Information must, within sixty (60) days of the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive privacy program (the \"Program\") that protects the privacy of such Covered Information. To satisfy this requirement, each Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Program;\n\nB. Provide the written program and evaluations thereof to the Respondent's board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer responsible for the Program at least once every twelve (12) months;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Program;\n\nD. Assess and document, at least once every twelve (12) months, internal and external risks to the privacy of Covered Information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks to the privacy of Covered Information identified in response to Sub- Provision V.D. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information. Such safeguards must also include: 1. Training of all employees, at least once every twelve ( 12) months, on how to safeguard the privacy of Covered Information; 2. Technical measures to modify Browsing Information to render it Deidentified; 3. Documentation, for each product or service, of the decision to collect, use, share, disclose, or maintain Browsing Information, including by operation of any third-party software within the product or service. 
Such documentation should include: the name or names of the person or people who made the decision; for what purpose the Browsing Information is being collected, used, shared, or disclosed; the data segmentation controls in place to ensure that the Browsing Information collected is only used for the particular purpose for which it was collected; the data retention limit set and the technical means for achieving deletion; safeguards in place to prevent unauthorized sharing or sale; and the access controls in place to ensure only authorized employees with a need-to-know have access;\n\nF. Assess, at least once every twelve (12) months, the sufficiency of any safeguards in place to address the internal and external risks to the privacy of Covered Information, and modify the Program based on the results;\n\nG. Test and monitor, including by technical means, the effectiveness of the safeguards at least once every twelve (12) months, and modify the Program based on the results;\n\nH. Select and retain service providers capable of safeguarding Covered Information they access through or receive from each Respondent, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the privacy of Covered Information;\n\nI. Consult with, and seek appropriate guidance from, independent, third-party experts on privacy in the course of establishing, implementing, maintaining, and updating the Program; and\n\nJ. Evaluate and adjust the Program in light of any changes to the Respondent's operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in Sub-Provision V.D of this Order, or any other circumstances that the Respondent knows or has reason to know may have an impact on the effectiveness of the Program or any of its individual safeguards. 
At a minimum, each Respondent must evaluate the Program at least once every twelve (12) months and modify the Program based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "VI",
      "title": "Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial independent third-party assessments of their Privacy Program, covering the first 180 days and each two-year period thereafter for 20 years, with results submitted to the FTC.",
      "verbatim_text": "A. The Assessment must be obtained from a qualified, objective, independent third-party professional (\"Assessor\"), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Program; (3) retains all documents relevant to each Assessment for 5 years after completion of such Assessment; and (4 ) will provide such documents to the Commission within 10 days of receipt of a written request from a representative of the Commission. The Assessor shall not withhold any such documents on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim, although such documents can be designated for confidential treatment in accordance with applicable law;\n\nB. For each Assessment, Respondents must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission (\"Associate Director\") with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in her or his sole discretion;\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each two-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments;\n\nD. Each Assessment must, for the entire assessment period: 1. Determine whether each Respondent has implemented and maintained the Program required by Provision V of this Order, titled Mandated Privacy Program; 2. Assess the effectiveness of each Respondent's implementation and maintenance of Sub-Provisions V.A-J; 3. Identify, through technical testing and any other assessment technique, any gaps or weaknesses in, or instances of material noncompliance with, the Program; 4. 
Address the status of gaps or weaknesses in, or instances of material non-compliance with, the Program that were identified in any prior Assessment required by this Order; and 5. Identify specific evidence (including, but not limited to, documents reviewed, sampling and technical testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of the Respondent's size, complexity, and risk profile; and (b) sufficient to justify the Assessor's findings. No finding of any Assessment shall rely primarily on assertions or attestations by the Respondent's management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Program and did not rely primarily on assertions or attestations by the Respondent's management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that any Respondent revises, updates, or adds one or more safeguards required under Provision V of this Order in the middle of an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard; and\n\nE. Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondents must submit the initial Assessment to the Commission within 10 days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. 
The subject line must begin, \"In re Avast Limited et al.\" All subsequent biennial Assessments must be retained by Respondents until the Order is terminated and provided to the Associate Director for Enforcement within 10 days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words \"DPIP Assessment\" in red lettering.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "VII",
      "title": "Cooperation with Third Party Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondents must fully cooperate with third-party Assessors by providing all relevant information, disclosing network and IT asset details, and not misrepresenting any material facts.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Assessor information about Respondents' networks and all of Respondents' IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the networks and IT assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor(s), and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor's: (1) determination of whether Respondent has implemented and maintained the Program required by Provision V of this Order, titled Mandated Privacy Program; (2) assessment of the effectiveness of the implementation and maintenance of Sub-Provisions V.A-J; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "VIII",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Beginning one year after issuance and each year thereafter, Respondents must submit to the FTC a sworn senior officer certification of compliance with the Privacy Program, and publish all certifications on their website.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior officer of each Respondent who is responsible for Compliance with Provision V of this Order, that: (1) each Respondent has established, implemented, and maintained a Privacy Program that complies in all material respects with the requirements of Provision V of this Order; and (2) each Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of the senior officer or subject-matter experts upon whom the senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, Respondents must submit all annual certifications to the Commission pursuant to this Order via email to DEBrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Avast Limited et al.\n\nC. Respondents must publish all annual certifications Clearly and Conspicuously on a separate page in the \"investors\" section of Respondents' website (e.g., investors.avast.com).",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "IX",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "Respondents must pay $16,500,000 to the FTC within 9 days of the effective date of this Order by electronic fund transfer.",
      "verbatim_text": "A. Respondents must pay to the Commission $16,500,000, which Respondents stipulate their undersigned counsel holds in escrow for no purpose other than payment to the Commission.\n\nB. Such payment must be made within 9 days of the effective date of this Order by electronic fund transfer in accordance with instructions provided by a representative of the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "X",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Respondents relinquish all rights to transferred assets, agree that Complaint facts will be taken as true in any enforcement litigation, and acknowledge how unspent funds will be handled and the consequences of default.",
      "verbatim_text": "A. Respondents relinquish dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission to enforce its rights to any payment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by or on behalf of the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other relief (including consumer information remedies) as it determines to be reasonably related to Respondents' practices alleged in the Complaint. Any money not used is to be deposited to the U.S. Treasury. Respondents have no right to challenge any activities pursuant to this Provision.\n\nE. In the event of default on any obligation to make payment under this Order, interest, computed as if pursuant to 28 U.S.C. § 1961(a), shall accrue from the date of default to the date of payment. In the event such default continues for 10 days beyond the date that payment is due, the entire amount will immediately become due and payable.\n\nF. 
Each day of nonpayment is a violation through continuing failure to obey or neglect to obey a final order of the Commission and thus will be deemed a separate offense and violation for which a civil penalty shall accrue.\n\nG. Respondents acknowledge that their Taxpayer Identification Numbers (Social Security or Employer Identification Numbers), which Respondents have previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "XI",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondents must submit a sworn acknowledgment of receipt of the Order within 10 days, deliver copies to all relevant personnel, and obtain signed acknowledgments from each recipient within 30 days of delivery.",
      "verbatim_text": "A. Each Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For three (3) years after the issuance date of this Order, each Respondent, must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees and agents managing conduct related to the subject matter of this Order; and (3) any business entity resulting from any change in structure as set forth in Provision XII. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Respondent delivered a copy of this Order, that Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "XII",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit a sworn compliance report one year after issuance, file notices of material changes within 14 days, notify the FTC of any bankruptcy filings, and submit all materials via the specified channels.",
      "verbatim_text": "A. One year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which each Respondent must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (2) identify all of that Respondent's businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, Covered Information collected, used, disclosed; or maintained, the means of disclosing its Covered Information collection, use, disclosure, or maintenance practices, and the involvement of any other Respondent; (4 ) describe in detail whether and how that Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For ten (10) years after the issuance date of this Order, each Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: 1. Each Respondent must submit notice of any change in: (a) any designated point of contact; or (b) the structure of any Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. 
Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: \"I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: __\" and supplying the date, signatory's full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Avast Limited et al.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "XIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create certain records for 10 years after the issuance date and retain each record for 5 years, covering accounting records, personnel records, advertising materials, privacy representations, Assessment materials, and all compliance records.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person's: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. A copy of each unique advertisement or other marketing material making a representation subject to this Order;\n\nD. A copy of each widely disseminated representation by Respondents that describes the extent to which Respondents collect, use, disclose, or maintain Covered Information, or otherwise protect the privacy, security, availability, confidentiality, or integrity of any Covered Information, including any representation concerning a change in any website or other service controlled by Respondents that relates to the privacy of Covered Information;\n\nE. For 5 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondents' compliance with related Provisions of this Order, for the compliance period covered by such Assessment; and\n\nF. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "XIV",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor Respondents' compliance by requesting compliance reports and records, communicating directly with Respondents, interviewing personnel, and using other lawful investigative means.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission, each Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with each Respondent. Respondents must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "XV",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order is effective upon publication on the FTC's website and terminates 20 years from issuance, or 20 years from the most recent date the FTC files a complaint alleging a violation of this Order in federal court, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission's website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission's seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order's application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "02.25_avast",
      "company_name": "Avast Limited",
      "date_issued": "2025-02-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast",
      "docket_number": "2023033"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any way the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of personal information collected from consumers online.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the online advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent maintains and protects the privacy, confidentiality, security, or integrity of any personal information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.05_petco_animal_supplies_in_th_matter_of",
      "company_name": "PETCO ANIMAL SUPPLIES, INC.",
      "date_issued": "2005-03-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter",
      "docket_number": "C-4133"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards, including risk designation, risk assessment, safeguard implementation, and ongoing evaluation.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the online advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "03.05_petco_animal_supplies_in_th_matter_of",
      "company_name": "PETCO ANIMAL SUPPLIES, INC.",
      "date_issued": "2005-03-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter",
      "docket_number": "C-4133"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain biennial third-party security assessments from a qualified professional for twenty years, with the first assessment due within 180 days of service, and provide assessments and supporting materials to the FTC.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent obtain an assessment and report (an “Assessment”) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, within one hundred and eighty (180) days after service of the order, and biennially thereafter for twenty (20) years after service of the order that: A. sets forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explains how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers; C. explains how the safeguards that have been implemented meet or exceed the protections required by Paragraph II of this order; and D. certifies that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and, for biennial reports, has so operated throughout the reporting period.\n\nEach Assessment shall be prepared by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nRespondent shall provide the first Assessment, as well as all: plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 
Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "03.05_petco_animal_supplies_in_th_matter_of",
      "company_name": "PETCO ANIMAL SUPPLIES, INC.",
      "date_issued": "2005-03-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter",
      "docket_number": "C-4133"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC compliance-related documents, including advertisements and representations about data security for five years, and assessment-related materials for three years after each biennial assessment.",
      "verbatim_text": "A. for a period of five (5) years: 1. a sample copy of each different print, broadcast, cable, or Internet advertisement, promotion, information collection form, Web page, screen, email message, or other document containing any representation regarding respondent’s online collection, use, and security of personal information from or about consumers. Each Web page copy shall be dated and contain the full URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting the information on the Web. Provided, however, that after creation of any Web page or screen in compliance with this order, respondent shall not be required to retain a print or electronic copy of: (1) any amended Web page or screen to the extent that the amendment does not affect respondent’s compliance obligations under this order; or (2) any Web page or screen that contains a hypertext link to respondent’s privacy policy, but otherwise does not relate to respondent’s compliance obligations under this order.\n\n2. any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each biennial Assessment required under Paragraph III of this order: all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relating to respondent’s compliance with Paragraphs II and III of this order for the compliance period covered by such biennial Assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.05_petco_animal_supplies_in_th_matter_of",
      "company_name": "PETCO ANIMAL SUPPLIES, INC.",
      "date_issued": "2005-03-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter",
      "docket_number": "C-4133"
    },
    {
      "provision_number": "V",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with managerial responsibilities related to the order's subject matter within 30 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.05_petco_animal_supplies_in_th_matter_of",
      "company_name": "PETCO ANIMAL SUPPLIES, INC.",
      "date_issued": "2005-03-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter",
      "docket_number": "C-4133"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, sale, name or address change, or bankruptcy filing.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.05_petco_animal_supplies_in_th_matter_of",
      "company_name": "PETCO ANIMAL SUPPLIES, INC.",
      "date_issued": "2005-03-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter",
      "docket_number": "C-4133"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting to FTC",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 180 days after service of the order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within one hundred and eighty (180) days after service of this order, and at such other times as the Commission may require, file with the Commission an initial report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.05_petco_animal_supplies_in_th_matter_of",
      "company_name": "PETCO ANIMAL SUPPLIES, INC.",
      "date_issued": "2005-03-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter",
      "docket_number": "C-4133"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "This order terminates on March 4, 2025, or twenty years from the most recent date the FTC files a complaint alleging a violation of the order, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on March 4, 2025, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Paragraph in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Paragraph. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Paragraph as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.05_petco_animal_supplies_in_th_matter_of",
      "company_name": "PETCO ANIMAL SUPPLIES, INC.",
      "date_issued": "2005-03-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter",
      "docket_number": "C-4133"
    },
    {
      "provision_number": "I",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other system failures.\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "03.06_dsw_inc._in_the_matter_of",
      "company_name": "DSW Inc.",
      "date_issued": "2006-03-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3096-dsw-incin-matter",
      "docket_number": "C-4157"
    },
    {
      "provision_number": "II",
      "title": "Biennial Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments from a qualified, independent professional covering the first 180 days after service and each two-year period thereafter for 20 years; each assessment must certify the security program's effectiveness and be submitted to the FTC.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph I of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall: A. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the nonpublic personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by Paragraph I of this order; and D. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of nonpublic personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP); a person qualified as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nRespondent shall provide the initial Assessment, as well as all: plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "03.06_dsw_inc._in_the_matter_of",
      "company_name": "DSW Inc.",
      "date_issued": "2006-03-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3096-dsw-incin-matter",
      "docket_number": "C-4157"
    },
    {
      "provision_number": "III",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC documents relating to compliance with this order, including for five years any documents contradicting compliance, and for three years after each biennial assessment all plans, reports, and materials relating to compliance with Paragraphs I and II.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of each document relating to compliance with the terms and provision of this order, including but not limited to: A. for a period of five (5) years: any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each biennial Assessment required under Paragraph II of this order: all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relating to respondent’s compliance with Paragraphs I and II of this order for the reporting period covered by such biennial Assessment.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.06_dsw_inc._in_the_matter_of",
      "company_name": "DSW Inc.",
      "date_issued": "2006-03-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3096-dsw-incin-matter",
      "docket_number": "C-4157"
    },
    {
      "provision_number": "IV",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "For ten years after service of the order, respondent must deliver a copy of the order to all current and future principals, officers, directors, managers, and supervisory employees; current personnel must receive it within 30 days of service, and future personnel within 30 days of assuming their role.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for a period of ten (10) years after the date of service of this order, respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having supervisory responsibilities with respect to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after the date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.06_dsw_inc._in_the_matter_of",
      "company_name": "DSW Inc.",
      "date_issued": "2006-03-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3096-dsw-incin-matter",
      "docket_number": "C-4157"
    },
    {
      "provision_number": "V",
      "title": "Notice of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under the order, including dissolution, sale, merger, bankruptcy filing, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.06_dsw_inc._in_the_matter_of",
      "company_name": "DSW Inc.",
      "date_issued": "2006-03-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3096-dsw-incin-matter",
      "docket_number": "C-4157"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 180 days after service of the order, and at such other times as the FTC may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within one hundred eighty (180) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission an initial report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.06_dsw_inc._in_the_matter_of",
      "company_name": "DSW Inc.",
      "date_issued": "2006-03-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3096-dsw-incin-matter",
      "docket_number": "C-4157"
    },
    {
      "provision_number": "VII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on March 7, 2026, or twenty years from the most recent date the FTC files a complaint alleging a violation of the order in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on March 7, 2026, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Paragraph in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Paragraph. Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Paragraph as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.06_dsw_inc._in_the_matter_of",
      "company_name": "DSW Inc.",
      "date_issued": "2006-03-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3096-dsw-incin-matter",
      "docket_number": "C-4157"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent, in any manner, the extent to which they maintain and protect the privacy, confidentiality, or integrity of consumers' personal information.",
      "verbatim_text": "IT IS ORDERED that respondents and their officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondents maintain and protect the privacy, confidentiality, or integrity of any personal information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com",
      "company_name": "Genica Corporation",
      "date_issued": "2009-03-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4252"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to their size, complexity, and the sensitivity of personal information they collect.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents and their officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondents’ size and complexity, the nature and scope of respondents’ activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to, (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, and (3) prevention, detection, and response to attacks, intrusions, or other systems failure;\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. 
the development and use of reasonable steps to retain service providers capable of appropriately safeguarding personal information they receive from respondents and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of respondents’ information security program in light of the results of the testing and monitoring required by subpart C, any material changes to respondents’ operations or business arrangements, or any other circumstances that respondents know or have reason to know may have a material impact on the effectiveness of their information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com",
      "company_name": "Genica Corporation",
      "date_issued": "2009-03-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4252"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial independent third-party security assessments covering defined reporting periods, with each assessment certifying the sufficiency of the security program, prepared by a qualified professional and submitted to the FTC.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with the online advertising, marketing, promotion, offering for sale, or sale of any product or service to consumers, in or affecting commerce, respondents, and their officers, agents, representatives, and employees, shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred eighty (180) days after service of the order for the initial Assessment; and (2) each two (2) year period thereafter for ten (10) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondents have implemented and maintained during the reporting period to comply with Part II of this order;\n\nB. explain how such safeguards are appropriate to respondents’ size and complexity, the nature and scope of respondents’ activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this order; and\n\nD. 
certify that respondents’ security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nRespondents shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondents until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com",
      "company_name": "Genica Corporation",
      "date_issued": "2009-03-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4252"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must maintain and make available to the FTC copies of all materials used to prepare assessments (for 3 years) and all other compliance-related documents including advertisements (for 5 years).",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of: A. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondents, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondents’ compliance with Parts II and III of this order, for the compliance period covered by such Assessment;\n\nB. unless covered by IV.A, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all other documents relating to compliance with this order, including but not limited to: 1. all advertisements and promotional materials containing any representations covered by this order, with all materials relied upon in disseminating the representation; and 2. any documents, whether prepared by or on behalf of respondents, that call into question respondents’ compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com",
      "company_name": "Genica Corporation",
      "date_issued": "2009-03-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4252"
    },
    {
      "provision_number": "V",
      "title": "Order Delivery and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondents must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, within specified timeframes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondents shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com",
      "company_name": "Genica Corporation",
      "date_issued": "2009-03-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4252"
    },
    {
      "provision_number": "VI",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondents must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, including dissolutions, mergers, sales, bankruptcy filings, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondents learn fewer than thirty (30) days prior to the date such action is to take place, respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com",
      "company_name": "Genica Corporation",
      "date_issued": "2009-03-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4252"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must file a written compliance report with the FTC within 180 days after service of the order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall, within one hundred eighty (180) days after service of this order, and at such other times as the Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com",
      "company_name": "Genica Corporation",
      "date_issued": "2009-03-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4252"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on March 16, 2029, or twenty years from the most recent date the U.S. or FTC files a federal court complaint alleging a violation of the order, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on March 16, 2029, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent(s) did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent(s) will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com",
      "company_name": "Genica Corporation",
      "date_issued": "2009-03-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4252"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security and Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including misrepresentations about preventing unauthorized access or honoring user privacy choices.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, website, or other device, in connection with the offering of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including, but not limited to, misrepresentations related to its security measures to: (a) prevent unauthorized access to nonpublic consumer information; or (b) honor the privacy choices exercised by users.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.11_twitter",
      "company_name": "Twitter, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v",
      "docket_number": "C-4316"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards, including risk assessment, safeguard implementation, service provider oversight, and program evaluation.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, website, or other device, in connection with the offering of any product or service, in or affecting commerce, shall, no later than the date or service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the nonpublic consumer information, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of reasonably-foreseeable, material risks, both internal and external, that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of nonpublic consumer information or in unauthorized administrative control of the Twitter system, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, account takeovers, or other systems failures.\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding nonpublic consumer information such service providers receive from respondent or obtain on respondent’s behalf, and the requirement, by contract, that such service providers implement and maintain appropriate safeguards; provided, however, that this subparagraph shall not apply to personal information about a consumer that respondent provides to a government agency or lawful information supplier when the agency or supplier already possesses the information and uses it only to retrieve, and supply to respondent, additional personal information about the consumer.\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "03.11_twitter",
      "company_name": "Twitter, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v",
      "docket_number": "C-4316"
    },
    {
      "provision_number": "III",
      "title": "Biennial Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments from a qualified, independent professional covering the first 180 days after service and each two-year period thereafter for ten years, with each assessment setting forth safeguards, their appropriateness, compliance with Part II, and certifying program effectiveness.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the nonpublic personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by Paragraph II of this order; and\n\nD. 
certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information and that the program has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "03.11_twitter",
      "company_name": "Twitter, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v",
      "docket_number": "C-4316"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC copies of widely-disseminated security statements (3 years), consumer complaints (6 months), law enforcement communications (2 years), documents contradicting compliance (5 years), and materials used to prepare assessments (3 years after each assessment).",
      "verbatim_text": "A. for a period of three (3) years from the date of preparation or dissemination, whichever is later, all widely-disseminated statements, including, but not limited to, statements posted on respondent’s website that describe the extent to which respondent maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, with all materials relied upon in making or disseminating such statements, except that respondent shall not be required to provide any such statements that are made using the Twitter microblogging platform;\n\nB. for a period of six (6) months from the date received, all consumer complaints directed at respondent, or forwarded to respondent by a third party, that relate to respondent’s activities as alleged in the draft complaint and any responses to such complaints;\n\nC. for a period of two (2) years from the date received, copies of all subpoenas and other communications with law enforcement entities or personnel, if such communications raise issues that relate to respondent’s compliance with the provisions of this order;\n\nD. for a period of five (5) years from the date received, any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nE. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.11_twitter",
      "company_name": "Twitter, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v",
      "docket_number": "C-4316"
    },
    {
      "provision_number": "V",
      "title": "Order Delivery and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities within 30 days of service or assumption of responsibilities.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.11_twitter",
      "company_name": "Twitter, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v",
      "docket_number": "C-4316"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, sale, bankruptcy filing, or name/address change; if less than 30 days' notice is possible, notification must be made as soon as practicable.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\naddress. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.11_twitter",
      "company_name": "Twitter, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v",
      "docket_number": "C-4316"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report within 60 days of service of the order and submit additional written reports within 10 days of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after the date of service of this order file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which respondent has complied with this order. Within\n\nten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.11_twitter",
      "company_name": "Twitter, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v",
      "docket_number": "C-4316"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on March 2, 2031, or twenty years from the most recent date the FTC files a complaint alleging a violation, whichever is later, subject to specified exceptions for dismissed complaints.",
      "verbatim_text": "This order will terminate on March 2, 2031, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date Page 6 of 7 such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.11_twitter",
      "company_name": "Twitter, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v",
      "docket_number": "C-4316"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresenting Effectiveness of Information Removal Service",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent, in any manner, the effectiveness of PrivacyLock or any similar service that allows consumers to remove publicly available information from respondents' search results, websites, or advertisements.",
      "verbatim_text": "IT IS ORDERED that respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, promotion, offering for sale, sale, or distribution of “PrivacyLock” or any other service offered to consumers that will allow consumers to remove publicly available information from respondents’ search results, websites, or advertisements, shall not misrepresent, in any manner, expressly or by implication, the effectiveness of such service.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.11_us_search",
      "company_name": "US Search, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc",
      "docket_number": "C-4317"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Representations Without Clear Disclosure of Material Limitations",
      "category": "prohibition",
      "summary": "Respondents must not make any representation about the effectiveness of PrivacyLock or a similar service unless they clearly and prominently disclose all material limitations, including duration limits and circumstances under which information will not be removed or will reappear.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, promotion, offering for sale, sale, or distribution of “PrivacyLock” or any other service offered to consumers that will allow consumers to remove publicly available information from respondents’ search results, websites, or advertisements, shall not make any representation, in any manner, expressly or by 2 implication, about the effectiveness of such service, unless they disclose, clearly and prominently, any material limitations regarding such service, including, but not limited to, (1) any limitations on the duration of the removal; and (2) any circumstances under which information about the consumers will not be removed or will reappear.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.11_us_search",
      "company_name": "US Search, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc",
      "docket_number": "C-4317"
    },
    {
      "provision_number": "III",
      "title": "Refunds and Accounting",
      "category": "affirmative_obligation",
      "summary": "Respondents must issue full refunds to all consumers who paid for PrivacyLock, provide notice via email and on their website, and submit a complete accounting to the Commission of all refunds paid and amounts not refunded, with any unrefunded amounts remitted to the U.S. Treasury as disgorgement.",
      "verbatim_text": "A. Upon issuance of this order, provide a full and complete refund to any consumer who requested “PrivacyLock” and was assessed a charge for such service, by crediting the credit or debit card used to pay for such service, and providing notice of the refund through an email message sent to affected consumers;\n\nB. The email message shall also include contact information for respondents, including name, address and a toll-free telephone number, for consumers to use to contact respondents and receive a full and complete refund if, for any reason, respondents are unable to credit the consumer’s credit or debit card; and\n\nC. For a period of one (1) year after the date of issuance of this order, provide notice to consumers of the refund required by Section III.B. of this order. Such notice shall be clearly and prominently displayed on respondents’ website www.ussearch.com; and\n\nD. Within one year of the issuance of this order, respondents shall provide a full and complete accounting to the Commission of all refunds paid to consumers, including amounts paid, and the names and addresses (email and US mail) of consumers who received the refunds. Respondents shall also include in such an accounting all amounts that were not refunded to consumers, for whatever reason. Any amount not refunded to consumers shall be deposited with the United States Treasury as disgorgement. No portion of this payment to the United States Treasury shall be deemed a payment of any fine, penalty, or punitive assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "03.11_us_search",
      "company_name": "US Search, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc",
      "docket_number": "C-4317"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must retain and make available to the FTC for five years after the last dissemination of any covered representation: all advertisements, consumer complaints and refund requests with responses, and all records necessary to demonstrate compliance with the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that for a period of five (5) years after the last date of dissemination of any representation covered by this order, respondents US Search, Inc. and US Search, LLC, and their successors and assigns, shall maintain and upon request make available to the Federal Trade Commission for inspection and copying: A. All advertisements and promotional materials containing the representation;\n\nB. Complaints and refund requests (whether received directly or indirectly, such as through a third party) and any responses to those complaints or requests;\n\nC. All records and documents necessary to demonstrate full compliance with each provision of this order, including but not limited to, copies of acknowledgments of receipt of this order required by Section V. and all reports submitted to the FTC pursuant to Section VII.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.11_us_search",
      "company_name": "US Search, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc",
      "docket_number": "C-4317"
    },
    {
      "provision_number": "V",
      "title": "Order Delivery and Acknowledgment",
      "category": "acknowledgment",
      "summary": "For five years from issuance, respondents must deliver a copy of the order to all current and future principals, officers, directors, and managers engaged in related conduct, and obtain signed, dated acknowledgments of receipt within 30 days of delivery.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for a period of five (5) years from the date of issuance of this order, respondents US Search, Inc. and US Search, LLC, and their successors and assigns, shall deliver a copy of this order to all current and future principals, officers, directors, and managers who engage in conduct related to the subject matter of the order, and any business entity resulting from any change in structure set forth in Section VI. For current\n\npersonnel, delivery shall be within five (5) days of service of this order. For new personnel, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Section VI, delivery shall be at least ten (10) days prior to the change in structure. Respondents must secure a signed and dated statement\n\ndays prior to the change in structure. Respondents must secure a signed and dated statement acknowledging receipt of the order within thirty (30) days of delivery from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.11_us_search",
      "company_name": "US Search, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc",
      "docket_number": "C-4317"
    },
    {
      "provision_number": "VI",
      "title": "Notification of Corporate Changes",
      "category": "monitoring",
      "summary": "Respondents must notify the FTC at least 30 days before any corporate change that may affect compliance obligations, such as dissolution, merger, sale, subsidiary creation, bankruptcy filing, or name/address change, with notices sent by overnight courier or first-class mail with simultaneous email.",
      "verbatim_text": "IT IS FURTHER ORDERED that, respondents US Search, Inc. and US Search, LLC, and their successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation or business entity that may affect compliance obligations arising under this order, including but not limited to: incorporation or other organization; a dissolution, assignment, sale, merger, or other action; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the business name or address. Provided, however, that, with respect to any proposed change in the corporation or business entity about which a respondent learns less than thirty (30) days prior to the date such action is to take place, such respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line FTC v. US Search, Inc. and US Search, LLC. Provided, however, that, in lieu of overnight courier, notices may be sent by first- class mail, but only if an electronic version of such notices is contemporaneously sent to the Commission at Debrief@ftc.gov.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.11_us_search",
      "company_name": "US Search, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc",
      "docket_number": "C-4317"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must each file a written compliance report with the FTC within 60 days of service of the order, and submit additional written reports within 10 days of any written request from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents US Search, Inc. and US Search, LLC, and their successors and assigns, within sixty (60) days after the date of service of this order, shall each file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of their own compliance with this order. Within ten (10) days of receipt of\n\nthe manner and form of their own compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, they shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.11_us_search",
      "company_name": "US Search, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc",
      "docket_number": "C-4317"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on March 14, 2031, or 20 years from the most recent date a federal court complaint alleging a violation of the order is filed, whichever is later, with specific carve-outs for provisions with shorter terms and for respondents not named as defendants.",
      "verbatim_text": "This order will terminate on March 14, 2031, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order's application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.11_us_search",
      "company_name": "US Search, Inc.",
      "date_issued": "2011-03-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc",
      "docket_number": "C-4317"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Privacy Misrepresentations",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent the extent to which they maintain privacy or confidentiality of consumer data, including collection, use, disclosure, or sharing practices, or the extent to which software code determines whether a user has previously visited a webpage.",
      "verbatim_text": "IT IS ORDERED that respondents and their officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, or other device, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the extent to which they maintain the privacy or confidentiality of data from or about a particular consumer, computer, or device, including but not limited to the extent to which that data is collected, used, disclosed, or shared; or (B) the extent to which software code on a webpage determines whether a user has previously visited a webpage.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.13_epic_marketplace",
      "company_name": "Epic Marketplace, Inc.",
      "date_issued": "2013-03-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc",
      "docket_number": "C-4389"
    },
    {
      "provision_number": "II",
      "title": "Prohibition on History Sniffing",
      "category": "prohibition",
      "summary": "Respondents are prohibited from collecting any data through history sniffing or using any data obtained by history sniffing.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents and their officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, or other device, in connection with online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, are prohibited from collecting any data through history sniffing or using any data obtained by history sniffing.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.13_epic_marketplace",
      "company_name": "Epic Marketplace, Inc.",
      "date_issued": "2013-03-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc",
      "docket_number": "C-4389"
    },
    {
      "provision_number": "III",
      "title": "Data Deletion and Non-Use Requirements",
      "category": "affirmative_obligation",
      "summary": "Respondents must not use, disclose, sell, rent, lease, or transfer any information collected using history sniffing, and must permanently delete or destroy all such information within five days, providing written confirmation to the Commission.",
      "verbatim_text": "other device, shall not use, disclose, sell, rent, lease, or transfer any information that was collected using history sniffing. Within five (5) days after the date of service of this order,\n\ncollected using history sniffing. Within five (5) days after the date of service of this order, respondents shall permanently delete or destroy all information collected using history sniffing, and shall provide a written statement to the Commission, sworn under penalty of perjury, confirming that all such information has been deleted or destroyed. Provided that, if\n\nconfirming that all such information has been deleted or destroyed. Provided that, if respondents are prohibited from deleting or destroying such information by law, regulation, or court order, respondents shall provide a written statement to the Commission, sworn under penalty of perjury, identifying any information that has not been deleted or destroyed and the specific law, regulation, or court order that prohibits respondents from deleting or destroying such information. Unless otherwise directed by a representative of the Commission, all",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "03.13_epic_marketplace",
      "company_name": "Epic Marketplace, Inc.",
      "date_issued": "2013-03-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc",
      "docket_number": "C-4389"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondents must maintain and make available to the FTC records including consumer complaints, compliance records, and publicly disseminated documents related to data collection and privacy practices for specified retention periods.",
      "verbatim_text": "1. Consumer complaints or inquiries directed to respondents or forwarded to respondents by a third party concerning: (a) any collection of data by respondents; (b) the use, disclosure, or sharing of such data by respondents; or (c) opt-out practices or any other mechanism to limit or prevent such collection of data or the use, disclosure, or sharing of data collected by respondents, as well as any responses to such complaints or inquiries;\n\n2. All records necessary to demonstrate full compliance with each provision of this order, including all submissions to the Commission; and\n\nB. For a period of three (3) years after the last public dissemination thereof by respondents, respondents’ terms of use, form network contracts, marketing materials, frequently asked questions, privacy policies, and other documents publicly disseminated by respondents relating to: (a) collection of data by respondents; (b) the use, disclosure or sharing of such data by respondents; (c) opt-out practices and other mechanisms to limit or prevent such collection of data by respondents or the use, disclosure, or sharing of data collected by respondents; (d) respondents’ membership in any self-regulatory body; and (e) respondents’ participation in and compliance with any privacy, security, or other compliance program sponsored by the government or other third party.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.13_epic_marketplace",
      "company_name": "Epic Marketplace, Inc.",
      "date_issued": "2013-03-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc",
      "docket_number": "C-4389"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment Requirements",
      "category": "acknowledgment",
      "summary": "Respondents must deliver a copy of this order to current and future principals, officers, directors, managers, and relevant personnel for three years, securing signed acknowledgments of receipt.",
      "verbatim_text": "order, respondents shall deliver a copy of this order to: (1) all current and future principals, officers, directors, and managers; and (2) all current and future managers, employees, agents and representatives who have responsibilities on behalf of respondents with respect to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq. Respondents shall deliver this order to\n\nrequirements of the E-Sign Act, 15 U.S.C. § 7001 et seq. Respondents shall deliver this order to current personnel within thirty (30) days after the date of service of the order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.\n\nrequirements of the E-Sign Act, 15 U.S.C. § 7001 et seq. Respondents shall deliver this order to current personnel within thirty (30) days after the date of service of the order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.13_epic_marketplace",
      "company_name": "Epic Marketplace, Inc.",
      "date_issued": "2013-03-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc",
      "docket_number": "C-4389"
    },
    {
      "provision_number": "VI",
      "title": "Change in Corporate Status Notification",
      "category": "compliance_reporting",
      "summary": "Respondents must notify the Commission at least thirty days prior to any change in corporate structure or status that may affect compliance obligations, including dissolution, merger, sale, bankruptcy, or change of name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall notify the Commission at least thirty (30) days prior to any change in respondents that may affect compliance obligations arising under this order, including but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in respondents’ name or address.\n\nProvided, however, that with respect to any proposed change about which respondents learn less than thirty (30) days prior to the date such action is to take place, respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.13_epic_marketplace",
      "company_name": "Epic Marketplace, Inc.",
      "date_issued": "2013-03-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc",
      "docket_number": "C-4389"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must file a true and accurate compliance report with the Commission within ninety days after service of the order and submit additional reports upon request within ten days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall, within ninety (90) days after the date of service of this order, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which respondents have complied with this order.\n\nWithin ten (10) days of receipt of written notice from a representative of the Commission, respondents shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.13_epic_marketplace",
      "company_name": "Epic Marketplace, Inc.",
      "date_issued": "2013-03-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc",
      "docket_number": "C-4389"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on March 13, 2033, or twenty years from the most recent date a complaint alleging violation is filed in federal court, whichever comes later, subject to specified exceptions and conditions.",
      "verbatim_text": "This order will terminate on March 13, 2033, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part of this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondents did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that this order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.13_epic_marketplace",
      "company_name": "Epic Marketplace, Inc.",
      "date_issued": "2013-03-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc",
      "docket_number": "C-4389"
    },
    {
      "provision_number": "I",
      "title": "Monitoring Technology Prohibited",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from using monitoring technology to gather, receive, store, or communicate data from computers rented to consumers, except when providing consumer-initiated technical assistance.",
      "verbatim_text": "A. Using any monitoring technology to gather data or information from or about a consumer from any computer rented to a consumer; or\n\nB. Receiving, storing, or communicating any data or information from or about a consumer that was gathered from a computer rented to a consumer using any monitoring technology.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "II",
      "title": "Use of Tracking Technology Limited",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide clear and prominent notice and obtain affirmative express consent before using geophysical location tracking technology on rented consumer products, with specific notice requirements for computers including desktop icons.",
      "verbatim_text": "A. Gathering any data or information from any consumer product via any geophysical location tracking technology without providing clear and prominent notice to the consumer who rented the product at the time it is rented and also obtaining affirmative express consent from the consumer at the time the consumer product is rented;\n\n1. Clear and Prominent Notice: respondent shall provide a clear and prominent notice to the user, separate and apart from any “privacy policy,” “data use policy,” “terms of service,” “end-user license agreement,” “lease agreement,” or other similar document, that discloses (1) that geophysical location tracking technology is installed and/or currently running on the rented consumer product; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the consumer can contact someone for additional information; and\n\n2. Affirmative Express Consent: respondent shall obtain affirmative express consent by giving the renter an equally clear and prominent choice to either agree or not agree to any geophysical location tracking technology, and neither option may be highlighted or preselected as a default setting. Activation of any geophysical location tracking technology must not proceed until the renter provides affirmative express consent. Notwithstanding the foregoing, nothing in this Section shall require respondent to rent an item to a consumer who declines to consent to installation or activation of any geophysical tracking technology; and\n\nC. 
In connection with the rental of computers, installing or activating on rented computers geophysical location tracking technology where that technology does not provide clear and prominent notice to the computer user immediately prior to each use of the geophysical location tracking technology, as clear and prominent is defined above, and by the installation of a clear and prominent icon on the computer on which the technology is installed, such as on the desktop and in the desktop system tray of the computer. Clicking on the icon must clearly and prominently disclose: (1) that geophysical location tracking technology is installed and currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "III",
      "title": "No Deceptive Gathering of Consumer Information",
      "category": "prohibition",
      "summary": "Respondent is prohibited from making false representations in any notice, prompt, or software application that results in gathering consumer data or information.",
      "verbatim_text": "to be made, or assisting others in making or causing to be made, any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering data or information from or about a consumer.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "IV",
      "title": "No Use of Improperly Obtained Information in Collections",
      "category": "prohibition",
      "summary": "Respondent is prohibited from using any data obtained in violation of Parts I, II, and III when collecting or attempting to collect debts.",
      "verbatim_text": "and enjoined from using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any data or information from or about a consumer obtained in a manner that does not comply with Parts I, II, and III of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "V",
      "title": "Protection of Data",
      "category": "affirmative_obligation",
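      "summary": "Respondent must delete or destroy data previously gathered using non-compliant monitoring or tracking technology and may transfer data gathered by such technology only if it is rendered unreadable, unusable, or indecipherable during transmission (for example, by encryption).",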
      "verbatim_text": "A. Delete or destroy data or information from or about a consumer previously gathered or stored using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order, unless such action is otherwise prohibited by court order or other legal obligation and after the expiration of any such court order or other legal obligation the information is deleted or destroyed; and\n\nB. Only transfer any data or information from or about a consumer that was gathered by any monitoring or geophysical location tracking technology from the computer upon which the technology is installed to respondent’s server(s), and from the respondent’s server(s) to any other computers or servers, if the information collected is rendered unreadable, unusable, or indecipherable during transmission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance",
        "Data Security"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "VI",
      "title": "No Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the security, privacy, or confidentiality of consumer data.",
      "verbatim_text": "own transaction shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any data or information from or about a consumer.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "VII",
      "title": "Oversight and Monitoring of Franchisees",
      "category": "monitoring",
      "summary": "Respondent must require franchisees to comply with order requirements, prohibit franchisees within 30 days after service of the order from engaging in the practices it bars, monitor franchisee compliance annually, and take corrective action or terminate non-compliant franchisees.",
      "verbatim_text": "A. Require its franchisees to delete or destroy data or information from or about a consumer previously gathered or stored using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order, unless such action is otherwise prohibited by court order or other legal obligation, in which case, after the expiration of any such court order or other legal obligation, respondent shall require its franchisees to delete or destroy the data or information;\n\nB. Within thirty (30) days after the date of service of this Order, prohibit each of its franchisees from, in connection with a covered rent-to-own transaction: 1. Using any monitoring technology to gather data or information from or about a consumer from any computer rented to a consumer; 2. Receiving, storing, or communicating any data or information from or about a consumer that was gathered from a computer rented to a consumer using any monitoring technology; 3. Gathering any data or information from any consumer product via any geophysical location tracking technology in a manner that: a. does not comply with Part II of this Order; and b. that respondent has not approved in advance of the franchisee’s use of such technology; 4. Using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any data or information from or about a consumer obtained in a manner that does not comply with Parts I, II, and III of this Order; and 5. Making, or causing to be made, any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering data or information from or about a consumer;\n\nC. Monitor compliance by each franchisee with the requirements of Parts VII.A and VII.B, including but not limited to by annually reviewing each franchisee’s compliance with Parts VII.A. and VII.B.; and\n\nD. When respondent knows, or has reason to know, whether as a result of monitoring required by Part VII.C. or otherwise, that a franchisee has violated any requirement imposed on that franchisee by respondent in compliance with Parts VII.A. or VII.B.: 1. Immediately take action to ensure that the franchisee corrects its practices; and 2. Terminate any such franchisee that fails to make such correction.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "VIII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver copies of the order to all current and future personnel and franchisee principals with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this Order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this Order and to all franchisee principals. Delivery must occur within thirty (30) days after the date of service of the Order for current personnel and franchisee principals. For new personnel and franchisee principals, delivery must occur before they assume their responsibilities. From each individual to whom respondent delivers a copy of this Order, respondent must obtain a signed and dated acknowledgment of receipt of this Order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file initial and ongoing compliance reports with the Commission, notify the Commission of corporate changes at least 30 days in advance, and respond to additional reporting requests within 10 days.",
      "verbatim_text": "A. Respondent, and its successors and assigns, shall, within sixty (60) days after the date of service of this Order, and at such other times as the Commission may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which they have complied with this Order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports;\n\nB. Respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this Order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or related entity that engages in any acts or practices subject to this Order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge; and",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "X",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents related to consumer privacy complaints, compliance with the order, and acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for five (5) years after the last date of any act or practice covered by Parts I – VII of this Order, maintain and upon reasonable notice make available to the Federal Trade Commission for inspection and copying, any documents, whether prepared by or on behalf of respondent, that: A. Comprise or relate to complaints or inquiries, whether received directly, indirectly, or through any third party, concerning consumer privacy, specifically including complaints or inquiries related to any monitoring or geophysical tracking technologies and any responses to those complaints or inquiries;\n\nB. Are reasonably necessary to demonstrate full compliance with each provision of this Order, including but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this Order, and all reports submitted to the Commission pursuant to this Order;\n\nC. Contradict, qualify, or call into question respondent’s compliance with this Order; or\n\nD. Acknowledge receipt of this Order obtained pursuant to Part VIII.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "XI",
      "title": "Termination of Order",
      "category": "duration",
      "summary": "Order terminates on March 10, 2034, or twenty years from the most recent date the FTC files a complaint alleging violation of the order in federal court, whichever comes later.",
      "verbatim_text": "This Order will terminate on March 10, 2034, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this Order that terminates in less than twenty (20) years; and B. This Order if such complaint is filed after the Order has terminated pursuant to this Part. Provided, further, that, if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Part as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.14_aaron_s",
      "company_name": "Aaron's, Inc.",
      "date_issued": "2014-03-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter",
      "docket_number": "C-4442"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Covered Software",
      "category": "prohibition",
      "summary": "Oracle must not misrepresent the privacy or security of its Covered Software or how to uninstall older Iterations of the Covered Software.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in or affecting commerce, must not misrepresent: (1) the privacy or security of the Covered Software on a consumer’s computer, including but not limited to the effect on privacy or security of any installation or update of the Covered Software; or (2) how to uninstall older Iterations of the Covered Software.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.16_oracle_corporation",
      "company_name": "Oracle Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter",
      "docket_number": "C-4571"
    },
    {
      "provision_number": "II",
      "title": "Disclosure Requirements During Java SE Installation or Update",
      "category": "affirmative_obligation",
      "summary": "During any installation or update of Java SE released after service of the order, Oracle must clearly and conspicuously disclose older installed Iterations, warn of security risks from retaining them, and provide instructions for uninstalling them.",
      "verbatim_text": "A. Clearly and Conspicuously discloses to the consumer all Iterations of Java SE 1.4.2 or later, other than any Iteration(s) Released Within the Last Quarter, currently installed on the consumer’s computer;\n\nB. Clearly and Conspicuously explains that there may be risks to the security of the consumer’s computer if the consumer chooses not to remove any Iterations of Java SE older than the Iteration(s) Released Within The Last Quarter currently installed on the consumer’s computer; and\n\nC. Clearly and Conspicuously discloses which Iterations of Java SE 1.4.2 or later, other than any Iteration(s) Released Within the Last Quarter, that remain installed following installation or update of Java SE, and Clearly and Conspicuously provides instructions describing how consumers can effectively uninstall these Iterations.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "03.16_oracle_corporation",
      "company_name": "Oracle Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter",
      "docket_number": "C-4571"
    },
    {
      "provision_number": "III",
      "title": "Notification to Affected Consumers of Older Insecure Java SE Iterations",
      "category": "affirmative_obligation",
      "summary": "Oracle must notify Affected Consumers that they may have older, insecure Iterations of Java SE on their computers, including via website hyperlink, security bulletins, social media, and by providing free uninstall tools and support.",
      "verbatim_text": "A. Posting of a Clear and Conspicuous hyperlink on the home page of respondent’s primary, consumer-facing website for Java SE. Such hyperlink must read “IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE.” The hyperlink should connect to a sample of the letter shown in Attachment A. This hyperlink and sample letter must be posted no later than ten (10) days after the date of service of the order and for at least two years following posting;\n\nB. On or before ten (10) days after the date of service of this order, provide Clear and Conspicuous notice to Affected Consumers regarding the contents of Attachment A. Respondent shall inform Affected Consumers by: 1. Contacting Avast Software, AVG Technologies, ESET North America, Avira, Inc., McAfee, Inc., Symantec Corporation, Trend Micro, Inc., and Mozilla Corporation to request that these entities publish this notice in their security bulletins;\n\n2. Sending a Twitter notification via respondent’s primary Twitter account for Java SE, the text of which shall read “IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE,” and link to a sample of the letter shown in Attachment A; and\n\n3. Sending a Facebook notification via respondent’s primary Facebook account for Java SE, the text of which shall read “IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE,” and link to a sample of the letter shown in Attachment A; and\n\nC. On or before ten (10) days after the date of service of this order and for three (3) years thereafter, providing prompt and free help to Affected Consumers through: 1. An uninstall tool that allows Affected Consumers to uninstall Iterations of Java SE, 1.4.2 or later;\n\n2. A page on respondent’s primary, consumer-facing website for Java SE that Clearly and Conspicuously explains how to uninstall Iterations of Java SE, and provides a link to the uninstall tool referenced in Part III.C.1; and\n\n3. A Clear and Conspicuous electronic form, specific to update and uninstall issues, available on respondent’s primary, consumer-facing website for Java SE. Respondent shall answer within a reasonable time, by email, consumers who fill out such form.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "03.16_oracle_corporation",
      "company_name": "Oracle Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter",
      "docket_number": "C-4571"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Oracle must maintain and make available to the FTC for five years all documents relating to compliance with the order, including advertisements, release notes, and any documents contradicting compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and, upon request, make available to the Federal Trade Commission for inspection and copying, for a period of five (5) years from the date of preparation or dissemination, whichever is later, a print or electronic copy of each document relating to compliance with this order, including but not limited to: A. All advertisements, promotional materials, installation and user guides, websites, and installation screens containing any representations covered by this order, as well as all materials used or relied upon in making or disseminating the representation;\n\nB. All release notes for all Java SE Iterations, including the Iterations’ release dates; and\n\nC. Any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.16_oracle_corporation",
      "company_name": "Oracle Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter",
      "docket_number": "C-4571"
    },
    {
      "provision_number": "V",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Oracle must deliver a copy of the order to relevant current and future subsidiaries, officers, directors, managers, and supervisory employees, and obtain signed acknowledgments of receipt within 30 days of delivery.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, must deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, employees, agents, and representatives having managerial or supervisory responsibilities relating to Parts I - III of this order. Respondent must deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery must be at least ten (10) days prior to the change in structure.\n\nRespondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.16_oracle_corporation",
      "company_name": "Oracle Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter",
      "docket_number": "C-4571"
    },
    {
      "provision_number": "VI",
      "title": "Notice of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Oracle must notify the FTC at least 30 days prior to any corporate changes that may affect compliance obligations, such as dissolution, merger, sale, bankruptcy filing, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line In the Matter of Oracle Corporation, FTC File No. 132 3115. Provided, however, that in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of any such notice is contemporaneously sent to the Commission at Debrief@ftc.gov.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.16_oracle_corporation",
      "company_name": "Oracle Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter",
      "docket_number": "C-4571"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Oracle must file an initial written compliance report with the FTC within 90 days of service of the order, and submit additional reports within 10 days of written request from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.16_oracle_corporation",
      "company_name": "Oracle Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter",
      "docket_number": "C-4571"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "The order terminates on March 28, 2036, or 20 years from the most recent date the FTC files a complaint alleging any order violation in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on March 28, 2036, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.16_oracle_corporation",
      "company_name": "Oracle Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter",
      "docket_number": "C-4571"
    },
    {
      "provision_number": "I",
      "title": "Prohibition on the Disclosure of Sensitive Personal Information",
      "category": "prohibition",
      "summary": "Defendant is permanently enjoined from selling, transferring, or otherwise disclosing consumers' Sensitive Personal Information to any person, with limited exceptions for payment processing with express consumer consent.",
      "verbatim_text": "IT IS THEREFORE ORDERED that Defendant is hereby permanently restrained and enjoined from, or assisting others engaged in, selling, transferring, or otherwise disclosing a consumer’s Sensitive Personal Information to any Person, except as otherwise provided in Sections IV or IX of this Order; provided, however, that this Section I shall not prohibit the Defendant from transferring or otherwise disclosing a consumer’s Sensitive Personal Information to the extent necessary to process payment for any product or service sold by the Defendant directly to that consumer and for which the Defendant has the consumer’s express, informed consent for that sale.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "II",
      "title": "Prohibited Misrepresentations Relating to Financial Products or Services",
      "category": "prohibition",
      "summary": "Defendant is permanently enjoined from misrepresenting the likelihood that any person will obtain a loan or credit, or the terms and rates available for any loan or extension of credit.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant and its officers, agents, employees, and attorneys, and those persons or entities in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or selling of any Financial Product or Service, are hereby permanently restrained and enjoined from misrepresenting or assisting others in misrepresenting, expressly or by implication: A. The likelihood that any Person will obtain a loan or other extension of credit; and B. The terms or rates that are available for any loan or other extension of credit.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "III",
      "title": "Prohibited Misrepresentations Relating to All Products or Services",
      "category": "prohibition",
      "summary": "Defendant is permanently enjoined from misrepresenting consumer authorization, product outcomes, refund/cancellation policies, or any material fact about any product or service.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant and its officers, agents, employees, and attorneys, and those persons or entities in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or selling of any product or service, are hereby permanently restrained and enjoined from misrepresenting or assisting others in misrepresenting, expressly or by implication: A. That a consumer has authorized or otherwise consented to the purchase of a product or service; B. The likelihood of any particular outcome or result from a product or service; C. The nature or terms of any refund, cancellation, exchange, or repurchase policy, including, but not limited to, the likelihood of a consumer obtaining a full or partial refund, or the circumstances in which a full or partial refund will be provided to the consumer; and D. Any other fact material to consumers concerning any product or service, such as: the total costs; any material restrictions, limitations, or conditions; or any material aspect of its performance, efficacy, nature, or central characteristics.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "IV",
      "title": "Consumer Information",
      "category": "affirmative_obligation",
      "summary": "Defendant must provide consumer information to the FTC upon request, is prohibited from using or disclosing consumer information obtained prior to the Order, and must destroy all such consumer information within 30 days of the Order.",
      "verbatim_text": "A. Failing to provide sufficient consumer information to enable the FTC to administer efficiently consumer redress. If a representative of the FTC requests in writing any information related to redress, Defendant must provide it, in the form prescribed by the FTC, within 14 days.\n\nB. Disclosing, using, or benefitting from consumer information, including the name, address, telephone number, email address, social security number, other identifying information, or any data that enables access to a consumer’s account (including a credit card, bank account, or other financial account) of any person that any defendant obtained prior to entry of this Order in connection with the marketing or offering of payday loans or other extensions of credit.\n\nC. Failing to destroy such consumer information in all forms in Defendant’s possession, custody, or control within thirty (30) days after entry of this order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "V",
      "title": "Monetary Judgment",
      "category": "affirmative_obligation",
      "summary": "A judgment of $4,124,710 is entered in favor of the FTC but suspended based on the accuracy of Defendant's financial disclosures; the suspension may be lifted if material misstatements are found, and all paid funds are used for consumer redress or equitable relief.",
      "verbatim_text": "A. Judgment in the amount of four million, one hundred twenty four thousand, seven hundred ten dollars ($4,124,710) is entered in favor of the FTC against Defendant as equitable monetary relief. The Judgment is suspended subject to the Subsections below.\n\nB. The Commission’s agreement to the suspension of the judgment is expressly premised upon the truthfulness, accuracy, and completeness of Defendant’s sworn financial statements and related documents (collectively, “financial representations”) submitted to the Commission, namely, the Financial Statement of Defendant LeapLab, LLC signed by John Ayers, manager, on October 1, 2015, including the attachments;\n\nC. The suspension of the judgment will be lifted if, upon motion by the Commission, the Court finds that Defendant failed to disclose any material asset, materially misstated the value of any asset, or made any other material misstatement or omission in the financial representations identified above.\n\nD. If the suspension of the judgment is lifted as to Defendant, the judgment becomes immediately due as to Defendant in the amount specified in Subsection V.A. above (which the parties stipulate to only for purposes of this Section represents the consumer injury alleged in the Complaint), less any payment previously made pursuant to this Section, plus interest computed from the date of entry of this Order.\n\nE. All money paid to the FTC pursuant to this Order may be deposited into a fund administered by the FTC or its designee to be used for equitable relief, including consumer redress and any attendant expenses for the administration of any redress funds. If a representative of the FTC decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the FTC may apply any remaining money for such other equitable relief (including consumer information remedies) as the FTC determines to be reasonably related to the practices alleged in the Complaint. Any money not used for such equitable relief is to be deposited to the United States Treasury as equitable disgorgement. Defendant has no right to challenge any actions the FTC or its representatives may take pursuant to this Subsection.\n\nF. Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nG. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the FTC, in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nH. The facts alleged in the Complaint establish all elements necessary to sustain an action by the FTC pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nI. Defendant acknowledges that its Taxpayer Identification Numbers (Social Security Numbers or Employer Identification Numbers), which Defendant previously submitted to the FTC, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Defendant must acknowledge receipt of the Order, deliver copies to relevant personnel and business entities, and obtain signed acknowledgments from all recipients.",
      "verbatim_text": "A. Within 7 days of entry of this Order, Defendant must submit to the FTC an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 5 years after entry of this Order, Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives who participate in conduct related to the subject matter of this Order; and (3) any business entity resulting from any change in structure as set forth in the Section entitled Compliance Reporting. Delivery must occur within 7 days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendant must submit a sworn compliance report one year after the Order, provide notice of material changes within 14 days for 20 years, notify the FTC of any bankruptcy filing within 14 days, and submit all sworn filings in the required format and manner.",
      "verbatim_text": "A. One year after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury. In that report, Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the FTC may use to communicate with Defendant; (b) identify all of Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the products and services offered, the means of advertising, marketing, and sales, and the involvement of any other defendant; (d) describe in detail whether and how Defendant is in compliance with each Section of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the FTC;\n\nB. For 20 years following entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of Defendant or any entity that Defendant has any ownership interest in or directly or indirectly controls that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Defendant must submit to the FTC notice of the filing of any bankruptcy petition, insolvency proceeding, or any similar proceeding by or against Defendant within 14 days of its filing.\n\nD. Any submission to the FTC required by this Order to be sworn to under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on:_____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by an FTC representative in writing, all submissions to the FTC pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. Sitesearch, et al.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendant must create specified records for 20 years after entry of the Order and retain each record for 5 years, covering consumer consent records, accounting records, personnel records, complaints, compliance documentation, and marketing materials.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant must create certain records for 20 years after entry of the Order and retain each such record for 5 years. Specifically, Defendant must create and maintain the following records: A. Proof of consumers’ express, informed consent to have their Sensitive Personal Information transferred or disclosed, which includes the consumer’s name, and, if collected, phone number, and address; the manner, time, place, and method of the authorization; and sufficient data to readily show the complete consumer experience, including an audio recording of the entirety of any telemarketing transaction;\n\nB. Accounting records showing the revenues from all goods or services sold, all costs incurred in generating those revenues, and the resulting net profit or loss;\n\nC. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name, addresses, and telephone numbers; job title or position; dates of service; and, if applicable, the reason for termination;\n\nD. Complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nE. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the FTC; and\n\nF. A copy of each unique advertisement or other marketing material.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC has broad authority to monitor Defendant's compliance, including demanding information, conducting depositions, using discovery procedures, communicating directly with Defendant's personnel, and employing undercover methods.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the FTC, Defendant must: submit additional compliance reports or other requested information, which must be sworn to under penalty of perjury; appear for depositions; and produce documents, for inspection and copying. The FTC is also authorized to obtain discovery, without further leave of Court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, the FTC is authorized to communicate directly with Defendant. Defendant must permit representatives of the FTC to interview any employee or other person affiliated with Defendant who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The FTC may use all other lawful means, including posing, through its representatives, as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the FTC's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "X",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab",
      "company_name": "Sitesearch Corporation",
      "date_issued": "2016-03-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab",
      "docket_number": "CV-14-02750-PHX-NVW"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Violating FTC Order",
      "category": "prohibition",
      "summary": "Defendant and all persons acting in concert with it are permanently enjoined from violating, directly or indirectly, any provision of the 2012 FTC Order.",
      "verbatim_text": "Defendant, and its officers, agents, representatives, employees, and attorneys, and all persons in active concert or participation with any of them who receive actual notice of this Order by personal service or otherwise, are permanently enjoined from violating, directly or indirectly, through any corporation, subsidiary, division, or other device, any provision of the FTC Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "II",
      "title": "Civil Penalty Judgment",
      "category": "affirmative_obligation",
      "summary": "A civil penalty judgment of $500,000 is entered against Defendant, which must be paid within 7 days of entry of this Order via electronic fund transfer.",
      "verbatim_text": "Judgment in the amount of five hundred thousand dollars ($500,000) is entered against Defendant as a civil penalty.\n\nA. Within seven (7) days of entry of this Order, Defendant must pay the civil penalty in the form of an electronic fund transfer in accordance with the procedures specified by the Consumer Protection Branch, Civil Division, U.S. Department of Justice, Washington, DC 20530.\n\nB. Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and will not seek the return of any assets.\n\nC. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the FTC, including in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "III",
      "title": "Evaluation of Informed User Consent to Data Collection and Use",
      "category": "assessment",
      "summary": "Before making any Targeting Tool available to consumers, Defendant must obtain an evaluation and report from a qualified, FTC-approved third-party professional certifying compliance with the FTC Order's disclosure and consent requirements.",
      "verbatim_text": "If Defendant is required to make a disclosure or obtain consent pursuant to Section I of the FTC Order, prior to the date on which Defendant makes the Targeting Tool available to consumers, Defendant must obtain an evaluation and report from a qualified, objective, independent third-party professional specializing in website design and user experience (\"evaluator\"). Defendant's evaluator selection is subject to approval from the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission. For any disclosure or consent governed by Section I of the FTC Order, the evaluator must certify Defendant's adherence to the FTC Order's \"clearly and prominently\" disclosure requirement and \"express, affirmative\" consent requirement.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "IV",
      "title": "Assessment of Targeting Tool",
      "category": "assessment",
      "summary": "For any assessment conducted under Section VI of the FTC Order, Defendant must obtain advance written approval from the FTC Associate Director for Enforcement for the assessment's scope and design.",
      "verbatim_text": "For any assessment conducted pursuant to Section VI of the FTC Order, Defendant must obtain advance written approval of the assessment's scope and design from the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "V",
      "title": "Removal of the RewardU Toolbar and Associated Cookies",
      "category": "affirmative_obligation",
      "summary": "Defendant must permanently expire all RewardU-related cookies and notify all affected consumers to uninstall the toolbar and delete associated cookies within 30 days of entry of the Order.",
      "verbatim_text": "Defendant must configure its systems to permanently expire any RewardU-related cookie previously placed by Defendant. Defendant must effectively notify all consumers who downloaded the RewardU toolbar to uninstall the toolbar and delete any associated cookies. Defendant's notice must explain to consumers how to perform these actions. Defendant must provide the notice, within 30 days after the date of entry of the Order:\n\nA. By emailing the notice to consumers at the email address they most recently provided to Upromise;\n\nB. By posting a notice on the RewardU page of the Upromise.com website for at least 2 years;\n\nC. By providing the notice to any consumer who complains or inquires about the privacy or security of the RewardU toolbar during the next 3 years.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Surveillance"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Defendant must submit a sworn acknowledgment of receipt of the Order to the FTC within 7 days, deliver copies of the Order to all principals and relevant personnel, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Defendant, within 7 days of entry of this Order, must submit to the FTC an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 5 years after entry of this Order, Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within 7 days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendant must submit a sworn compliance report one year after entry of the Order, and for 20 years thereafter must submit sworn compliance notices within 14 days of certain changes in structure or contact information, and within 14 days of any bankruptcy filing.",
      "verbatim_text": "A. One year after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury: 1. Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Plaintiff or FTC may use to communicate with Defendant; (b) identify all of Defendant's businesses by all of its names, telephone numbers, and physical, postal, email, and Internet addresses; ( c) describe the activities of each business; ( d) describe in detail whether and how Defendant is in compliance with each Section of this Order; and ( e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the FTC.\n\nB. For 20 years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: I. Defendant must report any change in: (a) any designated point of contact; or (b) the structure of Defendant or any entity that Defendant has any ownership interest in or 5 Case 1:17-cv-10442-RGS Document 4 Filed 03/23/17 Page 6 of 22 controls directly or indirectly that may affect compliance obligations arising under this Order, including the creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Defendant must submit to the FTC notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendant within 14 days of its filing.\n\nD. Any submission to the FTC required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: \"I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: __\" and supplying the date, signatory's full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a FTC representative in writing, all submissions to the FTC pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. Upromise, Matter No. C43501.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendant must create certain records for 20 years after entry of the Order and retain each such record for 5 years, including compliance records, accounting records, and personnel records.",
      "verbatim_text": "Defendant must create certain records for 20 years after entry of the Order, and retain each such record for 5 years. Specifically, Defendant must create and retain the following records: A. All records necessary to demonstrate full compliance with each provision of this Order and the FTC Order, including all submissions to the FTC;\n\nB. Accounting records showing the revenues from all goods or services sold or licensed; and\n\nC. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person's: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "Plaintiff and the FTC have broad rights to monitor Defendant's compliance, including demanding additional reports, conducting depositions and discovery, communicating directly with Defendant, and using undercover means, all without further court order.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Plaintiff or the FTC, Defendant must submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Plaintiff and the FTC are authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, the Plaintiff and the FTC are authorized to communicate directly with Defendant. Defendant must permit representatives of the Plaintiff and the FTC to interview any employee or other person affiliated with Defendant who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Plaintiff and the FTC may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the FTC's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "X",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "verbatim_text": "This Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "I (FTC Order)",
      "title": "Disclosure and Consent for Targeting Tool",
      "category": "affirmative_obligation",
      "summary": "Respondent must clearly and prominently disclose all types of data collected and how it is used, and must obtain express affirmative consent from consumers prior to enabling any Targeting Tool, including for previously installed TurboSaver Toolbars before making material changes.",
      "verbatim_text": "A. Prior to the consumer enabling (by downloading, installing, or otherwise activating) any Targeting Tool: 1. Clearly and prominently, and prior to the display of and on a separate screen from, any \"end user license agreement,\" \"privacy policy,\" \"terms of use\" page, or similar document, disclose: a) all the types of data that the Targeting Tool will collect, including but not limited to, if applicable, a statement that the data includes transactions or communications between the consumer and third parties in secure sessions, interactions with shopping baskets, application forms, online accounts, web-based email accounts, or search engine pages, and if the information includes personal, financial or health information.\n\nb) how the data is used, including if the data is shared with a third party, other than as reasonably necessary: (i) to comply with applicable law, regulation, or legal process, (ii) to enforce respondent's terms of use, or (iii) to detect, prevent, or mitigate fraud or security vulnerabilities.\n\n2. Obtain express affirmative consent from the consumer to the enabling (by downloading, installing, or otherwise activating) and to the collection of data.\n\nB. For those TurboSaver Toolbars installed by consumers before the date of issuance of this order, prior to (1) enabling data collection through any Targeting Tool or (2) otherwise making any material change from stated practices about collection or sharing of personal information through the TurboSaver Toolbar, provide the notice and obtain the express consent described in subparts A(1) and (2) of this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "II (FTC Order)",
      "title": "Notification to Affected Consumers",
      "category": "affirmative_obligation",
      "summary": "Respondent must notify Affected Consumers about the Personalized Offers feature, the data collected, and how to disable and uninstall the TurboSaver Toolbar through website posting, direct consumer inquiries, and direct notice.",
      "verbatim_text": "1. Beginning within thirty (30) days after the date of service of this order and for two (2) years after the date of service of this order, posting of a clear and prominent notice on its website.\n\n2. Beginning within thirty (30) days after the date of service of this order and for three (3) years after the date of service of this order, informing Affected Consumers who complain or inquire about the privacy or security of the TurboSaver Toolbar.\n\n3. Within sixty (60) days after the date of service of this order, providing direct, clear and prominent notice to Affected Consumers who have the Personalized Offers feature enabled.\n\nB. Provide prompt, toll-free, telephonic and electronic mail support to help Affected Consumers disable the Personalized Offers feature and, if requested, uninstall the TurboSaver Toolbar.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "III (FTC Order)",
      "title": "Deletion of Collected Information",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete or destroy all Collected Information in its custody or control within 5 days of service of the FTC Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within five (5) days after the date of service of this order, delete or destroy, or cause to be deleted or destroyed, all Collected Information in respondent's custody or control, unless otherwise directed by a representative of the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "IV (FTC Order)",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not make any false or misleading representations about the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of personal information collected from consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, website, or other device, in connection with its advertising, marketing, promotion, or offering of any service or product in or affecting commerce, shall not make any representation, in any manner, expressly or by implication, about the extent to which respondent maintains and protects the security, privacy, confidentiality, or integrity of any personal information collected from or about consumers, unless the representation is true, and non-misleading.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "V (FTC Order)",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive, fully documented information security program with administrative, technical, and physical safeguards appropriate to its size, complexity, and the sensitivity of the personal information it collects.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, website, or other device, in connection with its advertising, marketing, promotion, or offering of any product or service, in or affecting commerce, shall maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of personal information collected fr~m or about conswners. This section may be satisfied through the review and maintenance of an existing program so long as that program fulfills the requirements set forth herein. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent's size and complexity and the nature and scope of respondent's activities, and the sensitivity of the personal information collected from or about conswners, including:\n\nA. The designation of an employee or employees to coordinate and be accountable for the information secwity program;\n\nB. The identification of material internal and external risks that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of personal information and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) 6 Case 1:17-cv-10442-RGS Document 4 Filed 03/23/17 Page 18 of 22 employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, account takeovers, or other systems failures;\n\nC. 
The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures;\n\nD. The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information such service providers receive from respondent or obtain on respondent's behalf, and the requirement, by contract, that such service providers implement and maintain appropriate safeguards; and\n\nE. The evaluation and adjustment of respondent's information security program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent's operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "VI (FTC Order)",
      "title": "Third-Party Security Assessments of Covered Online Services",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments for any Covered Online Service from a qualified, independent professional, covering the first 180 days and each two-year period thereafter for 20 years.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with-Part V of this order, for any Covered Online Service respondent shall obtain initial and biennial assessments and reports (\"Assessments\") from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such Assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. Set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. Explain how such safeguards are appropriate to respondent's size and complexity, and the nature and scope of respondent's activities, and the sensitivity of the personal infonnation collected from or about consumers;\n\nC. Explain how the safeguards that have been implemented meet or exceed the protections required by Part V of this order; and\n\nD. 
Certify that respondent's security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (6 0) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director ofEnforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "VII (FTC Order)",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available for FTC inspection, for 5 years after the last dissemination of any covered representation, all advertisements, supporting materials, contradicting evidence, and Order acknowledgments; and for 3 years after each assessment, all materials used to prepare that assessment.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for a period of five (5) years after the last date of dissemination of any representation covered by this order, maintain and upon request make available to the Commission for inspection and copying: A. All advertisements, labeling, packaging and promotional material containing the representation; B. All materials relied upon in disseminating the representation; C. All tests, reports, studies, surveys, demonstrations, or other evidence in its possession or control that contradict, qualify, or call into question the representation, or the basis relied upon for the representation, including complaints and other communications with consumers or with governmental or consumer protection organizations; and D. All acknowledgments of receipt of this order, obtained pursuant to Part IX.\n\nMoreover, for a period of three (3) years after the date of preparation of each Assessment required under Part VI of this order, respondent shall maintain and upon request make available to the Commission for inspection and copying all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "VIII (FTC Order)",
      "title": "Cooperation with the Commission",
      "category": "monitoring",
      "summary": "Respondent must cooperate in good faith with the FTC in connection with this action or any related subsequent investigation, appearing for interviews, conferences, discovery, and proceedings as reasonably requested.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, in connection with this action or any subsequent investigations related to or associated with the transactions or the occurrences that are the subject of the Commission's complaint, cooperate in good faith with the Commission and appear at such places and times as the Commission shall reasonably request, after written notice, for interviews, conferences, pretrial discovery, review of documents, and for such other matters as may be reasonably requested by the Commission. Ifr equested in writing by the Commission, respondent shall appear and provide truthful testimony in any trial, deposition, or other proceeding related to or associated with the transactions or the occurrences that are the subject of the complaint, without the service of a subpoena.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "IX (FTC Order)",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the FTC Order to all current and future principals, officers, directors, and relevant managers, and obtain a signed and dated acknowledgment from each recipient.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to: (1) all current and future principals, officers, and directors; and (2) all current and future managers who have responsibilities with respect to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq. Respondent shall deliver this order to current personnel within thirty (30) days after the date of service of the order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "X (FTC Order)",
      "title": "Compliance Reporting / Notification of Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any change that may affect compliance obligations, including dissolution, sale, merger, creation or dissolution of subsidiaries, bankruptcy filing, or change in name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in respondent that may affect compliance obligations arising under this order, including but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary (including an LLC), parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in respondent's name or address. Provided, however, that with respect to any proposed change about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line FTC v. Upromise. Provided. however, that, in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of such notices is contemporaneously sent to the Commission at Debrief@ftc.gov.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "XI (FTC Order)",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report within 60 days of service of the FTC Order and submit additional written reports within 10 days of the FTC's written request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after service of this order, and at such other times as the FTC may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which\n\nrespondent has complied with this order. Within ten (I 0) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "XII (FTC Order)",
      "title": "Order Duration / Termination",
      "category": "duration",
      "summary": "The FTC Order terminates on December 31, 2031, or 20 years from the most recent date the United States or the FTC files a complaint alleging any violation of the order in federal court, whichever is later.",
      "verbatim_text": "This order will terminate on December 31, 2031, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part of this order that terminates in less than twenty (20) years; B. This order's application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. ·",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.17_upromise",
      "company_name": "Upromise, Inc.",
      "date_issued": "2017-03-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc",
      "docket_number": "C-4351"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in, complies with, or is certified under any privacy or security program sponsored by a government or self-regulatory organization, including EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, and APEC Cross-Border Privacy Rules.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework, the Swiss-U.S. Privacy Shield framework, and the APEC Cross-Border Privacy Rules.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.20_t_m_protection_resources",
      "company_name": "T&M Protection Resources, LLC",
      "date_issued": "2020-03-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3092-tm-protection-resources-llc-matter",
      "docket_number": "C-4709"
    },
    {
      "provision_number": "II",
      "title": "Requirement to Meet Continuing Obligations Under Privacy Shield",
      "category": "affirmative_obligation",
      "summary": "Respondent must either affirm to the Department of Commerce that it will continue applying Privacy Shield principles (or use another EU-law-authorized means) to personal information received during participation, or return or delete that information — both within ten days of the Order's effective date.",
      "verbatim_text": "A. affirm to the Department of Commerce, within ten (10) days after the effective date of this Order and on an annual basis thereafter for as long as it retains such information, that it will Page 2 of 6 1. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or 2. protect the information by another means authorized under EU law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission; or\n\nB. return or delete the information within ten (10) days after the effective date of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.20_t_m_protection_resources",
      "company_name": "T&M Protection Resources, LLC",
      "date_issued": "2020-03-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3092-tm-protection-resources-llc-matter",
      "docket_number": "C-4709"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit an acknowledgment of receipt of the Order to the Commission within ten days, deliver copies of the Order to relevant personnel within specified timeframes, and obtain signed acknowledgments from each recipient within thirty days of delivery.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.20_t_m_protection_resources",
      "company_name": "T&M Protection Resources, LLC",
      "date_issued": "2020-03-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3092-tm-protection-resources-llc-matter",
      "docket_number": "C-4709"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days, submit sworn notices of changes to contact information or corporate structure within 14 days, and submit notice of any bankruptcy filing within 14 days, all in accordance with specified submission requirements.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Page 3 of 6 Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re T&M Protection Resources, LLC, FTC File No. 192 3092, Docket No. C-4709.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.20_t_m_protection_resources",
      "company_name": "T&M Protection Resources, LLC",
      "date_issued": "2020-03-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3092-tm-protection-resources-llc-matter",
      "docket_number": "C-4709"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for ten years after the Order's issuance date and retain each record for five years, including accounting records, personnel records, compliance records, and copies of representations subject to the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for ten (10) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services related to the subject matter of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.20_t_m_protection_resources",
      "company_name": "T&M Protection Resources, LLC",
      "date_issued": "2020-03-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3092-tm-protection-resources-llc-matter",
      "docket_number": "C-4709"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance through written requests for reports and records, direct communications and interviews with affiliated persons, and other lawful investigative means including undercover inquiries.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.20_t_m_protection_resources",
      "company_name": "T&M Protection Resources, LLC",
      "date_issued": "2020-03-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3092-tm-protection-resources-llc-matter",
      "docket_number": "C-4709"
    },
    {
      "provision_number": "VII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is final and effective upon publication on the FTC's website and terminates on March 16, 2040, or twenty years from the most recent date a complaint alleging a violation is filed in federal court, whichever is later, with specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on March 16, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.20_t_m_protection_resources",
      "company_name": "T&M Protection Resources, LLC",
      "date_issued": "2020-03-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3092-tm-protection-resources-llc-matter",
      "docket_number": "C-4709"
    },
    {
      "provision_number": "I",
      "title": "Use of Facial Recognition or Analysis Systems Prohibited",
      "category": "prohibition",
      "summary": "Respondents are prohibited for five years from deploying or using any Facial Recognition or Analysis System in any retail store, retail pharmacy, or online retail platform.",
      "verbatim_text": "IT IS ORDERED that Respondents, in connection with the activities of any Covered Business, are prohibited for five (5) years from the effective date of this Order from deploying or using, or assisting in the deployment or use of, any Facial Recognition or Analysis System, whether directly or through an intermediary, in any retail store or retail pharmacy or on any online retail platform.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Biometric Ban"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "II",
      "title": "Deletion of Covered Biometric Information",
      "category": "affirmative_obligation",
      "summary": "Respondents must delete all consumer photos and videos used with facial recognition systems within 45 days, notify third parties and instruct them to delete within 60 days, and forward third-party deletion confirmations within 10 days of receipt.",
      "verbatim_text": "A. Within forty-five (45) days after the effective date of this Order, delete or destroy all photos and videos of consumers used or collected in connection with the operation of a Facial Recognition or Analysis System prior to the effective date of this Order, and any data, models, or algorithms derived in whole or in part therefrom, and provide a written statement to the Commission, sworn under penalty of perjury, confirming that all such information has been deleted or destroyed;\n\nB. Within sixty (60) days after the effective date of this Order, Respondents must: 1. Identify all third parties, other than government entities, that received photos and videos of consumers used or collected in connection with the operation of a Facial Recognition or Analysis System prior to the effective date of this Order, and any data, models, or algorithms derived in whole or in part therefrom from any Covered Business, provide a copy of the Complaint and Order to all such identified third parties, notify all such identified third parties in writing that the Federal Trade Commission alleges that Respondents used that information in a manner that was unfair in violation of the FTC Act, and instruct all such identified third parties to delete all photos and videos of consumers used or collected in connection with the operation of a Facial Recognition or Analysis System prior to the effective date of this Order, and any data, models, or algorithms derived in whole or in part therefrom, and demand written confirmation of deletion. Defendant’s instruction to each such identified third party shall include a description of the Biometric Information to be deleted. Defendant must provide all instructions sent to the identified third parties to: DEbrief@ftc.gov or sent by overnight courier (not the U.S. 
Postal Service) to: Associate Director for Enforcement, Bureau of 6 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 14 of 138 Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In the Matter of Rite Aid;” and\n\n2. Provide all receipts of confirmation and any responses from third parties within ten (10) days of receipt to: DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In the Matter of Rite Aid.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "III",
      "title": "Mandated Automated Biometric Security or Surveillance System Monitoring Program",
      "category": "affirmative_obligation",
      "summary": "Before using any Automated Biometric Security or Surveillance System, Respondents must establish, implement, and maintain a comprehensive monitoring Program that identifies and addresses consumer risks, including disproportionate impacts by race, ethnicity, gender, sex, age, or disability.",
      "verbatim_text": "A. Document in writing the content, implementation, and maintenance of the Program;\n\nB. Designate a qualified employee or employees to coordinate and be responsible for the Program;\n\nC. For each Automated Biometric Security or Surveillance System used, prior to its implementation (or for any Automated Biometric Security or Surveillance System in use as of the effective date of this Order, within ninety (90) days of the effective date of this Order) and, thereafter, at least once every twelve (12) months, conduct a written assessment (“System Assessment”) of potential risks to consumers from the use of the Automated Biometric Security or Surveillance System, including, at a minimum, risks that consumers could experience physical, financial, or reputational injury, stigma, or severe emotional distress in connection with Inaccurate Outputs of the Automated Biometric Security or Surveillance System (e.g., if the technology misidentifies a consumer). The System Assessment must include a review of: 7 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 15 of 138 1. The consequences for consumers of Inaccurate Outputs of the Automated Biometric Security or Surveillance System, including actions that Respondents or others intend to or may foreseeably take in whole or in part as a result of such Outputs; 2. Any testing relating to the rate or likelihood of Inaccurate Outputs, the extent to which such testing was conducted using reliable methodologies and under conditions similar to those in which the Automated Biometric Security or Surveillance System will operate, and the results of such testing; 3. 
Any factors that are likely to affect the accuracy of the type of Automated Biometric Security or Surveillance System deployed, such as any characteristics of Biometric Information, of the context or method in which Biometric Information is captured, or of individuals whose Biometric Information is used in connection with the Automated Biometric Security or Surveillance System (e.g., skin tone or language or dialect spoken), that would increase or decrease the likelihood that its use in connection with the Automated Biometric Security or Surveillance System would result in Inaccurate Outputs; 4. The extent to which the specific components of the Automated Biometric Security or Surveillance System as deployed, including the specific types and models of any devices or software, that any Covered Business uses or will use to capture, transmit, or store Biometric Information could affect the likelihood that the Automated Biometric Security or Surveillance System produces Inaccurate Outputs; 5. Documentation and monitoring of the Automated Biometric Security or Surveillance System’s accuracy that Respondents have conducted pursuant to sub-Provision III.D; 6. The extent to which the Automated Biometric Security or Surveillance System was developed to be used for a similar purpose and under similar conditions to those under which any Covered Business deploys or will deploy the Automated Biometric Security or Surveillance System; 7. The methods by which any algorithms comprising part of the Automated Biometric Security or Surveillance System were developed, including the extent to which such components were developed using machine learning or any other method that entails the use of datasets to train algorithms, and the extent to which these methods increase the likelihood that Inaccurate Outputs will occur or will disproportionately affect consumers depending on their race, ethnicity, gender, sex, age, or disability status. 
This review should include, at a minimum: 8 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 16 of 138 a. The sources and manner of collection of data that have been used to train or otherwise develop algorithmic components of the Automated Biometric Security or Surveillance System; b. The extent to which the training data are materially similar to the Biometric Information that will be used in connection with deployment of the Automated Biometric Security or Surveillance System in light of factors that are known to affect the accuracy of the type of Automated Biometric Security or Surveillance System deployed; and c. The makeup of any datasets that have been used to train or otherwise develop algorithmic components of the Automated Biometric Security or Surveillance System, including the extent to which the datasets have been representative, in terms of race, ethnicity, gender, sex, age, and disability status, of the population(s) of consumers whose Biometric Information will be used in connection with deployment of the Automated Biometric Security or Surveillance System; 8. The context in which the Automated Biometric Security or Surveillance System is or will be deployed, including the geographical locations of stores deploying the technology, demographic characteristics, including race and ethnicity, of areas surrounding stores where technology is deployed, physical location within stores or sections of stores, such as pharmacies, of system components, and the scale, timing and duration of the deployment (e.g., how long the system will be deployed and whether the system will operate continuously or only under certain circumstances); 9. All policies and procedures governing the operation of the Automated Biometric Security or Surveillance System and its software, algorithms, hardware, or other components; 10. The extent to which Operators receive sufficient and relevant training or are subject to oversight; 11. 
The extent to which the Automated Biometric Security or Surveillance System is likely to generate Inaccurate Outputs at a higher rate when analyzing or using Biometric Information collected from or about consumers of particular races, ethnicities, sexes, genders, ages, or who have disabilities (or any of these categories in combination), taking into account technical elements of the Automated Biometric Security or Surveillance System and any components thereof, the selection of locations in which to deploy the Automated Biometric Security or Surveillance System, and the context or manner in which any Covered Business has deployed or will deploy the Automated Biometric Security or Surveillance System; and 9 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 17 of 138 12. The extent to which consumers are able to avoid the Automated Biometric Security or Surveillance System without losing access to any Covered Business’s physical retail locations or online services, including by withholding Affirmative Express Consent for, or opting out of, the collection or use of their Biometric Information.\n\nD. Implement, maintain, and document safeguards that are designed to control for the risks Respondents identify in the System Assessment. Each safeguard must be based on the severity of the risk to consumers and the likelihood that the risk could be realized. Such safeguards must also include: 1. Selecting and retaining service providers with duties related to the subject matter of this Order that are capable of performing those duties in a manner consistent with the Program and this Order, and contractually requiring such service providers to (1) comply with the requirements of the Program and this Order and (2) make available to Respondents all information and materials necessary to conduct the System Assessment; 2. Requiring and documenting regular and at least annual training for all Operators, which must cover, at a minimum: a. 
Methodologies for interpreting or assessing the validity of the Outputs of the Automated Biometric Security or Surveillance System, including for judging whether Outputs are Inaccurate; b. Evaluation of Biometric Information to determine its quality, value, and appropriateness for use in connection with the Automated Biometric Security or Surveillance System, particularly in light of each relevant factor identified pursuant to sub-Provision III.C.3 and the quality standards implemented pursuant to sub-Provision III.D.6.a; c. An overview of the types of human cognitive bias, such as automation bias and confirmation bias, that could foreseeably affect Operators’ interpretations of the Outputs; d. Known limitations of the Automated Biometric Security or Surveillance System, including factors that are known to affect the accuracy of the Outputs of Automated Biometric Security or Surveillance Systems of the type deployed, such as image or sound quality, the method by which Biometric Information to be used in connection with the Automated Biometric Security or Surveillance System is collected, background images or sounds, the passage of time since the capture of a Biometric Information sample, or relevant demographic, physical, or other traits of the individual to whom Biometric Information pertains (such as race, ethnicity, sex, gender, age, or disability, alone or in combination); and 10 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 18 of 138 e. The requirements of this Order; 3. Documenting, for each Output, any Respondent's determination of whether the Output is Inaccurate and any actions that Operators take in whole or in part because of the Output; 4. 
Periodically, and at least annually, reviewing actions taken by any Operators in response to Outputs, updating the content of training for Operators to address systemic Operator errors identified by periodic reviews, and, if there is reason to believe that an Operator's operation of the Automated Biometric Security or Surveillance System increases risk to consumers, or if an Operator fails to comply with the requirements of this Order, terminating such Operator's operation of the Automated Biometric Security or Surveillance System; 5. Developing, implementing, and maintaining policies and procedures designed to ensure that Respondents have a reasonable basis for enrolling each consumer's Biometric Information in any Gallery; 6. Implementing and maintaining policies and procedures to ensure that samples of Biometric Information used in connection with the Automated Biometric Security or Surveillance System do not increase the likelihood of Inaccurate Outputs, including by: a. Developing, implementing, and enforcing written quality standards for Biometric Information to be used in connection with the Automated Biometric Security or Surveillance System, taking into account the nature of the Automated Biometric Security or Surveillance System, the manner in which the Biometric Information is captured, and characteristics of Biometric Information that could affect the accuracy of the Automated Biometric Security or Surveillance System; b. 
To the extent that deployment of the Automated Biometric Security or Surveillance System entails the creation of a Gallery, periodically, and at least monthly, reviewing such Gallery to identify and, as soon as practicable, remove samples of Biometric Information that (1) have been associated with two or more Inaccurate Outputs, including Outputs that were determined to be Inaccurate based on investigations conducted in response to consumer complaints pursuant to sub-Provision IV.C of this Order; (2) do not meet the quality standards referenced in sub-Provision III.D.6.a; (3) are required to be deleted pursuant to Provision V of this Order, entitled \"Required Retention Limits for Biometric Information;\" or (4) have been enrolled without a reasonable basis or in violation of policies and procedures implemented pursuant to sub-Provision III.D.5; 11 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 19 of 138 c. Periodically, and at least annually, reviewing the means by which Biometric Information to be used in connection with the Automated Biometric Security or Surveillance System is captured, including the extent to which any software or hardware used to collect Biometric Information is functioning properly and are consistently capturing samples of Biometric Information that meet the quality standards developed and implemented pursuant to sub-Provision III.D.6.a and are not otherwise contributing to the generation of Inaccurate Outputs; and 7. Conducting documented testing of the Automated Biometric Security or Surveillance System prior to deployment and at least once every twelve (12) months thereafter. Such testing must be conducted with the Affirmative Express Consent of individuals whose Biometric Information will be used for testing and must: a. 
Be conducted under conditions that materially replicate the conditions under which the Automated Biometric Security or Surveillance System is actually used, taking into account factors that affect the accuracy of the type of Automated Biometric Security or Surveillance System to be tested, the means by which Biometric Information to be used in connection with the Automated Biometric Security or Surveillance System is captured, and the roles of Operators; b. Determine the rate at which the Automated Biometric Security or Surveillance System’s Outputs are Inaccurate, including by assessing the extent to which the Outputs can be verified using evidence or information other than an Output of an Automated Biometric Security or Surveillance System. For example, if an Output indicates the identity of an individual, the Output is verified if it is corroborated by a review of government- issued identification documents; c. Identify factors that cause or contribute to Inaccurate Outputs; and d. Assess and measure any statistically significant variation in the Automated Biometric Security or Surveillance System’s rate of Inaccurate Outputs depending on demographic characteristics of the consumers whose Biometric Information is analyzed or used, such as race, ethnicity, sex, gender, age, or disability (alone or in combination).\n\nE. Evaluate and adjust the Program in light of any circumstance that Respondents know or have reason to know may materially affect the Program’s effectiveness. At a minimum, every twelve (12) months, each Covered Business must evaluate the effectiveness of the Program in light of the System Assessment and the results of all monitoring, testing, and documentation conducted pursuant to the Program. 
Respondents must implement modifications to substantially and timely remediate any identified risks that consumers may experience physical, financial, or reputational injury, stigma, or severe emotional 12 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 20 of 138 distress, including in connection with communications of the Outputs to law enforcement or other third parties, taking into account the extent to which such harms are likely to disproportionately affect particular demographics of consumers based on race, ethnicity, gender, sex, age, or disability (alone or in combination);\n\nF. Provide the written System Assessment and Program, and any evaluations thereof or updates thereto, to Respondents’ board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondents responsible for the Program at least once every twelve (12) months; and\n\nG. Not deploy or discontinue deployment of an Automated Biometric Security or Surveillance System if: 1. Respondents do not possess competent and reliable scientific evidence that is sufficient in quality and quantity based on standards generally accepted in the relevant scientific fields, when considered in light of the entire body of relevant and reliable scientific evidence, to substantiate that Outputs of the Automated Biometric Security or Surveillance System are likely to be accurate. For purposes of this Provision III, competent and reliable scientific evidence means tests, analyses, research, or studies that have been conducted and evaluated in an objective manner by qualified persons and are generally accepted in the profession to yield accurate and reliable results; or 2. Respondents have reason to believe, taking into account the System Assessment, the Program, all consumer complaints, and all monitoring, testing, documentation, and evaluations conducted pursuant to the Program, that: a. 
Respondents’ use of the Automated Biometric Security or Surveillance System creates or contributes to a risk that Inaccurate Outputs will cause consumers to experience substantial physical, financial, or reputational injury, discrimination based on race, ethnicity, gender, sex, age, or disability, stigma, or severe emotional distress to consumers, including in connection with communications of the Outputs to law enforcement or other third parties, taking into account the extent to which such harms are likely to disproportionately affect consumers based on race, ethnicity, gender, sex, age, or disability; and b. The identified risks are not substantially and timely eliminated by modifications to the Program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "IV",
      "title": "Mandatory Notice and Complaint Procedures for Automated Biometric Security or Surveillance Systems",
      "category": "affirmative_obligation",
      "summary": "Before using any Automated Biometric Security or Surveillance System, Respondents must establish and maintain procedures providing consumers with notice of Gallery enrollment and Output-based actions, and a process for submitting and responding to complaints.",
      "verbatim_text": "A. Provide written notice to all consumers who will have their Biometric Information enrolled in any Gallery used in conjunction with an Automated Biometric Security or Surveillance System, unless Respondents are unable to provide the notice due to safety concerns or the nature of a security incident that forms the basis for enrollment. Respondents shall provide such notice prior to or promptly after enrollment, and the notice shall include: 1. An explanation for the reasonable basis (as described in sub-Provision III.D.5) for enrollment in the Gallery, including a description of any security incident that provided that basis; 2. Instructions about how to obtain a copy of the sample of Biometric Information that was collected in order to enroll the consumer, which Respondents must make available upon request so long as Respondents retain said sample; 3. The length of time for which Respondent will retain the consumer’s Biometric Information in the Gallery; and 4. An email address, online form, mailing address, and telephone number to which consumers can direct complaints or inquiries about their enrollment in the Gallery; the Automated Biometric Security or Surveillance System; or retention of their Biometric Information.\n\nB. Provide written notice to all consumers with respect to whom Respondents, in connection with an Output, take an action that could result in physical, financial, or reputational harm to the consumers, including in connection with communications of the Output to law enforcement or other third parties, unless Respondents are unable to provide the notice due to safety concerns or the nature of a security incident relating to the Output. Respondents shall provide such notice prior to taking, or, if prior notice is infeasible, at the time of taking an action, and the notice shall include: 1. The date, approximate time, and location of the Output; 2. 
A description of the action or actions taken; 14 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 22 of 138 3. An explanation of how that action relates to the Output; and 4. An email address, online form, mailing address, and telephone number to which consumers can direct complaints or inquiries about the Output; the Automated Biometric Security or Surveillance System that generated the Output; or the use, sharing, or retention of their Biometric Information.\n\nC. Investigate each complaint to (1) determine whether the relevant Output was an Inaccurate Output, and, if so, identify any factors that likely contributed to the generation of an Inaccurate Output; and (2) assess whether Operators responded to the Output in a manner that was appropriate and consistent with the requirements of this Order; and\n\n1. Within seven (7) days of receiving the complaint, providing written confirmation of receipt to the consumer who submitted the complaint. Such written confirmation should be provided using the same means of communication that the consumer used to submit the complaint, or by another means selected by the consumer during the complaint submission process, and should state that Respondents will investigate the consumer’s complaint and provide its conclusions within thirty (30) days;\n\n2. Within thirty (30) days of providing the written confirmation, providing a written response to the consumer who submitted the complaint. Such written response must be provided using the same means of communication as the written confirmation and must (1) state whether the Output was determined to be an Inaccurate Output and the basis for such a determination; and (2) describe in general terms actions taken in response to the complaint.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "V",
      "title": "Required Retention Limits for Biometric Information",
      "category": "affirmative_obligation",
      "summary": "Before implementing any Automated Biometric Security or Surveillance System, Respondents must develop and implement a written retention schedule for each type of consumer Biometric Information, setting out purposes, a deletion timeframe of no greater than five years, and the basis for that timeframe.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, for any Covered Business, in connection with the operation of any retail store, retail pharmacy, or online retail platform must, prior to implementing any Automated Biometric Security or Surveillance System, develop and implement, for each type of Biometric Information from or about consumers of such physical retail location or online retail platform that is collected in whole or in part for use in connection with any Automated Biometric Security or Surveillance System, a written retention schedule setting forth: A. All purposes and business needs for which the Covered Business collects or uses the type of Biometric Information; B. A timeframe for deletion of the Biometric Information that is no greater than five (5) years, except to the extent that retention beyond five years is required by law or Respondents have obtained Affirmative Express Consent for the retention within the 15 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 23 of 138 previous five (5) years, and precludes retention beyond what is reasonably necessary to achieve the purpose or purposes and serve the business needs for which it was collected; and C. The basis for the timeframe for deletion of the Biometric Information, including any foreseeable effect on the likelihood of Inaccurate Outputs of the passage of time since a given sample of the type of Biometric Information was collected or enrolled in a Gallery.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "VI",
      "title": "Disclosure of Automated Biometric Security or Surveillance Systems",
      "category": "affirmative_obligation",
      "summary": "Within 30 days of the effective date, Respondents must post Clear and Conspicuous notices in each retail location and on each website/app/online service disclosing their use of Automated Biometric Security or Surveillance Systems, including types of biometric data collected, outputs generated, purposes, and deletion timeframes.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, for any Covered Business, in connection with the operation of any retail store, retail pharmacy, or online retail platform, must, within thirty (30) days after the effective date of this Order, post Clear and Conspicuous notices disclosing the Covered Business’s use of any Automated Biometric Security or Surveillance System in connection with Biometric Information collected from or about consumers of the physical retail location or online retail platform. Such notices must be posted in each physical retail location, and on each website, mobile application, or online service on or through which Biometric Information from or about consumers is collected or used in whole or in part for the purpose of operating an Automated Biometric Security or Surveillance System, and must include, as to each such location, website, mobile application, or online service: A. The specific types of Biometric Information that are collected in whole or in part for the purpose of operating an Automated Biometric Security or Surveillance System; B. The types of Outputs that are generated by the Automated Biometric Security or Surveillance Systems; C. All purposes for which the Covered Business uses each Automated Biometric Security or Surveillance System or its Outputs, including actions that the Covered Business may take on the basis of Outputs; and D. The timeframe for deletion of each type of Biometric Information used, as established pursuant to Provision V of this Order, entitled “Required Retention Limits for Biometric Information.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "VII",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner the extent to which they maintain and protect the privacy, security, confidentiality, or integrity of Covered Information.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication, the extent to which Respondents maintain and protect the privacy, security, confidentiality, or integrity of Covered Information, including, but not limited to, misrepresentations related to: A. Respondents’ privacy and security measures to prevent unauthorized access to Covered Information; 16 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 24 of 138 B. Respondents’ privacy and security measures to honor the privacy choices exercised by consumers; C. Respondents’ collection, maintenance, use, disclosure, or deletion of Covered Information; or D. The extent to which Respondents make or have made Covered Information accessible to any third parties.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "VIII",
      "title": "Mandated Information Security Program for Covered Businesses",
      "category": "affirmative_obligation",
      "summary": "Within 90 days of the effective date, Respondents must establish, implement, and maintain a comprehensive Information Security Program protecting the security, confidentiality, and integrity of Covered Information, including extensive safeguards, vendor management, and ongoing risk assessments.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, for any Covered Business, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must each, within 90 days of the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Covered Information. To satisfy this requirement, each Covered Business must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written Information Security Program and any evaluations thereof or updates thereto to the Covered Business’ board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of the Covered Business responsible for the Covered Business’s Information Security Program at least once every twelve (12) months and promptly (not to exceed 30 days) after a Covered Incident affecting 500 or more consumers;\n\nC. Designate a qualified employee or employees, who report(s) directly to the Executive Leadership Team (including the Chief Executive Officer, Chief Information Officer, and Chief Legal Officer) to coordinate and be responsible for the Information Security Program and keep the Executive Leadership Team and Board of Directors informed of the Information Security Program, including all actions and procedures implemented to comply with the requirements of this Order, and any actions and procedures to be implemented to ensure continued compliance with this Order;\n\nD. 
Assess and document, at least once every twelve (12) months and promptly (not to exceed 30 days) following a Covered Incident affecting 100 or more consumers, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in the (1) unauthorized collection, maintenance, alteration, destruction, use, disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Covered Businesses identify to the security, confidentiality, or integrity of Covered Information identified in response to sub-Provision D of this Provision. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, alteration, destruction, use, disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, or other compromise of such information. Such safeguards must also include: 1. Training of all employees, at least once every twelve (12) months, on how to safeguard Covered Information including, for information security personnel, security updates and training sufficient to address relevant security risks, and verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures; 2. Documenting in writing the content, implementation, and maintenance of an incident response plan designed to ensure the identification of, investigation of, and response to the unauthorized access to Covered Information. Respondents shall revise and update this incident response plan to adapt to material changes to their assets or networks; 3. 
Implementing technical measures to log and monitor all networks and assets for anomalous activity and active threats. Such measures shall require Respondents to determine baseline system activity and identify and respond to anomalous events and unauthorized attempts to access or exfiltrate Covered Information; 4. Policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures; 5. Implementing data access controls for all assets (including databases) storing Covered Information and technical measures, policies, and procedures to minimize or prevent online attacks resulting from the misuse of valid credentials, including: (a) restricting inbound and outbound connections; (b) requiring and enforcing strong passwords or other credentials; (c) preventing the reuse of known compromised credentials to access Covered Information; (d) implementing automatic password resets for known compromised credentials; and (e) limiting employee access to what is needed to perform that employee’s job function; 6. Requiring multi-factor authentication methods for all employees, contractors, and affiliates in order to access any assets (including databases) storing Covered Information. Such multi-factor authentication methods for all employees, contractors, and affiliates should not include telephone or SMS-based authentication methods and must be resistant to phishing attacks. Respondents may use equivalent, widely adopted industry authentication options that are not multi-factor, if the person responsible for the Information Security Program under sub-Provision C of this Provision: (1) approves in writing the use of such equivalent authentication options; and (2) documents a written explanation of how the authentication options are widely adopted and at least equivalent to the security provided by multi-factor authentication; 7. 
Developing and implementing configuration standards to harden system components against known threats and vulnerabilities. New system components shall not be granted access to any Covered Businesses’ network, resources, or Covered Information until they meet Respondents’ configuration standards; 8. Encryption of, at a minimum, all Social Security numbers, passport numbers, financial account information, tax information, dates of birth associated with a user’s account, Health Information, and user account credentials while in transit or at rest on each Covered Businesses’ computer networks, including but not limited to cloud storage; 9. Policies and procedures to ensure that all networks, systems, and assets with access to Covered Information within the Covered Businesses’ custody or control are securely installed and inventoried at least once every twelve (12) months; 10. Implementing vulnerability and patch management measures, policies, and procedures that (a) require confirmation that any directives to apply patches or remediate vulnerabilities are received and completed and (b) include timelines for addressing vulnerabilities that account for the severity and exploitability of the risk implicated; and 11. Enforcing policies and procedures to ensure the timely investigation of data security events and the timely remediation of critical and high-risk security vulnerabilities.\n\nF. Assess, at least once every twelve (12) months and promptly (not to exceed 30 days) following a Covered Incident affecting 100 or more consumers, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Covered Information, and modify the Information Security Program based on the results;\n\nG. 
Test and monitor the effectiveness of the safeguards in place at least once every twelve (12) months and promptly (not to exceed 30 days) following a Covered Incident affecting 100 or more consumers, and modify the Information Security Program based on the results as necessary. Such testing and monitoring must include: (1) vulnerability testing of each Covered Business’ network and applications once every four (4) months and promptly (not to exceed 30 days) after a Covered Incident; and (2) penetration testing of each Covered Business’ network(s) and applications at least once every twelve (12) months and promptly (not to exceed 30 days) after a Covered Incident;\n\nH. Evaluate and adjust the Information Security Program in light of any material changes to a Covered Business’ operations or business arrangements, a Covered Incident affecting 100 or more consumers, new or more efficient technological or operational methods to control for the risks identified in sub-Provision D of this Provision, or any other circumstances that a Covered Business or its officers, agents, or employees know or have reason to know may have a material impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, each Covered Business must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program, if appropriate, based on the results;\n\nI. Select and retain Vendors capable of safeguarding Covered Information they access through or receive from each Covered Business, including by implementing and maintaining a uniform process that is fully documented in writing to conduct risk assessments for each Vendor, and contractually require Vendors to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information. 
The uniform process must include a review and analysis of the information and documentation obtained about each Vendor pursuant to this Provision. The level of the assessment for each Vendor should be commensurate with the risk it poses to the security of Covered Information;\n\nJ. Require each Vendor agree by contract (upon renewal or new engagement or, in any event, within 180 days of the effective date of this Order) to: 1. Develop and implement policies and procedures for the prompt remediation and investigation of any incident that results in the Vendor or Covered Business notifying, pursuant to an applicable statutory or regulatory requirement, any U.S. federal, state, or local government entity that information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization; and 2. Notify the Covered Business in writing as soon as possible, and in any event no later than seventy-two (72) hours, if the Vendor has reason to believe that any person has accessed, exfiltrated, or otherwise obtained without authorization Covered Information that the Vendor obtained from the Covered Business.\n\nK. Obtain or possess for each Vendor, within 180 days of the effective date of this Order, documentation regarding the Vendor’s information security program that is material to the security of Covered Information within the possession, custody, or control of the Covered Business, including, without limitation, documentation of the Vendor’s cybersecurity risk assessment conducted within the last twelve (12) months. The Covered Business must be in possession of such documentation before it provides the Vendor with access to Covered Information;\n\nL. Determine in writing, at least once every twenty-four (24) months, whether there has been a material change to the Vendor’s information security program. 
If there has been a material change, the Covered Business must obtain or possess new documentation regarding the Vendor’s information security program that is material to the security of Covered Information within the possession, custody, or control of the Covered Business;\n\nM. Maintain in one or more central repositories all documentation about or provided by each Vendor pursuant to sub-Provisions J, K, and L of this Provision, including but not limited to each contract with a Vendor, for a period of five (5) years from when it was obtained or provided. This sub-Provision is in addition to and not in lieu of the Provision entitled Recordkeeping;\n\nN. At least once every twenty-four (24) months, and promptly following a Covered Incident affecting 100 or more consumers involving a Vendor or determination of a material change to a Vendor’s information security program under sub-Provision L of this Provision, conduct written reassessments of each Vendor (or, in the case of a Covered Incident affecting 100 or more consumers, each relevant Vendor) to determine the continued adequacy of their safeguards to control the internal and external risks to the security of Covered Information and document the basis for the Covered Business’s determination as to whether each Vendor’s safeguards are adequate. The level of the assessment for each Vendor should be commensurate with the risk it poses to the security of Covered Information; and\n\nO. Maintain in one or more central repositories all documentation created by the Covered Business pursuant to sub-Provision N of this Provision for a period of five (5) years from when it was created. This sub-Provision is in addition to and not in lieu of the Provision entitled Recordkeeping.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "IX",
      "title": "Third Party Information Security Assessments for Covered Businesses",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial independent third-party assessments of their Information Security Program, covering the first 180 days after the Program is established and every two years thereafter for 20 years.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; and (3) retains all documents relevant to each Assessment for 5 years after completion of such Assessment and will provide such documents to the Commission within 10 days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Respondents must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in their sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the Mandated Information Security Program for Covered Businesses required by Provision VIII of this Order has been put in place for the initial Assessment; and (2) each two-year period thereafter for 20 years after issuance of the Order for the biennial Assessments.\n\nD. Each Assessment must, for the entire assessment period: 1. Determine whether Respondents have implemented and maintained the Information Security Program required by the Provision entitled Mandated Information Security Program for Covered Businesses; 2. Assess the effectiveness of Respondents’ implementation and maintenance of sub- Provisions A-O of the Provision entitled Mandated Information Security Program for Covered Businesses; 3. Identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; 4. 
Address the status of gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and 5. Identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of the business’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondents’ management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondents’ management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent any Respondent revises, updates, or adds one or more safeguards required under the Provision entitled Mandated Information Security Program for Covered Businesses in the middle of an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondents must submit an unredacted copy of the initial Assessment and a proposed redacted copy suitable for public disclosure of the initial Assessment to the Commission within 10 days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. 
Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Rite Aid Corporation, FTC File No. C-4308.” Respondents must retain an unredacted copy of each subsequent biennial Assessment as well as a proposed redacted copy of each subsequent biennial Assessment suitable for public disclosure until the Order is terminated and must provide each such Assessment to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “Information Security Program Assessment” in red lettering.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "X",
      "title": "Cooperation with Third-Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondents must fully cooperate with the Assessor by providing all relevant information, disclosing network and IT asset details, and not misrepresenting any material facts to the Assessor.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Assessor information about Respondents’ networks and all of Respondents’ information technology assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the networks and information technology assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondents have implemented and maintained the Mandated Information Security Program for Covered Businesses; (2) assessment of the effectiveness of the Respondents’ implementation and maintenance of sub-Provisions A-O of the required Mandated Information Security Program for Covered Businesses; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Mandated Information Security Program for Covered Businesses.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "XI",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "One year after issuance, and each year thereafter, Respondents must provide the FTC with a sworn certification from a senior executive confirming compliance with the Order, absence of uncorrected/undisclosed material noncompliance, and a description of all qualifying Covered Incidents during the certified period.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from Corporate Respondents’ Chief Executive Officer, ___________, or if Mr./Ms. ______ no longer serves as Respondents’ Chief Executive Officer, President, or such other officer (regardless of title) that is designated in that Respondent’s Bylaws or resolution of the Board of Directors as having the duties of the principal executive officer of Respondent, then a senior corporate manager, or, if no such senior corporate manager exists, a senior officer responsible for Respondents’ 23 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 31 of 138 Information Security Program that: (1) each Covered Business has established, implemented, and maintained the requirements of this Order; (2) each Covered Business is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents affecting 100 or more consumers that Respondents verified or confirmed during the certified period. The certification must be based on the personal knowledge of Mr./Ms.________, the senior corporate manager, senior officer, or subject matter experts upon whom Mr./Ms.________, the senior corporate manager, or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Rite Aid Corporation, FTC File No. C-4308.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "XII",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 10 days of notifying any U.S. government entity of a Covered Incident affecting 500 or more consumers, Respondents must submit a detailed report to the FTC.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within 10 days of any notification to a United States federal, state, or local entity of a Covered Incident affecting 500 or more consumers, Respondents, for any Covered Business, must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known; C. A description of each type of information that was affected by the Covered Incident; D. The number of consumers whose information was affected by the Covered Incident; E. The acts that each Covered Business has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of each materially different notice sent by each Covered Business to consumers or to any U.S. federal, state, or local government entity regarding the Covered Incident.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of 24 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 32 of 138 Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Rite Aid Corporation, FTC File No. C-4308.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "XIII",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondents must submit acknowledgment of receipt of the Order within 10 days, deliver copies to all principals, officers, directors, subsidiaries, and relevant employees, and obtain signed acknowledgments within 30 days of delivery.",
      "verbatim_text": "A. Each Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, each Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all of Respondents’ current and future subsidiaries that own, control, or operate one or more stores or online retail platforms; (3) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (4) any business entity resulting from any change in structure as set forth in the Provision entitled Compliance Reports and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondents delivered a copy of this Order, Respondents must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "XIV",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit annual compliance reports, compliance notices within 14 days of changes in contact information or corporate structure, and bankruptcy filing notices within 14 days of filing.",
      "verbatim_text": "A. One year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which each Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of that Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how that Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission;\n\nB. Each Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in (a) any designated point of contact; or (b) the 25 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 33 of 138 structure of such Respondent or any entity that such Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order;\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within fourteen (14) days of its filing;\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature;\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Rite Aid Corporation, FTC File No. C-4308”.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "XV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create certain records for 20 years after issuance and retain each for five years, including accounting records, personnel records, consumer complaints, compliance records, System Assessment materials, security representations, Assessor materials, law enforcement subpoenas, and noncompliance records.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints concerning the subject matter of this Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission;\n\nE. For five (5) years after the date of preparation of each System Assessment required by this Order, all materials relied upon to prepare the System Assessment, including all 26 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 34 of 138 plans, test results, reports, studies, reviews, audits, policies, training materials, and assessments, and any other materials concerning Respondents’ compliance with related Provisions of this Order, for the compliance period covered by such System Assessment;\n\nF. A copy of each widely disseminated and materially different representation by Defendants that describes the extent to which Defendants maintains or protects the privacy, security, availability, confidentiality, or integrity of any Covered Information, including any representation concerning a change in any website or other service controlled by Respondents that relates to privacy, security, availability, confidentiality, or integrity of Covered Information;\n\nG. 
For five (5) years after the date of preparation of each Assessment by the Assessor, as those terms are defined in Provision IX, all materials and evidence that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nH. For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondents’ compliance with this Order; and\n\nI. For five (5) years from the date created or received, all records, whether prepared by or on behalf of a Respondent, that tend to show any lack of compliance by a Respondent with this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "XVI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor Respondents' compliance through requests for reports and records, depositions, discovery, direct communications, interviews, and undercover methods, with Respondents obligated to respond within 14 days of written requests.",
      "verbatim_text": "A. Within fourteen (14) days of receipt of a written request from a representative of the Commission, each Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce records for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with each Respondent. Respondents must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its 27 Case 2:23-cv-05023-KBH Document 19 Filed 02/26/24 Page 35 of 138 representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "XVII",
      "title": "Modification of Original Decision and Order",
      "category": "affirmative_obligation",
      "summary": "This Decision and Order supersedes and replaces the Commission's 2010 Decision and Order in In re Rite Aid Corporation, C-4308.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Decision and Order supersedes the Decision and Order the Commission previously issued in In re Rite Aid Corporation, C-4308, 150 F.T.C. 694 (Nov. 12, 2010).",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Data Security"
      ],
      "remedy_types": [
        "Other"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "XVIII",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and terminates 20 years from issuance or 20 years from the most recent federal court complaint alleging a violation, whichever is later, with specified exceptions for individual provisions, non-defendant respondents, and dismissed complaints.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "03.24_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2024-03-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "2:23-cv-05023"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against False or Misleading Representations About Personal Information",
      "category": "prohibition",
      "summary": "Respondent is prohibited from making any false or misleading representation, express or implied, regarding the collection, use, or disclosure of personally identifiable information from consumers.",
      "verbatim_text": "IT IS ORDERED that Respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the collection of personally identifiable information from or about consumers, shall not make, expressly or by implication, any false or misleading representation regarding the collection, use, or disclosure of personally identifiable information.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.05_vision_i_properties",
      "company_name": "Vision I Properties, LLC",
      "date_issued": "2005-04-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter",
      "docket_number": "C-4135"
    },
    {
      "provision_number": "II",
      "title": "Prohibition on Disclosure of Pre-Order Consumer Information for Marketing",
      "category": "prohibition",
      "summary": "Respondent must not sell, rent, or disclose to any third party for marketing purposes any personally identifiable information collected from consumers prior to the date of service of this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, directly or through any corporation, subsidiary, division, or other device, shall not sell, rent, or disclose to any third party for marketing purposes any personally identifiable information that was collected from consumers through shopping cart software used at a merchant customer’s Web site prior to the date of service of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.05_vision_i_properties",
      "company_name": "Vision I Properties, LLC",
      "date_issued": "2005-04-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter",
      "docket_number": "C-4135"
    },
    {
      "provision_number": "III",
      "title": "Conditional Prohibition on Disclosure of Post-Order Consumer Information for Marketing",
      "category": "prohibition",
      "summary": "Respondent must not sell, rent, or disclose post-Order consumer information for marketing purposes unless it first provided the merchant customer a clear written notice and obtained written certification, or provided a clear disclosure directly to consumers about Respondent's data practices.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, directly or through any corporation, subsidiary, division, or other device, shall not sell, rent, or disclose to any third party for marketing purposes any personally identifiable information collected from consumers through shopping cart or other software used at a merchant customer’s Web site after the date of service of this Order unless, prior to the date such information was collected, Respondent took one of the following two actions: 3 A. Provided to the merchant customer a clear and conspicuous written notice of its information practices and obtained from the merchant customer a written certification stating: (1) that the merchant customer received such notice; and (2) either (a) that its posted privacy policy states that consumers’ information may be sold, rented, or disclosed to third parties, or (b) that it provides a clear and conspicuous disclosure, before any personally identifiable information is collected from consumers through Respondent’s shopping cart or other software, stating that the consumer is leaving the merchant customer’s Web site and entering Respondent’s Web site, and that Respondent’s site is governed by Respondent’s own privacy policy. The written notice to merchants required by this Paragraph shall be labeled \"Important Notice to Merchants from CartManager\" and must: (1) state that Respondent intends to sell, rent, or disclose such information; (2) identify the types or categories of any entities to which such information will be disclosed; (3) advise the merchant customer that it may be liable for any misrepresentations it makes about the use or disclosure of information collected from consumers at its Web site, including through software used at the site; and (4) contain no other information;\n\nB. 
Provided a clear and conspicuous disclosure on the page(s) through which it collected such information stating: (1) that the consumer is on Respondent’s Web site, and (2) that information provided by the consumer to Respondent will be used, sold, rented, or disclosed to third parties for marketing purposes.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.05_vision_i_properties",
      "company_name": "Vision I Properties, LLC",
      "date_issued": "2005-04-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter",
      "docket_number": "C-4135"
    },
    {
      "provision_number": "IV",
      "title": "Monetary Disgorgement Payment",
      "category": "affirmative_obligation",
      "summary": "Respondent must pay $9,101.63 to the United States Treasury as disgorgement within five days of service of this Order, with interest accruing on any default balance.",
      "verbatim_text": "IT IS FURTHER ORDERED that within five (5) days of the date of service of this Order, Respondent shall pay $9,101.63 to the United States Treasury as disgorgement. Such payment shall be by cashier’s check or certified check made payable to the Treasurer of the United States.\n\nIn the event of any default in payment, which default continues for more than ten (10) days beyond the due date of payment, Respondent shall also pay interest as computed under 28 U.S.C. § 1961, which shall accrue on the unpaid balance from the date of default until the date the balance is fully paid.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "04.05_vision_i_properties",
      "company_name": "Vision I Properties, LLC",
      "date_issued": "2005-04-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter",
      "docket_number": "C-4135"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents demonstrating compliance with the Order, including privacy statements, merchant notices and certifications, and records of third-party disclosures.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent Vision One and its successors and assigns shall, for a period of five (5) years after the last date of dissemination of any representation covered by this Order, maintain and upon request make available to the Federal Trade Commission for inspection and copying a print or electronic copy of all documents demonstrating their compliance with the terms and provisions of this Order, including, but not limited to: A. A sample copy of each different privacy statement or communication relating to the collection of personally identifiable information containing representations about how personally identifiable information will be used and/or disclosed. Each Web page copy shall be dated and contain the full URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting the information on the Web; provided, however, that after creation of any Web page or screen in compliance with this Order, Respondent shall not be required to retain a print or electronic copy of any amended Web page or screen to the extent that the amendment does not affect Respondent’s compliance obligations under this Order;\n\nB. A sample copy of each different document containing the disclosures required by Part III.A. of this Order; a list of all merchant customers who received each different document containing such disclosures; all communications by merchant customers in response to such disclosures, including all written certifications received pursuant to Part III.A. and any complaints received from merchant customers; and a sample copy of each different document containing the disclosures required by Part III.B.; and\n\nC. All invoices, communications, and records relating to the disclosure to third parties of personally identifiable information collected through merchant customer Web sites.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.05_vision_i_properties",
      "company_name": "Vision I Properties, LLC",
      "date_issued": "2005-04-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter",
      "docket_number": "C-4135"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the Order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, and obtain signed, dated acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent Vision One and its successors and assigns shall deliver a copy of this Order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of this Order, and shall secure from each such person a signed and dated statement acknowledging receipt of the Order. Respondent shall deliver this Order to such current personnel within thirty (30) days after the date of service of this Order, and to such future personnel within thirty (30) days after the person assumes such\n\nthis Order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.05_vision_i_properties",
      "company_name": "Vision I Properties, LLC",
      "date_issued": "2005-04-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter",
      "docket_number": "C-4135"
    },
    {
      "provision_number": "VII",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this Order, including dissolution, sale, merger, bankruptcy filings, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent Vision One and its successors and assigns shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this Order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which Respondent learns less than thirty (30) days prior to the date such action is to take place, Respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nchange in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which Respondent learns less than thirty (30) days prior to the date such action is to take place, Respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.05_vision_i_properties",
      "company_name": "Vision I Properties, LLC",
      "date_issued": "2005-04-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter",
      "docket_number": "C-4135"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within sixty days of service of this Order, and at such other times as the FTC may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent Vision One and its successors and assigns shall, within sixty (60) days after service of this Order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.05_vision_i_properties",
      "company_name": "Vision I Properties, LLC",
      "date_issued": "2005-04-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter",
      "docket_number": "C-4135"
    },
    {
      "provision_number": "IX",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The Order terminates on April 19, 2025, or twenty years from the most recent date a complaint alleging an Order violation is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This Order will terminate on April 19, 2025, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this Order that terminates in less than twenty (20) years; B. This Order’s application to any respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Part as though the complaint had 6 never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.05_vision_i_properties",
      "company_name": "Vision I Properties, LLC",
      "date_issued": "2005-04-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter",
      "docket_number": "C-4135"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner, expressly or by implication, the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of personal information collected from consumers.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the online advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent maintains and protects the privacy, confidentiality, security, or integrity of any personal information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.07_guidance_software",
      "company_name": "Guidance Software, Inc.",
      "date_issued": "2007-04-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter",
      "docket_number": "C-4187"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive information security program, fully documented in writing, with administrative, technical, and physical safeguards appropriate to the sensitivity of personal information collected.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, Page 2 of 6 or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the development and use of reasonable steps to retain service providers capable of appropriately safeguarding personal information they receive from respondent, requiring service providers by contract to implement and maintain appropriate safeguards, and monitoring their safeguarding of personal information.\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "04.07_guidance_software",
      "company_name": "Guidance Software, Inc.",
      "date_issued": "2007-04-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter",
      "docket_number": "C-4187"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments from a qualified, independent professional covering the first 180 days after service of the order and each two-year period thereafter for ten years.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, using procedures and standards generally Page 3 of 6 accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order for the biennial Assessments.\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by Paragraph II of this order; and\n\nD. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 
20580.\n\nRespondent shall provide the initial Assessment, as well as all: plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be\n\n(10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "04.07_guidance_software",
      "company_name": "Guidance Software, Inc.",
      "date_issued": "2007-04-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter",
      "docket_number": "C-4187"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC documents relating to compliance, including documents contradicting compliance for five years and all materials relating to biennial Assessments for three years after preparation of each Assessment.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of each document relating to compliance, including but not limited to: A. for a period of five (5) years: any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this Page 4 of 6 order; and\n\nB. for a period of three (3) years after the date of preparation of each biennial Assessment required under Paragraph III of this order: all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relating to respondent’s compliance with Paragraphs II and III of this order for the compliance period covered by such biennial Assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.07_guidance_software",
      "company_name": "Guidance Software, Inc.",
      "date_issued": "2007-04-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter",
      "docket_number": "C-4187"
    },
    {
      "provision_number": "V",
      "title": "Order Delivery and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with managerial responsibilities related to the order's subject matter, within specified timeframes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes\n\nservice of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.07_guidance_software",
      "company_name": "Guidance Software, Inc.",
      "date_issued": "2007-04-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter",
      "docket_number": "C-4187"
    },
    {
      "provision_number": "VI",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, sale, name change, or bankruptcy filing.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\na bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.07_guidance_software",
      "company_name": "Guidance Software, Inc.",
      "date_issued": "2007-04-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter",
      "docket_number": "C-4187"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 180 days after service of the order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within one hundred and eighty (180) days after service of this order, and at such other times as the Commission may require, file with the Commission an initial report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.07_guidance_software",
      "company_name": "Guidance Software, Inc.",
      "date_issued": "2007-04-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter",
      "docket_number": "C-4187"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "This order terminates on March 30, 2027, or twenty years from the most recent date the FTC files a complaint alleging any violation of the order in federal court, whichever is later.",
      "verbatim_text": "This order will terminate on March 30th, 2027, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes Page 5 of 6 later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Paragraph in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Paragraph. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Paragraph as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.07_guidance_software",
      "company_name": "Guidance Software, Inc.",
      "date_issued": "2007-04-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter",
      "docket_number": "C-4187"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner, expressly or by implication, the extent to which they maintain and protect the privacy, confidentiality, or integrity of personal information collected from consumers.",
      "verbatim_text": "IT IS ORDERED that respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the collection of personally identifiable information from or about consumers, in or affecting commerce, shall not misrepresent in any manner, 2 expressly or by implication, the extent to which respondents maintain and protect the privacy, confidentiality, or integrity of any personal information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.08_life_is_good_and_life_is_good_retail",
      "company_name": "Life is good, Inc.",
      "date_issued": "2008-04-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter",
      "docket_number": "C-4218"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish, implement, and maintain a comprehensive information security program with specific administrative, technical, and physical safeguards, fully documented in writing, no later than the date of service of the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondents’ size and complexity, the nature and scope of respondents’ activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to, (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, and (3) prevention, detection, and response to attacks, intrusions, or other systems failure;\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to retain service providers capable of appropriately safeguarding personal information they receive from respondents, requiring service providers by contract to implement and maintain appropriate safeguards, and monitoring their safeguarding of personal information; and\n\nE. the evaluation and adjustment of respondents’ information security program in light of the results of the testing and monitoring required by subpart C, any material changes to respondents’ operations or business arrangements, or any other circumstances that respondents know or have reason to know may have a material impact on the effectiveness of their information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "04.08_life_is_good_and_life_is_good_retail",
      "company_name": "Life is good, Inc.",
      "date_issued": "2008-04-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter",
      "docket_number": "C-4218"
    },
    {
      "provision_number": "III",
      "title": "Biennial Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial third-party security assessments from a qualified independent professional, covering specific criteria, with the initial assessment provided to the FTC within 10 days of completion.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with their compliance with Part II of this order, respondents shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondents have implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondents’ size and complexity, the nature and scope of respondents’ activities, and the sensitivity of the personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this order; and D. certify that respondents’ security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 
20580.\n\nRespondents shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondents until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "04.08_life_is_good_and_life_is_good_retail",
      "company_name": "Life is good, Inc.",
      "date_issued": "2008-04-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter",
      "docket_number": "C-4218"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must maintain and make available to the FTC compliance-related documents for specified periods, and provide them within 10 days of request.",
      "verbatim_text": "A. for a period of five (5) years, any documents, whether prepared by or on behalf of either respondent, that contradict, qualify, or call into question respondents’ compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of either respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondents’ compliance with Part II of this order, for the compliance period covered by such Assessment.\n\nRespondent shall provide such documents to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.08_life_is_good_and_life_is_good_retail",
      "company_name": "Life is good, Inc.",
      "date_issued": "2008-04-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter",
      "docket_number": "C-4218"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondents must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, within specified timeframes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondents shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.08_life_is_good_and_life_is_good_retail",
      "company_name": "Life is good, Inc.",
      "date_issued": "2008-04-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter",
      "docket_number": "C-4218"
    },
    {
      "provision_number": "VI",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondents must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, sale, subsidiary creation, bankruptcy, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents and their successors and assigns shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondents learn fewer than thirty (30) days prior to the date such 5 action is to take place, respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.08_life_is_good_and_life_is_good_retail",
      "company_name": "Life is good, Inc.",
      "date_issued": "2008-04-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter",
      "docket_number": "C-4218"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must file a written compliance report with the FTC within 180 days after service of the order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents and their successors and assigns shall, within one hundred and eighty (180) days after service of this order, and at such other times as the Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.08_life_is_good_and_life_is_good_retail",
      "company_name": "Life is good, Inc.",
      "date_issued": "2008-04-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter",
      "docket_number": "C-4218"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "The order terminates on April 16, 2028, or 20 years from the most recent date the FTC files a federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on April 16, 2028, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent(s) did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent(s) will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.08_life_is_good_and_life_is_good_retail",
      "company_name": "Life is good, Inc.",
      "date_issued": "2008-04-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter",
      "docket_number": "C-4218"
    },
    {
      "provision_number": "I",
      "title": "Monitoring Technology Prohibited",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from using any monitoring technology to gather information or data from any computer rented to a consumer in connection with covered rent-to-own transactions.",
      "verbatim_text": "IT IS HEREBY ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual Page 3 of 8 notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction, are hereby permanently restrained and enjoined from using any monitoring technology to gather information or data from any computer rented to a consumer.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "II",
      "title": "Use of Tracking Technology Limited",
      "category": "affirmative_obligation",
      "summary": "Respondent may only use geophysical location tracking technology if clear and prominent notice is provided and affirmative express consent is obtained from the computer renter, with specific requirements for notice, consent, and icon display.",
      "verbatim_text": "A. Gathering any information or data from any computer via any geophysical location tracking technology without providing clear and prominent notice to the computer user at the time the computer is rented and immediately prior to each use of the geophysical location tracking technology, and also obtaining affirmative express consent from the computer’s renter at the time the computer is rented;\n\nB. Installing or activating on rented computers geophysical location tracking technology where that technology does not provide clear and prominent notice to the computer user immediately prior to each use of the geophysical location tracking technology; and\n\n1. Clear and Prominent Notice: respondent shall provide a clear and prominent notice to the user, separate and apart from any “privacy policy,” “data use policy,” “terms of service,” “end-user license agreement,” “lease agreement,” or other similar document, that discloses (1) that geophysical location tracking technology is installed and/or currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\n2. Affirmative Express Consent: respondent shall obtain affirmative express consent by giving the computer renter an equally clear and prominent choice to either agree or not agree to any geophysical location tracking technology, and neither option may be highlighted or preselected as a default setting. Activation of any geophysical location tracking technology must not proceed until the computer’s renter provides affirmative express consent. Notwithstanding the foregoing, nothing in this Part shall\n\n3. 
Icons: respondent shall provide that the activation of any geophysical location tracking technology be accompanied by the installation of a clear and prominent icon on the computer on which the technology is installed, such as on the desktop and in the desktop system tray of the computer. Clicking on the icon must clearly and prominently disclose: (1) that geophysical location tracking technology is installed and currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\nProvided that respondent may suspend the notice requirements of this Part and activate geophysical location tracking technology if a) the renter reports that the computer has been stolen or respondent otherwise has a reasonable basis to believe that the computer has been stolen, and b) either the renter or respondent has filed a police report stating that the computer has been stolen. Provided further that respondent shall retain documents establishing (a) and (b). For purposes of this Order, “filing of a police report” means the filing of the renter’s or respondent’s complaint with the police department in any form recognized in the jurisdiction.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "III",
      "title": "No Deceptive Gathering of Consumer Information",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from making any false representation or depiction in any notice, prompt screen, or software application that results in gathering information from or about a consumer.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction, are hereby permanently restrained and enjoined from making or causing to be made any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering information from or about a consumer, including without limitation location information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "IV",
      "title": "No Use of Improperly Obtained Information in Collections",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from using any information or data obtained in violation of Parts I, II, and III when collecting or attempting to collect a debt pursuant to a covered rent-to-own transaction.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, are hereby permanently restrained and enjoined from using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any information or data obtained in a manner that does not comply with Parts I, II, and III of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "V",
      "title": "Protection of Data",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete all user data previously gathered using non-compliant monitoring or tracking technology, and must encrypt data during transmission from computers to servers.",
      "verbatim_text": "A. Delete or destroy all user data previously gathered using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order, unless such action is otherwise prohibited by court order or other legal obligation; and\n\nB. Transfer data or information gathered by any monitoring or geophysical location tracking technology from the computer upon which the technology is installed to respondent’s server(s), and from the respondent’s server(s) to any other computers or servers only if the information collected is rendered unreadable, unusable, or indecipherable during transmission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "VI",
      "title": "No Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent is prohibited from misrepresenting the extent to which it maintains and protects the security, privacy, or confidentiality of personal information collected from or about consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "VII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with responsibilities related to the order's subject matter, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this order. Delivery must occur within seven days after the date of service of the order for current personnel. For new personnel, delivery must occur before they assume their responsibilities. From each individual to whom respondent delivers a copy of this\n\nassume their responsibilities. From each individual to whom respondent delivers a copy of this Order, respondent must obtain a signed and dated acknowledgment of receipt of this Order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission, initially within 60 days and at other times as required, and provide notification of corporate changes affecting compliance obligations.",
      "verbatim_text": "A. Respondent, and its successors and assigns, shall, within sixty (60) days after the date of service of this order, and at such other times as the Commission may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in\n\nwhich they have complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.\n\nB. Respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or related entity that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or\n\naddress. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nC. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line Aspen Way Enterprises, Inc., File No. 1123151. Provided, however; that, in lieu of overnight courier, notices may be sent by first class mail, but only if an electronic version of each such notice is contemporaneously sent to the Commission at DEbrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain documents related to compliance with Parts I-VI for five years after the last date of any covered act or practice, and make them available to the FTC for inspection.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for five (5) years after the last date of any act or practice covered by Parts I – VI of this Order, maintain and upon reasonable notice Page 7 of 8 make available to the Federal Trade Commission for inspection and copying, any documents, whether prepared by or on behalf of respondent, that: A. Comprise or relate to complaints or inquiries, whether received directly, indirectly, or through any third party, concerning any monitoring or geophysical tracking technologies sold, licensed, or otherwise provided to any third party, and any responses to those complaints or inquiries;\n\nB. Are reasonably necessary to demonstrate full compliance with each provision of this order, including but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this order, and all reports submitted to the Commission pursuant to this order;\n\nC. Contradict, qualify, or call into question respondent’s compliance with this order;\n\nD. Acknowledge receipt of this order obtained pursuant to Part VII.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "X",
      "title": "Termination of Order",
      "category": "duration",
      "summary": "Order will terminate on April 11, 2033, or twenty years from the most recent date the United States or FTC files a complaint alleging order violation, whichever is later, with provisions for extension if complaints are filed.",
      "verbatim_text": "This Order will terminate on April 11, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_aspen_way_enterprises",
      "company_name": "Aspen Way Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter",
      "docket_number": "C-4392"
    },
    {
      "provision_number": "I",
      "title": "Monitoring Technology Prohibited",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from using any monitoring technology to gather information or data from any computer rented to a consumer in connection with covered rent-to-own transactions.",
      "verbatim_text": "IT IS HEREBY ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction, are hereby permanently restrained and enjoined from using any monitoring technology to gather information or data from any computer rented to a consumer.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "II",
      "title": "Use of Tracking Technology Limited",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide clear and prominent notice and obtain affirmative express consent before using geophysical location tracking technology on rented computers, with specific requirements for notice delivery, consent mechanisms, and desktop icons.",
      "verbatim_text": "A. Gathering any information or data from any computer via any geophysical location tracking technology without providing clear and prominent notice to the computer user at the time the computer is rented and immediately prior to each use of the geophysical location tracking technology, and also obtaining affirmative express consent from the computer’s renter at the time the computer is rented;\n\nB. Installing or activating on rented computers geophysical location tracking technology where that technology does not provide clear and prominent notice to the computer user immediately prior to each use of the geophysical location tracking technology; and\n\n1. Clear and Prominent Notice: respondent shall provide a clear and prominent notice to the user, separate and apart from any “privacy policy,” “data use policy,” “terms of service,” “end-user license agreement,” “lease agreement,” or other similar document, that discloses (1) that geophysical location tracking technology is installed and/or currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\n2. Affirmative Express Consent: respondent shall obtain affirmative express consent by giving the computer renter an equally clear and prominent choice to either agree or not agree to any geophysical location tracking technology, and neither option may be highlighted or preselected as a default setting. Activation of any geophysical location tracking technology must not proceed until the computer’s renter provides affirmative express consent. 
Notwithstanding the foregoing, nothing in this Part shall require respondent to rent a computer to a user who declines to consent to installation or activation of any geophysical tracking technology.\n\n3. Icons: respondent shall provide that the activation of any geophysical location tracking technology be accompanied by the installation of a clear and prominent Page 4 of 8 icon on the computer on which the technology is installed, such as on the desktop and in the desktop system tray of the computer. Clicking on the icon must clearly and prominently disclose: (1) that geophysical location tracking technology is installed and currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\nProvided that respondent may suspend the notice requirements of this Part and activate geophysical location tracking technology if a) the renter reports that the computer has been stolen or respondent otherwise has a reasonable basis to believe that the computer has been stolen, and b) either the renter or respondent has filed a police report stating that the computer has been stolen. Provided further that respondent shall retain documents establishing (a) and (b). For purposes of this Order, “filing of a police report” means the filing of the renter’s or respondent’s complaint with the police department in any form recognized in the jurisdiction.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "III",
      "title": "No Deceptive Gathering of Consumer Information",
      "category": "prohibition",
      "summary": "Respondent is prohibited from making any false representation or depiction in any notice, prompt screen, or software application that results in gathering information from or about consumers, including location information.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction, are hereby permanently restrained and enjoined from making or causing to be made any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering information from or about a consumer, including without limitation location information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "IV",
      "title": "No Use of Improperly Obtained Information in Collections",
      "category": "prohibition",
      "summary": "Respondent is prohibited from using any information or data obtained in a manner that does not comply with Parts I, II, and III when collecting or attempting to collect debts pursuant to covered rent-to-own transactions.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, are hereby permanently restrained and enjoined from using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any information or data obtained in a manner that does not comply with Parts I, II, and III of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "V",
      "title": "Protection of Data",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete all user data previously gathered using non-compliant monitoring or tracking technology and must transmit data only in unreadable, unusable, or indecipherable form.",
      "verbatim_text": "A. Delete or destroy all user data previously gathered using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order; and\n\nB. Transfer data or information gathered by any monitoring or geophysical location tracking technology from the computer upon which the technology is installed to respondent’s server(s), and from the respondent’s server(s) to any other computers or servers only if the information collected is rendered unreadable, unusable, or indecipherable during transmission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "VI",
      "title": "No Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, expressly or by implication, the extent to which it maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "VII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver copies of this order to all current and future principals, officers, directors, and managers with responsibilities related to the order's subject matter and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this order. Delivery must occur within seven days after the date of service of the order for current personnel. For new personnel, delivery must occur before they assume their responsibilities. From each individual to whom respondent delivers a copy of this Order, respondent must obtain a signed and dated acknowledgment of receipt of this Order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within 60 days after service of the order and at such other times as the Commission requires, and must notify the Commission at least 30 days before any corporate change that may affect compliance obligations.",
      "verbatim_text": "A. Respondent, and its successors and assigns, shall, within sixty (60) days after the date of service of this order, and at such other times as the Commission may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which they have complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.\n\nB. Respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or related entity that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nC. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line B. Stamper Enterprises, Inc., File No. 1123151. Provided, however; that, in lieu of overnight courier, notices may be sent by first class mail, but only if an electronic version of each such notice is contemporaneously sent to the Commission at DEbrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents related to complaints about monitoring or tracking technologies, documents demonstrating compliance with the order, and acknowledgments of receipt of the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for five (5) years after the last date of any act or practice covered by Parts I – VI of this Order, maintain and upon reasonable notice make available to the Federal Trade Commission for inspection and copying, any documents, whether prepared by or on behalf of respondent, that: A. Comprise or relate to complaints or inquiries, whether received directly, indirectly, or through any third party, concerning any monitoring or geophysical tracking technologies sold, licensed, or otherwise provided to any third party, and any responses to those complaints or inquiries;\n\nB. Are reasonably necessary to demonstrate full compliance with each provision of this order, including but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this order, and all reports submitted to the Commission pursuant to this order; and\n\nC. Contradict, qualify, or call into question respondent’s compliance with this order;\n\nD. Acknowledge receipt of this order obtained pursuant to Part VII.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "X",
      "title": "Termination of Order",
      "category": "duration",
      "summary": "This order will terminate on April 11, 2033, or 20 years from the most recent date of a federal court complaint alleging violation of the order, whichever comes later.",
      "verbatim_text": "This Order will terminate on April 11, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this Order that terminates in less than twenty (20) years; B. This Order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Part as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_b._stamper_enterprises",
      "company_name": "B. Stamper Enterprises, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter",
      "docket_number": "C-4393"
    },
    {
      "provision_number": "I",
      "title": "Monitoring Technology Prohibited",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from using any monitoring technology to gather information from any computer rented to a consumer in covered rent-to-own transactions.",
      "verbatim_text": "IT IS HEREBY ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction, are hereby permanently restrained and enjoined from using any monitoring technology to gather information or data from any computer rented to a consumer.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "II",
      "title": "Use of Tracking Technology Limited",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide clear and prominent notice and obtain affirmative express consent before gathering any information via geophysical location tracking technology, and ensure the technology provides notice immediately prior to each use.",
      "verbatim_text": "A. Gathering any information or data from any computer via any geophysical location tracking technology without providing clear and prominent notice to the computer user at the time the computer is rented and immediately prior to each use of the geophysical location tracking technology, and also obtaining affirmative express consent from the computer’s renter at the time the computer is rented;\n\nB. Installing or activating on rented computers geophysical location tracking technology where that technology does not provide clear and prominent notice to the computer user immediately prior to each use of the geophysical location tracking technology; and\n\n1. Clear and Prominent Notice: respondent shall provide a clear and prominent notice to the user, separate and apart from any “privacy policy,” “data use policy,” “terms of service,” “end-user license agreement,” “lease agreement,” or other similar document, that discloses (1) that geophysical location tracking technology is installed and/or currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\n2. Affirmative Express Consent: respondent shall obtain affirmative express consent by giving the computer renter an equally clear and prominent choice to either agree or not agree to any geophysical location tracking technology, and neither option may be highlighted or preselected as a default setting. Activation of any geophysical location tracking technology must not proceed until the computer’s renter provides affirmative express consent. 
Notwithstanding the foregoing, nothing in this Part shall require respondent to rent a computer to a user who declines to consent to installation or activation of any geophysical tracking technology.\n\n3. Icons: respondent shall provide that the activation of any geophysical location tracking technology be accompanied by the installation of a clear and prominent Page 4 of 8 icon on the computer on which the technology is installed, such as on the desktop and in the desktop system tray of the computer. Clicking on the icon must clearly and prominently disclose: (1) that geophysical location tracking technology is installed and currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\nProvided that respondent may suspend the notice requirements of this Part and activate geophysical location tracking technology if a) the renter reports that the computer has been stolen or respondent otherwise has a reasonable basis to believe that the computer has been stolen, and b) either the renter or respondent has filed a police report stating that the computer has been stolen. Provided further that respondent shall retain documents establishing (a) and (b). For purposes of this Order, “filing of a police report” means the filing of the renter’s or respondent’s complaint with the police department in any form recognized in the jurisdiction.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "III",
      "title": "No Deceptive Gathering of Consumer Information",
      "category": "prohibition",
      "summary": "Respondent must not make any false representation or depiction in any notice, prompt screen, or software application that results in gathering information from or about a consumer.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction, are hereby permanently restrained and enjoined from making or causing to be made any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering information from or about a consumer, including without limitation location information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "IV",
      "title": "No Use of Improperly Obtained Information in Collections",
      "category": "prohibition",
      "summary": "Respondent must not use information obtained in violation of Parts I, II, or III when collecting debts pursuant to covered rent-to-own transactions.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, are hereby permanently restrained and enjoined from using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any information or data obtained in a manner that does not comply with Parts I, II, and III of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "V",
      "title": "Protection of Data",
      "category": "affirmative_obligation",
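      "summary": "Respondent must delete or destroy all user data previously gathered using non-compliant monitoring or tracking technology, and may transfer gathered data from the rented computer to its servers, or from its servers to any other computer or server, only if the data is rendered unreadable, unusable, or indecipherable during transmission.",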
      "verbatim_text": "A. Delete or destroy all user data previously gathered using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order; and\n\nB. Transfer data or information gathered by any monitoring or geophysical location tracking technology from the computer upon which the technology is installed to respondent’s server(s), and from the respondent’s server(s) to any other computers or servers only if the information collected is rendered unreadable, unusable, or indecipherable during transmission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "VI",
      "title": "No Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the security, privacy, or confidentiality of personal information collected from or about consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "VII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this order. Delivery must occur within seven days after the date of service of the order for current personnel. For new personnel, delivery must occur before they\n\nservice of the order for current personnel. For new personnel, delivery must occur before they assume their responsibilities. From each individual to whom respondent delivers a copy of this\n\nassume their responsibilities. From each individual to whom respondent delivers a copy of this Order, respondent must obtain a signed and dated acknowledgment of receipt of this Order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission within 60 days of service and notify the Commission of corporate changes at least 30 days in advance.",
      "verbatim_text": "A. Respondent, and its successors and assigns, shall, within sixty (60) days after the date of service of this order, and at such other times as the Commission may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which they have complied with this order. Within ten (10) days of receipt of written notice from\n\nwhich they have complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.\n\nB. Respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or related entity that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nC. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line C.A.L.M. Ventures, Inc., File No. 1123151. 
Provided, however; that, in lieu of overnight courier, notices may be sent by first class mail, but only if an electronic version of each such notice is contemporaneously sent to the Commission at DEbrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents related to complaints about monitoring or tracking technologies and documents demonstrating compliance with the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for five (5) years after the last date of any act or practice covered by Parts I – VI of this Order, maintain and upon reasonable notice make available to the Federal Trade Commission for inspection and copying, any documents, whether prepared by or on behalf of respondent, that: A. Comprise or relate to complaints or inquiries, whether received directly, indirectly, or through any third party, concerning any monitoring or geophysical tracking technologies sold, licensed, or otherwise provided to any third party, and any responses to those complaints or inquiries;\n\nB. Are reasonably necessary to demonstrate full compliance with each provision of this order, including but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this order, and all reports submitted to the Commission pursuant to this order;\n\nC. Contradict, qualify, or call into question respondent’s compliance with this order; or\n\nD. Acknowledge receipt of this order obtained pursuant to Part VII.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "X",
      "title": "Termination of Order",
      "category": "duration",
      "summary": "The order will terminate on April 11, 2033, or 20 years from the most recent date the FTC files a complaint alleging violation of the order, whichever comes later.",
      "verbatim_text": "This Order will terminate on April 11, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this Order that terminates in less than twenty (20) years; B. This Order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_c.a.l.m._ventures",
      "company_name": "C.A.L.M. Ventures, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter",
      "docket_number": "C-4394"
    },
    {
      "provision_number": "I",
      "title": "Monitoring Technology Prohibited",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from using monitoring technology to gather information from computers rented to consumers and from providing such technology to third parties.",
      "verbatim_text": "A. Using any monitoring technology to gather information or data from any computer rented to a consumer; and\n\nB. Licensing, selling, or otherwise providing third parties with monitoring technology for installation or activation on computers rented to consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_designerware",
      "company_name": "DesignerWare, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter",
      "docket_number": "C-4390"
    },
    {
      "provision_number": "II",
      "title": "Use of Tracking Technology Limited",
      "category": "affirmative_obligation",
      "summary": "Respondent may only use geophysical location tracking technology if clear and prominent notice is provided to users and affirmative express consent is obtained from renters, with specific exceptions for stolen computers.",
      "verbatim_text": "A. Gathering any information or data from any computer via any geophysical location tracking technology without ensuring that the computer user is provided clear and prominent notice at the time the computer is rented and immediately prior to each use of the geophysical location tracking technology, and also ensuring that the computer renter’s affirmative express consent is obtained at the time the computer is rented. For purposes of this section, providing clear and prominent notice to computer users and obtaining affirmative express consent from computer renters means:\n\n1. Clear and Prominent Notice: a clear and prominent notice is provided to the user, separate and apart from any “privacy policy,” “data use policy,” “terms of service,” “end-user license agreement,” “lease agreement,” or other similar document, that discloses (1) that geophysical location tracking technology is installed and/or currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information;\n\n2. Affirmative Express Consent: affirmative express consent is obtained by giving the computer renter an equally clear and prominent choice to either agree or not agree to any geophysical location tracking technology, and neither option may be highlighted or preselected as a default setting. Activation of any geophysical location tracking technology must not proceed until the computer’s renter provides affirmative express consent. 
Notwithstanding the foregoing, nothing in this Part shall require that a computer be rented to a user who declines to consent to installation or activation of any geophysical tracking technology;\n\n3. Icons: the activation of any geophysical location tracking technology shall be accompanied by the installation of a clear and prominent icon on the computer on which the technology is installed, such as on the desktop and in the desktop system tray of the computer. Clicking on the icon must clearly and prominently disclose: (1) that geophysical location tracking technology is installed and currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information;\n\nProvided that the notice requirements of this Part may be suspended and geophysical location tracking technology activated if (a) the renter reports that the computer has been stolen or there is otherwise a reasonable basis to believe that the computer has been stolen, and (b) either the renter or another person has filed a police report stating that the computer has been stolen. Provided further that respondent shall ensure that documents establishing (a) and (b) are retained. 
For purposes of this Order, “filing of a police report” means the reporting of a complaint with the police department in any form recognized in the jurisdiction;\n\nProvided further that the notice and record-keeping requirements of this Section II shall be satisfied when respondent acts as a licensor if respondent includes in the licensing agreement contractual requirements that: (i) licensees may only activate geophysical location tracking technology if (a) the renter reports that the computer has been stolen or there is otherwise a reasonable basis to believe that the computer has been stolen and (b) either the renter or another person has filed a police report stating that the computer has been stolen, and (ii) documents establishing (a) and (b) are retained by the licensees; and\n\nB. Licensing, selling, or otherwise providing any third party with geophysical location tracking technology for installation or activation on a computer to be rented in a covered rent-to-own transaction, without requiring as a condition of the license, sale, or other provision of the technology that the third party obtain consent and provide notice as provided in Section II.A, above.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_designerware",
      "company_name": "DesignerWare, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter",
      "docket_number": "C-4390"
    },
    {
      "provision_number": "III",
      "title": "No Deceptive Gathering of Consumer Information",
      "category": "prohibition",
      "summary": "Respondent is prohibited from making false representations or deceptions in any notice, prompt, or software application that results in gathering information from or about consumers.",
      "verbatim_text": "permanently restrained and enjoined from making, or assisting others to make, any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering information from or about a consumer, including without limitation location information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_designerware",
      "company_name": "DesignerWare, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter",
      "docket_number": "C-4390"
    },
    {
      "provision_number": "IV",
      "title": "Protection of Data",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete previously gathered non-compliant data and ensure that data transmitted from tracking technology is encrypted during transmission.",
      "verbatim_text": "A. Delete or destroy all user data, if any, previously gathered using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order, unless such action is otherwise prohibited by court order or other legal obligation; and\n\nB. Transfer data or information, if any, gathered by any monitoring or geophysical location tracking technology from the computer upon which the technology is installed to respondent’s server(s), and from the respondent’s server(s) to any other computers or servers only if such information is rendered unreadable, unusable, or indecipherable during transmission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.13_designerware",
      "company_name": "DesignerWare, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter",
      "docket_number": "C-4390"
    },
    {
      "provision_number": "V",
      "title": "No Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the security, privacy, or confidentiality of personal information gathered from or about consumers.",
      "verbatim_text": "indirectly, shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any personal information gathered from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_designerware",
      "company_name": "DesignerWare, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter",
      "docket_number": "C-4390"
    },
    {
      "provision_number": "VI",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this order, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent\n\nshall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position\n\norder, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. From each person to whom respondent delivers a copy of this order,\n\nor responsibilities. From each person to whom respondent delivers a copy of this order, respondent must obtain a signed and dated acknowledgment of receipt of this order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_designerware",
      "company_name": "DesignerWare, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter",
      "docket_number": "C-4390"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission and notify the Commission of any corporate changes that may affect compliance obligations.",
      "verbatim_text": "A. Respondent, and its successors and assigns, shall within sixty (60) days after the date of service of this order, and at such other times as the Commission may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in\n\nwhich they have complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, they shall submit additional true and accurate written reports.\n\nB. Respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or related entity that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about\n\naddress. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nC. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line DesignerWare, LLC, File No. 1123151. 
Provided, however; that, in lieu of overnight courier, notices may be sent by first class mail, but only if an electronic version of each such notice is contemporaneously sent to the Commission at DEbrief@ftc.gov.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.13_designerware",
      "company_name": "DesignerWare, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter",
      "docket_number": "C-4390"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years documents relating to complaints, compliance, and acknowledgments of this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for five (5) years after the last date of any act or practice covered by Parts I – V of this Order, maintain and upon reasonable notice make available to the Federal Trade Commission for inspection and copying, any documents, whether prepared by or on behalf of respondent, that: A. Comprise or relate to complaints or inquiries, whether received directly, indirectly, or through any third party, concerning any monitoring or geophysical tracking technologies sold, licensed, or otherwise provided to any third party for use in connection with any covered rent-to-own transaction, and any responses to those complaints or inquiries;\n\nB. Are reasonably necessary to demonstrate full compliance with each provision of this order, including but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this order, and all reports submitted to the Commission pursuant to this order;\n\nC. Contradict, qualify, or call into question respondent’s compliance with this order; or\n\nD. Acknowledge receipt of this order obtained pursuant to Part VI.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.13_designerware",
      "company_name": "DesignerWare, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter",
      "docket_number": "C-4390"
    },
    {
      "provision_number": "IX",
      "title": "Termination of Order",
      "category": "duration",
      "summary": "This order will terminate on April 11, 2033, or twenty years from the most recent date the FTC files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This Order will terminate on April 11, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_designerware",
      "company_name": "DesignerWare, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter",
      "docket_number": "C-4390"
    },
    {
      "provision_number": "I",
      "title": "Monitoring Technology Prohibited",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from using any monitoring technology to gather information from computers rented to consumers in covered rent-to-own transactions.",
      "verbatim_text": "IT IS HEREBY ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction, are hereby permanently restrained and enjoined from using any monitoring technology to gather information or data from any computer rented to a consumer.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "II",
      "title": "Use of Tracking Technology Limited",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide clear and prominent notice and obtain affirmative express consent before using geophysical location tracking technology on rented computers, with specific requirements for notice, consent, and icons.",
      "verbatim_text": "A. Gathering any information or data from any computer via any geophysical location tracking technology without providing clear and prominent notice to the computer user at the time the computer is rented and immediately prior to each use of the geophysical location tracking technology, and also obtaining affirmative express consent from the computer’s renter at the time the computer is rented;\n\nB. Installing or activating on rented computers geophysical location tracking technology where that technology does not provide clear and prominent notice to the computer user immediately prior to each use of the geophysical location tracking technology; and\n\n1. Clear and Prominent Notice: respondent shall provide a clear and prominent notice to the user, separate and apart from any “privacy policy,” “data use policy,” “terms of service,” “end-user license agreement,” “lease agreement,” or other similar document, that discloses (1) that geophysical location tracking technology is installed and/or currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\n2. Affirmative Express Consent: respondent shall obtain affirmative express consent by giving the computer renter an equally clear and prominent choice to either agree or not agree to any geophysical location tracking technology, and neither option may be highlighted or preselected as a default setting. Activation of any geophysical location tracking technology must not proceed until the computer’s renter provides affirmative express consent. Notwithstanding the foregoing, nothing in this Section shall\n\n3. 
Icons: respondent shall provide that the activation of any geophysical location tracking technology be accompanied by the installation of a clear and prominent icon on the computer on which the technology is installed, such as on the desktop and in the desktop system tray of the computer. Clicking on the icon must clearly and prominently disclose: (1) that geophysical location tracking technology is installed and currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "III",
      "title": "No Deceptive Gathering of Consumer Information",
      "category": "prohibition",
      "summary": "Respondent is prohibited from making any false representation in any notice, prompt screen, or software application that results in gathering information from or about a consumer.",
      "verbatim_text": "own transaction, are hereby permanently restrained and enjoined from making or causing to be made any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering information from or about a consumer, including without limitation location information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "IV",
      "title": "No Use of Improperly Obtained Information in Collections",
      "category": "prohibition",
      "summary": "Respondent is prohibited from using any information obtained in violation of Parts I, II, and III when collecting or attempting to collect a debt pursuant to a covered rent-to-own transaction.",
      "verbatim_text": "enjoined from using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any information or data obtained in a manner that does not comply with Parts I, II, and III of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "V",
      "title": "Protection of Data",
      "category": "affirmative_obligation",
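      "summary": "Respondent must delete all user data previously gathered using non-compliant monitoring or tracking technology, and may transfer collected data to its servers or onward only if the data is rendered unreadable, unusable, or indecipherable (for example, encrypted) during transmission.",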
      "verbatim_text": "A. Delete or destroy all user data previously gathered using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order; and\n\nB. Transfer data or information gathered by any monitoring or geophysical location tracking technology from the computer upon which the technology is installed to respondent’s server(s), and from the respondent’s server(s) to any other computers or servers only if the information collected is rendered unreadable, unusable, or indecipherable during transmission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "VI",
      "title": "No Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "verbatim_text": "own transaction shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "VII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with responsibilities related to the subject matter, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this order. Delivery must occur within seven days after the date of service of the order for current personnel. For new personnel, delivery must occur before they assume their responsibilities. From each individual to whom respondent delivers a copy of this Order, respondent must obtain a signed and dated acknowledgment of receipt of this Order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission and notify the Commission of corporate changes that may affect compliance obligations.",
      "verbatim_text": "A. Respondent, and its successors and assigns, shall, within sixty (60) days after the date of service of this order, and at such other times as the Commission may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which they have complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.\n\nB. Respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or related entity that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents related to complaints, compliance, and acknowledgments of receipt of this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for five (5) years after the last date of any act or practice covered by Parts I – VI of this Order, maintain and upon reasonable notice make available to the Federal Trade Commission for inspection and copying, any documents, whether prepared by or on behalf of respondent, that: A. Comprise or relate to complaints or inquiries, whether received directly, indirectly, or through any third party, concerning any monitoring or geophysical tracking technologies sold, licensed, or otherwise provided to any third party, and any responses to those complaints or inquiries;\n\nB. Are reasonably necessary to demonstrate full compliance with each provision of this order, including but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this order, and all reports submitted to the Commission pursuant to this order;\n\nC. Contradict, qualify, or call into question respondent’s compliance with this order; or\n\nD. Acknowledge receipt of this order obtained pursuant to Part VII.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "X",
      "title": "Termination of Order",
      "category": "duration",
      "summary": "This order will terminate on April 11, 2033, or twenty years from the most recent date that the United States or FTC files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This Order will terminate on April 11, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_j.a.g._rents_also_dba_colortyme",
      "company_name": "J.A.G. Rents, LLC",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter",
      "docket_number": "C-4395"
    },
    {
      "provision_number": "I",
      "title": "Monitoring Technology Prohibited",
      "category": "prohibition",
      "summary": "Respondent is permanently prohibited from using any monitoring technology to gather information or data from computers rented to consumers in covered rent-to-own transactions.",
      "verbatim_text": "IT IS HEREBY ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction, are hereby permanently restrained and enjoined from using any monitoring technology to gather information or data from any computer rented to a consumer.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "II",
      "title": "Use of Tracking Technology Limited",
      "category": "affirmative_obligation",
      "summary": "Respondent may only use geophysical location tracking technology after providing clear and prominent notice and obtaining affirmative express consent, with specific requirements for notice, consent mechanisms, and icon display.",
      "verbatim_text": "A. Gathering any information or data from any computer via any geophysical location tracking technology without providing clear and prominent notice to the computer user at the time the computer is rented and immediately prior to each use of the geophysical location tracking technology, and also obtaining affirmative express consent from the computer’s renter at the time the computer is rented;\n\nB. Installing or activating on rented computers geophysical location tracking technology where that technology does not provide clear and prominent notice to the computer user immediately prior to each use of the geophysical location tracking technology; and\n\n1. Clear and Prominent Notice: respondent shall provide a clear and prominent notice to the user, separate and apart from any “privacy policy,” “data use policy,” “terms of service,” “end-user license agreement,” “lease agreement,” or other similar document, that discloses (1) that geophysical location tracking technology is installed and/or currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\n2. Affirmative Express Consent: respondent shall obtain affirmative express consent by giving the computer renter an equally clear and prominent choice to either agree or not agree to any geophysical location tracking technology, and neither option may be highlighted or preselected as a default setting. Activation of any geophysical location tracking technology must not proceed until the computer’s renter provides affirmative express consent. 
Notwithstanding the foregoing, nothing in this Section shall require respondent to rent a computer to a user who declines to consent to installation or activation of any geophysical tracking technology.\n\n3. Icons: respondent shall provide that the activation of any geophysical location tracking technology be accompanied by the installation of a clear and prominent icon on the computer on which the technology is installed, such as on the desktop and in the desktop system tray of the computer. Clicking on the icon must clearly and prominently disclose: (1) that geophysical location tracking technology is installed and currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\nProvided that respondent may suspend the notice requirements of this Part and activate geophysical location tracking technology if a) the renter reports that the computer has been stolen or respondent otherwise has a reasonable basis to believe that the computer has been stolen, and b) either the renter or respondent has filed a police report stating that the computer has been stolen. Provided further that respondent shall retain documents establishing (a) and (b). For purposes of this Order, “filing of a police report” means the filing of the renter’s or respondent’s complaint with the police department in any form recognized in the jurisdiction.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "III",
      "title": "No Deceptive Gathering of Consumer Information",
      "category": "prohibition",
      "summary": "Respondent is prohibited from making any false representations in notices, prompts, or software applications that result in gathering information from or about consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction, are hereby permanently restrained and enjoined from making or causing to be made any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering information from or about a consumer, including without limitation location information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "IV",
      "title": "No Use of Improperly Obtained Information in Collections",
      "category": "prohibition",
      "summary": "Respondent is prohibited from using any information or data obtained in violation of Parts I, II, or III when collecting or attempting to collect debts under covered rent-to-own transactions.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, are hereby permanently restrained and enjoined from using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any information or data obtained in a manner that does not comply with Parts I, II, and III of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "V",
      "title": "Protection of Data",
      "category": "affirmative_obligation",
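      "summary": "Respondent must delete all user data previously gathered using non-compliant monitoring or tracking technology, and may transfer collected data to its servers or onward only if the data is rendered unreadable, unusable, or indecipherable (for example, encrypted) during transmission.",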
      "verbatim_text": "A. Delete or destroy all user data previously gathered using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order; and\n\nB. Transfer data or information gathered by any monitoring or geophysical location tracking technology from the computer upon which the technology is installed to respondent’s server(s), and from the respondent’s server(s) to any other computers or servers only if the information collected is rendered unreadable, unusable, or indecipherable during transmission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "VI",
      "title": "No Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent is prohibited from misrepresenting the extent to which it maintains and protects the security, privacy, or confidentiality of personal information collected from consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to- own transaction shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "VII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this order. Delivery must occur within seven days after the date of service of the order for current personnel. For new personnel, delivery must occur before they assume their responsibilities. From each individual to whom respondent delivers a copy of this Order, respondent must obtain a signed and dated acknowledgment of receipt of this Order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission and notify the Commission of corporate changes that may affect compliance obligations.",
      "verbatim_text": "A. Respondent, and its successors and assigns, shall, within sixty (60) days after the date of service of this order, and at such other times as the Commission may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which they have complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.\n\nB. Respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or related entity that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nC. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line Red Zone Investment Group, File No. 1123151. Provided, however; that, in lieu of overnight courier, notices may be sent by first class mail, but only if an electronic version of each such notice is contemporaneously sent to the Commission at DEbrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available for inspection various categories of documents for five years after the last date of any covered act or practice.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for five (5) years after the last date of any act or practice covered by Parts I – VI of this Order, maintain and upon reasonable notice make available to the Federal Trade Commission for inspection and copying, any documents, whether prepared by or on behalf of respondent, that: A. Comprise or relate to complaints or inquiries, whether received directly, indirectly, or through any third party, concerning any monitoring or geophysical tracking technologies sold, licensed, or otherwise provided to any third party, and any responses to those complaints or inquiries;\n\nB. Are reasonably necessary to demonstrate full compliance with each provision of this order, including but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this order, and all reports submitted to the Commission pursuant to this order;\n\nC. Contradict, qualify, or call into question respondent’s compliance with this order; or\n\nD. Acknowledge receipt of this order obtained pursuant to Part VII.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "X",
      "title": "Termination of Order",
      "category": "duration",
      "summary": "The order will terminate on April 11, 2033, or twenty years from the most recent date the FTC files a complaint alleging violation of the order, whichever comes later.",
      "verbatim_text": "This Order will terminate on April 11, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this Order that terminates in less than twenty (20) years; B. This Order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_red_zone_investment_group",
      "company_name": "Red Zone Investment Group, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter",
      "docket_number": "C-4396"
    },
    {
      "provision_number": "I",
      "title": "Monitoring Technology Prohibited",
      "category": "prohibition",
      "summary": "Respondent is permanently restrained from using any monitoring technology to gather information or data from any computer rented to a consumer in connection with any covered rent-to-own transaction.",
      "verbatim_text": "IT IS HEREBY ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to-own transaction, are hereby permanently restrained and enjoined from using any monitoring technology to gather information or data from any computer rented to a consumer.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "II",
      "title": "Use of Tracking Technology Limited",
      "category": "affirmative_obligation",
      "summary": "Respondent is permanently restrained from gathering information via geophysical location tracking technology without providing clear and prominent notice and obtaining affirmative express consent, subject to specific requirements and exceptions for stolen computers.",
      "verbatim_text": "A. Gathering any information or data from any computer via any geophysical location tracking technology without providing clear and prominent notice to the computer user at the time the computer is rented and immediately prior to each use of the geophysical location tracking technology, and also obtaining affirmative express consent from the computer’s renter at the time the computer is rented;\n\nB. Installing or activating on rented computers geophysical location tracking technology where that technology does not provide clear and prominent notice to the computer user immediately prior to each use of the geophysical location tracking technology; and\n\n1. Clear and Prominent Notice: respondent shall provide a clear and prominent notice to the user, separate and apart from any “privacy policy,” “data use policy,” “terms of service,” “end-user license agreement,” “lease agreement,” or other similar document, that discloses (1) that geophysical location tracking technology is installed and/or currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\n2. Affirmative Express Consent: respondent shall obtain affirmative express consent by giving the computer renter an equally clear and prominent choice to either agree or not agree to any geophysical location tracking technology, and neither option may be highlighted or preselected as a default setting. Activation of any geophysical location tracking technology must not proceed until the computer’s renter provides affirmative express consent. Notwithstanding the foregoing, nothing in this Part shall require respondent to rent a computer to a user who declines to consent to installation or activation of any geophysical tracking technology.\n\n3. Icons: respondent shall provide that the activation of any geophysical location tracking technology be accompanied by the installation of a clear and prominent icon on the computer on which the technology is installed, such as on the desktop and in the desktop system tray of the computer. Clicking on the icon must clearly and prominently disclose: (1) that geophysical location tracking technology is installed and currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\nProvided that respondent may suspend the notice requirements of this Part and activate geophysical location tracking technology if a) the renter reports that the computer has been stolen or respondent otherwise has a reasonable basis to believe that the computer has been stolen, and b) either the renter or respondent has filed a police report stating that the computer has been stolen. Provided further that respondent shall retain documents establishing (a) and (b). For purposes of this Order, “filing of a police report” means the filing of the renter’s or respondent’s complaint with the police department in any form recognized in the jurisdiction.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "III",
      "title": "No Deceptive Gathering of Consumer Information",
      "category": "prohibition",
      "summary": "Respondent is permanently restrained from making any false representation or depiction in any notice, prompt screen, or software application that results in gathering information from or about a consumer.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to-own transaction, are hereby permanently restrained and enjoined from making or causing to be made any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering information from or about a consumer, including without limitation location information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "IV",
      "title": "No Use of Improperly Obtained Information in Collections",
      "category": "prohibition",
      "summary": "Respondent is permanently restrained from using information obtained in violation of Parts I, II, and III in connection with collecting or attempting to collect a debt or property pursuant to a covered rent-to-own transaction.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, are hereby permanently restrained and enjoined from using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any information or data obtained in a manner that does not comply with Parts I, II, and III of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "V",
      "title": "Protection of Data",
      "category": "affirmative_obligation",
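      "summary": "Respondent must delete or destroy all user data previously gathered using non-compliant monitoring or tracking technology, and may transfer gathered data from rented computers to its servers, or from its servers to any other computers or servers, only if the data is rendered unreadable, unusable, or indecipherable during transmission (for example, by encryption).",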
      "verbatim_text": "A. Delete or destroy all user data previously gathered using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order; and\n\nB. Transfer data or information gathered by any monitoring or geophysical location tracking technology from the computer upon which the technology is installed to respondent’s server(s), and from the respondent’s server(s) to any other computers or servers only if the information collected is rendered unreadable, unusable, or indecipherable during transmission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "VI",
      "title": "No Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to-own transaction shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "VII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers with responsibilities related to the subject matter, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this order. Delivery must occur within seven days after the date of service of the order for current personnel. For new personnel, delivery must occur before they assume their responsibilities. From each individual to whom respondent delivers a copy of this Order, respondent must obtain a signed and dated acknowledgment of receipt of this Order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission within sixty days after service of the order and at other times as required, and must notify the Commission of corporate changes affecting compliance obligations.",
      "verbatim_text": "A. Respondent, and its successors and assigns, shall, within sixty (60) days after the date of service of this order, and at such other times as the Commission may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which they have complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.\n\nB. Respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or related entity that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nC. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line Showplace, Inc., File No. 1123151. Provided, however; that, in lieu of overnight courier, notices may be sent by first class mail, but only if an electronic version of each such notice is contemporaneously sent to the Commission at DEbrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years after the last date of any act or practice covered by Parts I-VI all documents relating to complaints, compliance, contradictions, or acknowledgments of receipt of the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for five (5) years after the last date of any act or practice covered by Parts I – VI of this Order, maintain and upon reasonable notice make available to the Federal Trade Commission for inspection and copying, any documents, whether prepared by or on behalf of respondent, that: A. Comprise or relate to complaints or inquiries, whether received directly, indirectly, or through any third party, concerning any monitoring or geophysical tracking technologies sold, licensed, or otherwise provided to any third party, and any responses to those complaints or inquiries;\n\nB. Are reasonably necessary to demonstrate full compliance with each provision of this order, including but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this order, and all reports submitted to the Commission pursuant to this order;\n\nC. Contradict, qualify, or call into question respondent’s compliance with this order; or\n\nD. Acknowledge receipt of this order obtained pursuant to Part VII.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "X",
      "title": "Termination of Order",
      "category": "duration",
      "summary": "This Order will terminate on April 11, 2033, or twenty years from the most recent date the United States or FTC files a complaint in federal court alleging violation of the Order, whichever comes later, subject to specific conditions.",
      "verbatim_text": "This Order will terminate on April 11, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this Order that terminates in less than twenty (20) years; B. This Order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Part as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_showplace",
      "company_name": "Showplace, Inc.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter",
      "docket_number": "C-4397"
    },
    {
      "provision_number": "I",
      "title": "Monitoring Technology Prohibited",
      "category": "prohibition",
      "summary": "Respondent is permanently restrained and enjoined from using any monitoring technology to gather information or data from any computer rented to a consumer in connection with any covered rent-to-own transaction.",
      "verbatim_text": "IT IS HEREBY ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to-own transaction, are hereby permanently restrained and enjoined from using any monitoring technology to gather information or data from any computer rented to a consumer.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "II",
      "title": "Use of Tracking Technology Limited",
      "category": "prohibition",
      "summary": "Respondent is permanently restrained and enjoined from gathering information via geophysical location tracking technology without providing clear and prominent notice and obtaining affirmative express consent, with specific notice and consent requirements and exceptions for stolen computers.",
      "verbatim_text": "A. Gathering any information or data from any computer via any geophysical location tracking technology without providing clear and prominent notice to the computer user at the time the computer is rented and immediately prior to each use of the geophysical location tracking technology, and also obtaining affirmative express consent from the computer’s renter at the time the computer is rented;\n\nB. Installing or activating on rented computers geophysical location tracking technology where that technology does not provide clear and prominent notice to the computer user immediately prior to each use of the geophysical location tracking technology; and\n\n1. Clear and Prominent Notice: respondent shall provide a clear and prominent notice to the user, separate and apart from any “privacy policy,” “data use policy,” “terms of service,” “end-user license agreement,” “lease agreement,” or other similar document, that discloses (1) that geophysical location tracking technology is installed and/or currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\n2. Affirmative Express Consent: respondent shall obtain affirmative express consent by giving the computer renter an equally clear and prominent choice to either agree or not agree to any geophysical location tracking technology, and neither option may be highlighted or preselected as a default setting. Activation of any geophysical location tracking technology must not proceed until the computer’s renter provides affirmative express consent. Notwithstanding the foregoing, nothing in this Part shall require respondent to rent a computer to a user who declines to consent to installation or activation of any geophysical tracking technology.\n\n3. Icons: respondent shall provide that the activation of any geophysical location tracking technology be accompanied by the installation of a clear and prominent icon on the computer on which the technology is installed, such as on the desktop and in the desktop system tray of the computer. Clicking on the icon must clearly and prominently disclose: (1) that geophysical location tracking technology is installed and currently running on the computer; (2) the types of user activity or conduct that is being captured by such technology; (3) the identities or specific categories of entities with whom any data or information that is collected will be shared or otherwise provided; (4) the purpose(s) for the collection, use, or sharing of such data or information; and (5) where and how the user can contact someone for additional information.\n\nProvided that respondent may suspend the notice requirements of this Part and activate geophysical location tracking technology if a) the renter reports that the computer has been stolen or respondent otherwise has a reasonable basis to believe that the computer has been stolen, and b) either the renter or respondent has filed a police report stating that the computer has been stolen. Provided further that respondent shall retain documents establishing (a) and (b). For purposes of this Order, “filing of a police report” means the filing of the renter’s or respondent’s complaint with the police department in any form recognized in the jurisdiction.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "III",
      "title": "No Deceptive Gathering of Consumer Information",
      "category": "prohibition",
      "summary": "Respondent is permanently restrained and enjoined from making or causing to be made any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering information from or about a consumer, including location information.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to-own transaction, are hereby permanently restrained and enjoined from making or causing to be made any false representation or depiction in any notice, prompt screen, or other software application appearing on the screen of any computer that results in gathering information from or about a consumer, including without limitation location information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "IV",
      "title": "No Use of Improperly Obtained Information in Collections",
      "category": "prohibition",
      "summary": "Respondent is permanently restrained and enjoined from using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any information or data obtained in a manner that does not comply with Parts I, II, and III of this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, are hereby permanently restrained and enjoined from using, in connection with collecting or attempting to collect a debt, money, or property pursuant to a covered rent-to-own transaction, any information or data obtained in a manner that does not comply with Parts I, II, and III of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "V",
      "title": "Protection of Data",
      "category": "affirmative_obligation",
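      "summary": "Respondent must delete or destroy all user data previously gathered using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order, and may transfer data gathered by such technology from the computer to respondent's server(s), or from those servers to any other computers or servers, only if the information is rendered unreadable, unusable, or indecipherable during transmission.",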
      "verbatim_text": "A. Delete or destroy all user data previously gathered using any monitoring or geophysical location tracking technology that does not comply with Parts I, II, and III of this Order; and\n\nB. Transfer data or information gathered by any monitoring or geophysical location tracking technology from the computer upon which the technology is installed to respondent’s server(s), and from the respondent’s server(s) to any other computers or servers only if the information collected is rendered unreadable, unusable, or indecipherable during transmission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "VI",
      "title": "No Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, and its officers, agents, servants, employees, and all persons or entities in active concert or participation with it who receive actual notice of this order, by personal service or otherwise, in connection with any covered rent-to-own transaction shall not misrepresent, in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, or confidentiality of any personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "VII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this order, and obtain signed and dated acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all current and future principals, officers, directors, and managers who have responsibilities related to the subject matter of this order. Delivery must occur within seven days after the date of service of the order for current personnel. For new personnel, delivery must occur before they assume their responsibilities. From each individual to whom respondent delivers a copy of this Order, respondent must obtain a signed and dated acknowledgment of receipt of this Order, with any electronic signatures complying with the requirements of the E-Sign Act, 15 U.S.C. § 7001 et seq.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent and its successors and assigns must file compliance reports with the Commission within 60 days after service of this order and at such other times as the Commission may require, and notify the Commission at least 30 days prior to any change in the corporation that may affect compliance obligations.",
      "verbatim_text": "A. Respondent, and its successors and assigns, shall, within sixty (60) days after the date of service of this order, and at such other times as the Commission may require, file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which they have complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.\n\nB. Respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or related entity that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nC. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line Watershed Development Corp., File No. 1123151. Provided, however; that, in lieu of overnight courier, notices may be sent by first class mail, but only if an electronic version of each such notice is contemporaneously sent to the Commission at DEbrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the Federal Trade Commission for inspection and copying, for five years after the last date of any act or practice covered by Parts I-VI of this Order, any documents that comprise or relate to complaints or inquiries concerning monitoring or geophysical tracking technologies, demonstrate full compliance with the order, contradict compliance, or acknowledge receipt of the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, for five (5) years after the last date of any act or practice covered by Parts I – VI of this Order, maintain and upon reasonable notice make available to the Federal Trade Commission for inspection and copying, any documents, whether prepared by or on behalf of respondent, that: A. Comprise or relate to complaints or inquiries, whether received directly, indirectly, or through any third party, concerning any monitoring or geophysical tracking technologies sold, licensed, or otherwise provided to any third party, and any responses to those complaints or inquiries;\n\nB. Are reasonably necessary to demonstrate full compliance with each provision of this order, including but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this order, and all reports submitted to the Commission pursuant to this order;\n\nC. Contradict, qualify, or call into question respondent’s compliance with this order; or\n\nD. Acknowledge receipt of this order obtained pursuant to Part VII.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "X",
      "title": "Termination of Order",
      "category": "duration",
      "summary": "This Order will terminate on April 11, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint in federal court alleging any violation of the Order, whichever comes later, subject to certain exceptions.",
      "verbatim_text": "This Order will terminate on April 11, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this Order that terminates in less than twenty (20) years; B. This Order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Surveillance"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.13_watershed_development",
      "company_name": "Watershed Development Corp.",
      "date_issued": "2013-04-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter",
      "docket_number": "C-4398"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Data Practices",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent the extent to which Covered Information is collected, used, disclosed, or shared, or the extent to which users may exercise control over such information.",
      "verbatim_text": "IT IS ORDERED that respondents and their officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: A. The extent to which Covered Information is collected, used, disclosed, or shared; and\n\nB. The extent to which users may exercise control over the collection, use, disclosure, or sharing of Covered Information collected from or about them, their computers or devices, or their online activities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl",
      "company_name": "Goldenshores Technologies, LLC",
      "date_issued": "2014-04-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter",
      "docket_number": "C-4446"
    },
    {
      "provision_number": "II",
      "title": "Geolocation Information Collection Requirements",
      "category": "affirmative_obligation",
      "summary": "Respondents must provide clear and prominent disclosures and obtain affirmative express consent before collecting, transmitting, or allowing transmission of geolocation information from mobile applications.",
      "verbatim_text": "A. Clearly and prominently, immediately prior to the initial collection of or transmission of such information, and on a separate screen from, any final “end user license agreement,” “privacy policy,” “terms of use” page, or similar document, discloses to the consumer the following: 1. That such application collects, transmits, or allows the transmission of, geolocation information;\n\n2. How geolocation information may be used;\n\n3. Why such application is accessing geolocation information; and\n\n4. The identity or specific categories of third parties that receive geolocation information directly or indirectly from such application; and\n\nB. Obtains affirmative express consent from the consumer to the transmission of such information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl",
      "company_name": "Goldenshores Technologies, LLC",
      "date_issued": "2014-04-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter",
      "docket_number": "C-4446"
    },
    {
      "provision_number": "III",
      "title": "Data Deletion Requirement",
      "category": "affirmative_obligation",
      "summary": "Respondents must delete all Covered Information relating to Affected Consumers that was collected prior to the order's entry date.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents, within ten (10) days from the date of entry of this Order, shall delete all Covered Information relating to Affected Consumers that is within their possession, custody, or control and was collected at any time prior to the date of entry of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl",
      "company_name": "Goldenshores Technologies, LLC",
      "date_issued": "2014-04-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter",
      "docket_number": "C-4446"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondents must maintain and make available to the FTC various documents including advertisements, promotional materials, complaints, and compliance documentation for five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall, for five (5) years from the entry of this order or from the date of preparation, whichever is later, maintain and upon request make available to the Federal Trade Commission for inspection and copying: A. All advertisements and promotional materials containing any representation covered by this order, including but not limited to respondents’ terms of use, end-user license agreements, frequently asked questions, privacy policies, and other documents publicly disseminated relating to: (a) the collection of data; (b) the use, disclosure or sharing of such data; and (c) opt-out practices and other mechanisms to limit or prevent such collection of data or the use, disclosure, or sharing of data;\n\nB. All materials that were relied upon in disseminating any representation covered by this order;\n\nC. Complaints or inquiries relating to any Covered Application, and any responses to those complaints or inquiries; and\n\nD. Documents that are sufficient to demonstrate compliance with each provision of this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl",
      "company_name": "Goldenshores Technologies, LLC",
      "date_issued": "2014-04-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter",
      "docket_number": "C-4446"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment Requirements",
      "category": "acknowledgment",
      "summary": "Respondents must deliver a copy of the order to relevant personnel and obtain signed acknowledgments of receipt for five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall for five (5) years from the entry of this order deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondents shall deliver this order to current personnel within thirty (30) days after the date of service of this order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl",
      "company_name": "Goldenshores Technologies, LLC",
      "date_issued": "2014-04-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter",
      "docket_number": "C-4446"
    },
    {
      "provision_number": "VI",
      "title": "Corporate Change Notification (Goldenshores Technologies, LLC)",
      "category": "compliance_reporting",
      "summary": "Goldenshores Technologies, LLC must notify the Commission at least thirty days prior to any corporate change that may affect compliance obligations.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Goldenshores Technologies, LLC, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In the Matter of Goldenshores Technologies, LLC, File No. 132-3087.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl",
      "company_name": "Goldenshores Technologies, LLC",
      "date_issued": "2014-04-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter",
      "docket_number": "C-4446"
    },
    {
      "provision_number": "VII",
      "title": "Individual Employment Change Notification (Erik M. Geidl)",
      "category": "compliance_reporting",
      "summary": "Erik M. Geidl must notify the Commission of discontinuance of current business or employment, or affiliation with any new business or employment, for ten years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Erik M. Geidl, for a period of ten (10) years after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment. The notice shall include respondent’s new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In the Matter of Goldenshores Technologies, LLC, File No. 132-3087.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl",
      "company_name": "Goldenshores Technologies, LLC",
      "date_issued": "2014-04-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter",
      "docket_number": "C-4446"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must file compliance reports with the Commission within sixty days and upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents, within sixty (60) days after the date of service of this order, shall each file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of their own compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, they shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl",
      "company_name": "Goldenshores Technologies, LLC",
      "date_issued": "2014-04-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter",
      "docket_number": "C-4446"
    },
    {
      "provision_number": "IX",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order will terminate on March 31, 2034, or twenty years from the most recent date that a federal complaint alleging violation of the order is filed, whichever comes later.",
      "verbatim_text": "This order will terminate on March 31, 2034, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl",
      "company_name": "Goldenshores Technologies, LLC",
      "date_issued": "2014-04-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter",
      "docket_number": "C-4446"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations about Privacy of Covered Information",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, expressly or by implication, the extent to which it collects, uses, discloses, retains, or shares Covered Information, or the extent to which consumers can limit or control such practices.",
      "verbatim_text": "IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, must not misrepresent, in any manner, expressly or by implication: A. The extent to which Respondent collects, uses, discloses, retains, or shares Covered Information; and\n\nB. The extent to which consumers can limit, control, or prevent Respondent’s collection, use, disclosure, retention, or sharing of Covered Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.17_turn",
      "company_name": "Turn Inc.",
      "date_issued": "2017-04-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter",
      "docket_number": "C-4612"
    },
    {
      "provision_number": "II",
      "title": "Required Disclosure and Opt-Out Mechanism",
      "category": "affirmative_obligation",
      "summary": "While Respondent engages in Targeted Advertising, it must place a clear opt-out hyperlink on its homepage, provide a disclosure and opt-out mechanism on the linked page, and describe the technologies used for Targeted Advertising — all within 30 days of service of the order.",
      "verbatim_text": "A. Place a Clear and Conspicuous hyperlink on the homepage of the Turn website that states “Consumer Opt Out of Targeted Advertising.” When selected, the hyperlink shall take consumers directly to the mechanism required by Part II.B of the order;\n\nB. On the webpage linked from the hyperlink described in II.A, provide a Clear and Conspicuous disclosure that explains what information is collected and used for Targeted Advertising, accompanied by a Clear and Conspicuous mechanism that enables users to opt out of such Targeted Advertising; and\n\nC. Describe the technologies and methods used for Targeted Advertising on its website.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "04.17_turn",
      "company_name": "Turn Inc.",
      "date_issued": "2017-04-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter",
      "docket_number": "C-4612"
    },
    {
      "provision_number": "III",
      "title": "Requirement to Honor Consumer Controls",
      "category": "affirmative_obligation",
      "summary": "Respondent must honor signals indicating activation of a Mobile Operating System control to opt out of or limit Targeted Advertising when Respondent knows or reasonably should know it is receiving such a signal.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, whether acting directly or indirectly, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, must honor a signal it receives that indicates the activation of a Mobile Operating System control to opt out of or otherwise control or limit Targeted Advertising when: A. Respondent knows or reasonably should know that it is receiving such a signal; and B. Respondent knows or reasonably should know that such signal indicates the activation of a Mobile Operating System control to opt out of or otherwise control or limit Targeted Advertising.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "04.17_turn",
      "company_name": "Turn Inc.",
      "date_issued": "2017-04-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter",
      "docket_number": "C-4612"
    },
    {
      "provision_number": "IV",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order to the Commission within 10 days, deliver copies to relevant personnel, and obtain signed acknowledgments from recipients within 30 days.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 10 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives having managerial responsibilities for conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reporting. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.17_turn",
      "company_name": "Turn Inc.",
      "date_issued": "2017-04-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter",
      "docket_number": "C-4612"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn compliance report one year after issuance, notify the Commission within 14 days of structural or contact changes or bankruptcy filings, ensure all sworn submissions comply with 28 U.S.C. § 1746, and submit all filings via the specified email or courier.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (2) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business; (4) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (5) provide a copy of each Acknowledgments of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Turn Inc., FTC File No. 1523099.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.17_turn",
      "company_name": "Turn Inc.",
      "date_issued": "2017-04-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter",
      "docket_number": "C-4612"
    },
    {
      "provision_number": "VI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified categories of records for 10 years after issuance (retaining each for 5 years), including accounting records, personnel records, consumer complaints, public representations about data practices, and all compliance records.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for 10 years after the issuance date of the Order, and retain each such record for 5 years. Specifically, Respondent must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints or inquiries, whether received directly or indirectly, such as through a third party, concerning: (1) any collection of Covered Information by Respondent; (2) the use, disclosure, or sharing of such Covered Information by Respondent; or (3) opt-out practices or any other mechanism to limit or prevent such collection of Covered Information or the use, disclosure, or sharing of Covered Information collected by Respondent, as well as any responses to such complaints or inquiries;\n\nD. A copy of each publicly disseminated representation by Respondent that describes the extent to which Respondent collects, uses, discloses, retains, or shares Covered Information, including any representation concerning a change in any website or other service controlled by Respondent that relates Respondent’s collection, use, disclosure, retention, or sharing of Covered Information; and\n\nE. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.17_turn",
      "company_name": "Turn Inc.",
      "date_issued": "2017-04-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter",
      "docket_number": "C-4612"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission may monitor Respondent's compliance by requesting additional reports, records, and interviews; communicating directly with Respondent; and using any other lawful means including undercover methods.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying;\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present; and\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.17_turn",
      "company_name": "Turn Inc.",
      "date_issued": "2017-04-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter",
      "docket_number": "C-4612"
    },
    {
      "provision_number": "VIII",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC website and terminates on April 6, 2037, or 20 years from the most recent date a complaint alleging a violation is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on April 6, 2037, or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. If such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.17_turn",
      "company_name": "Turn Inc.",
      "date_issued": "2017-04-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter",
      "docket_number": "C-4612"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "For twenty years, Defendant must not misrepresent the extent to which it accesses, reviews, or discloses Covered Information, or the extent to which it secures Covered Home Security Products against credential-based online attacks.",
      "verbatim_text": "IT IS ORDERED that, for twenty years after entry of this Order, Defendant and Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the manufacturing, advertising, promotion, offering, sale, or distribution of any Covered Home Security Product, must not misrepresent in any manner, expressly or by implication: A. The extent to which, or the purposes for which, Defendant or any contractor working on Defendant’s behalf accesses, reviews, or discloses Covered Information; or\n\nB. The extent to which Defendant secures Covered Home Security Products against online attacks resulting from external actors’ misuse of valid authentication credentials of users of Covered Home Security Products.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "II",
      "title": "Mandated Deletion of Data and Affected Work Product",
      "category": "affirmative_obligation",
      "summary": "Defendant must delete Pre-March 2018 Covered Recordings within 30 days, and Face Embeddings and Affected Work Product within 90 days, then provide a sworn written confirmation of deletion within 90 days.",
      "verbatim_text": "1. Within thirty (30) days of entry of this Order, delete or destroy all Pre-March 2018 Covered Recordings;\n\n2. Within ninety (90) days of entry of this Order, delete or destroy all Face Embeddings collected before March 1, 2018 including through any Pre-March 2018 Covered Recordings; and\n\n3. Within ninety (90) days of entry of this Order, delete or destroy any Affected Work Product unless such deletion is technically infeasible, in which case the Ring Principal Executive Officer must provide a written statement to the Commission within ninety (90) days of entry of this Order, sworn under penalty of perjury, identifying any such Affected Work Product, certifying that such deletion or destruction is technically infeasible, and providing a reasonable explanation for that determination. The written statement must be based on the personal knowledge of the Principal Executive Officer or subject matter experts upon whom the Principal Executive Officer reasonably relies in making the statement.\n\nB. Defendant must, within ninety (90) days of entry of this Order, provide a written statement to the Commission, sworn under penalty of perjury, confirming the deletion or destruction of all Covered Home Security Recordings, Face Embeddings, and Affected Work Product covered by Subprovision II.A above.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "III",
      "title": "Mandated Privacy and Data Security Program",
      "category": "affirmative_obligation",
      "summary": "Within 180 days, Defendant must establish a comprehensive privacy and data security program covering documentation, risk assessments, safeguards, training, access controls, monitoring, testing, service provider oversight, and program evaluation, and maintain it for 20 years.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant must, within one hundred and eighty (180) days of entry of this Order, establish and implement, and thereafter maintain for twenty (20) years after entry of this Order, a comprehensive privacy and data security program (the “Program”) that protects the privacy, security, confidentiality, and integrity of Covered Information. To satisfy this requirement, Defendant must, at a minimum:\n\nA. Document in writing the relevant content, implementation, and maintenance of the Program;\n\nB. Provide the written program and any evaluations thereof or updates thereto to a senior officer responsible for the Program at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Program;\n\nD. Assess and document, at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of a response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner, internal and external risks to the privacy, security, confidentiality, or integrity of Covered Information (and, if conducted following a Covered Incident, related to the Covered Incident) that could result in the (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Defendant identifies to the privacy, security, confidentiality, or integrity of Covered Information identified in response to Subprovision III.D. 
Each safeguard must be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized and result in the: (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information. Such safeguards must also include: 1. Not permitting any human review by Defendant’s employees or contractors of any Covered Home Security Recording, unless, prior to such review, Defendant: a) Implements a policy prohibiting such review unless it is: (1) Required by law or legal process (such as a court order or search warrant); (2) In connection with an investigation of suspected or actual illegal activity; (3) To establish, exercise, or defend Defendant’s legal rights; (4) Necessary or appropriate to prevent physical or other harm or financial loss; or (5) Otherwise authorized by an Authorized User via Affirmative Express Consent; and b) Requires any employee or contractor in a role that involves accessing Covered Home Security Recording(s) for such human review to attest that the reviewer will only access or view the Covered Home Security Recording for the purpose(s) specified by Defendant and for no other purpose; and c) Requires that any such employees or contractors be trained on how to review Covered Home Security Recordings in accordance with the purpose specified by Defendant. 2. Periodically verifying, at least once every twelve (12) months, that the Defendant is restricting access to Covered Home Security Recordings as required by Subprovision III(E)(1); 3. 
Training of all employees and contractors whose responsibilities include access to Covered Information, at least every twelve (12) months, on how to safeguard Covered Information; provided, however, that this requirement shall not obligate Defendant to provide training to employees and contractors whose responsibilities only include access to encrypted Covered Information without the ability to decrypt them; 4. Data access controls for employee or contractor access to all databases and assets storing Covered Home Security Recordings, including by, at a minimum: a) Restricting inbound connections to approved IP addresses or other equivalent or stronger protections; b) Requiring multi-factor authentication methods for all employees, contractors, and affiliates in order to access any assets (including databases) storing Covered Home Security Recordings. Defendant may use equivalent industry authentication options that are not multi-factor, if the person responsible for the Program under Subprovision III.C: (1) approves in writing the use of such equivalent authentication options; and (2) documents a written explanation of how the authentication options are at least equivalent to the security provided by multi-factor authentication; c) Limiting employee or contractor access to Covered Home Security Recordings to what is needed to perform that employee’s or contractor’s job function; and d) Reviewing, at least once every twelve (12) months, employee and contractor access to Covered Home Security Recordings to ensure that the employee or contractor needs continued access to the Covered Home Security Recordings to perform the employee or contractor’s job function; provided, however, that this requirement shall not obligate Defendant to implement data access controls for employees and contractors who can only access encrypted Covered Home 
Security Recordings without the ability to decrypt them; 5. Technical measures to log and monitor employee and contractor access to Covered Information, including each instance in which a Covered Home Security Recording is accessed; provided, however, that this requirement shall not obligate Defendant to log and monitor access by employees and contractors to encrypted Covered Information without the ability to decrypt it; 6. Technical measures to secure Covered Home Security Products from online attacks resulting from the misuse of valid authentication credentials of users of Covered Home Security Products, such as: a) Where passwords are used to secure users’ Ring Accounts, requiring that users use strong passwords to secure their Ring Accounts, and recommending that they use unique passwords; and b) Requiring multi-factor authentication methods be provided as an option for consumers to access Covered Home Security Recordings. Defendant may use equivalent industry authentication options that are not multi-factor, if the person responsible for the Program under Subprovision III.C: (1) approves in writing the use of such equivalent authentication options; and (2) documents a written explanation of how the authentication options are at least equivalent to the security provided by multi-factor authentication; and 7. Encryption in transit and at rest of all Covered Home Security Recordings in Defendant’s control;\n\nF. 
Assess, at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner, the sufficiency of any safeguards in place to address the internal and external risks to the privacy, security, confidentiality, or integrity of Covered Information (and, if conducted following a Covered Incident, related to the Covered Incident), and modify the Program as needed based on the results;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner (and, if conducted following a Covered Incident, related to the Covered Incident), and modify the Program as needed based on the results. Such testing and monitoring must include: 1. Vulnerability testing of Defendant’s network(s) once every four (4) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner (and, if conducted following a Covered Incident, related to the Covered Incident); 2. Vulnerability testing of the Covered Home Security Products before the launch of any new Covered Home Security Product or before any material change to any Covered Home Security Product, including any material hardware or software update to the Covered Home Security Product and, in the event of a Covered Incident relating to a Covered Home Security Product, within thirty (30) days after completion of response to the Covered Incident or ninety (90) days after the Covered Incident, whichever is sooner; and 3. 
Penetration testing of Defendant’s access controls described in Subprovision III.E(4) at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner (and, if conducted following a Covered Incident, related to the Covered Incident);\n\nH. Select and retain service providers capable of safeguarding Covered Information they access through or receive from Defendant, and contractually require such service providers to implement and maintain safeguards sufficient to address the internal and external risks to the privacy, security, confidentiality, or integrity of Covered Information; and\n\nI. Evaluate and adjust the Program in light of any changes to Defendant’s operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in Subprovision III.D of this Order, or any other circumstances that Defendant knows or has reason to know may have an impact on the effectiveness of the Program. At a minimum, Defendant must evaluate the Program at least once every twelve (12) months and modify the Program as needed based on the results.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "IV",
      "title": "Assessments by a Third Party",
      "category": "assessment",
      "summary": "Defendant must obtain initial and biennial third-party assessments of its privacy and data security program from qualified, independent assessors, covering the first year and each two-year period thereafter for 20 years, with assessments completed within 60 days after each reporting period ends.",
      "verbatim_text": "A. The Assessment must be obtained from one or more qualified, objective, independent third-party professionals (“Assessor(s)”) who: (1) use procedures and standards generally accepted in the profession; (2) conduct an independent review of the Program; (3) retain all documents relevant to each Assessment for five (5) years after completion of such Assessment; and (4) will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor(s) on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim. Defendant may obtain separate assessments for (1) privacy and (2) security, confidentiality, and integrity from multiple Assessors, so long as each of the Assessors meets the qualifications set forth above;\n\nB. For each Assessment, Defendant must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name(s), affiliation(s), and qualifications of the proposed Assessor(s), which the Associate Director shall have the authority to approve in her or his sole discretion;\n\nC. The reporting period for the Assessments must cover: (1) the first year after the entry date of the Order for the initial Assessment; and (2) each two-year period 15 Case 1:23-cv-01549-JMC Document 12 Filed 06/16/23 Page 16 of 31 thereafter for twenty (20) years after entry of the Order for the biennial Assessments;\n\nD. Each Assessment must, for the entire assessment period: 1. Determine whether Defendant has implemented and maintained the Program required by Provision III of this Order titled Mandated Privacy and Data Security Program; 2. Assess the effectiveness of Defendant’s implementation and maintenance of Subprovisions III.A-I; 3. 
Identify any gaps or weaknesses in, or instances of material noncompliance with, the Program; 4. Address the status of gaps or weaknesses in, or instances of material non- compliance with, the Program that were identified in any prior Assessment required by this Order; and 5. Identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of the Defendant’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Defendant’s management. The Assessment must be signed by the Assessor and must state that the Assessor conducted an independent review of the Program, and did not rely primarily on assertions or attestations by 16 Case 1:23-cv-01549-JMC Document 12 Filed 06/16/23 Page 17 of 31 Defendant’s management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Defendant revises, updates, or adds one or more safeguards required under Subprovision III.E of this Order in the middle of an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard;\n\nE. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendant must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. 
Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “FTC v. Ring LLC.” All subsequent biennial Assessments must be retained by Defendant until the Order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "V",
      "title": "Cooperation with Third-Party Assessor(s)",
      "category": "affirmative_obligation",
      "summary": "Defendant must fully cooperate with Assessors by providing all relevant information, granting visibility into networks and IT assets, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege or work product protection;\n\nB. Provide or otherwise make available to the Assessor information about Covered Home Security Products, Defendant’s network(s), and all of Defendant’s IT assets that is relevant to the Assessor’s determination of the scope of the Assessment, and to provide visibility to those portions of the networks and IT assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor(s), and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Defendant has implemented and maintained the Program required by Provision III of this Order titled Mandated Privacy and Data Security Program; (2) assessment of the effectiveness of the implementation and maintenance of Subprovisions III.A-I; or (3) identification of any gaps or weaknesses in, or instances of material non-compliance with, the Program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "VI",
      "title": "Certifications",
      "category": "compliance_reporting",
      "summary": "Starting one year after entry and annually for 20 years, the Ring Principal Executive Officer must certify to the Commission that Defendant has established and maintained the Order's requirements and is unaware of any undisclosed material noncompliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that, one year after the entry date of this Order, and each year thereafter for twenty (20) years after the entry of this order: 18 Case 1:23-cv-01549-JMC Document 12 Filed 06/16/23 Page 19 of 31 A. Defendant must provide the Commission with a certification from the Ring Principal Executive Officer that Defendant: 1. Has established, implemented, and maintained the requirements of this Order; and 2. Is not aware of any material noncompliance with the requirements of this Order that has not been disclosed to the Commission. 3. Each certification must be based on the personal knowledge of the Principal Executive Officer or subject matter experts upon whom the Principal Executive Officer reasonably relies in making the certification; and\n\nB. Unless otherwise directed by a Commission representative in writing, Defendant must submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “FTC v. Ring LLC.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "VII",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "For 20 years, Defendant must report Covered Incidents to the Commission within 10 days of notifying any U.S. government entity or determining no notice is needed, including details about the incident, affected consumers, remediation steps, and copies of consumer notices.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for twenty (20) years after entry of this order, within a reasonable time after Defendant’s discovery of a Covered Incident, but in any event no later than ten (10) days after the Defendant first notifies any United States federal, state, or local entity of a Covered Incident or determines that no such notice is needed, the Defendant must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; 19 Case 1:23-cv-01549-JMC Document 12 Filed 06/16/23 Page 20 of 31 B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. The number of consumers whose Covered Home Security Recordings were affected by the Covered Incident; D. The acts that Defendant has taken to date to remediate the Covered Incident and protect Covered Home Security Recordings from further exposure or access, and protect affected consumers from identity theft or other harm that may result from the Covered Incident; and E. A representative copy of any materially different notice sent by Defendant to consumers or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. The subject line must begin, “FTC v. Ring LLC.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "VIII",
      "title": "Notices to Customers",
      "category": "affirmative_obligation",
      "summary": "Defendant must identify all consumers with Ring accounts before February 1, 2018, and send each a notice (per Attachment A) within 180 days of Order entry, and notify any newly identified eligible customers within 30 days of their identification.",
      "verbatim_text": "A. Identify all consumers who had Ring accounts before February 1, 2018 (“eligible customers”). Ring must take reasonable efforts to identify such eligible customers, and their contact information. Eligible customers include those identified at any time;\n\nB. Notify all identified eligible customers by emailing each a notice in the form shown in Attachment A. The emailing of the notification letter must not include any other enclosures; and\n\nC. Notify all eligible customers within 180 days after the entry date of this Order and any eligible customers identified thereafter within 30 days of their identification.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "IX",
      "title": "Monetary Judgment",
      "category": "affirmative_obligation",
      "summary": "Judgment of $5,800,000 is entered against Defendant, payable to the Commission within 7 days of Order entry via electronic fund transfer.",
      "verbatim_text": "A. Judgment in the amount of five million eight hundred thousand dollars ($5,800,000) is entered in favor of the Commission against Defendant;\n\nB. Defendant is ordered to pay to the Commission five million eight hundred thousand dollars ($5,800,000), which, as Defendant stipulates, their undersigned counsel holds in escrow for no purpose other than payment to the Commission; and C. Such payment must be made within seven (7) days of entry of this Order by electronic fund transfer in accordance with instructions previously provided by a representative of the Commission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "X",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Defendant relinquishes all rights to transferred assets, the Complaint's facts may be taken as true in future enforcement proceedings, Defendant must submit its Taxpayer Identification Number, and all money paid may be used for equitable relief or deposited to the U.S. Treasury.",
      "verbatim_text": "A. Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets;\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission to enforce its 21 Case 1:23-cv-01549-JMC Document 12 Filed 06/16/23 Page 22 of 31 rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case;\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by or on behalf of the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes;\n\nD. Defendant acknowledges that its Taxpayer Identification Numbers (Social Security Numbers or Employer Identification Numbers), which Defendant must submit, may be used for collecting and reporting on any delinquent amount arising out of this order, in accordance with 31 U.S.C. § 7701; and\n\nE. All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for equitable relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other equitable relief (including consumer information remedies) as it determines to be reasonably related to Defendant’s practices alleged in the Complaint. Any money not used for such equitable relief is to be deposited to the U.S. Treasury as disgorgement. 
Defendant has no right to challenge any actions the Commission or its representatives may take pursuant to this Subprovision.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "XI",
      "title": "Customer Information",
      "category": "affirmative_obligation",
      "summary": "Defendant must provide sufficient customer information to enable the Commission to administer consumer redress, and respond to any written Commission request for redress-related information within 14 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant must directly or indirectly provide sufficient customer information to enable the Commission to efficiently administer consumer redress. If a representative of the Commission requests in writing any information related to redress, Defendant must provide it, in the form prescribed by the Commission, within fourteen (14) days.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "XII",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Defendant must submit a sworn acknowledgment of receipt within 7 days, deliver copies of the Order to all relevant personnel within 7 days (and to future personnel before they assume responsibilities), and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Defendant, within seven (7) of entry this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For three (3) years after the entry date of this Order, Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members of Defendant; (2) all employees, agents, and representatives of Defendant managing conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reporting. Delivery must occur within seven (7) days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "XIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendant must submit a sworn compliance report one year after entry, timely compliance notices within 14 days of any structural or contact changes for 10 years, notice of any bankruptcy filing within 14 days, and all sworn submissions must follow the specified format and submission procedures.",
      "verbatim_text": "A. One year after the entry date of this Order, Defendant must submit a compliance report, sworn under penalty of perjury: 1. Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Defendant; (b) identify all of Defendant’s subsidiaries that collect, maintain, use, or disclose, or provide access to Covered Home Security Recordings by all of their names, telephone numbers, and physical, postal, email, and internet addresses; (c) describe the activities of each such subsidiary, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Defendant is in compliance with each Provision of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For ten (10) years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in: (a) any designated point of contact; or (b) the structure of Defendant that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary that engages in any acts or practices subject to this Order.\n\nC. Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendant within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “FTC v. Ring LLC.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "XIV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendant must create certain records for 10 years after entry and retain each for 5 years, including accounting records, personnel records, consumer complaints, marketing materials, representations about recording access, and all records demonstrating full compliance with this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant must create certain records for ten (10) years after the entry date of the Order, and retain each such record for five (5) years. Specifically, Defendant must create and retain the following records: A. accounting records showing the revenues from all goods or services sold relating to the subject matter of the Order, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. personnel records showing, for each person who participates in conduct related to the subject matter of this Order, whether as an employee or otherwise, that person’s: name; job title or position; and dates of service;\n\nC. records of all consumer complaints and refund requests related to the subject matter of this Order received through Defendant’s customer service channels, and any response, except to the extent that deletion of such records has been requested by a consumer;\n\nD. a copy of each unique advertisement or other marketing material making a representation subject to this Order;\n\nE. a copy of each widely externally-disseminated representation by Defendant that describes the extent to which, or the purposes for which, Defendant or any employee or contractor working on Defendant’s behalf accesses or reviews any Covered Home Security Recording; and\n\nF. all records necessary to demonstrate full compliance with this Order, including all submissions to the Commission, all notices distributed pursuant to Provision VIII, and all documents related to Defendant’s verifications pursuant to Subprovision III.E.2.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "XV",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Defendant's compliance by requiring additional reports and document production within 14 days of request, communicating directly with and interviewing Defendant's personnel, and using any lawful means including undercover representatives.",
      "verbatim_text": "A. Within fourteen (14) days of receipt of a written request from a representative of the Commission, Defendant must: submit additional compliance reports or other 26 Case 1:23-cv-01549-JMC Document 12 Filed 06/16/23 Page 27 of 31 requested infonnation, which must be sworn under penalty ofpe1jmy, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Defendant. Defendant must pennit representatives of the Commission to interview any employee or other person affiliated with Defendant who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulso1y process, pmsuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "XVI",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification,and enforcement of this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Comi retains jmisdiction of this matter for pmposes of construction, modification, and enforcement of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.24_ring",
      "company_name": "Ring LLC",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc",
      "docket_number": "1:23-cv-01549"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner the extent to which they collect, use, maintain, disclose, or delete Covered Information, or the extent to which their Location Data is Deidentified.",
      "verbatim_text": "IT IS ORDERED that Respondents and Respondents' officers, agents, employees, and all other persons in active conceit or paiiicipation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the adve1iising, promotion, offering for sale, sale, or distribution of any product or service, must not misrepresent, in any manner, expressly or by implication: A. The extent to which Respondents collect, use, maintain, disclose, or delete any Covered Info1mation; and\n\nB. The extent to which the Location Data that Respondents collect, use, maintain, or disclose is Deidentified.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "II",
      "title": "Prohibitions on the Use, Sale, or Disclosure of Sensitive Location Data",
      "category": "prohibition",
      "summary": "Respondents must not sell, license, transfer, share, disclose, or otherwise use Sensitive Location Data associated with identified Sensitive Locations, subject to narrow exceptions for data conversion or direct consumer relationships with Affirmative Express Consent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, whether acting directly or indirectly, must not sell, license, transfer, share, disclose, or othe1wise use in any products or services Sensitive Location Data associated with the Sensitive Locations that Respondents have identified within 180 days of the issuance of this Order as paii of the Sensitive Locations Data Program established and maintained pmsuant to Provision III below. Provided, however, that the prohibitions in this Provision II do not apply if Respondents: (i) use Sensitive Location Data to conve1i such data into data that (a) is not Sensitive Location Data or (b) is not Location Data; or (ii) have a direct relationship with the consumer related to the Sensitive Location Data, the consumer has provided Affnmative Express Consent, and the Sensitive Location Data is used to provide a service directly requested by the consumer.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "III",
      "title": "Sensitive Location Data Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish and maintain a Sensitive Location Data Program within 180 days, including documented policies, a senior officer responsible, biannual assessments, technical controls, and timely deletion of Sensitive Location Data.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, within 180 days of the issuance of this Order, must establish and implement, and thereafter maintain, a Sensitive Location Data Program to develop a comprehensive list of Sensitive Locations and to prevent the use, sale, licensing, transfer, or disclosme of Sensitive Location Data as provided in Provision II above. To satisfy this requirement, Respondents must, at a minimum:\n\nA. Document in writing the components of the Sensitive Location Data Program as well as the plan for implementing and maintaining the Sensitive Location Data Program;\n\nB. Identify a senior officer, such as a Chief Privacy Officer or Chief Compliance Officer, to be responsible for the Sensitive Location Data Program. The senior officer will be approved by and repo1i directly to the board of directors or a committee thereof or, if no such board or equivalent body exists, to the principal executive officer of Respondents;\n\nC. Provide the written program and any evaluations thereof or updates thereto to Respondents' board of directors or governing body or, if no such board or equivalent body exists, to the principal executive officer of Respondents at least eve1y twelve months;\n\nD. Develop and implement procedmes to identify Sensitive Locations to be used by Respondent in preventing the sale, license, transfer, use, or other sharing or disclosme of Sensitive Location Data as provided in Provision II above. If a building or place is identified as including both a Sensitive Location and a non-Sensitive Location, Respondent may associate Location Data with the non-Sensitive Location only;\n\nE. Assess, update and document, at least once eve1y six months, the accmacy and completeness of Respondents' list of Sensitive Locations. Respondents' assessments must include: 1. Verifying that Respondents' list includes Sensitive Locations known to Respondent; 2. 
Identifying and assessing methods, somces, products, and services developed by Respondents or offered by third paiiies that identify Sensitive Locations; 3. Updating its list of Sensitive Locations by selecting and using the methods, somces, products, or services developed by Respondents or offered by third paiiies that are accmate and comprehensive in identifying Sensitive Locations; 4. Considering new categories of Sensitive Locations, not enumerated in the definition of Sensitive Locations, such as those based on an announcement by a self-regulato1y association. Respondents must detennine whether to add the newly identified categories to Respondents' list of Sensitive Locations and, as applicable, complete these additions within the time frames specified in Section III.G; and 6 5. Documenting each step of this assessment, including the reasons Respondents selected the methods, sources, products, or services used in updating Respondent's list of Sensitive Locations.\n\nF. Implement policies, procedures, and technical measures designed to prevent Respondents from using, selling, licensing, transfening, or othe1wise sharing or disclosing Sensitive Location Data as provided in Provision II above, and monitor and test the effectiveness of these policies, procedures, and technical measures at least once eve1y six months. Such testing must be designed to verify that Respondents are not using, selling, licensing, transfening, or othe1wise sharing or disclosing Sensitive Location Data.\n\nG. Initiate the process of deleting or rendering non-sensitive, Sensitive Location Data associated with locations included in the list developed pursuant to Subpaiis D and E, within 5 days of adding the location to the list of Sensitive Locations, and complete the process within 90 days of initiation, except where retention is needed to fulfill an allowed purpose as provided in Provision II above. 
The time period to complete this process may be extended by additional 45 days periods (not to exceed 180 total days) when reasonably necessa1y, provided the Respondents document at each interval, the reasons for the extension and the progress made, and Respondents must not use, provide access to, or disclose Sensitive Location Data during the process of deleting or rendering non sensitive, for any other purpose; and\n\nH. Evaluate and adjust the Sensitive Location Data Program in light of any changes to Respondents' operations or business anangements, or any other circumstance that Respondents know or have reason to know may have an impact on the Sensitive Location Data Program's effectiveness. At a minimum, Respondents must evaluate the Sensitive Location Data Program eve1y twelve months and implement modifications based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "IV",
      "title": "Other Location Data Obligations",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish within 180 days policies, procedures, and technical measures to prevent recipients of their Location Data from associating it with LGBTQ+ service locations, political/social demonstrations, or individuals' private residences, including contractual prohibitions, marking techniques, compliance assessments, and termination of non-compliant relationships.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, within 180 days of the issuance of this Order, must establish and implement, and thereafter maintain policies, procedures, and technical measures designed to prevent recipients of Respondents' Location Data, for any such Location Data received after the issuance of this Order, from (i) associating such data with (a ) locations held out to the public as predominantly providing services to LGBTQ+ individuals such as service organizations, bars and nightlife, (b) locations of public gatherings of individuals during political or social demonstrations, mai·ches and protests, or (ii) using such Location Data to dete1mine the identity or the location of an individual's home, i.e., the location of any individual's private residences (e.g., single family homes, apa1iments, condominiums, townhomes) (together, \"Prohibited Uses\"). Respondents must identify a senior officer, such as a Chief Privacy Officer or Chief Compliance Officer, to be responsible for these policies, procedures, and technical measures. Such policies, procedures, and technical measures shall include:\n\n1. contractual prohibitions against recipients of Respondents' Location Data from reselling, transfening, or disclosing Respondents' Location Data in its Raw Fo1mat to a third party (\"Reselling\"), and from using Respondents' Location Data in whole or in paii to associate a specific individual with the locations identified above.\n\n2. marking techniques, such as seeding, or salting, designed to detect recipients' non-compliance with contractual prohibitions against resale or re-license of Respondents' Location Data;\n\n3. assessing and documenting recipients' compliance at least once eve1y twelve months; and\n\n4. te1minating relationships with recipients for non-compliance.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "V",
      "title": "Third-Party Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 30 days of determining a Third-Party Incident has occurred, Respondents must submit a report to the Commission including details about the incident, affected data, number of consumers affected, and remediation steps taken.",
      "verbatim_text": "IT IS FURTHER ORDERED that within 30 days of Respondents' dete1mination that a Third-Pa1iy Incident has occmTed, Respondents must submit a repo1i to the Commission. The repo1i must include, to the extent possible: A. The estimated date range when the Third-Paiiy Incident occmTed; B. A description of the facts relating to the Third-Party Incident, including the causes of the Third-Pa1iy Incident, if known, and paiiicipants; C. A description of each type of info1mation that was affected by the Third-Paiiy Incident; D. The numbers of consumers whose info1mation was affected by the Third-Paiiy Incident; E. The acts Respondents has taken to date to remediate the Third-Pa1iy Incident and protect Covered Info1mation from further exposme or access; and F. Unless othe1wise directed by a Commission representative in writing, Respondents must submit all Third-Paiiy Incident repo1is to the Commission under penalty of pe1jmy as specified in the Section of this Order titled \"Compliance Report and Notices.\"",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "VI",
      "title": "Limitations on Collection, Use, Maintenance, and Disclosure of Location Data",
      "category": "prohibition",
      "summary": "Respondents must not collect or use Location Data where a consumer has opted out via OS privacy settings without documented consent, must not collect Location Data without documented prior consent within 90 days, and must provide Clear and Conspicuous quarterly reminders via Respondents' App.",
      "verbatim_text": "A. Collect, use, maintain, or disclose Location Data from devices where a consumer has enabled the mobile operating system privacy settings to opt out of, limit, or othe1wise decline targeted adve1iising or tracking, without a record satisfying the requirements in Provision VII.B, documenting the consumer's consent.\n\nB. Within 90 days of the effective date of this Order, collect, use, maintain or disclose an individual's Location Data without a record satisfying the requirements in Provision VII.B, documenting the consumer's consent obtained prior to Respondents' collection or use of Location Data.\n\nC. In connection with any Respondents' App, collect, use, maintain, or disclose a consumer's Location Data, unless the consumer receives a Clear and Conspicuous reminder, at least quaiierly, that the consumer's Location Data is being collected and, if applicable, disclosed, along with instructions for a simple conti-ol to tum off Location Data collection. Any such reminder must be done through a consumer-enabled push notification or to an e-mail address provided by the consumer or, if the consumer has not opted into push notifications and an email address is unavailable, through a notice in the application. Provided, however, that reminders mandated by Provision VI.C are not required when Respondents confnm that a consumer's device is utilizing an operating system version that reminds consumers that their Location Data is being collected or that limits Location Data collection by default for infrequently used apps.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "VII",
      "title": "Supplier Assessment Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must implement a Supplier Assessment Program within 90 days to ensure consumer consent for Location Data collection, including documented procedures, initial and annual assessments of third-party suppliers, consent records, and ceasing use of non-consented Location Data.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, within 90 days of the effective date of this Order, must implement a program designed to ensme that consumers have provided consent for the collection and use of Location Data obtained by Respondents, including by implementing and maintaining a \"Supplier Assessment Program.\" In connection with the Supplier Assessment Program, Respondents must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Supplier Assessment Program; and\n\nB. Conduct an initial assessment either within 30 days of a third party entering into data shai·ing agreements with Respondents (o r, for paiiies with existing data-shai·ing agreements, within 30 days of the effective date of this Order) or within 30 days of the initial date of data collection from such a third paiiy, and thereafter annually, designed to confnm that consumers provide Affnmative Express Consent if feasible, or to confnm that consumers specifically consent to the collection, use, and sale of their Location Data.\n\nC. Create and maintain records of the suppliers' responses obtained by Respondents under the Supplier Assessment Program; and\n\nD. Cease from using, selling, licensing, ti-ansfening, or othe1wise shai·ing or disclosing Location Data for which consumers have not provided consent, as provided in Provision VII.B above.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "VIII",
      "title": "Disclosures to Consumers",
      "category": "affirmative_obligation",
      "summary": "Respondents must provide consumers a Clear and Conspicuous means to request the identity of entities to whom their Location Data has been disclosed, or alternatively offer a deletion mechanism with confirmation to recipients within 90 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, and all other persons in active conceit or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must provide a Clear and Conspicuous means for consumers to request the identity of any entity, business, or individual to whom their Location Data has been sold, transfe1Ted, licensed, or otheiwise disclosed. Respondents may require consumers to provide Respondents with infonnation reasonably necessaiy to complete such requests and to verify their identity, but must not use, provide access to, or disclose any infoimation collected for such a request for any other pmpose.\n\nProvided however, that the Disclosme requirements in this Provision VIII do not apply if Respondents provide consumers with a Clear and Conspicuous method to delete their Location Data from the commercial databases of all recipients of such Location Data, expressly instruct (o r conn-actually require) such recipients to honor such requests sent or made available to them by Respondents, expressly request ( or contr·actually demand) written confnmation of deletion of the identified Location Data, and provide consumers with written confnmation of such deletion requests or instructions sent to recipients and written confnmation of deletion from recipients (where confnmed), no later than 90 days of the receipt of consumers requests.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "IX",
      "title": "Withholding and Withdrawing Consent",
      "category": "affirmative_obligation",
      "summary": "Respondents must provide a simple, easily-located means for consumers to withdraw consent for Location Data collection and must not unreasonably limit consumers' ability to withhold or withdraw consent through degradation of product quality or functionality.",
      "verbatim_text": "A. Provide a simple, easily-located means for consumers to withdraw any consent provided in accordance with Provision VII.B (including Affnmative Express Consent) in connection with Location Data. Such means may include a Clear and Conspicuous notice or link to an applicable operating system, device, app peimission or setting, or a consumer app made publicly available (including through the app stores, where peimissible) that automatically opts out mobile device infoimation from use but Respondents must not use, provide access to, or disclose any infoimation collected for such a request for any other pmpose. Provided however, that Respondent may retain such Location Data to prevent, detect, or investigate data secmity incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity directed at the Respondents, for the shortest time reasonably necessaiy to fulfill this pmpose, but Respondents must not use, provide access to, or disclose such Location Data retained for secmity and anti-fraud pmposes, for any other pmpose; and\n\nB. As to Respondents' App, not unreasonably limit a consumer's ability to withhold or withdraw Affnmative Express Consent, such as by degrading the quality or functionality of a product or service as a penalty for withholding or withdrawing consent provided in accordance with Provision VII.B (including Affnmative Express Consent), unless the collection and use of Location Data is technically necessa1y to provide the quality or functionality of the product or service without such degradation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "X",
      "title": "Obligations When Consent is Withdrawn",
      "category": "affirmative_obligation",
      "summary": "Respondents must cease collecting Location Data associated with a specific app and device within 15 days after receiving notice that a consumer has withdrawn their consent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, and Respondents' officers, agents, employees, and all other persons in active conceit or pa1ticipation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must cease collecting all Location Data associated with a specific app and device within 15 days after Respondents receive notice that the consumer withdraws their consent provided in accordance with Provision VII.B (including Affnmative Express Consent) for such collection from that app and device.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "XI",
      "title": "Location Data Deletion Requests",
      "category": "affirmative_obligation",
      "summary": "Respondents must implement and maintain a simple, easily-located means for consumers to request deletion of their Location Data and must delete such data within 30 days of receiving a request.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, and all other persons in active conceit or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must implement and maintain a simple, easily-located means for consumers to request that Respondents delete Location Data that Respondents previously collected from a specific mobile device, and delete Location Data within 30 days of receipt of such request unless a shoiter period for deletion is required by law. Respondents may require consumers to provide Respondents with infonnation necessaiy to complete such requests, but must not use, provide access to, or disclose any infoimation collected for a deletion request for any other pmpose.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "XII",
      "title": "Data Retention Limits",
      "category": "affirmative_obligation",
      "summary": "Respondents must publish a Clear and Conspicuous data retention schedule on their website within 60 days, submit it to the Commission, and update it prior to collecting any new types of consumer information.",
      "verbatim_text": "A. Within 60 days of the effective date of this Order, document, adhere to, and make publicly available through a link on the home page of their website(s), in a manner that is Cleai· and Conspicuous, a retention schedule for Covered Infoimation, setting foith: (1) the purpose or pmposes for which each type of Covered Infoimation is collected or used; (2) the specific business needs for retaining each type of Covered Infoimation; and (3) an established timeframe for deletion of each type of Covered Infoimation limited to the time reasonably necessa1y to fulfill the purpose for which the Covered Inf01mation was collected, and in no instance providing for the indefinite retention of any Covered Infonnation; and\n\nB. Within 60 days of the effective date of this Order, Respondents shall provide a written statement to the Commission, pursuant to the Provision entitled Compliance Repoit and Notices, describing the retention schedule for Covered Infoimation made publicly available on its website(s); and\n\nC. Prior to collecting or using any new type of info1mation related to consumers that was not being collected as of the issuance date of this Order, and is not described in retention schedules published in accordance with sub-Provision A of this Provision entitled Limitation on Retention of Location Data, Respondents must update its retention schedule setting forth: (1) the pmpose or pmposes for which the new info1mation is collected; (2) the specific business needs for retaining the new info1mation; and (3) a set timeframe for deletion of the new info1mation that precludes indefinite retention.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "XIII",
      "title": "Deletion",
      "category": "affirmative_obligation",
      "summary": "Respondents must delete Historic Location Data collected through their apps and SDK within 60 days (or obtain Affirmative Express Consent or Deidentify within 90 days), notify customers who received such data, and delete all Data Products within 90 days.",
      "verbatim_text": "A. Within 60 days after the effective date of this Order, delete or destroy all Historic Location Data that Respondents collected through apps that it operates or collected through Respondents' SDK, and provide a written statement to the Commission, pmsuant to Provision XVII, confnming that all such info1mation has been deleted or destroyed. Provided however, Respondents shall have the option to retain Historic Location Data if it has obtained Affnmative Express Consent from the relevant consumer for the retention of Historic Location Data within 90 days after the effective date of this Order, or if within such time period it ensmes such Historic Location Data is Deidentified or rendered non-sensitive in accordance with Provision III above, and provided that the Historic Location Data is subject to the obligations in Provision IV above. Providedf urther, that such Historic Location Data may be retained to prevent, detect, or investigate data secmity incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity directed at the Respondents, for the sho1iest time reasonably necessa1y to fulfill this pmpose, but Respondents must not use, provide access to, or disclose such Historic Location Data retained for secmity and anti-fraud pmposes, for any other pmpose. Respondents will in any event delete such Historic Location Data for any consumer who selects the deletion option;\n\nB. 
Within 90 days after the effective date of this Order, (i) inform Respondents' customers that received Historic Location Data within 3 years prior to the issuance date of this Order, of the FTC's requirement in Provision XIII.A that the FTC requires such data to be deleted, Deidentified, or rendered non-sensitive, and (ii) Respondents shall promptly submit, within 10 days of sending to its customers, all such notices to the Commission under penalty of perjury as specified in the Section of this Order titled \"Compliance Report and Notices\"; and\n\nC. Within 90 days after the effective date of this Order, delete or destroy all Data Products, and provide a written statement to the Commission, pursuant to Provision XVII, confirming such deletion or destruction.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "XIV",
      "title": "Mandated Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish and maintain a comprehensive privacy program within 60 days, including written documentation, board reporting, a designated coordinator, annual risk assessments, safeguards, annual employee training, and regular program evaluation.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, and any business that Respondents control directly or indirectly, in connection with the collection, maintenance, use, disclosme of, or provision of access to Covered Info1mation, must, within 60 days of the effective date of this 12 Order, establish and implement, and thereafter maintain, a comprehensive privacy program (the \"Program\") that protects the privacy of such Covered Info1mation. To satisfy this requirement, Respondents must at a minimum do the following:\n\nA. Document in writing the content, implementation, and maintenance of the Program;\n\nB. Provide the written program, and any evaluations thereof or updates thereto to Respondents' board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondents responsible for the Program at least once eve1y 12 months;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Program;\n\nD. Assess and document, at least once eve1y 12 months, internal and external risks to the privacy of Covered Info1mation that could result in the: unauthorized collection, maintenance, use, disclosure of, or provision of access to, Covered Info1mation.\n\nE. Design, implement, maintain, and document safeguards that control for the material internal and external risks Respondents identify to the privacy of Covered Info1mation identified in response to Provision XIV.D. Each safeguard must be based on the volume and sensitivity of Covered Info1mation that is at risk, and the likelihood that the risk could be realized and result in the unauthorized collection, maintenance, use, disclosure of, or provision of access to Covered Info1mation.\n\nF. 
On at least an annual basis, provide privacy training programs for all employees and independent contractors responsible for handling or who have access to Covered Information, updated to address any identified material internal or external risks and safeguards implemented pursuant to this Order;\n\nE. Test and monitor the effectiveness of the safeguards at least once every 12 months, and modify the Program based on the results; and\n\nF. Evaluate and adjust the Program in light of any changes to Respondents' operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in Provision XIV.D of this Order, or any other circumstances that Respondents know or have reason to believe may have an impact on the effectiveness of the Program or any of their individual safeguards. At a minimum, Respondents must evaluate the Program at least once every 12 months and modify the Program based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "XV",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondents must submit sworn acknowledgments of receipt of this Order within 10 days, deliver copies to key personnel within 10 days (and to future personnel before they assume responsibilities) for 5 years, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Respondents, within 10 days after the effective date of this Order, must submit to the Commission acknowledgments of receipt of this Order sworn under penalty of pe1jmy.\n\nB. For 5 years after the issuance date of this Order, Respondents must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of this Order, and all agents and representatives having managerial responsibilities for the conduct related to the subject matter of this Order; and (3) any business entity resulting from any change in strncture as set forth in Provision XVI titled Compliance Report and Notices. Delive1y must occur within 10 days after the effective date of this Order for cunent personnel. For all others, delive1y must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondents delivered a copy of this Order, Respondents must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "XVI",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit an annual compliance report one year after the issuance date, provide notices within 14 days of any changes to contact points or corporate structure, and submit notice within 14 days of any bankruptcy filing.",
      "verbatim_text": "A. One year after the issuance date of this Order, each of the Respondents must submit a compliance report, sworn under penalty of pe1jmy, in which the Respondents must: (1) identify the prima1y physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondents; (2) identify all of the Respondents' businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (4 ) describe in detail whether and how the Respondents are in compliance with each Provision of this Order, including a discussion of all of the changes the Respondents made to comply with the Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. The Respondents must submit a compliance notice, sworn under penalty of pe1jmy, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of the Respondents or any entity that Respondents have any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidia1y, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. The Respondents must submit notice of the filing of any bankrnptcy petition, insolvency proceeding, or similar proceeding by or against either Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of pe1jmy must be hue and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: \"I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: __\" and supplying the date, signatory's full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re X-Mode Social, Inc. & Outlogic, LLC., FTC File No. 212-3038.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "XVII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create and retain specified records for 5 years after the issuance date, including accounting records, personnel records, consumer complaints, law enforcement communications, representations about data practices, consent records, reminder records, supplier assessment records, sensitive location program records, deletion request records, and all records necessary to demonstrate full compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents must create ce1tain records for 5 years after the issuance date of the Order, and retain each such record for 5 years. Specifically, Respondents must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold, the costs incuned in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services, whether as an employee or othe1wise, that person's: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies of all consumer complaints that relate to the collection, use, maintenance, or disclosme of Covered Infonnation, whether received directly or indirectly, such as through a third paity, and any response;\n\nD. For 5 years from the date received, copies of communications from law enforcement, if such communications request infonnation or documents relating to Respondents' compliance with this Order;\n\nE. A copy of each widely disseminated representation by either of the Respondents that describes the extent to which Respondents (i) review data suppliers' compliance and consent frameworks, consumer disclosmes, sample notices, and opt-in controls; (ii) the extent to which Respondents collect, use, maintain, disclose, or delete any Covered Infonnation; and (iii) the extent to which the Location Data that Respondents collect, use, maintain, or disclose is Deidentified;\n\nF. Records showing Affnmative Express Consent for any individual consumers or device from which Respondents have collected Location Data through a Respondent App, the specific notice that individual consumers viewed and consented to, and the time and date of consent;\n\nG. Records showing the content and verifying the distribution of Clear and Conspicuous reminders to individual consumers under Provision VI.C;\n\nH. 
Records showing the Respondents' implementation of Supplier Assessment Program required by Provision VII;\n\nI. Records showing Respondents' implementation of the Sensitive Location Data Program required by Provision III;\n\nJ. Records showing Respondent's processing of consumer deletion requests as provided in Provision VIII; and\n\nK. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "XVIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondents' compliance by requesting additional reports and records within 14 days, communicating directly with and interviewing affiliated individuals, and using other lawful means including undercover methods.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission, the Respondents must submit additional compliance reports or other requested info1mation, which must be sworn under penalty of pe1jmy, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondents. Respondents must pe1mit representatives of the Commission to interview anyone affiliated with Respondents who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulso1y process, pmsuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "XIX",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order is final and effective upon publication on ftc.gov and terminates 20 years from issuance or 20 years from the most recent date the Commission files a complaint alleging a violation, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission's website (ftc.gov) as a final order. This Order will te1minate 20\n\npublication on the Commission's website (ftc.gov) as a final order. This Order will te1minate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission's seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal comi alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the dmation of: A. Any Provision in this Order that te1minates in less than 20 yeai·s; B. This Order's application to any Respondents that are not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has te1minated pmsuant to this Provision. Provided, further, that if such complaint is dismissed or a federal comi rnles that the Respondents did not violate any provision of the Order, and the dismissal or rnling is either not appealed or upheld on appeal, then the Order will tenninate according to this Provision as though the complaint had never been filed, except that the Order will not te1minate between the date such complaint is filed and the later of the deadline for appealing such dismissal or rnling and the 16 date such dismissal or mling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "04.24_x-mode_social",
      "company_name": "X-Mode Social, Inc.",
      "date_issued": "2024-04-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc",
      "docket_number": "C-4802"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Information Collection and Use",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner, expressly or by implication, how personally identifiable information is collected or will be used or disclosed.",
      "verbatim_text": "IT IS ORDERED that Respondents, in connection with the collection of personally identifiable information from an individual, shall not misrepresent in any manner, expressly or by implication, how personally identifiable information is collected or will be used or disclosed.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "II",
      "title": "Disclosure Requirements for Noneducational-Related Marketing Use of Student Information",
      "category": "affirmative_obligation",
      "summary": "Respondents must not use or disclose students' personally identifiable information for noneducational-related marketing purposes unless they clearly and conspicuously disclose the nature of such use, the types of entities receiving the information, and that the information is personally identifiable — in all privacy statements, communications, and survey instruments.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, in connection with the collection of personally identifiable information from students, shall not use or disclose such information for any noneducational-related marketing purpose, unless they disclose clearly and conspicuously (a) the existence and nature of such noneducational-related marketing purpose; (b) the types or categories of any entities to which the information will be disclosed; and (c) that the information used or disclosed is personally identifiable. Such disclosures shall be made in the following locations:\n\n(1) in all privacy statements published by Respondents that refer or relate to the collection of personally identifiable information from students;\n\n(2) in all communications to students, parents, educators, or educational institutions that refer or relate to the collection of personally identifiable information from students; and\n\n(3) in all questionnaires, survey instruments, or other documents through which Respondents collect personally identifiable information from students.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "III",
      "title": "Prohibition on Use of Pre-July 30, 2002 Student Data for Marketing",
      "category": "prohibition",
      "summary": "Respondents must not use or disclose for any noneducational-related marketing purpose any personally identifiable information collected through surveys distributed prior to July 30, 2002, from any student who was thirteen years or older at the time of collection.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents shall not use or disclose for any noneducational-related marketing purpose any personally identifiable information collected through surveys distributed prior to July 30, 2002, from any student who was thirteen years or older at the time of collection. For purposes of this Part only, “noneducational-related marketing purpose” shall exclude use or disclosure for the purpose of (a) job recruitment, (b) the provision of student loans, or (c) the provision of standardized test preparation products or services.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "IV",
      "title": "Deletion of Personally Identifiable Information Collected from Children Under Thirteen",
      "category": "affirmative_obligation",
      "summary": "Respondents must delete all personally identifiable information collected through surveys distributed prior to the date of service of this order from any student who was under the age of thirteen at the time of collection.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents shall delete all personally identifiable information collected through surveys distributed prior to the date of service of this order from any student who was under the age of thirteen at the time of collection.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must maintain and make available to the FTC upon request, for five years, copies of documents demonstrating compliance, including survey forms, privacy statements, disclosure documents, and records relating to use or disclosure of personally identifiable information for noneducational-related marketing purposes.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents ERCA and SMG, and their successors and assigns, and Respondents Marian Sanjana and Jan Stumacher shall, for a period of five (5) years after the date of issuance of this order, maintain and upon request make available to the Federal Trade Commission for inspection and copying a print or electronic copy of all documents demonstrating their compliance with the terms and provisions of this order, including, but not limited to:\n\nA. a sample copy of each different survey form, privacy statement, or communication relating to the collection of personally identifiable information to students, parents, educators, or educational institutions containing representations about how personally identifiable information will be used or disclosed. Each Web page copy shall be dated and contain the full URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting the information on the Web;\n\nB. a sample copy of each different document containing the disclosure required by Part II of this order; and\n\nC. all invoices, communications, and records relating to the use or disclosure of personally identifiable information for any noneducational-related marketing purpose.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondents must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities — within thirty days for current personnel and within thirty days of assuming a position for future personnel.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents ERCA and SMG, and their successors and assigns, and Respondents Marian Sanjana and Jan Stumacher shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of this order. Respondents shall deliver this order to such current personnel within thirty (30) days after the date of service of this order, and to such future personnel within thirty (30) days after the person\n\nthe date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "VII",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondents ERCA and SMG must notify the Commission at least thirty days prior to any corporate change that may affect compliance obligations, including dissolution, sale, merger, subsidiary creation, bankruptcy filing, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents ERCA and SMG and their successors and assigns shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which a Respondent learns less than thirty (30) days prior to the date such action is to take place, the Respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the\n\nin the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which a Respondent learns less than thirty (30) days prior to the date such action is to take place, the Respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the\n\nobtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "VIII",
      "title": "Individual Respondents' Business Change Notification",
      "category": "compliance_reporting",
      "summary": "Individual Respondents Marian Sanjana and Jan Stumacher must notify the Commission for five years of any discontinuance of current business or employment, or of any new affiliation involving the collection of personally identifiable information for marketing purposes.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents Marian Sanjana and Jan Stumacher, for a period of five (5) years after the date of issuance of this order, shall notify the Commission of the discontinuance of their current business or employment, or of their affiliation with any new business or employment involving the collection of personally identifiable information for use in marketing products or services. The notice shall include Respondent’s new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must file a written compliance report with the FTC within sixty days of service of this order, and at such other times as the FTC may require, detailing the manner and form in which they have complied.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents ERCA and SMG, and their successors and assigns, and Respondents Marian Sanjana and Jan Stumacher shall, within sixty (60) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "X",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on May 6, 2023, or twenty years from the most recent date the United States or the FTC files a federal court complaint alleging any violation of the order, whichever is later, with specific exceptions for shorter-term Parts, non-named Respondents, and post-termination complaints.",
      "verbatim_text": "This order will terminate on May 6, 2023, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any Respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that a Respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher",
      "company_name": "Educational Research Center of America, Inc.",
      "date_issued": "2003-05-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher",
      "docket_number": "C-4079"
    },
    {
      "provision_number": "I",
      "title": "Ban on Sale of Customer Phone Records",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from obtaining, marketing, or selling customer phone records and consumer personal information derived from customer phone records, except as permitted by law, regulation, or lawful court order.",
      "verbatim_text": "I. IT IS THEREFORE ORDERED that Defendants and their agents, servants, salespersons, employees, independent contractors, attorneys, and those persons in active concert or participation with them, whether acting directly or through any sole proprietorship, partnership, limited liability company, corporation, subsidiary, branch, division, or other entity, who receive actual notice of this Order by personal service or otherwise, are hereby restrained and enjoined from obtaining, causing others to obtain, marketing, or selling customer phone records and consumer personal information that is derived from customer phone records; provided, however, that Defendants shall not be prohibited from obtaining customer phone records or consumer personal information that is derived from customer phone records pursuant to any law, regulation, or lawful court order. Nothing in this Order shall be read as an exception to Section I.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "II",
      "title": "Prohibited Business Activities Regarding Consumer Personal Information",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from making false or deceptive statements to obtain consumer personal information, and from directing others to obtain such information through deceptive means.",
      "verbatim_text": "A. Making false or deceptive statements or representations, including but not limited to impersonating any person or entity, directly or by implication, to any person or entity in order to obtain consumer personal information;\n\nB. Requesting any person or entity to obtain consumer personal information relating to any third person, if the person making such a request knows or should know that the person or entity to whom such a request is made will obtain or attempt to obtain such information in violation of Subsection A of Section II.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "III",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "A judgment of $67,000 is entered against Defendants jointly and severally, suspended upon payment of $3,000 to the FTC; funds are to be used for equitable consumer relief, and Defendants must provide tax identification numbers and cooperate with reporting.",
      "verbatim_text": "A. Judgment is hereby entered against Defendants, jointly and severally, in the amount of SIXTY SEVEN THOUSAND DOLLARS ($67,000.00); provided, however, that this judgment shall be suspended (1) upon the transfer of $3,000 to the FTC or its designated agent; and (2) as long as the Court makes no finding, as provided in Section IV of this Order, that any defendant materially misrepresented or omitted the nature, existence, or value of any asset.\n\nB. Any funds received by the FTC pursuant to this Section III of this Order shall be deposited into a fund administered by the FTC or its agent to be used for equitable relief, including but not limited to consumer redress and any attendant expenses for the administration of any redress funds. In the event that direct redress to consumers is wholly or partially impracticable or funds remain after redress is completed, the FTC may apply any remaining funds for such other equitable relief, including but not limited to consumer information remedies, as the FTC determines to be reasonably related to the practices alleged in the Complaint. Any funds not used for such equitable relief shall be deposited to the U.S. Treasury as equitable disgorgement. Defendants shall have no right to challenge the FTC’s choice of remedies or the manner of distribution.\n\nC. While Defendants do not admit any of the facts alleged in the Complaint other than jurisdictional facts, Defendants agree that the facts as alleged in the Complaint filed in this action shall be taken as true without further proof in any bankruptcy case or subsequent civil litigation pursued by the FTC to enforce its rights pursuant to this Final Order, including but not limited to a nondischargeability complaint in any bankruptcy case. Defendants further stipulate and agree that the facts alleged in the Complaint establish all elements necessary to sustain an action pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A).\n\nD. The judgment entered pursuant to this Section III is equitable monetary relief, solely remedial in nature, and not a fine, penalty, punitive assessment, or forfeiture.\n\nE. Defendants acknowledge and agree that any money paid pursuant to this Order is irrevocably paid to the FTC for purposes of settlement between the FTC and Defendants, and they relinquish all rights, title, and interest to such money.\n\nF. Defendants are hereby required, in accordance with 31 U.S.C. § 7701, to furnish to the FTC their tax identification numbers, which shall be used for purposes of collecting and reporting on any delinquent amount arising out of this Order.\n\nG. Pursuant to Section 604(1) of the Fair Credit Reporting Act, 15 U.S.C. § 1681b(1), any consumer reporting agency may furnish a consumer report concerning any Defendant to the FTC, which shall be used for purposes of collecting and reporting on any delinquent amount arising out of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "IV",
      "title": "Right to Reopen Judgment",
      "category": "affirmative_obligation",
      "summary": "If the Court finds that any Defendant materially misrepresented or omitted information in their financial statements submitted to the FTC, the suspended judgment becomes immediately due and payable as to that Defendant.",
      "verbatim_text": "IV. IT IS FURTHER ORDERED that the FTC’s agreement to this Order is expressly premised on the truthfulness, accuracy, and completeness of Defendants’ financial statements previously submitted to the FTC. If, upon motion by the FTC, the Court finds that the financial statement of any Defendant contains any material misrepresentation or omission, the suspended judgment entered in Section III of this Order shall become immediately due and payable as to that Defendant (less any amounts turned over to the FTC pursuant to Section III(A) of this Order); provided, however, that in all other respects this Order shall remain in full force and effect unless otherwise ordered by the Court; and, further provided, that proceedings instituted under this provision would be in addition to, and not in lieu of, any other civil or criminal remedies as may be provided by law, including any other proceedings that the FTC may initiate to enforce this Order. For purposes of Section IV, Defendants waive any right to contest any of the allegations in the Complaint.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "V",
      "title": "Cooperation with FTC",
      "category": "affirmative_obligation",
      "summary": "Defendants must cooperate in good faith with the FTC in connection with this action or related investigations, including appearing for interviews, discovery, and testimony upon written request.",
      "verbatim_text": "V. IT IS FURTHER ORDERED that Defendants shall, in connection with this action or any subsequent investigations related to or associated with the transactions or the occurrences that are the subject of the FTC’s Complaint, cooperate in good faith with the FTC and appear at such places and times as the FTC shall reasonably request, after written notice, for interviews, conferences, pretrial discovery, review of documents, and for such other matters as may be reasonably requested by the FTC. If requested in writing by the FTC, Defendants shall appear and provide truthful testimony in any trial, deposition, or other proceeding related to or associated with the transactions or the occurrences that are the subject of the Complaint, without the service of a subpoena, provided, however, that Defendants shall be entitled to receive any witness fees and expenses allowable pursuant to Fed. R. Civ. P. 45.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor Defendants' compliance through written reports, document inspection, depositions, business entry, discovery, and posing as consumers or suppliers, and Defendants must permit FTC representatives to interview personnel.",
      "verbatim_text": "A. Within ten (10) days of receipt of written notice from a representative of the FTC, Defendants each shall submit additional written reports, which are true and accurate and sworn to under penalty of perjury; produce documents for inspection and copying; appear for deposition; and/or provide entry during normal business hours to any business location in each such Defendant’s possession or direct or indirect control, to inspect the business operation.\n\nB. In addition, the FTC is authorized to use all other lawful means, including but not limited to: 1. obtain discovery from any person, without further leave of court, using the procedures prescribed by Fed. R. Civ. P. 30, 31, 33, 34, 36, and 45; 2. pose as consumers and suppliers to Defendants, their employees, or any other entity managed or controlled in whole or in part by any Defendant, without the necessity of identification or prior notice.\n\nC. Defendants each shall permit representatives of the FTC to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present;\n\nD. Provided however, that nothing in this Order shall limit the FTC’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1, to obtain any documentary material, tangible things, testimony, or information relevant to unfair or deceptive acts or practices in or affecting commerce (within the meaning of 15 U.S.C. § 45(a)(1)).",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting by Defendants",
      "category": "compliance_reporting",
      "summary": "For three years from entry of the Order, Defendants must notify the FTC of changes in residence, employment, business structure, and aliases; file periodic sworn compliance reports; and notify the FTC of any bankruptcy filing within 15 days.",
      "verbatim_text": "A. For a period of three (3) years from the date of entry of this Order, 1. Individual Defendants each shall notify the FTC of the following: a. Any changes in his residence, mailing addresses, and telephone numbers, within fifteen (15) days of the date of such change;\n\nb. Any changes in his employment status (including self-employment), and any change in his ownership in any business entity, within fifteen (15) days of the date of such change. Such notice shall include the name and address of each business that he is affiliated with, employed by, creates, forms, or performs services for; a detailed description of the nature of the business; and a detailed description of his duties and responsibilities in connection with the business or employment; and\n\nc. Any changes in his name or use of any aliases or fictitious names.\n\n2. Defendants shall notify the FTC of any changes in structure of Corporate Defendant or any business entity that any Defendant directly or indirectly controls, or has an ownership interest in, that may affect compliance obligations arising under this Order, including but not limited to incorporation or other organization; a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor entity; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; or a change in the business name or address, at least thirty (30) days prior to such change; provided, however, that, with respect to any proposed change in the business entity about which a Defendant learns fewer than thirty (30) days prior to the date such action is to take place, such Defendant shall notify the FTC as soon as is practicable after obtaining such knowledge.\n\nB. One hundred and eighty (180) days after the date of entry of this Order and annually thereafter for a period of three (3) years, Defendants each shall provide a written report to the FTC, which is true and accurate and sworn to under penalty of perjury, setting forth in detail the manner and form in which they have complied and are complying with this Order. This report shall include, but not be limited to: 1. for each Individual Defendant: a. his then-current residence address, mailing addresses, and telephone numbers; b. his then-current employment status (including self-employment), including the name, addresses, and telephone numbers of each business that he is affiliated with, employed by, or performs services for; a detailed description of the nature of the business; and a detailed description of his duties and responsibilities in connection with the business or employment; and c. any other changes required to be reported under subparagraph A of Section VII; 2. for all Defendants: a. a copy of each acknowledgment of receipt of this Order obtained pursuant to Section IX; and b. any other changes required to be reported under subparagraph A of Section VII;\n\nC. Defendants shall notify the FTC of the filing of a bankruptcy petition by any Defendant within fifteen (15) days of filing;\n\nD. For the purposes of this Order, Defendants shall, unless otherwise directed by the FTC’s authorized representatives, send all reports and notifications required by this Order to the FTC at the following address: Associate Director, Division of Enforcement Federal Trade Commission 600 Pennsylvania Avenue, N.W., Room NJ2122 Washington, D.C. 20580 RE: FTC v. Action Research Group, Case No. 6:07-cv-227-Orl-22UAM (M.D. Fla.)\n\nE. For purposes of the compliance reporting and monitoring required by this Order, the FTC is authorized to communicate directly with Defendants.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "VIII",
      "title": "Record Keeping",
      "category": "recordkeeping",
      "summary": "For six years from entry of the Order, Defendants must create and retain specified business records including accounting records, personnel records, customer files, complaints, marketing materials, third-party records, and all compliance documentation.",
      "verbatim_text": "VIII. IT IS FURTHER ORDERED that, for a period of six (6) years from the date of entry of this Order, in connection with any business where any Defendant is the majority owner of the business or directly or indirectly manages or controls the business, each Defendant and their agents, servants, salespersons, employees, independent contractors, attorneys, and those persons in active concert or participation with them, whether acting directly or through any sole proprietorship, partnership, limited liability company, corporation, subsidiary, branch, division, or other entity, who receive actual notice of this Order by personal service or otherwise, are hereby restrained and enjoined from failing to create and retain the following records: A. Accounting records that reflect the cost of goods or services sold, revenues generated, and the disbursement of such revenues;\n\nB. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person's job title or position; the date upon which the person commenced work; and the date and reason for the person's termination, if applicable;\n\nC. Customer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of goods or services purchased, and description of goods or services purchased, to the extent such information is obtained in the ordinary course of business;\n\nD. Complaints and refund requests (whether received directly, indirectly, or through any third party) and any responses to those complaints or requests;\n\nE. Copies of all sales scripts, training materials, advertisements, or other marketing materials, and records that accurately reflect the time periods during which such materials were used and the persons and business entities that used such materials;\n\nF. To the extent consumer personal information is obtained through the use of any third party, records that accurately reflect the name, address, and telephone number of such third party, including, but not limited to, copies of all contracts and correspondence (other than correspondence that contains consumer personal information) between any Defendant and such third party; and\n\nG. All records and documents necessary to demonstrate full compliance with each provision of this Order, including but not limited to, acknowledgments of receipt of this Order, required by Sections IX and X, and all reports submitted to the FTC pursuant to Section VII.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "IX",
      "title": "Distribution of Order by Defendants",
      "category": "acknowledgment",
      "summary": "For three years from entry of the Order, Defendants must deliver copies of the Order to relevant personnel in any business they own or control, within five days of service for current personnel and prior to assuming responsibilities for new personnel, and obtain signed receipts within 30 days.",
      "verbatim_text": "A. Corporate Defendant must deliver a copy of this Order to all principals, officers, directors, and managers, and all employees, agents, and representatives who engage in conduct related to the subject matter of the Order. For current personnel, delivery shall be within five (5) days of service of this Order upon Corporate Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities.\n\nB. Individual Defendant as control person: For any business entity that an Individual Defendant controls, directly or indirectly, or in which such Individual Defendant has a majority ownership interest, such Individual Defendant must deliver a copy of this Order to all principals, officers, directors, and managers, and all employees, agents, and representatives who engage in conduct related to the subject matter of the Order. For current personnel, delivery shall be within five (5) days of service of this Order upon the Individual Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities.\n\nC. Individual Defendant as employee or non-control person: For any business where an Individual Defendant is not a controlling person of a business but otherwise engages in conduct related to the subject matter of the Order, such Individual Defendant must deliver a copy of this Order to all principals and managers of such business entity before engaging in such conduct.\n\nD. Each Defendant must secure a signed and dated statement acknowledging receipt of the Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this Section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "X",
      "title": "Acknowledgment of Receipt of Order by Defendants",
      "category": "acknowledgment",
      "summary": "Each Defendant must submit a sworn statement acknowledging receipt of this Order to the FTC within five business days of receiving the entered Order.",
      "verbatim_text": "X. IT IS FURTHER ORDERED that each Defendant, within five (5) business days of receipt of this Order as entered by the Court, must submit to the FTC a truthful sworn statement acknowledging receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "XI",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of this Order.",
      "verbatim_text": "XI. IT IS FURTHER ORDERED that this Court shall retain jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.08_action_research_group",
      "company_name": "ACTION RESEARCH GROUP, INC.",
      "date_issued": "2008-05-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al",
      "docket_number": "C-6:07-cv-227-Orl-22UAM"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it uses, maintains, and protects the privacy, confidentiality, security, or integrity of personal information collected from or about consumers.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent, shall not misrepresent in any manner, expressly or by implication, the extent to which it uses, maintains, and protects the privacy, confidentiality, security, or integrity of personal information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.13_cbr_systems",
      "company_name": "CBR Systems, Inc.",
      "date_issued": "2013-05-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter",
      "docket_number": "C-4400"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers by respondent or by any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent. This section may be satisfied through the review and maintenance of an existing program so long as that program fulfills the requirements set forth herein. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by subpart C, any material changes to any operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of the information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "05.13_cbr_systems",
      "company_name": "CBR Systems, Inc.",
      "date_issued": "2013-05-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter",
      "docket_number": "C-4400"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial assessments from a qualified, objective, independent third-party professional to evaluate the security program's compliance with Part II of the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nreporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been completed. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.13_cbr_systems",
      "company_name": "CBR Systems, Inc.",
      "date_issued": "2013-05-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter",
      "docket_number": "C-4400"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection all materials related to assessments and compliance with the order.",
      "verbatim_text": "A. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts II and III of this order, for the compliance period covered by such Assessment;\n\nB. unless covered by IV.A, for a period of five (5) years from the date of preparation or dissemination, whichever is later, a print or electronic copy of each document relating to compliance with this order, including but not limited to: 1. all advertisements and promotional materials containing any representations covered by this order, with all materials used or relied upon in making or disseminating the representation; and\n\n2. any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.13_cbr_systems",
      "company_name": "CBR Systems, Inc.",
      "date_issued": "2013-05-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter",
      "docket_number": "C-4400"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver copies of the order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "A. Respondent shall deliver a copy of this order to (1) all current and future principals, officers, directors, and managers, (2) all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order, and (3) any business entity resulting from any change in structure set forth in Part VI. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure.\n\nB. Respondent shall secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.13_cbr_systems",
      "company_name": "CBR Systems, Inc.",
      "date_issued": "2013-05-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter",
      "docket_number": "C-4400"
    },
    {
      "provision_number": "VI",
      "title": "Change in Corporate Structure Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the company that may affect compliance obligations, including dissolution, merger, sale, bankruptcy, or change in name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in respondent that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.13_cbr_systems",
      "company_name": "CBR Systems, Inc.",
      "date_issued": "2013-05-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter",
      "docket_number": "C-4400"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial compliance report with the Commission within sixty days after service of the order, and submit additional reports upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.13_cbr_systems",
      "company_name": "CBR Systems, Inc.",
      "date_issued": "2013-05-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter",
      "docket_number": "C-4400"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on April 29, 2033, or twenty years from the most recent date that the United States or the FTC files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on April 29, 2033, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.13_cbr_systems",
      "company_name": "CBR Systems, Inc.",
      "date_issued": "2013-05-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter",
      "docket_number": "C-4400"
    },
    {
      "provision_number": "I",
      "title": "Disease Claims Require Two Clinical Studies",
      "category": "prohibition",
      "summary": "Respondent must not make disease treatment claims for Covered Products unless substantiated by at least two adequate and well-controlled human clinical studies.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, licensee, affiliate, trade name, or other device, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any Covered Product, in or affecting commerce, shall not make any representation, in any manner, expressly or by implication, including through the use of a product name, endorsement, depiction, illustration, trademark, or trade name, that such product is effective in the diagnosis, cure, mitigation, treatment, or prevention of any disease, including, but not limited to, any representation that the product will treat, prevent, mitigate, or reduce the risk of diabetes, heart disease, arthritis, or insomnia, unless the representation is non-misleading and, at the time the representation is made, respondent possesses and relies upon competent and reliable scientific evidence that substantiates that the representation is true. For purposes of this Part I, “competent and reliable scientific evidence” shall consist of at least two adequate and well-controlled human clinical studies of the Covered Product, or of an Essentially Equivalent Product, conducted by different researchers, independently of each other, that conform to acceptable designs and protocols and whose results, when considered in light of the entire body of relevant and reliable scientific evidence, are sufficient to substantiate that the representation is true; provided that, if the respondent represents that such product is effective in the diagnosis, cure, mitigation, treatment, prevention, or the reduction of risk of disease for persons with a particular genetic variation or single nucleotide polymorphism (“SNP”), then studies required under this Part I shall be conducted on human subjects with such genetic variation or SNP. 
Respondent shall have the burden of proving that a product satisfies the definition of an Essentially Equivalent Product.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "II",
      "title": "Health Benefit Claims Require Competent and Reliable Evidence",
      "category": "prohibition",
      "summary": "Respondent must not make health benefit claims for Covered Products or Covered Assessments unless substantiated by competent and reliable scientific evidence.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, licensee, affiliate, trade name, or other device, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any Covered Product or any Covered Assessment, in or affecting commerce, shall not make any representation, in any manner, expressly or by implication, including through the use of a product name, endorsement, depiction, or illustration, other than representations covered under Part I of this order, about the health benefits, performance, or efficacy of any Covered Product or any Covered Assessment, unless the representation is non-misleading, and, at the time of making such representation, respondent possesses and relies upon competent and reliable scientific evidence that is sufficient in quality and quantity based on standards generally accepted in the relevant scientific fields, when considered in light of the entire body of relevant and reliable scientific evidence, to substantiate that the representation is true. For purposes of this Part II, competent and reliable scientific evidence means tests, analyses, research, or studies that have been conducted and evaluated in an objective manner by qualified persons and are generally accepted in the profession to yield accurate and reliable results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "III",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the existence, contents, validity, or results of any test or study, or that benefits are scientifically proven.",
      "verbatim_text": "A. The existence, contents, validity, results, or conclusions of any test, study, or research; or\n\nB. That the benefits of any Covered Product or Covered Assessment are scientifically proven.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "IV",
      "title": "FDA-Permitted Claims Exception",
      "category": "acknowledgment",
      "summary": "Parts I-III do not prohibit representations specifically permitted by FDA regulations or approved drug applications.",
      "verbatim_text": "A. Nothing in Parts I through III of this order shall prohibit respondent from making any representation for any product that is specifically permitted in labeling for such product by regulations promulgated by the Food and Drug Administration pursuant to the Nutrition Labeling and Education Act of 1990 or permitted under Sections 303-304 of the Food and Drug Administration Modernization Act of 1997; and\n\nB. Nothing in Parts I through III of this order shall prohibit respondent from making any representation for any drug that is permitted in labeling for such drug under any tentative final or final standard promulgated by the Food and Drug Administration, or any new drug application approved by the Food and Drug Administration.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "V",
      "title": "Prohibition on Providing Means and Instrumentalities",
      "category": "prohibition",
      "summary": "Respondent must not provide affiliates or others with materials that enable them to make prohibited representations.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, licensee, affiliate, trade name, or other device, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any Covered Product or any Covered Assessment, in or affecting commerce, shall not provide to any person or entity the means and instrumentalities with which to make, directly or by implication, any representations prohibited by Parts I through III of this order. For purposes of this Part, “means and instrumentalities” shall mean any information, document, or article referring or relating to any Covered Product or any Covered Assessment, including, but not limited to, any advertising, labeling, promotional, or purported substantiation materials, for use by affiliates in their marketing of any Covered Product or any Covered Assessment in or affecting commerce.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "VI",
      "title": "Affiliate Monitoring and Compliance System",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a system to monitor affiliates' representations and ensure compliance with Parts I-III.",
      "verbatim_text": "A. Establishing, implementing, and thereafter maintaining a system to monitor and review its affiliates’ representations and disclosures to ensure compliance with Parts I through III of this order. The system shall be implemented as follows:\n\n1. No later than thirty (30) days after the date of service of this order, and, on a semi-annual basis thereafter, respondent shall determine those affiliates that generate the most sales for respondent. For respondent’s top fifty (50) revenue-generating affiliates, respondent shall: (a) Monitor and review each affiliate’s web sites on at least a monthly basis at times not disclosed in advance to its affiliates and in a manner reasonably calculated not to disclose the source of the monitoring activity at the time it is being conducted; and (b) Conduct online monitoring and review of the Internet on at least a monthly basis, including, but not limited to, social networks such as Facebook, microsites such as Twitter, and video sites such as YouTube, for any representations by such affiliates.\n\n2. For the remainder of respondent’s affiliates, no later than thirty (30) days after the date of service of this order, and, on a semi-annual basis thereafter, respondent shall select a random sample of fifty (50) affiliates. Respondent shall: (a) Monitor and review each of these randomly selected affiliates’ web sites on at least a monthly basis at times not disclosed in advance to its affiliates and in a manner reasonably calculated not to disclose the source of the monitoring activity at the time it is being conducted; and (b) Conduct online monitoring and review of the Internet on at least a monthly basis, including, but not limited to, social networks such as Facebook, microsites such as Twitter, and video sites such as YouTube, for any representations by such affiliates.\n\nB. 
Within seven (7) days of reasonably concluding that an affiliate has made representations that the affiliate knew or should have known violated Parts I, II, or III of this order, respondent shall terminate the affiliate from any affiliate program and cease payment to the affiliate; provided, however, that nothing in this subpart shall prevent respondent from honoring respondent’s payment obligation to an affiliate pursuant to a contract executed by the affiliate and respondent prior to the date of service of the order; and\n\nC. Creating, and thereafter, maintaining, and within fourteen (14) days of receipt of a written request from a representative of the Federal Trade Commission, making available for inspection and copying, reports sufficient to show compliance with this Part of the order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Other"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "VII",
      "title": "Prohibition Against Privacy Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of Personal Information.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, licensee, affiliate, trade name, or other device, in connection with the manufacturing, advertising, labeling, promotion, offering for sale, sale, or distribution of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of Personal Information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "VIII",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive information security program to protect Personal Information with administrative, technical, and physical safeguards.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Personal Information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the Personal Information respondent collects from or about consumers, including:\n\nA. The designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. The identification of material internal and external risks to the security, confidentiality, and integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. 
The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding Personal Information received from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. The evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "IX",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments for twenty years.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part VIII of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. 
The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments.\n\nA. Set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. Explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of its activities, and the sensitivity of the Personal Information collected from or about consumers;\n\nC. Explain how the safeguards that have been implemented meet or exceed the protections required by Part VIII of this order; and\n\nD. Certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of Personal Information is protected and has so operated throughout the reporting period.\n\nreporting period to which the Assessment applies. The respondent shall provide its initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been completed. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission in writing, the initial",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "X",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to current and future principals, officers, directors, and managerial employees, and obtain signed acknowledgments.",
      "verbatim_text": "successors and assigns, shall deliver a copy of this order to all current and future principals, officers, directors, Scientific Advisory Board members, and licensees, and to employees having managerial responsibilities with respect to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondent foru™ International Corporation, and its successors and assigns, shall deliver this order to current personnel within thirty (30) days after the date of service of this order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "XI",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC various records including Assessment materials and advertising substantiation.",
      "verbatim_text": "A. For a period of three (3) years after the date of preparation of each Assessment required under Part IX of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including, but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts VIII and IX of this order, for the compliance period covered by such Assessment;\n\nB. Unless covered by Part XI.A, for a period of five (5) years after the last date of dissemination of any representation covered by this order, maintain and upon reasonable notice make available to the Commission for inspection and copying: 1. All advertisements and promotional materials containing the representation, including, but not limited to, all marketing and training materials distributed to licensees and affiliates;\n\n2. All materials that were relied upon in disseminating the representation; and\n\n3. All tests, reports, studies, surveys, demonstrations, or other evidence in respondent’s possession or control that contradict, qualify, or call into question the representation, or the basis relied upon for the representation, including complaints and other communications with consumers or with governmental or consumer protection organizations.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "XII",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least thirty days prior to corporate changes that may affect compliance obligations.",
      "verbatim_text": "successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent foru™ International Corporation, and its successors and assigns, learns less than thirty (30) days prior to the date such action is to take place, respondent foru™ International Corporation, and its successors and assigns, shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "XIII",
      "title": "Compliance Reports",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial compliance report within sixty days and submit additional reports upon FTC request.",
      "verbatim_text": "successors and assigns, within sixty (60) days after service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its own compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "XIV",
      "title": "Order Termination",
      "category": "duration",
      "summary": "The order will terminate on May 8, 2034, or twenty years from the most recent date the FTC files a complaint alleging violation, whichever comes later.",
      "verbatim_text": "This order will terminate on May 8, 2034, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.14_foru_international_corporation",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456 and C-4457"
    },
    {
      "provision_number": "I",
      "title": "Prohibition on Disease Treatment Claims Without Substantiation",
      "category": "prohibition",
      "summary": "Respondent must not make representations that Covered Products are effective in treating or preventing disease unless substantiated by at least two adequate and well-controlled human clinical studies.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, licensee, affiliate, trade name, or other device, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any Covered Product, in or affecting commerce, shall not make any representation, in any manner, expressly or by implication, including through the use of a product name, endorsement, depiction, illustration, trademark, or trade name, that such product is effective in the diagnosis, cure, mitigation, treatment, or prevention of any disease, including, but not limited to, any representation that the product will treat, prevent, mitigate, or reduce the risk of diabetes, heart disease, arthritis, or insomnia, unless the representation is non-misleading and, at the time the representation is made, respondent possesses and relies upon competent and reliable scientific evidence that substantiates that the representation is true. For purposes of this Part I, “competent and reliable scientific evidence” shall consist of at least two adequate and well-controlled human clinical studies of the Covered Product, or of an Essentially Equivalent Product, conducted by different researchers, independently of each other, that conform to acceptable designs and protocols and whose results, when considered in light of the entire body of relevant and reliable scientific evidence, are sufficient to substantiate that the representation is true; provided that, if the respondent represents that such product is effective in the diagnosis, cure, mitigation, treatment, prevention, or the reduction of risk of disease for persons with a particular genetic variation or single nucleotide polymorphism (“SNP”), then studies required under this Part I shall be conducted on human subjects with such genetic variation or SNP. 
Respondent shall have the burden of proving that a product satisfies the definition of an Essentially Equivalent Product.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "II",
      "title": "Prohibition on Health Benefit Claims Without Substantiation",
      "category": "prohibition",
      "summary": "Respondent must not make representations about health benefits, performance, or efficacy of Covered Products or Covered Assessments unless substantiated by competent and reliable scientific evidence.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, licensee, affiliate, trade name, or other device, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any Covered Product or any Covered Assessment, in or affecting commerce, shall not make any representation, in any manner, expressly or by implication, including through the use of a product name, endorsement, depiction, or illustration, other than representations covered under Part I of this order, about the health benefits, performance, or efficacy of any Covered Product or any Covered Assessment, unless the representation is non-misleading, and, at the time of making such representation, respondent possesses and relies upon competent and reliable scientific evidence that is sufficient in quality and quantity based on standards generally accepted in the relevant scientific fields, when considered in light of the entire body of relevant and reliable scientific evidence, to substantiate that the representation is true. For purposes of this Part II, competent and reliable scientific evidence means tests, analyses, research, or studies that have been conducted and evaluated in an objective manner by qualified persons and are generally accepted in the profession to yield accurate and reliable results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "III",
      "title": "Prohibition on Misrepresentations About Scientific Evidence",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the existence, contents, validity, results, or conclusions of any test, study, or research, or that benefits are scientifically proven.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, licensee, affiliate, trade name, or other device, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any Covered Product or any Covered Assessment, in or affecting commerce, shall not misrepresent, in any manner, directly or indirectly, expressly or by implication, including through the use of endorsements: A. The existence, contents, validity, results, or conclusions of any test, study, or research; or\n\nB. That the benefits of any Covered Product or Covered Assessment are scientifically proven.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "IV",
      "title": "Safe Harbor for FDA-Approved Claims",
      "category": "acknowledgment",
      "summary": "Parts I-III do not prohibit representations specifically permitted by FDA regulations or approved drug applications.",
      "verbatim_text": "A. Nothing in Parts I through III of this order shall prohibit respondent from making any representation for any product that is specifically permitted in labeling for such product by regulations promulgated by the Food and Drug Administration pursuant to the Nutrition Labeling and Education Act of 1990 or permitted under Sections 303-304 of the Food and Drug Administration Modernization Act of 1997; and\n\nB. Nothing in Parts I through III of this order shall prohibit respondent from making any representation for any drug that is permitted in labeling for such drug under any tentative final or final standard promulgated by the Food and Drug Administration, or any new drug application approved by the Food and Drug Administration.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "V",
      "title": "Prohibition on Providing Means and Instrumentalities",
      "category": "prohibition",
      "summary": "Respondent must not provide licensees or affiliates with materials that would enable them to make prohibited representations.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, licensee, affiliate, trade name, or other device, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any Covered Product or any Covered Assessment, in or affecting commerce, shall not provide to any person or entity the means and instrumentalities with which to make, directly or by implication, any representations prohibited by Parts I through III of this order. For purposes of this Part, “means and instrumentalities” shall mean any information, document, or article referring or relating to any Covered Product or any Covered Assessment, including, but not limited to, any advertising, labeling, promotional, or purported substantiation materials, for use by licensees or affiliates in their marketing of any Covered Product or any Covered Assessment in or affecting commerce.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "VI",
      "title": "Affiliate Monitoring and Compliance Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a system to monitor affiliates' representations, including monthly reviews of top 50 affiliates and random samples, and terminate non-compliant affiliates within 7 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, in connection with the manufacturing, advertising, labeling, promotion, offering for sale, sale, or distribution of any product or service, in or affecting commerce, shall take steps sufficient to ensure compliance with Parts I through III of this order. Such steps shall include, at a minimum: 5 A. Establishing, implementing, and thereafter maintaining a system to monitor and review its affiliates’ representations and disclosures to ensure compliance with Parts I through III of this order. The system shall be implemented as follows:\n\n1. No later than thirty (30) days after the date of service of this order, and, on a semi-annual basis thereafter, respondent shall determine those affiliates that generate the most sales for respondent. For respondent’s top fifty (50) revenue-generating affiliates, respondent shall:\n\n(a) Monitor and review each affiliate’s web sites on at least a monthly basis at times not disclosed in advance to its affiliates and in a manner reasonably calculated not to disclose the source of the monitoring activity at the time it is being conducted; and\n\n(b) Conduct online monitoring and review of the Internet on at least a monthly basis, including, but not limited to, social networks such as Facebook, microsites such as Twitter, and video sites such as YouTube, for any representations by such affiliates.\n\n2. For the remainder of respondent’s affiliates, no later than thirty (30) days after the date of service of this order, and, on a semi-annual basis thereafter, respondent shall select a random sample of fifty (50) affiliates. 
Respondent shall:\n\n(a) Monitor and review each of these randomly selected affiliates’ web sites on at least a monthly basis at times not disclosed in advance to its affiliates and in a manner reasonably calculated not to disclose the source of the monitoring activity at the time it is being conducted; and\n\n(b) Conduct online monitoring and review of the Internet on at least a monthly basis, including, but not limited to, social networks such as Facebook, microsites such as Twitter, and video sites such as YouTube, for any representations by such affiliates.\n\nB. Within seven (7) days of reasonably concluding that an affiliate has made representations that the affiliate knew or should have known violated Parts I, II, or III of this order, respondent shall terminate the affiliate from any affiliate program and cease payment to the affiliate; provided, however, that nothing in this subpart shall prevent respondent from honoring respondent’s payment obligation to an affiliate pursuant to a contract executed by the affiliate and respondent prior to the date of service of the order; and\n\nC. Creating, and thereafter, maintaining, and within fourteen (14) days of receipt of a written request from a representative of the Federal Trade Commission, making available for inspection and copying, reports sufficient to show compliance with this Part of the order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Other"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "VII",
      "title": "Prohibition on Privacy and Security Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of Personal Information.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, licensee, affiliate, trade name, or other device, in connection with the manufacturing, advertising, labeling, promotion, offering for sale, sale, or distribution of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of Personal Information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "VIII",
      "title": "Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive written information security program with administrative, technical, and physical safeguards to protect Personal Information.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, partnership, subsidiary, division, trade name, or other device, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Personal Information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the Personal Information respondent collects from or about consumers, including:\n\nA. The designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. The identification of material internal and external risks to the security, confidentiality, and integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. 
The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding Personal Information received from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. The evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "IX",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments for 20 years from qualified professionals (CISSP, CISA, or GIAC) and submit initial assessment to FTC within 10 days of completion.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part VIII of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments.\n\nIT IS FURTHER ORDERED that, in connection with its compliance with Part VIII of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. 
The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments.\n\nA. Set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. Explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of its activities, and the sensitivity of the Personal Information collected from or about consumers;\n\nC. Explain how the safeguards that have been implemented meet or exceed the protections required by Part VIII of this order; and\n\nD. Certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of Personal Information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. The respondent shall provide its initial\n\nreporting period to which the Assessment applies. The respondent shall provide its initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been\n\ncompleted. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission in writing, the initial Assessment, and any subsequent Assessments requested, shall be sent by overnight courier (not the U.S. 
Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 8 20580. The subject line must begin: In the Matter of GeneLink, Inc., FTC File No. 112 3095. Provided, however, that in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of any such notice is contemporaneously sent to the Commission at Debrief@ftc.gov.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "X",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all principals, officers, directors, Scientific Advisory Board members, licensees, and managers, and secure signed acknowledgments.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent GeneLink, Inc., and its successors and assigns, shall deliver a copy of this order to all current and future principals, officers, directors, Scientific Advisory Board members, and licensees, and to employees having managerial responsibilities with respect to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondent GeneLink, Inc., and its successors and assigns, shall deliver this order to current personnel within thirty (30) days after the date of service of this order, and to future personnel within thirty (30) days after\n\nIT IS FURTHER ORDERED that respondent GeneLink, Inc., and its successors and assigns, shall deliver a copy of this order to all current and future principals, officers, directors, Scientific Advisory Board members, and licensees, and to employees having managerial responsibilities with respect to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondent GeneLink, Inc., and its successors and assigns, shall deliver this order to current personnel within thirty (30) days after the date of service of this order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "XI",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available for FTC inspection assessment materials for 3 years and advertising materials and substantiation for 5 years after last dissemination.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent GeneLink, Inc., and its successors and assigns, shall maintain and, upon request, make available to a representative to the Commission for inspection and copying: A. For a period of three (3) years after the date of preparation of each Assessment required under Part IX of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including, but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts VIII and IX of this order, for the compliance period covered by such Assessment;\n\nB. Unless covered by Part XI.A, for a period of five (5) years after the last date of dissemination of any representation covered by this order, maintain and upon reasonable notice make available to the Commission for inspection and copying: 1. All advertisements and promotional materials containing the representation, including, but not limited to, all marketing and training materials distributed to licensees and affiliates;\n\n2. All materials that were relied upon in disseminating the representation; and\n\n3. All tests, reports, studies, surveys, demonstrations, or other evidence in that respondent’s possession or control that contradict, qualify, or call into question the representation, or the basis relied upon for the representation, including complaints and other communications with consumers or with governmental or consumer protection organizations.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "XII",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, bankruptcy, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent GeneLink, Inc., and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent GeneLink, Inc., and its successors and assigns, learns less than thirty (30) days prior to the date such action is to take place, respondent GeneLink, Inc., and its successors and assigns, shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin: In the Matter of GeneLink, Inc., FTC File No. 112 3095.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "XIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial compliance report within 60 days and submit additional reports within 10 days upon FTC request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent GeneLink, Inc., and its successors and assigns, within sixty (60) days after service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its own compliance with this order. Within ten (10) days of receipt of written notice from a representative of the\n\nwith this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "XIV",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order will terminate on May 8, 2034, or 20 years from the most recent date the FTC files a complaint alleging violation, whichever is later.",
      "verbatim_text": "This order will terminate on May 8, 2034, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. 10 Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.14_genelink",
      "company_name": "GeneLink, Inc.",
      "date_issued": "2014-05-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter",
      "docket_number": "C-4456"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.15_american_international_mailing",
      "company_name": "American International Mailing, Inc.",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3051-american-international-mailing-inc-matter",
      "docket_number": "C-4526"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection documents relating to compliance with this order for a period of five years from the date of preparation or dissemination.",
      "verbatim_text": "A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.15_american_international_mailing",
      "company_name": "American International Mailing, Inc.",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3051-american-international-mailing-inc-matter",
      "docket_number": "C-4526"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives having responsibilities relating to the subject matter of this order, and must secure signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in\n\nassumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this\n\nstructure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.15_american_international_mailing",
      "company_name": "American International Mailing, Inc.",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3051-american-international-mailing-inc-matter",
      "docket_number": "C-4526"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the corporation that may affect compliance obligations arising under this order, including dissolution, assignment, sale, merger, creation or dissolution of subsidiaries, bankruptcy filing, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.15_american_international_mailing",
      "company_name": "American International Mailing, Inc.",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3051-american-international-mailing-inc-matter",
      "docket_number": "C-4526"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file with the Commission a true and accurate report setting forth in detail the manner and form of its compliance with this order within sixty days after service, and must submit additional reports within ten days of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.15_american_international_mailing",
      "company_name": "American International Mailing, Inc.",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3051-american-international-mailing-inc-matter",
      "docket_number": "C-4526"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on May 20, 2035, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on May 20, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.15_american_international_mailing",
      "company_name": "American International Mailing, Inc.",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3051-american-international-mailing-inc-matter",
      "docket_number": "C-4526"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework, the U.S.-Swiss Safe Harbor Framework, and the TRUSTe privacy programs.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.15_tes_franchising",
      "company_name": "TES Franchising, LLC",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3015-tes-franchising-llc-matter",
      "docket_number": "C-4525"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Misrepresentations About Alternative Dispute Resolution",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its participation in, or the rules, processes, policies, or costs of, any alternative dispute resolution process or service.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the respondent’s participation in, or the rules, processes, policies, or costs of, any alternative dispute resolution process or service, including, but not limited to, arbitration, mediation, or other independent recourse mechanism.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.15_tes_franchising",
      "company_name": "TES Franchising, LLC",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3015-tes-franchising-llc-matter",
      "docket_number": "C-4525"
    },
    {
      "provision_number": "III",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection all documents relating to compliance with this order for a period of five years.",
      "verbatim_text": "A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.15_tes_franchising",
      "company_name": "TES Franchising, LLC",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3015-tes-franchising-llc-matter",
      "docket_number": "C-4525"
    },
    {
      "provision_number": "IV",
      "title": "Acknowledgment of Receipt of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part V, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.15_tes_franchising",
      "company_name": "TES Franchising, LLC",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3015-tes-franchising-llc-matter",
      "docket_number": "C-4525"
    },
    {
      "provision_number": "V",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any change in the corporation that may affect compliance obligations, including dissolution, merger, bankruptcy, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re TES Franchising, LLC., FTC File No. 152 3015.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.15_tes_franchising",
      "company_name": "TES Franchising, LLC",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3015-tes-franchising-llc-matter",
      "docket_number": "C-4525"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within 60 days of service of the order and submit additional reports upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.15_tes_franchising",
      "company_name": "TES Franchising, LLC",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3015-tes-franchising-llc-matter",
      "docket_number": "C-4525"
    },
    {
      "provision_number": "VII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on May 20, 2035, or 20 years from the most recent date that the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on May 20, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.15_tes_franchising",
      "company_name": "TES Franchising, LLC",
      "date_issued": "2015-05-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3015-tes-franchising-llc-matter",
      "docket_number": "C-4525"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Encryption and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the encryption capabilities, regulatory compliance assistance, or privacy and security protections of any product or service that collects or stores Personal Information.",
      "verbatim_text": "IT IS ORDERED that Respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the labeling, advertising, promotion, offering for sale, sale, or distribution of any product or service designed to collect or store Personal Information, in or affecting commerce, shall not misrepresent, in any matter, expressly or by implication: A. whether or to what extent the product or service offers industry-standard encryption;\n\nB. the ability of the product or service to help customers meet regulatory obligations related to privacy or security; or\n\nC. the extent to which a product or service maintains the privacy, security, confidentiality, and integrity of Personal Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "II",
      "title": "Customer Notification About Dentrix G5 Encryption",
      "category": "affirmative_obligation",
      "summary": "Respondent must clearly and conspicuously notify Affected Customers that Dentrix G5 uses a less complex encryption algorithm than AES, the NIST-recommended industry standard, following specific identification, mailing, and reporting procedures.",
      "verbatim_text": "A. Respondent must identify all Affected Customers who purchased Dentrix G5 prior to January 2014 (“eligible customers”). 1. Such eligible customers, and their contact information, must be identified to the extent such information is in Respondent’s possession, custody, or control. 2. Eligible customers include those identified at any time through the eligibility period, which runs for one (1) year after the date of service of this order.\n\nB. Respondent must notify all identified eligible customers by mailing each a notice: 1. The letter must be in the form shown in Attachment A. 2. The envelope containing the letter must be in the form shown in Attachment B. 3. The mailing of the notification letter must not include any other enclosures. 4. The mailing must be sent by first-class mail, postage prepaid, address correction service requested with forwarding and return postage guaranteed. For any mailings returned as undeliverable, Respondent must use standard search methodologies such as re-checking Respondent’s records and the Postal Service’s National Change of Address database and re-mailing to the corrected address within eight days.\n\nC. Respondent must notify all eligible customers within sixty (60) days after service of this order and any eligible customers identified thereafter within thirty (30) days of their identification.\n\nD. Respondent must establish a toll-free telephone number and an email address dedicated to responding to inquiries about the order and must respond promptly and accurately to such inquiries.\n\n1. Respondent must submit a report, within one hundred and twenty (120) days after the date of service of this order, annually thereafter, and at the conclusion of the program summarizing its compliance to date, including: the total number of eligible customers identified, notices mailed, and notices re-mailed, the number of mailings returned as undeliverable, and efforts taken to locate the customers for whom mailings were returned and deliver them the notice, as well as the number of calls and emails received and their disposition. For customers for whom mailings were returned as undeliverable, Respondent shall make reasonable efforts to locate and notify those customers.\n\n2. If a representative of the Commission requests any information regarding the notice program, including any of the underlying customer data, Respondent must submit it within ten (10) days of the request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "III",
      "title": "Monetary Payment to the Commission",
      "category": "affirmative_obligation",
      "summary": "Respondent must pay $250,000 to the Commission within eight days of the effective date of the order via electronic fund transfer.",
      "verbatim_text": "A. Respondent must pay to the Commission $250,000, which Respondent stipulates its undersigned counsel holds in escrow for no purpose other than payment to the Commission.\n\nB. Such payment must be made within eight (8) days of the effective date of this order by electronic fund transfer in accordance with instructions provided by a representative of the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "IV",
      "title": "Administration of Consumer Redress Fund",
      "category": "affirmative_obligation",
      "summary": "Money paid to the Commission may be used for consumer redress or related relief; default on payment accrues interest and accelerates the full amount due; each day of nonpayment is a separate violation subject to civil penalty.",
      "verbatim_text": "A. All money paid to the Commission pursuant to this order may be deposited into a fund administered by the Commission or its designee to be used for relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to Affected Customers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other relief (including consumer information remedies) as it determines to be reasonably related to Respondent’s practices alleged in the complaint. Any money not used is to be deposited to the U.S. Treasury. Respondent may, upon request, be notified whether the money has been deposited to the U.S. Treasury, but has no right to challenge any activities pursuant to this provision. No portion of any payment under this Part shall be deemed a payment of any fine, penalty, or punitive assessment.\n\nB. In the event of default on any obligation to make payment under this order, interest, computed as if pursuant to 28 U.S.C. § 1961(a), shall accrue from the date of default to the date of payment. In the event such default continues for ten (10) days beyond the date that payment is due, the entire amount will immediately become due and payable.\n\nC. Each day of nonpayment is a violation through continuing failure to obey or neglect to obey a final order of the Commission and thus will be deemed a separate offense and violation for which a civil penalty shall accrue.\n\nD. Respondent acknowledges that its Taxpayer Identification Number, which Respondent has previously provided to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this order, in accordance with 31 U.S.C. § 7701.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "V",
      "title": "Provision of Customer Information for Redress",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide sufficient customer information to enable the Commission to efficiently administer consumer redress, and must supply any requested redress-related information within fourteen days.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must directly or indirectly provide sufficient customer information to enable the Commission to efficiently administer consumer redress to all Affected Customers. Respondent represents that it has provided this redress information to the Commission. If a representative of the Commission requests in writing any information related to redress, Respondent must provide it, in the form prescribed by the Commission representative, within fourteen (14) days.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "VI",
      "title": "Recordkeeping of Advertising and Promotional Materials",
      "category": "recordkeeping",
      "summary": "Respondent must maintain all advertisements, supporting materials, and contradictory evidence related to any covered representation for five years after last dissemination, and make them available to the Commission upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent shall, for five (5) years after the last date of dissemination of any representation covered by this order, maintain and upon request make available to the Commission for inspection and copying: A. All advertisements and promotional materials containing the representation; B. All materials that were relied upon in disseminating the representation; and C. All tests, reports, studies, surveys, demonstrations, or other evidence in its possession or control that contradict, qualify, or call into question the representation, or the basis relied upon for the representation, including complaints and other communications with consumers or with governmental or consumer protection organizations.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "VII",
      "title": "Order Delivery and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future principals, officers, directors, managers, and employees with relevant managerial responsibilities, and obtain signed acknowledgments of receipt within thirty days of delivery.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent shall deliver a copy of this order to all current and for the next five (5) years future principals, officers, directors, and managers, and to all current and future employees having managerial responsibilities with respect to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VIII, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "VIII",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days before any corporate change that may affect compliance obligations under the order, including dissolution, merger, sale, bankruptcy, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including but not limited to a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that with respect to any proposed change in the corporation about which Respondent learns less than thirty (30) days prior to the date such action is to take place, Respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must be: In re Henry Schein Practice Solutions, Inc..",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Reporting to the Commission",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report within sixty days of service of the order, and additional reports within ten days of written notice from a Commission representative.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, Respondent shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "X",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on May 20, 2036, or twenty years from the most recent date a complaint alleging a violation of the order is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on May 20, 2036, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any Respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part.\n\nProvided further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as thought the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.16_henry_schein_practice_solutions",
      "company_name": "Henry Schein Practice Solutions, Inc.",
      "date_issued": "2016-05-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter",
      "docket_number": "C-4575"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent and all persons acting with it must not misrepresent in any way the extent to which it maintains and protects the security of Covered Devices or the privacy, security, confidentiality, or integrity of Personal Information.",
      "verbatim_text": "IT IS ORDERED that Respondent, Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication, the extent to which Respondent maintains and protects: (1) the security of a Covered Device; or (2) the privacy, security, confidentiality, or integrity of Personal Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "II",
      "title": "Mandated Device Security and Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive Security Program protecting Covered Devices and Personal Information, satisfying numerous specific sub-requirements including documentation, risk assessments, safeguards, training, testing, and service provider oversight.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must not transfer, sell, share, collect, maintain, or store Personal Information or manufacture or sell Covered Devices unless it establishes and implements, and thereafter maintains, a comprehensive Security Program (“Security Program”) that protects: (1) the security of Covered Devices; and (2) the security, confidentiality, and integrity of Personal Information. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Security Program;\n\nB. Provide the written program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for Respondent’s Security Program at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Security Program;\n\nD. Assess and document, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, internal and external risks to the security of Covered Devices and to the security, confidentiality, or integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Respondent identifies to the security of Covered Devices and to the security, confidentiality, or integrity of Personal Information identified in response to sub-Provision II.D. 
Each safeguard must be based on (1) the sensitivity of the Covered Device’s function, and (2) the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, alteration, destruction, or disclosure of the Personal Information.\n\n1. Training of all of Respondent’s employees, at least once every 12 months, on how to safeguard Personal Information;\n\n2. Technical measures to monitor all of Respondent’s networks, Covered Devices, and all systems and assets within those networks to identify data security events, including unauthorized attempts to exfiltrate Personal Information from those networks; and\n\n3. Data access controls for all databases storing Personal Information, including by, at a minimum, (a) restricting inbound connections to approved IP addresses, (b) requiring authentication to access them, and (c) limiting employee access to what is needed to perform that employee’s job function.\n\nF. Assess, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security of Covered Devices and the security, confidentiality, or integrity of Personal Information, and modify the Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, and modify the Security Program based on the results. Such testing and monitoring must include: (1) vulnerability testing of Respondent’s network once every four months and promptly (not to exceed 30 days) after a Covered Incident; and (2) penetration testing of Respondent’s network at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident;\n\nH. 
Select and retain service providers capable of safeguarding Covered Devices and Personal Information they access through or receive from Respondent, and contractually require service providers to implement and maintain safeguards for Covered Devices and Personal Information; and\n\nI. Evaluate and adjust the Security Program in light of any changes to Respondent’s operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in Part II.D., or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the Security Program. At a minimum, Respondent must evaluate the Security Program at least once every 12 months and modify the Security Program based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "III",
      "title": "Device and Information Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments by a qualified, independent Assessor covering the Security Program, with specific requirements for Assessor qualifications, reporting periods, content, and submission to the FTC.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Security Program; and (3) retains all documents relevant to each Assessment for five years after completion of such Assessment and provides such documents to the Commission within ten days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name and affiliation of the person selected to conduct the Assessment, which the Associate Director shall have the authority to approve in his sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each two year period thereafter for 20 years after issuance of the Order for the biennial Assessments.\n\nD. 
Each Assessment must, for the entire assessment period,: (1) determine whether Respondent has implemented and maintained the Security Program required by Provision II of this Order, titled Mandated Device Security and Information Security Program; (2) assess the effectiveness of Respondent’s implementation and maintenance of sub-Provisions II.A-I; (3) identify any gaps or weaknesses in, or instances of material noncompliance with, the Security Program; and (4) identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely solely on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor and must state that the Assessor conducted an independent review of the Information Security Program, and did not rely solely on assertions or attestations by Respondent’s management. To the extent that Responded revises, updates, or adds one or more safeguards required under Part II of this Order in the middle of an Assessment period, the Assessment shall assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit the initial Assessment to the Commission within ten days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. 
Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Tapplock, FTC File No. 192 3011, Docket No. C-4718.” All subsequent biennial Assessments must be retained by Respondent until the order is terminated and provided to the Associate Director for Enforcement within ten days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "IV",
      "title": "Cooperation with Third Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide the Assessor with all relevant information and materials, and must not withhold material facts or misrepresent any facts material to the Assessor's determinations.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege; and\n\nB. Not withhold any material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondent has implemented and maintained the Security Program required by Provision II of this Order, titled Mandated Device Security and Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions II.A-I; or (3) identification of any gaps or weaknesses in the Security Program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "V",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondent must submit annual certifications from a senior corporate manager or officer attesting to compliance with the Order, awareness of any material noncompliance, and describing any Covered Incidents, submitted to the FTC via specified channels.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Security Program that: (1) Respondent has established, implemented, and maintained the requirements of this Order; (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of a Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “Tapplock, Inc., FTC File No. 192 3011, Docket No. C-4718.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "VI",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit an acknowledgment of receipt of the Order to the FTC within ten days, deliver copies of the Order to relevant personnel and business successors for 20 years, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Respondent, within ten days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives with responsibilities related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in Provision VII of this Order titled Compliance Reports and Notices. Delivery must occur within ten days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file a sworn compliance report one year after issuance, submit compliance notices within 14 days of certain changes in structure or contact information, notify the FTC of any bankruptcy filing within 14 days, and ensure all sworn submissions meet the specified format and delivery requirements.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (2) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (4) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “Tapplock, Inc., FTC File No. 192 3011, Docket No. C-4718.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specific categories of records for 20 years after the Order's issuance, with each record retained for five years, covering financial records, personnel records, consumer complaints, marketing materials, security representations, Assessment materials, law enforcement communications, and all compliance records.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each unique advertisement or other marketing material making a representation subject to this Order;\n\nE. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, confidentiality, security, or integrity of any Personal Information or the security of any Covered Device, including any representation concerning a change in any website or other service controlled by Respondent that relates to the privacy, confidentiality, security, or integrity of Personal Information or the security of Covered Devices;\n\nF. For five years after the date of preparation of each Assessment required by this Order, all materials and evidence that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nG. For five years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondent’s compliance with this Order;\n\nH. 
For five years from the date created or received, all records, whether prepared by or on behalf of Respondent, that tend to show any lack of compliance by Respondent with this Order; and\n\nI. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC has the right to monitor Respondent's compliance by requesting additional reports and records, communicating directly with and interviewing Respondent's affiliates, and using all other lawful means including undercover investigations.",
      "verbatim_text": "A. Within ten days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "X",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and terminates on May 18, 2040, or 20 years from the most recent date a complaint is filed in federal court alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate May 18, 2040, or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.20_tapplock",
      "company_name": "Tapplock, Inc.",
      "date_issued": "2020-05-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter",
      "docket_number": "C-4718"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner how it collects, uses, discloses, maintains, or deletes Covered Information, or how it protects the privacy, security, and integrity of that information.",
      "verbatim_text": "A. The extent to which Respondent collects, uses, discloses, maintains, or deletes any Covered Information;\n\nB. The extent to which consumers can control the collection, use, disclosure, maintenance, or deletion of Covered Information;\n\nC. The extent to which Respondent accesses or permits access to Covered Information;\n\nD. The extent to which, purposes for which, or duration of time during which Respondent retains any Covered Information following a consumer’s deletion or deactivation of a user account with Respondent; or\n\nE. The extent to which Respondent otherwise protects the privacy, security, availability, confidentiality, or integrity of any Covered Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.22_everalbum",
      "company_name": "Everalbum, Inc.",
      "date_issued": "2022-05-15",
      "year": 2022,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter",
      "docket_number": "C-4743"
    },
    {
      "provision_number": "II",
      "title": "Notice and Affirmative Express Consent Provision",
      "category": "affirmative_obligation",
      "summary": "Before using Biometric Information collected from a User to create a Face Embedding or train/develop/alter any face recognition model or algorithm, Respondent must clearly disclose all purposes for which it will use the information and obtain affirmative express consent from the User.",
      "verbatim_text": "A. Clearly and Conspicuously disclose to the User from whom Respondent has collected the Biometric Information, separate and apart from any “privacy policy,” “terms of use” page, or other similar document, all purposes for which Respondent will use, and to the extent applicable, share, the Biometric Information; and\n\nB. Obtain the affirmative express consent of the User from whom Respondent collected the Biometric Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "05.22_everalbum",
      "company_name": "Everalbum, Inc.",
      "date_issued": "2022-05-15",
      "year": 2022,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter",
      "docket_number": "C-4743"
    },
    {
      "provision_number": "III",
      "title": "Deletion",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete or destroy photos, videos, Face Embeddings, and Affected Work Product collected from certain Users within specified timeframes after the Order's issuance, and provide sworn written statements to the Commission confirming such deletion.",
      "verbatim_text": "A. Within thirty (30) days after the issuance date of this Order, delete or destroy all photos and videos that Respondent collected from Users who requested deactivation of their Ever accounts on or before the issuance date of this Order, and provide a written statement to the Commission, sworn under penalty of perjury, confirming that all such information has been deleted or destroyed;\n\nB. Within ninety (90) days after the issuance of this Order, delete or destroy all Face Embeddings derived from Biometric Information Respondent collected from Users who have not, by that date, provided express affirmative consent for the creation of the Face Embeddings, and provide a written statement to the Commission, sworn under penalty of perjury, confirming that all such information has been deleted or destroyed; and\n\nC. Within ninety (90) days after the issuance of this Order, delete or destroy any Affected Work Product, and provide a written statement to the Commission, sworn under penalty of perjury, confirming such deletion or destruction.\n\napplicable to the safeguarding of evidence in pending litigation. In each written statement to the Commission required by this provision, Respondent shall describe in detail any relevant information that Respondent retains on any of these bases and the specific government agency, law, regulation, court order, or other legal obligation that prohibits Respondent from deleting or\n\ndestroying such information. Within thirty (30) days after the obligation to retain the information has ended, Respondent shall provide an additional written statement to the Commission, sworn under penalty of perjury, confirming that Respondent has deleted or destroyed such information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion",
        "Algorithmic Destruction"
      ],
      "case_id": "05.22_everalbum",
      "company_name": "Everalbum, Inc.",
      "date_issued": "2022-05-15",
      "year": 2022,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter",
      "docket_number": "C-4743"
    },
    {
      "provision_number": "IV",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of this Order, deliver copies to relevant personnel and successors, and collect signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the issuance date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For ten (10) years after the issuance date of this Order Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives having managerial responsibilities for conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.22_everalbum",
      "company_name": "Everalbum, Inc.",
      "date_issued": "2022-05-15",
      "year": 2022,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter",
      "docket_number": "C-4743"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn compliance report one year after the Order's issuance, provide timely notices of changes in contact information or business structure, and notify the Commission of any bankruptcy filings.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of the Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, what Covered Information is collected, and the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (a) any designated point of contact or (b) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Everalbum, Inc., FTC File No. 1923172.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.22_everalbum",
      "company_name": "Everalbum, Inc.",
      "date_issued": "2022-05-15",
      "year": 2022,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter",
      "docket_number": "C-4743"
    },
    {
      "provision_number": "VI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified categories of records for 10 years after the Order's issuance, retaining each record for at least 5 years.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security, availability, confidentiality, or integrity of any Covered Information, including any representation concerning a change in any website, mobile app, or other service controlled by Respondent that relates to privacy, security, availability, confidentiality, or integrity of Covered Information; and\n\nE. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.22_everalbum",
      "company_name": "Everalbum, Inc.",
      "date_issued": "2022-05-15",
      "year": 2022,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter",
      "docket_number": "C-4743"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor Respondent's compliance by requesting reports and records, communicating directly with and interviewing Respondent's personnel, and using other lawful means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.22_everalbum",
      "company_name": "Everalbum, Inc.",
      "date_issued": "2022-05-15",
      "year": 2022,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter",
      "docket_number": "C-4743"
    },
    {
      "provision_number": "VIII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order is effective upon publication on ftc.gov and terminates 20 years from its issuance date, or 20 years from the most recent date the Commission files a complaint alleging a violation, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its 7 publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.22_everalbum",
      "company_name": "Everalbum, Inc.",
      "date_issued": "2022-05-15",
      "year": 2022,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter",
      "docket_number": "C-4743"
    },
    {
      "provision_number": "I",
      "title": "Prohibited Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent and those acting with it must not make any misrepresentation about product reviews or endorsements, including about whether reviews reflect all purchasers' views, whether reviews are unedited, whether reviews are presented regardless of rating, or how reviews factor into overall ratings.",
      "verbatim_text": "IT IS ORDERED that Respondent, and Respondent's officers, agents, employees; and attorneys, and all other persons in active concert or participation with any ofthem, who receive actual notice ofthis Order, whether acting directly or indirectly, in connection with the advertising, promotion, offering for sale, or sale ofany product must not make any misrepresentation, expressly or by implication, about product reviews or endorsements ofthe product, including any misrepresentation: A. That product reviews on Respondent's website accurately reflect the views ofall purchasers who submitted reviews ofRespondent's products on the website;\n\nB. That product reviews or endorsements ofany products are unedited;\n\nC. That product reviews or endorsements ofany products are presented regardless ofthe endorser's opinion or rating; or\n\nD. About bow product reviews factor into any composite or overall rating ofa product.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.23_fashion_nova",
      "company_name": "Fashion Nova, LLC",
      "date_issued": "2023-05-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter",
      "docket_number": "C-4759"
    },
    {
      "provision_number": "II",
      "title": "Product Review Display",
      "category": "affirmative_obligation",
      "summary": "Respondent must display all consumer-submitted reviews for products currently for sale on its websites, including previously withheld reviews, subject to limited exceptions for off-topic, unlawful, or inappropriate content.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must display, on each ofits websites disp1aying product reviews, all reviews for products currently offered for sale that are or were submitted by consumers to such website, including all reviews that Respondent or its agents previously withheld from public view. Provided that Respondent: (a) is not required to display reviews that are unrelated to Respondent's products and unrelated to Respondent's customer service, delivery, returns, or exchanges; (b) is not required to display reviews that contain unlawful, profane, obscene, vulgar, or sexually explicit content, or content that is inappropriate with respect to race, gender, sexuality, or ethnicity, so long as the criteria for withholding reviews is applied uniformly to all reviews submitted to such website; and (c) is not required to offer the opportunity to submit reviews for any or every product offered for sale on such website.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "05.23_fashion_nova",
      "company_name": "Fashion Nova, LLC",
      "date_issued": "2023-05-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter",
      "docket_number": "C-4759"
    },
    {
      "provision_number": "III",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "Respondent must pay $4,200,000 to the Commission within 8 days of the effective date of the Order by electronic fund transfer.",
      "verbatim_text": "A. Respondent must pay to the Commission $4,200,000 as monetary relief.\n\nB. Such payment must be made within 8 days ofthe effective date ofthis Order by electronic fund transfer in accordance with instructions provided by a representative of the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "05.23_fashion_nova",
      "company_name": "Fashion Nova, LLC",
      "date_issued": "2023-05-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter",
      "docket_number": "C-4759"
    },
    {
      "provision_number": "IV",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Respondent relinquishes all rights to transferred assets, agrees that complaint facts may be used in future litigation, and acknowledges rules governing use of paid funds, default interest, civil penalties for nonpayment, and reporting of its taxpayer ID.",
      "verbatim_text": "A. Respondent relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pw-suant to this Order and may not seek the return ofany assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalfofthe Commission to enforce its rights to any payment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by or on behalfofthe Commission pursuant to Section 523(a)(2)(A) ofthe Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for relief, including consumer redress and any attendant expenses for the administration ofany redress fund. Ifa representative ofthe Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other relief (including consumer information remedies) as it determines to be reasonably related to Respondent's practices alleged in the Complaint. Any money not used is to be deposited to the U.S. Treasury. Respondent has no right to challenge any activities pursuant to this Provision.\n\nE. In the event ofdefault on any obligation to make payment under this Order, interest, computed as ifpursuant to 28 U.S.C. § 1961(a), shall accrue .from the date ofdefault to the date ofpayment. In the event such default continues for 10 days beyond the date that payment is due, the entire amount will immediately become due and payable.\n\nF. 
Each day of nonpayment is a violation through continuing failure to obey or neglect to obey a final order of the Commission and thus will be deemed a separate offense and violation for which a civil penalty shall accrue.\n\nG. Respondent acknowledges that its Taxpayer Identification Number (Employer Identification Number), which Respondent has previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "05.23_fashion_nova",
      "company_name": "Fashion Nova, LLC",
      "date_issued": "2023-05-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter",
      "docket_number": "C-4759"
    },
    {
      "provision_number": "V",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt to the Commission within 10 days, deliver copies of the Order to relevant personnel within 10 days (and to future personnel before they assume responsibilities), and obtain signed acknowledgments from recipients within 30 days.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date ofthis Order, must submit to the Commission an acknowledgment ofreceipt ofthis Order sworn under penalty ofperjury.\n\nB. Respondent must deliver a copy ofthis Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter ofthe Order and all agents and representatives who participate in conduct related to the subject matter ofthe Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the effective date ofthis Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy ofthis Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment ofreceipt ofthis Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.23_fashion_nova",
      "company_name": "Fashion Nova, LLC",
      "date_issued": "2023-05-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter",
      "docket_number": "C-4759"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn compliance report 90 days after the Order is issued, and must submit sworn notices within 14 days of any change in contact points, business structure, or bankruptcy filings; all submissions must follow specified formatting and delivery requirements.",
      "verbatim_text": "A. Ninety days after the issuance date ofthis Order, Respondent must submit a compliance report, sworn under penalty ofperjury, in which Respondent must: 1. Identify the primary physical, postal, and email address and telephone number, as designated points ofcontact, which representatives ofthe Commission may use to communicate with Respondent; 2. Identify all of Respondent's businesses by all oftheir names, telephone numbers, and physical, postal, email, and Internet addresses; 3. Describe the activities ofeach business, including the goods and services offered, the means ofadvertising, marketing, and sales; 4. Describe in detail whether and how tlie Respondent is in compliance with each 7 Provision ofthis Order, including a discussion ofall ofthe changes the Respondent made to comply with the Order; and 5. Provide a copy ofeach Acknowledgment ofthe Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty ofperjury, within 14 days ofany change in the following: 1. Any designated point ofcontact; or 2. The structure ofRespondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution ofthe entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice ofthe filing ofany bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days ofits filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: \"I declare under penalty ofperjury under the laws ofthe United States of America that the foregoing is true and correct. 
Executed on: __\" and supplying the date, signatory's full name, title (ifapplicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, al] submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight coUiier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Fashion Nova, LLC.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.23_fashion_nova",
      "company_name": "Fashion Nova, LLC",
      "date_issued": "2023-05-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter",
      "docket_number": "C-4759"
    },
    {
      "provision_number": "VII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 10 years and retain each for 5 years, including accounting records, personnel records, consumer complaints, compliance records, marketing materials, product reviews submitted, and records showing any lack of compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for 10 years after the issuance date ofthe Order, and retain each such record for 5 years, unless otherwise specified below. Specifically, Respondent must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person's: name; addresses; telephone numbers; job title or position; dates ofservice; and (ifapplicable) the reason for termination;\n\nC. Copies or records ofall consumer or other complaints relating to customer reviews, whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each provision ofthis Order, including all submissions to the Commission;\n\nE. A copy ofeach unique advertisement or other marketing material making a representation subject to this Order and a copy ofeach product review submitted to Respondent; and\n\nF. For 5 years from the date created or received, all records, whether prepared by or on behalfofRespondent, that tend to show any lack ofcompliance by Respondent with this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.23_fashion_nova",
      "company_name": "Fashion Nova, LLC",
      "date_issued": "2023-05-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter",
      "docket_number": "C-4759"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission has broad rights to monitor compliance, including requesting additional reports and records within 10 days, interviewing Respondent's personnel, and using undercover methods without prior notice.",
      "verbatim_text": "A. Within 10 days ofreceipt ofa written request from a representative ofthe Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty ofperjury, and produce records for inspection and copymg.\n\nB. For matters concerning this Order, representatives ofthe Commission are authorized to communicate directly with Respondent. Respondent must pe1mit representatives ofthe Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity ofidentification or prior notice. Nothing in this Order limits the Commission's lawful use ofcompulsory process, pursuant to Sections 9 and 20 ofthe FTC Act, 15 U.S.C. §§ 49, 57b-l.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.23_fashion_nova",
      "company_name": "Fashion Nova, LLC",
      "date_issued": "2023-05-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter",
      "docket_number": "C-4759"
    },
    {
      "provision_number": "IX",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and terminates 20 years from issuance or 20 years from the most recent federal court complaint alleging a violation, whichever is later, with limited exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date ofits publication on the Commission's website (fie.gov) as a final order. This Order will terminate 20\n\npublication on the Commission's website (fie.gov) as a final order. This Order will terminate 20 years from the date ofits issuance (which date may be stated at the end ofthis Order, near the Commission's seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation ofthis Order, whichever comes later;provided, however, that the filing of such a complaint will not affect the duration of: 9 A. Any Provision in this Order that tenninates in less than 20 years; B. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will te1minate according to th.is Provision as though the complaint bad never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such djsmissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.23_fashion_nova",
      "company_name": "Fashion Nova, LLC",
      "date_issued": "2023-05-15",
      "year": 2023,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter",
      "docket_number": "C-4759"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner how it maintains, uses, deletes, or discloses Covered Information, the extent to which it protects that information, or the scope of any unauthorized incident or disclosure.",
      "verbatim_text": "A. The extent to which Respondent maintains, uses, Deletes, or discloses any Covered Information;\n\nB. The extent to which Respondent protects the privacy, security, availability, confidentiality, or integrity of any Covered Information; or\n\nC. The extent of any Covered Incident or unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of Covered Information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "II",
      "title": "Mandated Data Deletion",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete or destroy customer backup files containing Covered Information not needed for service delivery within 90 days, confirm deletion in writing, and refrain from retaining Covered Information beyond what is necessary.",
      "verbatim_text": "A. Within 90 days after the Order Effective Date, Delete or destroy Respondent customer backup files containingCovered Information that is not being retained in connection with providing products or services to Respondent’s customers unless otherwise requested by Respondent’s customers, and provide a written statement to the Commission, pursuant to the Provision entitled Compliance Reports and Notices, confirming that all such data has been Deleted or destroyed, specifically enumerating which types of information were Deleted or destroyed; and\n\nB. Refrain from maintaining any Covered Information not necessary for the purpose(s) for which such information is stored and/or maintained by Respondent.\n\npending litigation. In each written statement to the Commission required by this provision, such Respondent shall describe in detail any Covered Information that Respondent retains on any of these bases and the specific government agency, law, regulation, court order, or other legal obligation that prohibits Respondent from deleting or destroying such information. Within thirty (30) days after the obligation to retain the information has ended, Respondent shall provide an additional written statement to the Commission, sworn under penalty of perjury, confirming that Respondent has deleted or destroyed such information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "III",
      "title": "Data Retention Limits",
      "category": "affirmative_obligation",
      "summary": "Respondent must document and publicly post a retention schedule for customer backup files containing Covered Information within 90 days, and report that schedule to the Commission in writing.",
      "verbatim_text": "A. Within 90 days of the Order Effective Date, document, make publicly available on its website(s), and adhere to a retention schedule for Respondent customer backup files containing Covered Information, setting forth: (1) the purpose or purposes for which Covered Information is maintained by Respondent; (2) the specific business needs for Respondent retaining such Covered Information; and (3) a set timeframe for Deletion of Covered Information that precludes indefinite retention of any Covered Information. For clarity, the requirements of this Provision III.A shall additionally apply to the databases containing the Covered Information of former customers and customers who migrate to a different Respondent product; and\n\nB. Within 90 days after the Order EffectiveDate, provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, describing the retention schedule for Respondent customer backup files containing Covered Information made publicly available on its website(s).",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "IV",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive information security program within 90 days of the Order Effective Date, meeting at minimum fourteen detailed sub-requirements covering documentation, governance, risk assessment, safeguards, testing, and service provider oversight.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, and any business that Respondent controls directly, or indirectly in connection with the maintenance, use, or disclosure of, or provision of access to, Covered Information, must, within ninety (90) days of the Order Effective Date, establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, confidentiality, and integrity of such Covered Information (“Information Security Program”). Delayed Update Customers are exempt from the initial 90- day timing requirement, but Respondent will assist Delayed Update Customers,upon their approval, to update their software in a timely manner. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written Information Security Program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for Respondent’s Information Security Program at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30)days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in: (1) the Page 7 of 17 unauthorized storage, maintenance, alteration, use, or disclosure of, or provision of access to, Covered Information; or (2)the misuse, loss, theft, and unauthorized alteration, destruction, or other compromise of Covered Information;\n\nE. 
Design, implement, maintain, and document safeguards within Respondent’s control that control for the internal and external risks Respondent identifies to the security, confidentiality, or integrity of Covered Information identified in response to sub- Provision D. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in: (1)the unauthorized storage, maintenance, use, or disclosure of, or provision of access to, Covered Information; or (2) the misuse, loss, theft, and unauthorized alteration, destruction, or other compromise of Covered Information. Such safeguards must also include: 1. A written information security policy and accompanying written standards or procedures that describe, at a minimum: (a)how Respondent implements each of the safeguards identified in this sub-Provision; and (b)how Respondent assesses and enforces compliance with these safeguards and any other controls it identifies in the policy and accompanying standards and procedures; 2. Standards, procedures, and policy provisions mandating security education that address internal or external risks Respondent identifies under sub-Provision D of this Provision, and that includes, at a minimum: (a) training for Respondent’s employees about Respondent’s security policy, standards, and procedures, including the requirements of this Order and the process for submitting complaints and concerns, to be conducted when an employee begins employment or takes on a new role, and on at least an annual basis thereafter; and (b) training in secure software development principles, including secure engineering and defensive programming concepts, for developers, engineers, system administrators, and other employees that design, implement, and operate Respondent’s products or services or that are otherwise responsible for the security of Covered Information; 3. 
Policy provisions and, to the extent possible, technical measures requiring Respondent’s employees or contractors, or third parties to secure any accounts with access to a Respondent’s information technology infrastructure by: (a)using strong, unique passwords; and (b) preventing password reuse and password rotation through implementing appropriate tools; 4. Requiring multi-factor authentication methods for all employees and contractors of Respondent and its affiliates in order to access any assets (including databases) storing Covered Information. Such multi-factor authentication methods for all Page 8 of 17 employees and contractors of Respondent and its affiliates shall not include telephone or SMS-based authentication methods and must be resistant to phishing attacks. Respondent may use widely adoptedindustry authentication options that provide at least equivalent security as the multi-factor authentication options required by this sub-Provision, if approved in writing by the Commission; 5. Requiring multi-factor authentication methods for all Respondent’s customers, except for those customers who use enterprise single sign on solutions within their organizations to access Respondent products and for Delayed Update Customers. However, Respondent shall make available an update for multi-factor authentication methods for Delayed Update Customers; 6. Technical measures, standards, procedures, and policy provisions to: (a) log and monitor access to repositories of Covered Information; (b)limit access to Covered Information by, at a minimum, limiting Respondent employee and service provider access to what is needed to perform that employee’s or service provider’s job function; (c) grant and audit varying levels of access based on an employee’s need to know; and (d) periodically monitor and terminate employee and contractor accounts following inappropriate usage or termination of employment; 7. 
Technical measures, standards, procedures, and policy provisions to control access to Respondent’s customer databases containing Covered Information, including, at a minimum: (a) for Respondent’s and its affiliates’ employees and contractors, restrictions of inbound connections to those originating from approved IP addresses, such as corporate VPN; (b) requiring connections to be authenticated and encrypted; and (c) periodic audits of account permissions; 8. Technical measures, standards, procedures, and policy provisions relating to Covered Information which: (a) monitor and log transfers or exfiltration of Covered Information from Respondent’s network boundaries; (b) monitor and log data security events and other anomalous activity; and (c)verify the effectiveness of monitoring and logging; 9. Technical measures to safeguard against unauthorized access to Covered Information, including: (a)an intrusion prevention or detection system; (b) file integrity monitoring tools; (c)data loss prevention tools; (d)properly configured firewalls; and (e)properly configured physical or logical segmentation of networks, systems and databases; Page 9 of 17 10.Authentication procedures designed to prevent one customer’s credentials from accessing another customer’s data or other unauthorized areas in Respondent’s networks; 11.Technical measures, procedures, and policy provisions to systematically inventory assets (including databases) storing Covered Information and Delete Respondent customer backup files containing Covered Information that is no longer necessary; 12.Encryption of, at a minimum, fields in Respondent’s products designed to store Social Security numbers, passport numbers, tax ID information, driver’s license or other government-issued identification numbers; bank account, credit card, or debit card information, dates of birth associated with a consumer, Medical Information associated with a consumer, and user account credentials on Respondent’s computer networks, 
including but not limited to cloud storage; 13.Technical measures, procedures, and policy provisions to address the maintenance of any new type of information related to consumers that was not being maintained as of the issuance data of this Order, including: (a) the purposes or purposes for which the new information is maintained; (b) the specific business needs for maintaining the new information; and (c) encryption of sensitive consumer information; and 14.Enforcing policies and procedures consistent with this Order designed to ensure the timely investigation of data security events and the timely remediation of critical and high-risk security vulnerabilities relating to Covered Information.\n\nF. Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the security, confidentiality, or integrity of Covered Information, and modify the Information Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards specified in this Provision at least once every twelve (12) months and promptly (not to exceed 30 days) following a Covered Incident and modify the Information Security Program based on the results. Such testing and monitoring must include vulnerability scanning of Respondent’s network(s) containing Covered Information once every four months and promptly (not to exceed 30 days) after a Covered Incident, and penetration testing of Respondent’s network(s) containing Covered Information at least once every twelve (12) months and promptly (not to exceed 30 days) after a Covered Incident;\n\nH. 
Select and retain service providers capable of safeguarding Covered Information they access through or receive from Respondent, and contractually require service providers to Page 10 of 17 implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information; and\n\nI. Evaluate and adjust the Information Security Program in light of any material changes to Respondent’s operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in sub- Provision IV.D of this Order, or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "V",
      "title": "Information Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party assessments of its Information Security Program from a qualified, independent Assessor approved by the FTC, with specific reporting periods, completion deadlines, and submission requirements.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; (3)retains all documents relevant to each Assessment for five (5) years after completion of such Assessment: and (4)will provide such documents to the Commission within ten (10)days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney product protection, attorney-client privilege, statutory exemption, or any similar claim. Respondent may satisfy the requirements to obtain Assessments through the use of assessments that are also intended to meet the requirements of other regulatory mandates to which Respondent is subject, provided that such assessments meet the requirements of the Information Security Program set forth in this Order.\n\nB. For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in their sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) at least the first 180 days after the Information Security Program is established for the initial Assessment; and (2) each 2-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.\n\nD. 
Each Assessment must, for the entire assessment period: (1) determine whether Respondent has implemented and maintained the Information Security Program required by Provision IV of this Order, titled Mandated Information Security Program; (2) assess the effectiveness of Respondent’s implementation and maintenance of sub-Provisions IV.A-I; (3) identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; (4) address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and (5)identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondent’s management, and state the number of hours that each member of the Assessor’s assessment team worked on the Assessment. To the extent that Respondent revises, updates, or adds one or more safeguards required under Provision IVof this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. 
The initial Assessment must be completed within one hundred and twenty (120) days after the end of the reporting period for the initial Assessment. Each subsequent biennial Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director forEnforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania AvenueNW,Washington, DC 20580. The subject line must begin, “In re Blackbaud, FTC File No.2023181.” All subsequent biennial Assessments must be retained by Respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "VI",
      "title": "Cooperation with Third Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondent must fully cooperate with the third-party Assessor by providing all relevant information, network/IT asset visibility, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.\n\nB. Provide or otherwise make available to the Assessor information about Respondent’s network(s) and all of Respondent’s IT assets that maintain Covered Information so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s) and IT assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication,any fact material to the Assessor’s: (1) determination of whether Respondent has implemented and maintained the Information Security Program required by Provision IVof this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions IV.A-I; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "VII",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondent's Chief Information Security Officer must annually certify to the FTC that the Order's requirements have been established, implemented, and maintained, and that all material noncompliance has been corrected or disclosed, including a description of all Covered Incidents during the certified period.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from Respondent’s Chief Information Security Officer responsible for Respondent’s Information Security Program that: (1) Respondent has established, implemented, and maintained the requirements of this Order; (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents during the certified period. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Blackbaud, FTC File No. 2023181.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "VIII",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 10 days of notifying any U.S. government entity of a Covered Incident, Respondent must submit a detailed report to the FTC including dates, facts, types of information affected, number of customers affected, remediation steps taken, and copies of notices sent.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within ten (10) days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondent must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of information that was affected by the Covered Incident; D. The number of Respondent's customers affected by the Covered Incident; E. The acts that Respondent has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of any materially different notice sent by Respondent to its customers, or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, \"In re Blackbaud Inc, FTC File No. 2023181.\"",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "IX",
      "title": "Order Acknowledgements",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order, deliver copies to all relevant officers, employees, and agents, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within 10 days after the Order Effective Date, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after issuance of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, and directors; (2) all employees having managerial responsibilities for cybersecurity, privacy, and the collection, use, or disclosure of Covered Information, and all agents and representatives who participate in cybersecurity, privacy, and the collection, use, or disclosure of Covered Information; and (3) any business entity resulting from any change in structure as set forth in Provision X. Delivery must occur within 10 days of the Order Effective Date for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "X",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn compliance report one year after the Order's issuance, notify the Commission within 14 days of structural or contact changes for 20 years, and notify the Commission within 14 days of any bankruptcy filing.",
      "verbatim_text": "A. One year after issuance of this Order, Respondent must submit a compliance report, sworn under penalty of perjury. Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of Respondent's businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For 20 years after issuance of this Order, Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: \"I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: __\" and supplying the date, signatory's full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: \"In re Blackbaud, Inc.\"",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "XI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specific records for 5 years, generated over a 20-year period, including accounting records, personnel records, consumer complaints, compliance documents, and copies of advertising materials related to privacy and data security.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services relating to Covered Information, whether as an employee or otherwise, that person's: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Records of all consumer complaints regarding security, privacy, or identity theft related to Covered Information whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nE. A copy of each widely disseminated, unique advertisement or other marketing material that references or otherwise relates to Respondent's privacy and data security practices.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "XII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondent's compliance through requests for reports and documents, depositions, direct communication with Respondent's personnel, and other lawful means including undercover activity.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, the Commission is authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview any employee or other person affiliated with Respondent who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Commission may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "XIII",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order becomes effective upon publication on the FTC's website and terminates 20 years from issuance, or 20 years from the most recent date a complaint is filed in federal court alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order (the “Order Effective Date”).\n\nThis Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.24_blackbaud",
      "company_name": "Blackbaud, Inc.",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc",
      "docket_number": "C-4804"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not materially misrepresent the extent to which it collects, uses, maintains, discloses, or deletes Location Data, or the extent to which that Location Data is Deidentified.",
      "verbatim_text": "IT IS ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not materially misrepresent, in any manner, expressly or by implication: A. The extent to which Respondent collects, uses, maintains, discloses, or deletes any Location Data; and\n\nB. The extent to which Location Data that Respondent collects, uses, maintains, or discloses is Deidentified.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "II",
      "title": "Prohibition on the Sale or Licensing of Location Data",
      "category": "prohibition",
      "summary": "Respondent must not sell or license Location Data in exchange for any valuable consideration.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must not sell or license Location Data in exchange for any valuable consideration.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "III",
      "title": "Prohibition on Products or Services Categorizing or Targeting Consumers Based on Sensitive Location Data",
      "category": "prohibition",
      "summary": "Respondent must not use, sell, license, transfer, or otherwise share any products or services that categorize or target consumers based on Sensitive Location Data associated with identified Sensitive Locations, except as necessary to comply with Provision IV.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must not use, sell, license, transfer, or otherwise share any products or services that categorize or target consumers based on Sensitive Location Data associated with locations Respondent has identified pursuant to Subpart IV.D., provided however, Respondent may use such data as necessary to comply with Provision IV.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "IV",
      "title": "Sensitive Location Data Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a Sensitive Location Data Program within 90 days to prevent use, sale, licensing, transfer, or sharing of products or services that categorize or target consumers based on Sensitive Location Data.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within 90 days of the issuance of this Order, must establish and implement, and thereafter maintain, a Sensitive Location Data Program to prevent the Respondent from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on Sensitive Location Data (“Sensitive Location Data Program”). To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the components of the Sensitive Location Data Program as well as the plan for implementing and maintaining the Sensitive Location Data Program;\n\nB. Identify a qualified employee or employees, who report(s) directly to an executive, such as the Chief Executive Officer, Chief Compliance Officer, or Chief Legal Officer, to coordinate and be responsible for the Sensitive Location Data Program, and keep the executive and the Board of Directors informed of the Sensitive Location Data Program, including all actions and procedures implemented to comply with the requirements of this order, and any actions and procedures to be implemented to ensure continued compliance with this Order.\n\nC. Provide the written program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent body exists, to the principal executive officer of Respondent at least every twelve months;\n\nD. Develop procedures to identify, using methods, sources, products and services developed by Respondent or offered commercially by third parties, Sensitive Locations in each geographic region in which Respondent collects or otherwise obtains Location Data. If a building or place is identified as including both a Sensitive Location and a non-Sensitive Location, Respondent may associate Location Data with the non-Sensitive Location only;\n\nE. 
Assess, at least once every six months, the accuracy and completeness of Respondent’s list of Sensitive Locations. Such assessments must include: 1. Verifying that Respondent’s list includes Sensitive Locations known to Respondent; 2. Identifying and assessing methods, sources, products, and services developed by Respondent or offered by third parties that identify Sensitive Locations; 3. Updating its list of Sensitive Locations by selecting and using the methods, sources, products, or services developed by Respondent or offered by third parties that are accurate and comprehensive in identifying Sensitive Locations; and 4. Documenting each step of this assessment, including the reasons Respondent selected the methods, sources, products, or services used in updating Respondent’s list of Sensitive Locations.\n\nF. Implement policies, procedures, and technical measures to prevent Respondent from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on Sensitive Location Data.\n\nG. Monitor and test the effectiveness of the policies, procedures, and technical measures at least annually; and\n\nH. Evaluate and adjust the Sensitive Location Data Program in light of any changes to Respondent’s operations or business arrangements, or any other circumstance that Respondent knows or has reason to know may have an impact on the Sensitive Location Data Program’s effectiveness. At a minimum, Respondent must evaluate the Sensitive Location Data Program every twelve months and implement modifications based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "V",
      "title": "Other Limitations on Collection, Use, Maintenance, and Disclosure of Location Data Absent Affirmative Express Consent",
      "category": "prohibition",
      "summary": "Respondent must not collect, use, maintain, or disclose a consumer's Location Data through any Respondent App without documented Affirmative Express Consent and without providing a Clear and Conspicuous reminder at least every six months.",
      "verbatim_text": "A. In connection with any Respondent App, collect, use, maintain, or disclose a consumer’s Location Data without a record satisfying the requirements in Subpart XVI.F documenting the consumer’s Affirmative Express Consent obtained prior to Respondent’s collection or use of Location Data;\n\nB. In connection with any Respondent App, collect, use, maintain, or disclose a consumer’s Location Data, unless the consumer receives a Clear and Conspicuous reminder, at least every six months that the consumer’s Location Data is being collected and, if applicable, disclosed, along with instructions for a simple control to turn off Location Data collection. Any such reminder must be done through a consumer-enabled push notification or to an e-mail address provided by the consumer or, if the consumer has not opted into push notifications and an email address is unavailable, through a notice in the app. Provided, however, that reminders mandated by Subpart V.B are not required when Respondent confirms that a consumer’s device is utilizing an operating system version that reminds consumers that their Location Data is being collected or that limits Location Data collection by default for infrequently used apps.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "VI",
      "title": "SDK Supplier Assessment Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must implement and maintain an SDK Supplier Assessment Program within 90 days to ensure consumers have consented to the collection and use of Location Data obtained through Respondent's SDK.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within 90 days of the effective date of this Order, must implement and maintain an “SDK Supplier Assessment Program” designed to ensure that consumers have provided consent for the collection and use of Location Data obtained by Respondent through Respondent’s SDK. In connection with the SDK Supplier Assessment Program, the Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the SDK Supplier Assessment Program; and\n\nB. Conduct an assessment of each third party providing Location Data to Respondent through Respondent’s SDK within thirty (30) days of such third party entering into a data-sharing agreement with Respondent (or, for parties with existing data-sharing agreements, within thirty (30) days of the implementation of the SDK Supplier Assessment Program), and thereafter annually, designed to confirm that consumers provide Affirmative Express Consent if available, or to confirm that consumers specifically consent to the collection, use and sale of their Location Data.\n\nC. Create and maintain records of the third parties’ responses obtained by Respondents under the SDK Supplier Assessment Program.\n\nD. Refrain from using, selling, licensing, transferring or otherwise sharing or disclosing any Location Data provided to Respondent through Respondent’s SDK after implementation of the SDK Supplier Assessment Program for which Respondent was unable to confirm that consumers have provided consent, as provided in Subpart VI.B above.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "VII",
      "title": "Withholding and Withdrawing Affirmative Express Consent",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide consumers with a simple means to withdraw Affirmative Express Consent and must not unreasonably limit a consumer's ability to withhold or withdraw consent.",
      "verbatim_text": "A. Provide a simple, easily-located means for consumers to withdraw any Affirmative Express Consent provided to Respondent in connection with Location Data that is no more burdensome than the means by which the consumer provided consent. Such means may include a prominent notice with instructions, link to a webpage that sets out instructions, or link to an applicable operating system, device or app permission or setting; and\n\nB. Not unreasonably limit a consumer’s ability to withhold or withdraw Affirmative Express Consent, such as by degrading the quality or functionality of a product or service as a penalty for withholding or withdrawing such Affirmative Express Consent, unless the collection and use of Location Data is technically necessary to provide the quality or functionality of the product or service without such degradation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "VIII",
      "title": "Obligations When Affirmative Express Consent is Withdrawn",
      "category": "affirmative_obligation",
      "summary": "Respondent must cease collecting all Location Data from a specific Respondent App on a device within 7 days after receiving notice that the consumer has withdrawn Affirmative Express Consent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must cease collecting all Location Data associated with a specific Respondent App on a device within 7 days after Respondent receives notice that the consumer has withdrawn their Affirmative Express Consent for such collection from that app and device using the means that Respondent provided under Subpart VII.A.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "IX",
      "title": "Location Data Deletion Requests",
      "category": "affirmative_obligation",
      "summary": "Respondent must implement and maintain a simple means for consumers to request deletion of their Location Data and must delete such data within 30 days of the request.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondents’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must implement and maintain a simple, easily-located means for consumers to request that Respondent delete Location Data that Respondent previously collected from a specific mobile device, and delete Location Data within 30 days of receipt of such request unless a shorter period for deletion is required by law. Respondent may require consumers to provide Respondent with information necessary to complete such requests, but must not use, provide access to, or disclose any information collected for a deletion request for any other purpose. Respondent may implement such deletion requests by Deidentifying the Location Data.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "X",
      "title": "Data Retention Limits",
      "category": "affirmative_obligation",
      "summary": "Respondent must document, adhere to, and publish a retention schedule for Covered Information within 60 days, report it to the Commission, and update the schedule before collecting any new types of Covered Information.",
      "verbatim_text": "A. Within 60 days of the effective date of this Order, document, adhere to, and make publicly available from a link on the Respondent Apps or the home page of its website(s), a retention schedule for Covered Information, setting forth: (1) the business purpose or purposes for which each type of Covered Information is collected and used; (2) the specific business purpose(s) for retaining each type of Covered Information; and (3) an established timeframe for deletion of each type of Covered Information limited to the shortest time reasonably necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information; and\n\nB. Within 60 days of the effective date of this Order, Respondent shall provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, describing the retention schedule for Covered Information made publicly available on its website(s) and app(s); and\n\nC. Prior to collecting any new type of Covered Information that was not being collected as of the issuance date of this Order, and is not described in retention schedules published in accordance with Subpart A of this Provision entitled Data Retention Limits, Respondent must update its retention schedule setting forth: (1) the purpose or purposes for which the new information is collected and used; (2) the specific business needs for retaining the new information; and (3) a set timeframe for deletion of the new information that precludes indefinite retention.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "XI",
      "title": "Notice to Consumers",
      "category": "affirmative_obligation",
      "summary": "Within 45 days of the effective date, Respondent must provide notice to each consumer whose Location Data it collected and used through any Respondent App without a record of Affirmative Express Consent, via email and in-app notice.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within 45 days of the effective date of this Order, Respondent must provide a notice to each consumer whose Location Data it collected and used through any Respondent App, where the Respondent does not have a record of the consumer’s Affirmative Express Consent. A. The notice must be delivered through: (1) an email notice (if Respondent previously collected an email address from the user); and (2) a notice in the app itself.\n\nB. Email notices sent by Respondent must contain the information set forth in Attachment A.\n\nC. Notices in the app itself must contain the following: “InMarket has settled with the Federal Trade Commission, the nation’s consumer protection agency, to resolve their allegations that we collected, used and stored your location data without disclosing our marketing and analytics uses. As part of the settlement, we have changed our practices to improve transparency and control for consumers. To learn more— [Link to text of Attachment A posted on www.inmarket.com.]”.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "XII",
      "title": "Deletion",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete Historic Location Data collected through Respondent Apps within 90 days, delete or Deidentify Historic Location Data collected from third parties within 120 days, and delete audience segments created using Historic Location Data within 120 days, unless prohibited by law.",
      "verbatim_text": "A. Within 90 days after the effective date of this Order, delete or destroy all Historic Location Data that Respondent collected through Respondent Apps, and provide a written statement to the Commission, pursuant to Subpart XV.E, confirming that all such information has been deleted or destroyed. Provided, however, Respondent shall have the option to request Affirmative Express Consent from the relevant consumer for the retention of Historic Location Data from a specific device. Within 30 days of Respondent’s request, Respondent will delete such Historic Location Data for any device where a consumer does not provide Affirmative Express Consent, or does not respond to the request within 30 days after the request is provided; 9 and\n\nB. Within 120 days after the effective date of this Order, delete, Deidentify or render non- sensitive (by, for example, ensuring that the Location Data is not associated with any Sensitive Location identified through the Sensitive Location Data Program under Subpart IV.D) all Historic Location Data that Respondent collected from a third party, and provide a written statement to the Commission, pursuant to subpart XV.E., confirming that all such information has been deleted, Deidentified or rendered non-sensitive.\n\nC. Within 120 days after the effective date of this Order, delete or destroy all audience segments created using Historic Location Data, and provide a written statement to the Commission, pursuant to Subpart XV.E., confirming such deletion or destruction.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "XIII",
      "title": "Mandated Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive privacy program within 60 days of Order issuance that includes documented safeguards, risk assessments, training, and regular evaluations.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, and any business that Respondent controls directly or indirectly, in connection with the collection, maintenance, use, disclosure of, or provision of access to Covered Information, must, within 60 days of issuance of this Order, establish and implement, and thereafter maintain, a comprehensive privacy program (the “Program”) that protects the privacy of such Covered Information. To satisfy this requirement, Respondent must at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Program;\n\nB. Provide the written program, and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for the Program at least once every 12 months;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Program;\n\nD. Assess and document, at least once every 12 months, internal and external risks to the privacy of Covered Information that could result in the: unauthorized collection, maintenance, use, disclosure of, or provision of access to such Covered Information;\n\nE. Design, implement, maintain, and document safeguards that control for the material internal and external risks Respondent identifies to the privacy of Covered Information identified in response to Subpart XIII.D. Each safeguard must be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized collection, maintenance, use, disclosure of, or provision of access to Covered Information.\n\nF. 
On at least an annual basis, provide privacy and data security training programs for all employees and independent contractors responsible for handling or who have access to Covered Information, updated to address any identified material internal or external risks and safeguards implemented pursuant to this Order.\n\nG. Test and monitor the effectiveness of the safeguards at least once every 12 months, and modify the Program based on the results;\n\nH. Evaluate and adjust the Program in light of any changes to Respondent’s operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in Subpart XIII.D of this Order, or any other circumstances that Respondent knows or has reason to believe may have an impact on the effectiveness of the Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Program at least once every 12 months and modify the Program if needed based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "XIV",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt of the Order within 10 days, deliver copies to current and future relevant personnel, and obtain signed acknowledgments from each recipient within 30 days of delivery.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of this Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "XV",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file a sworn annual compliance report one year after issuance, submit sworn notices within 14 days of changes to contact information or business structure, and notify the Commission within 14 days of any bankruptcy filing.",
      "verbatim_text": "A. One year after the issuance date of this Order, the Respondent must submit a compliance report, sworn under penalty of perjury, in which the Respondent must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (2) identify all of the Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (4) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. The Respondent must submit a compliance notice, sworn under penalty of perjury, within 1 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of the Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. The Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against it within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on:” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re InMarket Media, LLC, FTC File No. 202-3088.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "XVI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified categories of records for 20 years after Order issuance and retain each such record for 5 years, covering financials, personnel, consumer complaints, law enforcement communications, privacy representations, consent records, and reminder distribution records.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies of all consumer complaints that relate to the collection, use, maintenance, or disclosure of Covered Information, whether received directly or indirectly, such as through a third party, and any response;\n\nD. For 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondent’s compliance with this Order;\n\nE. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security and confidentiality of any Covered Information, including any representation concerning a material change in any website or other service controlled by Respondent that relates to the privacy, security, and confidentiality of Covered Information;\n\nF. Records showing Affirmative Express Consent for any individual consumer or device from which Respondent has collected Location Data through a Respondent App, the specific notice that individual consumers viewed and consented to, and the time and date of consent;\n\nG. Records showing the content and verifying the distribution of the Clear and Conspicuous reminders to individual consumers under Subpart V.B; records showing Respondent’s implementation of the SDK Supplier Assessment Program required by Provision VI; records showing Respondent’s implementation of the Sensitive Location Data Program required by Provision IV; and\n\nH. 
All other records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "XVII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting additional reports and records, interviewing affiliated personnel, and using all other lawful means including undercover methods.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, the Respondent must submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "XVIII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov as a final order and terminates 20 years from the date of issuance, or 20 years from the most recent date a complaint alleging any violation is filed in federal court, whichever comes later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and 1 C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.24_inmarket_media",
      "company_name": "InMarket Media, LLC",
      "date_issued": "2024-05-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc",
      "docket_number": "C-4803"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner the extent to which they protect the security or availability of any Hosting Service, Covered Information, or their participation in any privacy or security program.",
      "verbatim_text": "IT IS ORDERED that Respondents, and Respondents’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service must not misrepresent in any manner, expressly or by implication: A. the extent to which they protect the security, confidentiality, integrity, or availability of any Hosting Service;\n\nB. the extent to which they use reasonable or appropriate measures to protect any Managed Hosting Service from unauthorized access;\n\nC. the extent to which they utilize any security technology or technique, including monitoring, to protect any Managed Hosting Service;\n\nD. the extent to which they protect the security, confidentiality, integrity, or availability of any Covered Information; or\n\nE. the extent to which Respondents are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including the E.U.- U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "II",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish, implement, and maintain a comprehensive information security program within 90 days, satisfying numerous specific sub-requirements covering documentation, risk assessment, safeguards, monitoring, testing, and vendor management.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, and any business that Respondents control, directly or indirectly, in connection with the operation of, or provision of access to, any Hosting Service, must, within 90 days after the effective date of this order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Hosting Service and Covered Information. To satisfy this requirement, Respondents must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written program and any material evaluations thereof or material updates thereto to Respondents’ boards of directors, or a relevant committee thereof, or governing bodies or, if no such board or equivalent governing body exists, to a senior officer of each Respondent responsible for that Respondent’s Information Security Program at least once every 12 months and promptly (not to exceed 120 days) following a Covered Incident;\n\nC. Designate a qualified employee to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, and update at least once every 12 months and promptly (not to exceed 120 days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of any Hosting Service or Covered Information that could result in (1) unauthorized access to any Hosting Service; (2) the unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or the (3) misuse, loss, theft, alteration, destruction, or other compromise of such information. Respondents must document such an assessment of Managed Hosting Services separately from any other service or environment;\n\nE. 
Design, implement, maintain, and document safeguards that control for the internal and external risks Respondents identify to the security, confidentiality, or integrity of any Hosting Service or Covered Information identified in response to sub-Provision II.D of this section. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in (1) unauthorized access to any Hosting Service; (2) the unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or the (3) misuse, loss, theft, alteration, destruction, or other compromise of such information. Respondents must also assume, in designing such safeguards: (1) a high likelihood of unauthorized access to the Hosting Service, due to the number of websites hosted on the Hosting Service; (2) a high risk of harm to customers of the Hosting Service and to users of websites operated by customers of the Hosting Service should unauthorized access to the Hosting Service occur; (3) customers operating websites in the Hosting Service are likely to maintain or collect sensitive information in or through the Hosting Service; and (4) a high risk of unauthorized access to sensitive information maintained on the Hosting Service or collected by customers of the Hosting Service, through websites they operate, should unauthorized access to the Hosting Service occur;\n\nF. Within 90 days of the issuance date of this order, implement, maintain, and document the following security measures: 1. Implement and maintain centralized system component inventories, including of hardware, software, and firmware elements, that track the out-of-date and vulnerable versions of each Respondent-managed software program, operating system file, and firmware that is installed on any tracked asset, and create an alert for each asset that is using an out-of-date or vulnerable version;\n\n2. 
Employ automated tools and mechanisms, such as a security incident and event manager (“SIEM”) or equivalent program, to support near real-time analysis of events;\n\na. Create and retain system audit logs and records collected by Respondents to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity; and\n\nb. Conduct and document, and update at least once every 12 months, an evaluation that considers, at a minimum, (i) industry standards regarding log collection and analysis to support event detections; (ii) event detections available in any SIEM in use by Respondents and the logs necessary to support such detections; and (iii) Covered Incidents from the previous 12 months in order to determine if additional detections are needed and, if so, which logs Respondents should collect and analyze to support such detections;\n\n4. Require that all logins by employees, contractors, and third-party affiliates of Respondents to any Respondent-managed secure shell (“SSH”) be authenticated using a method, such as certificates or public/private key pairs, in which at least one component of the credential transmitted to the relying party is not static across multiple authentications, unless such credential is short-lived. In the alternative, Respondents may use widely-adopted industry authentication options that provide at least equivalent security as the authentication method required by the preceding sentence, if the person responsible for the Information Security Program under sub-Provision II.C: (a) approves in writing the use of such equivalent authentication options; and (b) documents a written explanation of how the authentication options are widely adopted and at least equivalent to the security provided by multi-factor authentication;\n\nG. Within 180 days of the issuance date of this order, implement, maintain, and document the following security measures: 1. 
Disconnect from the Hosting Service environment all hardware assets with Respondent-managed software installed that is no longer supported by a vendor, a Respondent, or other party through the provision of software updates or patches to address vulnerabilities, such as software that is considered end-of-life, or, if disconnection is infeasible, temporarily implement appropriate controls to mitigate threats and document a plan to disconnect the asset or software that includes an appropriate timeline;\n\n2. Use technical measures to detect and prevent anomalous changes to Respondent-managed critical operating system and application files by comparing such files to known baselines, such as file hash values, or, where such baselines are not available, by relying on methods such as non-signature-based technologies, including techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. In the alternative, Respondents may use immutable deployments to prevent unauthorized modifications of any system and application files managed by Respondents that are not monitored using such technical measures;\n\n3. Require at least one multi-factor authentication method for all employees of Respondents and staff of contractors and third-party affiliates in order to access and maintain access (such as through a single sign-on authentication method) to any Hosting Service supporting tool or asset, including connecting to any database. Each such multi-factor authentication method shall not include telephone call or SMS-based authentication methods and must be resistant to phishing attacks. 
In the alternative, Respondents may use widely-adopted industry authentication options that provide at least equivalent security as the multi-factor authentication options required by the preceding sentences, if the person responsible for the Information Security Program under sub-Provision II.C: (a) approves in writing the use of such equivalent authentication options; and (b) documents a written explanation of how the authentication options are widely adopted and at least equivalent to the security provided by multi-factor authentication;\n\n4. Require at least one multi-factor authentication method, or widely-adopted industry authentication option that provides at least equivalent security, be provided as an option for customers to authenticate into any Respondent-developed Hosting Service administration tool or database, excluding any SSH or machine-to-machine-only interface, such as an application programming interface (“API”), that does not support multi-factor authentication, including offering customers at least one method that does not require the customer to provide a telephone number, such as by integrating authentication applications or allowing the use of security keys. Any information collected by Respondents from customers for the purpose of enabling multi-factor authentication may only be used for authentication purposes and no other purpose; and\n\n5. Protect any API developed by Respondents that provides access to any Hosting Service configuration or administration or Covered Information by, at a minimum: a. Using technical controls to require connections to the API to use HTTPS or an equivalently secure transfer protocol for all requests; b. 
Requiring that all requests to any such API that provides access to Covered Information, including any Hosting Service administration tool that can access Covered Information, be authenticated using a method that protects authenticity at the session level and includes appropriate protections against session hijacking and the insertion of false information into sessions; c. Using appropriate rate-limiting for connections to the API; and d. Monitoring inbound and outbound API communications traffic, to detect attacks and indicators of potential attacks;\n\nH. Assess, at least once every 12 months and promptly (not to exceed 120 days) following a Covered Incident, the sufficiency of any safeguards and security measures in place to address the internal and external risks to the security, confidentiality, or integrity of Hosting Services and Covered Information, and modify the Information Security Program as needed based on the results;\n\nI. Test and monitor the effectiveness of the safeguards and security measures at least once every 12 months and promptly (not to exceed 120 days) following a Covered Incident, and modify the Information Security Program as needed based on the results. Such testing and monitoring must include vulnerability scanning of Respondents’ network(s) at least once daily, penetration testing of Respondents’ network(s) at least once every 12 months, and, in the event of a Covered Incident, a security assessment or penetration testing of affected systems promptly (not to exceed 120 days) following the Covered Incident;\n\nJ. Select and retain service providers capable of safeguarding Hosting Services and Covered Information they access through or receive from Respondents, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Hosting Services and such Covered Information;\n\nK. 
Evaluate and adjust the Information Security Program as needed in light of any changes to Respondents’ operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in sub-Provision II.D of this Order, or any other circumstances that Respondents know or have reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards or security measures. At a minimum, Respondents must evaluate the Information Security Program at least once every 12 months and modify the Information Security Program as needed based on the results; and\n\nL. Either during the due diligence process of the acquisition of any entity (“Acquired Entity”) that would become part of any Hosting Service or following such acquisition, Respondents must assess the Acquired Entity’s safeguards and independently test the effectiveness of the safeguards to protect from unauthorized access any Hosting Service of which the Acquired Entity would become a part. Respondents shall not integrate any of the Acquired Entity’s application or information systems into any Respondent’s network until (1) all material risks to the security, confidentiality, and integrity of any Hosting Service identified in such a test are remediated; and (2) such application or information system meets the requirements of this Provision. Provided, however, that Respondents shall have 90 days after integrating any application or information system of an Acquired Entity into its networks to implement the requirements of sub-Provision II.G.4 with respect to such application or system.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "III",
      "title": "Information Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial third-party assessments of their Information Security Program from a qualified, independent assessor approved by the FTC, covering the first 12 months and each subsequent 2-year period for 20 years.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; (3) designates all documents relevant to each Assessment for retention for 5 years after completion of such Assessment, and (4) provides any such documents to the Commission within 10 days of receipt of a written request from a representative of the Commission. If the Assessor had access to a document by an electronic means controlled by Respondents, such as a fileshare or repository, to which the Assessor no longer has access, the Assessor must identify the document for production by Respondents as it existed at the time the Assessor had access to it. No document may be withheld from the Commission by the Assessor, or by any Respondent if previously provided to the Assessor, on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory protection, or any similar claim.\n\nB. For each Assessment, Respondents must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in her or his sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 12 months after the issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for 20 years after issuance of the Order for the biennial Assessments.\n\nD. 
Each Assessment must, for the entire assessment period: (1) determine whether Respondents have implemented and maintained the Information Security Program required by Provision II of this Order, titled Mandated Information Security Program; (2) assess the effectiveness of Respondents’ implementation and maintenance of sub-Provisions II.A-L; (3) identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; (4) address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and (5) identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondents’ management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondents’ management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Respondents revise, update, or add one or more safeguards required under Provision II of this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. 
Each Assessment must be completed within 90 days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondents must submit the initial Assessment to the Commission within 10 days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re GoDaddy Inc., C-####.” All subsequent biennial Assessments must be retained by Respondents until the order is terminated and provided to the Associate Director for Enforcement within 10 days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "IV",
      "title": "Cooperation with Third Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondents must fully cooperate with the third-party Assessor by providing all relevant information, network access, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Assessor information about Respondents’ network(s) and all of Respondents’ IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s) and IT assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondents have implemented and maintained the Information Security Program required by Provision II of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions II.A-L; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "V",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondents must submit an annual certification from a senior executive officer attesting to compliance with the Order, absence of uncorrected material noncompliance, and a description of all Covered Incidents during the certified period.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior executive officer of each Respondent with responsibility over information security that: (1) Respondent has established, implemented, and maintained the requirements of this Order; (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents during the certified period. The certification must be based on the personal knowledge of the senior executive officer or any senior corporate manager, senior officer, or subject matter experts upon whom the senior executive officer relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re GoDaddy Inc., C-####.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "VI",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 10 days of notifying any U.S. government entity of a Covered Incident, the affected Respondent must submit a detailed report to the Commission describing the incident, affected information, and remediation steps taken.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within 10 days of any notification to a United States federal, state, or local entity of a Covered Incident, the Respondent that experienced such Covered Incident must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of information that was affected by the Covered Incident; D. The number of consumers or businesses whose information, account, or website was affected by the Covered Incident; E. The acts that Respondent has taken to date to remediate the Covered Incident and protect Hosting Services and Covered Information from further exposure or access, and protect affected individuals and businesses from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of any materially different notice sent by Respondent to consumers or businesses or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re GoDaddy Inc., C-####.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "VII",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondents must acknowledge receipt of the Order, deliver copies to all principals, officers, and relevant employees and agents, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Each Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after the issuance date of this Order, each Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur within 10 days of when they assume their responsibilities.\n\nC. From each individual or entity to which a Respondent delivered a copy of this Order, that Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order, which may be obtained through a Digital Signature. Digital Signature means the result of a cryptographic transformation of data that is properly implemented to provide the services of origin authentication, data integrity, and signer non-repudiation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit a sworn compliance report one year after issuance, provide timely notices of changes in contact information or corporate structure within 14 days, and notify the Commission of any bankruptcy filings within 14 days.",
      "verbatim_text": "A. One year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which each Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of that Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales, and the involvement of any other Respondent; (d) describe in detail whether and how that Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Each Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of any Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re GoDaddy Inc., C-####.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create and retain for 5 years specific records related to Hosting Services, including financial records, personnel records, consumer complaints, marketing materials, security representations, Assessment documents, and all compliance records.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. records of all written or electronic consumer complaints stored in any Respondent’s applicable system of record, in connection with Hosting Services, concerning information security, data privacy, or any privacy or security program sponsored by a government or self-regulatory or standard-setting organization of which any Respondent is a member, whether received directly or indirectly, such as through a third party, and any written or electronic response;\n\nD. a copy of each materially different advertisement or other marketing material making a representation subject to this Order;\n\nE. a copy of each widely disseminated, materially different representation by Respondents that describes the extent to which Respondents maintain or protect the privacy, security and confidentiality of any Hosting Services and Covered Information, including any representation concerning a change in any service controlled by Respondents that relates to the privacy, security, and confidentiality of any Hosting Service or Covered Information;\n\nF. 
for 5 years after the date of preparation of each Assessment required by this Order, all relevant documents, including each document designated by the Assessor, as each existed at the time the Assessor had access to it; all documents relied upon to prepare the Assessment, even if prepared by a third party on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments; and any other documents concerning Respondents’ compliance with related Provisions of this Order; and\n\nG. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "X",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondents' compliance through written requests for reports and records, direct communications with Respondents, interviews of affiliated individuals, and all other lawful means including undercover posing.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, each Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with each Respondent. Respondents must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "XI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates 20 years from issuance, or 20 years from the most recent federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "05.25_godaddy",
      "company_name": "GoDaddy Inc.",
      "date_issued": "2025-05-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter",
      "docket_number": "C-202-3133"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner the extent to which they maintain and protect the privacy, confidentiality, or security of personal information collected from or about consumers, in connection with any online advertising, marketing, or sale of products or services.",
      "verbatim_text": "IT IS ORDERED that Respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the online advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which Respondents maintain and protect the privacy, confidentiality, or security of any personal information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.04_mts",
      "company_name": "MTS, Inc.",
      "date_issued": "2004-06-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter",
      "docket_number": "C-4110"
    },
    {
      "provision_number": "II",
      "title": "Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards, including risk identification, safeguard design, and ongoing evaluation.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the online advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Respondents’ size and complexity, the nature and scope of Respondents’ activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the evaluation and adjustment of Respondents’ information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to Respondents’ operations or business arrangements, or any other circumstances that Respondents know or have reason to know may have a material impact on the effectiveness of their information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "06.04_mts",
      "company_name": "MTS, Inc.",
      "date_issued": "2004-06-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter",
      "docket_number": "C-4110"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondents must obtain biannual independent third-party security assessments for ten years after service of the order, with the first assessment due within 180 days, and submit the first assessment and supporting materials to the FTC within 10 days of preparation.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents obtain an assessment and report (an “Assessment”) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, within one hundred and eighty (180) days after service of the order, and biannually thereafter for ten (10) years after service of the order that: A. sets forth the specific administrative, technical, and physical safeguards that Respondents have implemented and maintained during the reporting period; B. explains how such safeguards are appropriate to Respondents’ size and complexity, the nature and scope of Respondents’ activities, and the sensitivity of the personal information collected from or about consumers; C. explains how the safeguards that have been implemented meet or exceed the protections required by Paragraph II of this order; and D. certifies that Respondents’ security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and, for biannual reports, has so operated throughout the reporting period.\n\nEach Assessment shall be prepared by a person qualified as a Certified Information System Security Professional (CISSP) or holding Global Information Assurance Certification from the SysAdmin, Audit, Network, Security Institute, or by a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nRespondents shall provide the first Assessment, as well as all: plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of Respondents, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 
20580, within ten (10) days after the Assessment has been prepared. All subsequent biannual Assessments shall be retained by the Respondents until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "06.04_mts",
      "company_name": "MTS, Inc.",
      "date_issued": "2004-06-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter",
      "docket_number": "C-4110"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must maintain and make available to the FTC copies of compliance-related documents, including advertisements and security-related materials, for specified retention periods of five years and three years respectively.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of each document relating to compliance, including but not limited to: A. for a period of five (5) years: 1. a sample copy of each different print, broadcast, cable, or Internet advertisement, promotion, information collection form, Web page, screen, email message, or other document containing any representation regarding Respondents’ online collection, use, and security of personal information from or about consumers. Each Web page copy shall be dated and contain the full URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting the information on the Web. Provided, however, that after creation of any Web page or screen in compliance with this order, Respondents shall not be required to retain a print or electronic copy of: (1) any amended Web page or screen to the extent that the amendment does not affect Respondents’ compliance obligations under this order; or (2) any Web page or screen that contains a hypertext link to Respondents’ privacy policy, but otherwise does not relate to Respondents’ compliance obligations under this order.\n\n2. any documents, whether prepared by or on behalf of Respondents, that contradict, qualify, or call into question Respondents’ compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each biannual Assessment required under Paragraph III of this order: all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of Respondents, relating to Respondents’ compliance with Paragraphs II and III of this order for the compliance period covered by such biannual Assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.04_mts",
      "company_name": "MTS, Inc.",
      "date_issued": "2004-06-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter",
      "docket_number": "C-4110"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondents must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with managerial responsibilities related to the order's subject matter within 30 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of this order. Respondents shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.04_mts",
      "company_name": "MTS, Inc.",
      "date_issued": "2004-06-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter",
      "docket_number": "C-4110"
    },
    {
      "provision_number": "VI",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondents must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, sale, bankruptcy filing, or change of name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents shall notify the Commission at least thirty (30) days prior to any change in either corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition following the dismissal or closing of the current bankruptcy cases; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in either corporation about which either Respondent learns less than thirty (30) days prior to the date such action is to take place, Respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.04_mts",
      "company_name": "MTS, Inc.",
      "date_issued": "2004-06-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter",
      "docket_number": "C-4110"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must file an initial written compliance report with the FTC within 180 days after service of the order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents shall, within one hundred and eighty (180) days after service of this order, and at such other times as the Commission may require, file with the Commission an initial report, in writing, setting forth in detail the manner and form in which they have complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.04_mts",
      "company_name": "MTS, Inc.",
      "date_issued": "2004-06-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter",
      "docket_number": "C-4110"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on May 28, 2024, or twenty years from the most recent date the FTC files a federal court complaint alleging a violation of the order, whichever is later, with specific carve-outs for dismissed complaints.",
      "verbatim_text": "This order will terminate on May 28, 2024, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Paragraph in this Order that terminates in less than twenty (20) years; B. this Order’s application to any Respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the Order has terminated pursuant to this Paragraph. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondents did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Paragraph as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.04_mts",
      "company_name": "MTS, Inc.",
      "date_issued": "2004-06-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter",
      "docket_number": "C-4110"
    },
    {
      "provision_number": "1",
      "title": "Prohibition on Trading Customer Phone Records",
      "category": "prohibition",
      "summary": "The injunction prohibits Accusearch from trading in customer phone records unless clearly permitted by law, regulation, or lawful court order.",
      "verbatim_text": "(1) Trading in “customer phone records” unless doing so would be “clearly permitted by any law, regulation, or lawful court order,” Aplts. App., Vol. 5 at 1607; and",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.09_accusearch_dba_abika.com_and_jay_patel",
      "company_name": "Accusearch, Inc.",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3126-accusearch-inc-dba-abikacom-jay-patel",
      "docket_number": "06-CV-00105-WFD"
    },
    {
      "provision_number": "2",
      "title": "Prohibition on Trading Consumer Personal Information Without Consent",
      "category": "prohibition",
      "summary": "The injunction prohibits Accusearch from trading in consumer personal information without the express written permission of the consumer, unless lawfully obtained from publicly available information.",
      "verbatim_text": "(2) Trading in other “consumer personal information without the express written permission of [the consumer], unless [the] consumer personal information was lawfully obtained from publically available information,” id. at 1608.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.09_accusearch_dba_abika.com_and_jay_patel",
      "company_name": "Accusearch, Inc.",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3126-accusearch-inc-dba-abikacom-jay-patel",
      "docket_number": "06-CV-00105-WFD"
    },
    {
      "provision_number": "3",
      "title": "Disgorgement of Profits",
      "category": "affirmative_obligation",
      "summary": "Accusearch was ordered to disgorge $199,692.71 in profits earned from the sale of telephone-record information.",
      "verbatim_text": "disgorge $199,692.71 in profits garnered from the sale of telephone records. We address Accusearch’s contentions in turn.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "06.09_accusearch_dba_abika.com_and_jay_patel",
      "company_name": "Accusearch, Inc.",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3126-accusearch-inc-dba-abikacom-jay-patel",
      "docket_number": "06-CV-00105-WFD"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner, expressly or by implication, the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of consumers' personal information.",
      "verbatim_text": "IT IS ORDERED that respondent, and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, limited liability company, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.09_cvs_caremark_corporation",
      "company_name": "CVS CAREMARK CORPORATION",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter",
      "docket_number": "C-4259"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to its size, complexity, activities, and the sensitivity of personal information collected.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, limited liability company, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards.\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "06.09_cvs_caremark_corporation",
      "company_name": "CVS CAREMARK CORPORATION",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter",
      "docket_number": "C-4259"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial assessments from a qualified, independent third-party professional covering security safeguards, with the initial assessment submitted to the FTC within 10 days of preparation and subsequent assessments retained and provided upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with their compliance with Part II of this order, respondent, and its officers, agents, representatives, and employees, shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first year after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by the Part II of this order; and D. 
certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nRespondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "06.09_cvs_caremark_corporation",
      "company_name": "CVS CAREMARK CORPORATION",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter",
      "docket_number": "C-4259"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC compliance-related documents for five years and all materials relied upon to prepare each assessment for three years after preparation of that assessment.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and, upon request, make available to the Federal Trade Commission for inspection and copying: A. for a period of five (5) years, a print or electronic copy of each document relating to compliance, including, but not limited to, documents, prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including, but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts II and III of this order, for the compliance period covered by such Assessment.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.09_cvs_caremark_corporation",
      "company_name": "CVS CAREMARK CORPORATION",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter",
      "docket_number": "C-4259"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future subsidiaries, principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, within sixty days of service or assumption of such role.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent CVS Caremark Corporation shall deliver a copy of this order to all its current and future subsidiaries (including LLCs and each store that is owned, controlled, or operated by respondent or an LLC), current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current subsidiaries and personnel within sixty (60) days after service of this order, and to such future subsidiaries and personnel within sixty (60) days after the respondent acquires the subsidiary or the person assumes such position or responsibilities.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.09_cvs_caremark_corporation",
      "company_name": "CVS CAREMARK CORPORATION",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter",
      "docket_number": "C-4259"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Notification of Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least thirty days prior to any change that may affect its compliance obligations, such as dissolution, merger, sale, bankruptcy, or name/address change, with expedited notice if less than thirty days' advance knowledge.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in respondent that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary (including an LLC), parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in respondent’s name or address. Provided, however, that, with respect to any proposed change in respondent about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.09_cvs_caremark_corporation",
      "company_name": "CVS CAREMARK CORPORATION",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter",
      "docket_number": "C-4259"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within ninety days of service of this order, and at such other times as the FTC may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within ninety (90) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.09_cvs_caremark_corporation",
      "company_name": "CVS CAREMARK CORPORATION",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter",
      "docket_number": "C-4259"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on June 18, 2029, or twenty years from the most recent date the FTC files a complaint alleging any violation of the order in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on June 18, 2029, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.09_cvs_caremark_corporation",
      "company_name": "CVS CAREMARK CORPORATION",
      "date_issued": "2009-06-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter",
      "docket_number": "C-4259"
    },
    {
      "provision_number": "I",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to its size, complexity, and the sensitivity of personal information collected.",
      "verbatim_text": "IT IS ORDERED that respondent, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "06.10_dave_buster_s_in_the_matter_of",
      "company_name": "Dave & Buster's, Inc.",
      "date_issued": "2010-06-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3153-dave-busters-incin-matter",
      "docket_number": "C-4291"
    },
    {
      "provision_number": "II",
      "title": "Biennial Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party assessments from a qualified independent professional covering the first 180 days and each two-year period thereafter for ten years, and submit the initial assessment to the FTC within 10 days of completion.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part I of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by the Part I of this order; and\n\nD. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 
20580.\n\nRespondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "06.10_dave_buster_s_in_the_matter_of",
      "company_name": "Dave & Buster's, Inc.",
      "date_issued": "2010-06-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3153-dave-busters-incin-matter",
      "docket_number": "C-4291"
    },
    {
      "provision_number": "III",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain compliance-related documents for five years and all materials relied upon to prepare each assessment for three years after the date of preparation, and make them available to the FTC upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying: A. for a period of five (5) years, a print or electronic copy of each document relating to compliance, including but not limited to documents, prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each Assessment required under Part II of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts I and II of this order, for the compliance period covered by such Assessment.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.10_dave_buster_s_in_the_matter_of",
      "company_name": "Dave & Buster's, Inc.",
      "date_issued": "2010-06-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3153-dave-busters-incin-matter",
      "docket_number": "C-4291"
    },
    {
      "provision_number": "IV",
      "title": "Order Delivery and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all current and future principals, officers, directors, and managers with relevant responsibilities within thirty days of service or assumption of duties.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers at corporate headquarters, regional offices, and at each store having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.10_dave_buster_s_in_the_matter_of",
      "company_name": "Dave & Buster's, Inc.",
      "date_issued": "2010-06-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3153-dave-busters-incin-matter",
      "docket_number": "C-4291"
    },
    {
      "provision_number": "V",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least thirty days prior to any corporate change that may affect compliance obligations, including dissolution, merger, sale, bankruptcy filing, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nAll notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.10_dave_buster_s_in_the_matter_of",
      "company_name": "Dave & Buster's, Inc.",
      "date_issued": "2010-06-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3153-dave-busters-incin-matter",
      "docket_number": "C-4291"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within ninety days after service of the order and at such other times as the FTC may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within ninety (90) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.10_dave_buster_s_in_the_matter_of",
      "company_name": "Dave & Buster's, Inc.",
      "date_issued": "2010-06-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3153-dave-busters-incin-matter",
      "docket_number": "C-4291"
    },
    {
      "provision_number": "VII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on May 20, 2030, or twenty years from the most recent date the FTC files a complaint alleging a violation of the order in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on May 20, 2030, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.10_dave_buster_s_in_the_matter_of",
      "company_name": "Dave & Buster's, Inc.",
      "date_issued": "2010-06-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3153-dave-busters-incin-matter",
      "docket_number": "C-4291"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained from misrepresenting, or assisting others in misrepresenting, key facts about their business including location, product qualities, warranties, pricing, compliance program membership, and cancellation/refund policies.",
      "verbatim_text": "A. Defendants’ location, including but not limited to any misrepresentation that Defendants are physically located in or operate from the United Kingdom or European Union;\n\nB. The qualities, quantities, or characteristics, of any goods sold, including color, brand, or model name or number;\n\nC. The existence and/or validity of any manufacturers’ warranty;\n\nD. The total price for goods sold;\n\nE. The extent to which Defendants are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party; or,\n\nF. Defendants’ policies concerning cancellation, exchange, or refund.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "II",
      "title": "Ban on Use of Foreign Website Designations",
      "category": "prohibition",
      "summary": "Defendants are permanently prohibited from selling goods over the Internet using any website domain name, extension, or suffix associated with a country other than the United States, unless actually located and doing business in that foreign country.",
      "verbatim_text": "4 IT IS FURTHER ORDERED that Defendants and their successors, 5 assigns, officers, agents, servants, employees, and attorneys, and those persons or 6 entities in active concert or participation with any of them who receive actual 7 notice of this Order by personal service, facsimile transmission, email, or 8 otherwise, whether acting directly or through any corporation, subsidiary, division, 9 trade name, or other device, in connection with the advertising, marketing, 10 promotion, offering for sale or sale of any goods or services over the Internet, in or 11 affecting commerce, are hereby restrained and enjoined from, or from assisting 12 others in, selling goods over the Internet using any Website domain name, 13 extension, or suffix associated with a country other than the United States, 14 including but not limited to, e.g., “.ca,” “.uk,” “.de,” “.be,” “.eu,” or “.cn,” unless 15 the individual or business making the sale is located within the foreign country 16 corresponding to the domain name, extension, or suffix and conducts substantially 17 all of its business activities therein.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "III",
      "title": "Ban on Credit or Debit Card Charges Before Readiness to Ship",
      "category": "prohibition",
      "summary": "Defendants are permanently prohibited from charging consumer credit cards, debit cards, gift cards, or bank accounts for goods until they have actually obtained the goods and are ready to ship them.",
      "verbatim_text": "20 IT IS FURTHER ORDERED that Defendants and their successors, 21 assigns, officers, agents, servants, employees, and attorneys, and those persons or 22 entities in active concert or participation with any of them who receive actual 23 notice of this Order by personal service, facsimile transmission, email, or 24 otherwise, whether acting directly or through any corporation, subsidiary, division, 25 trade name, or other device, in connection with the advertising, marketing, 26 promotion, offering for sale or sale of any goods, in or affecting commerce, are 27 hereby restrained and enjoined from charging consumer credit cards, debit cards, 28 gift cards, or bank accounts for such goods until and unless the individual or 5 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 6 of 17 Page ID #:1250 1 business making the sale has obtained the goods and is ready to ship them.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "IV",
      "title": "Compliance with Mail Order Rule",
      "category": "affirmative_obligation",
      "summary": "Defendants are permanently enjoined from violating any provision of the Mail Order Rule, including specific requirements around shipping time disclosures, delay options, revised shipping dates, renewed delay options, cancellation notices, and prompt refunds.",
      "verbatim_text": "13 A. Violating Section 435.1(a)(1) of the Rule by soliciting a customer 14 order for merchandise unless, at the time of the solicitation, 15 Defendants have a reasonable expectation that the ordered 16 merchandise can be shipped within the time limits clearly and 17 conspicuously disclosed in the solicitation;\n\n18 B. Violating Section 435.1(b)(1) of the Rule by failing to timely offer to 19 the buyer, clearly and conspicuously and without prior demand, an 20 option either to consent to a delay in shipping or to cancel the order 21 and receive a prompt refund;\n\n22 C. Violating Section 435.1(b)(1) of the Rule by failing to provide the 23 buyer with a definite revised shipping date;\n\n24 D. Violating Section 435.1(b)(2) of the Rule by failing to timely offer to 25 the buyer, clearly and conspicuously and without prior demand, a 26 renewed option either to consent to a delay in shipping or to cancel 27 the order and receive a prompt refund;\n\n28 E. Violating Section 435.1(b)(2)(ii) of the Rule by failing to advise the 6 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 7 of 17 Page ID #:1251 1 buyer in a renewed option notice that the order will be automatically 2 canceled and a prompt refund provided unless the buyer gives specific 3 consent to a further delay prior to expiration of the old definite revised 4 shipping date; and,\n\n5 F. Violating Section 435.1(c)(3) of the Rule by failing to deem orders 6 cancelled and make prompt consumer refunds when consumers have 7 not consented to further delay of shipments.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "V",
      "title": "Customer Chargebacks",
      "category": "prohibition",
      "summary": "Defendants must not oppose or contest customer chargebacks made prior to twelve months from the date of entry of this Order.",
      "verbatim_text": "10 IT IS FURTHER ORDERED that Defendants shall not oppose or contest 11 customer chargebacks made prior to twelve (12) months from the date of entry of 12 this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "VI",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "Defendants are ordered to pay $500,000 in equitable monetary relief to the Commission, with payment suspended subject to the provisions of Section VII.",
      "verbatim_text": "15 IT IS FURTHER ORDERED that Defendants shall pay to the Commission 16 the sum of five hundred thousand dollars ($500,000), as equitable monetary relief, 17 which payment shall be suspended subject to the provisions of Section VII.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "VII",
      "title": "Right to Reopen / Suspension of Monetary Judgment",
      "category": "affirmative_obligation",
      "summary": "The $500,000 monetary judgment suspension is premised on the truthfulness of Defendants' financial statements; if material misrepresentation is found, the suspension is lifted and the full amount becomes due. Funds paid go toward consumer redress, with any remainder deposited in the U.S. Treasury.",
      "verbatim_text": "21 A. The Commission’s agreement to this Order is expressly premised 22 upon the truthfulness, accuracy, and completeness of the certified 23 financial statements and supporting documents submitted to the 24 Commission by Defendants including the following: 25 1. Financial Statements of Balls of Kryptonite, LLC dated August 26 18 and August 27, 2009, May 13, 2010, and February 17, 2011, 27 including attachments; 28 2. Financial Statement of Intrigue, Inc., dated February 17, 2011, 7 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 8 of 17 Page ID #:1252 1 including attachments; 2 3. Financial Statement of Erudite, Inc., a corporation wholly- 3 owned by Defendant Jaivin Karnani, dated February 17, 2011, 4 including attachments; 5 4. Sworn Deposition Testimony of Defendant Jaivin Karnani on 6 September 14, 2009, including exhibits; and 7 5. Financial Statements of Jaivin Karnani dated August 10, and 8 August 27, 2009, May 13, 2010, and February 17, 2011, 9 including attachments.. 10 Defendants stipulate that all of the materials submitted are truthful, 11 accurate, and complete. These documents contain material 12 information upon which the Commission relied in negotiating and 13 agreeing to the terms of this Order.\n\n14 B. If, upon motion by the Commission, a Court determines that 15 Defendants made a material misrepresentation or omitted material 16 information concerning their financial condition, then the Court shall 17 lift the suspension described in Section VI, and shall enter a money 18 judgment against Defendants, jointly and severally, for the sum of five 19 hundred thousand dollars ($500,000) as equitable monetary relief, 20 which amount shall become immediately due and payable by 21 Defendants, and interest computed at the rate prescribed under 28 22 U.S.C. 
§ 1961, as amended, shall immediately begin to accrue on the 23 unpaid balance, provided, however, that in all other respects this Order 24 shall remain in full force and effect unless otherwise ordered by the 25 Court; and provided, further, that proceedings instituted under this 26 provision would be in addition to, and not in lieu of, any other civil or 27 criminal remedies, as may be provided by law, including but not 28 limited to contempt proceedings, or any other proceedings that the 8 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 9 of 17 Page ID #:1253 1 Commission may initiate to enforce this Order.\n\n2 C. All funds paid to the Commission pursuant to this Order shall be 3 deposited into an account administered by the Commission or its 4 agents to be used for equitable relief, including, but not limited to, 5 consumer redress, and any attendant expenses for the administration 6 of such equitable relief. In the event that direct redress to consumers 7 is wholly or partially impracticable, or funds remain after the redress 8 is completed, the Commission may apply any remaining funds for 9 such other equitable relief (including consumer information remedies) 10 as it determines to be reasonably related to Defendants’ practices 11 alleged in the Complaint. Any funds not used for such equitable relief 12 shall be deposited in the United States Treasury as disgorgement. 13 Defendants shall have no right to challenge the Commission’s choice 14 of remedies under this Section. Defendants shall have no right to 15 contest the manner of distribution chosen by the Commission. No 16 portion of any payment ordered herein shall be deemed a payment of 17 any fine, penalty, or punitive assessment.\n\n18 D. Defendants relinquish all dominion, control and title to the funds paid, 19 to the fullest extent permitted by law. Defendants shall make no claim 20 to, or demand return of the funds, directly or indirectly, through 21 counsel or otherwise.\n\n22 E. 
Defendants agree that the facts as alleged in the Complaint filed in 23 this action shall be taken as true without further proof in any 24 bankruptcy case or subsequent civil litigation pursued by the 25 Commission to enforce its rights to any payment pursuant to this 26 Order, including, but not limited to, a nondischargeability complaint 27 in any bankruptcy case.\n\n28 F. In accordance with 31 U.S.C. § 7701, Defendants are hereby required, 9 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 10 of 17 Page ID #:1254 1 unless they have done so already, to furnish to the Commission their 2 taxpayer identifying number and/or social security number, which 3 shall be used for the purposes of collecting and reporting on any 4 delinquent amount arising out of Defendants’ relationship with the 5 government.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor compliance through written reports, document production, depositions, facility inspections, undercover investigations, and employee interviews.",
      "verbatim_text": "14 A. Within ten (10) days of receipt of written notice from a representative 15 of the Commission, Defendants shall submit additional written 16 reports, which are true and accurate and sworn to under penalty of 17 perjury; produce documents for inspection and copying; appear for 18 deposition; and provide entry during normal business hours to any 19 business location in each Defendant’s possession or direct or indirect 20 control to inspect the business operation; 21 B. In addition, the Commission is authorized to use all other lawful 22 means, including but not limited to:\n\n21 B. In addition, the Commission is authorized to use all other lawful 22 means, including but not limited to: 23 1. obtaining discovery from any person, without further leave of 24 court, using the procedures prescribed by Fed. R. Civ. P. 30, 31, 25 33, 34, 36, 45 and 69; 26 2. posing as consumers and suppliers to Defendants, their 27 employees, or any other entity managed or controlled in whole 28 or in part by any Defendant, without the necessity of 10 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 11 of 17 Page ID #:1255 1 identification or prior notice; and\n\n2 C. Defendants shall permit representatives of the Commission to 3 interview any employer, consultant, independent contractor, 4 representative, agent, or employee who has agreed to such an 5 interview, relating in any way to any conduct subject to this Order. 6 The person interviewed may have counsel present.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "For four years from entry of the Order, Defendants must notify the FTC of changes in residence, employment, business structure, and name; file sworn annual compliance reports starting 60 days after entry; and notify the Commission of any bankruptcy filing within 15 days.",
      "verbatim_text": "16 A. For a period of four (4) years from the date of entry of this Order, 17 1. Individual Defendant shall notify the Commission of the 18 following: 19 a. Any changes in Defendant’s residence, business address, 20 mailing addresses, and telephone numbers, within ten 21 (10) days of the date of such change;\n\n22 b. Any changes in Defendant’s employment status 23 (including self-employment), and any change in 24 Defendant’s ownership in any business entity, within ten 25 (10) days of the date of such change. Such notice shall 26 include the name and address of each business that 27 Defendant is affiliated with, employed by, creates or 28 forms, or performs services for; a detailed description of 11 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 12 of 17 Page ID #:1256 1 the nature of the business; and a detailed description of 2 Defendant’s duties and responsibilities in connection 3 with the business or employment; and\n\n4 c. Any changes in Defendant’s name or use of any aliases 5 or fictitious names;\n\n6 2. 
Defendants shall notify the Commission of any changes in 7 structure of any Corporate Defendant or any business entity that 8 any Defendant directly or indirectly controls, or has an 9 ownership interest in, that may affect compliance obligations 10 arising under this Order, including but not limited to: 11 incorporation or other organization; a dissolution, assignment, 12 sale, merger, or other action; the creation or dissolution of a 13 subsidiary, parent, or affiliate that engages in any acts or 14 practices subject to this Order; or a change in the business name 15 or address, at least thirty (30) days prior to such change, 16 provided that, with respect to any proposed change in the 17 business entity about which a Defendant learns less than thirty 18 (30) days prior to the date such action is to take place, such 19 Defendant shall notify the Commission as soon as is practicable 20 after obtaining such knowledge.\n\n21 B. Sixty days (60) days after the date of entry of this Order and annually 22 thereafter for a period of four (4) years, Defendants each shall provide 23 a written report to the FTC, which is true and accurate and sworn to 24 under penalty of perjury, setting forth in detail the manner and form in 25 which they have complied and are complying with this Order. This 26 report shall include, but not be limited to: 27 1. For Individual Defendant: 28 a. Defendant’s then-current residence address, mailing 12 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 13 of 17 Page ID #:1257 1 addresses, and telephone numbers; 2 b. Defendant’s then-current employment status (including 3 self-employment), including the name, addresses, and 4 telephone numbers of each business that Defendant is 5 affiliated with, employed by, or performs services for; a 6 detailed description of the nature of the business; and a 7 detailed description of Defendant’s duties and 8 responsibilities in connection with the business or 9 employment; and 10 c. 
Any other changes required to be reported under 11 Subsection A of this Section. 12 2. For all Defendants: 13 a. A copy of each acknowledgment of receipt of this Order, 14 obtained pursuant to the Section titled “Distribution of 15 Order”; and, 16 b. Any other changes required to be reported under 17 Subsection A of this Section.\n\n18 C. Each Defendant shall notify the Commission of the filing of a 19 bankruptcy petition by such Defendant within fifteen (15) days of 20 filing.\n\n21 D. For the purposes of this Order, Defendants shall, unless otherwise 22 directed by the Commission’s authorized representatives, send by 23 overnight courier all reports and notifications required by this Order to 24 the Commission, to the following address: 25 Associate Director for Enforcement Federal Trade Commission 26 600 Pennsylvania Avenue, N.W. Washington, D.C. 20580 27 RE: FTC v. JAIVIN KARNANI, et al. 28 Provided that, in lieu of overnight courier, Defendants may send such reports or 13 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 14 of 17 Page ID #:1258 1 notifications by first-class mail, but only if Defendants contemporaneously send an 2 electronic version of such report or notification to the Commission at: 3 DEBrief@ftc.gov.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "X",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "For seven years from entry of the Order, Defendants must create and retain records including accounting records, personnel records, customer files, email communications, complaints and refund requests, complaint response metrics, marketing materials, and all compliance documentation.",
      "verbatim_text": "9 IT IS FURTHER ORDERED that, for a period of seven (7) years from the 10 date of entry of this Order, in connection with the advertising, marketing, 11 promotion, offering for sale or sale of any goods over the Internet, in or affecting 12 commerce, Defendants are hereby restrained and enjoined from failing to create 13 and retain the following records: 14 A. Accounting records that reflect the cost of goods or services sold, 15 revenues generated, and the disbursement of such revenues;\n\n16 B. Personnel records accurately reflecting: the name, address, and 17 telephone number of each person employed in any capacity by such 18 business, including as an independent contractor; that person's job title 19 or position; the date upon which the person commenced work; and the 20 date and reason for the person's termination, if applicable;\n\n21 C. Customer files containing the names, addresses, phone numbers, 22 monetary amounts paid, quantity of items or services purchased, and 23 description of items or services purchased, to the extent such 24 information is obtained in the ordinary course of business;\n\n25 D. All email communications with customers for the prior three years;\n\n26 E. Complaints and refund requests (whether received directly, indirectly, 27 or through any third party) and any responses to those complaints or 28 requests;\n\n1 F. Records sufficient to show the number of days between receipt of 2 complaints or refund requests and Defendants’ responses to them; the 3 report should also show: (1) dates of refund; (2) dates of notification 4 of shipment delay; and, (3) dates that pre-paid shipment instructions 5 were sent to customers for return of merchandise; such data should be 6 kept in a form that is searchable and sortable.\n\n7 G. 
Copies of all sales scripts, invoices, collection letters, training 8 materials, taped telemarketing or verification calls, advertisements, or 9 other marketing materials, including newspaper advertisements and 10 Internet web pages; and\n\n11 H. All records and documents necessary to demonstrate full compliance 12 with each provision of this Order, including but not limited to, copies 13 of acknowledgments of receipt of this Order required by the Sections 14 titled “Distribution of Order” and “Acknowledgment of Receipt of 15 Order” and all reports submitted to the FTC pursuant to the Section 16 titled “Compliance Reporting.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "XI",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "For four years from entry, Defendants must deliver copies of the Order to principals, officers, employees, and agents; new personnel must receive copies before assuming responsibilities; and all recipients must sign and date an acknowledgment of receipt within 30 days of delivery.",
      "verbatim_text": "22 A. Corporate Defendant: Corporate Defendant must deliver a copy of 23 this Order to (1) all of its principals, officers, directors, and managers; 24 (2) all of its employees, agents, and representatives who engage in 25 conduct related to the subject matter of the Order; and (3) any 26 business entity resulting from any change in structure set forth in 27 Subsection A.2 of the Section titled “Compliance Reporting.” For 28 current personnel, delivery shall be within five (5) days of service of 15 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 16 of 17 Page ID #:1260 1 this Order upon such Defendant. For new personnel, delivery shall 2 occur prior to them assuming their responsibilities. For any business 3 entity resulting from any change in structure set forth in Subsection 4 A.2 of the Section titled “Compliance Reporting,” delivery shall be at 5 least ten (10) days prior to the change in structure.\n\n6 B. Individual Defendant as Control Person: For any business that the 7 Individual Defendant controls, directly or indirectly, or in which such 8 Defendant has a majority ownership interest, such Defendant must 9 deliver a copy of this Order to (1) all principals, officers, directors, 10 and managers of that business; (2) all employees, agents, and 11 representatives of that business who engage in conduct related to the 12 subject matter of the Order; and (3) any business entity resulting from 13 any change in structure set forth in Subsection A.2 of the Section 14 titled “Compliance Reporting.” For current personnel, delivery shall 15 be within five (5) days of service of this Order upon such Defendant. 16 For new personnel, delivery shall occur prior to them assuming their 17 responsibilities. For any business entity resulting from any change in 18 structure set forth in Subsection A.2 of the Section titled “Compliance 19 Reporting,” delivery shall be at least ten (10) days prior to the change 20 in structure.\n\n21 C. 
Individual Defendant as employee or non-control person: For any 22 business where the Individual Defendant is not a controlling person of 23 a business but otherwise engages in conduct related to the subject 24 matter of this Order, such Defendant must deliver a copy of this Order 25 to all principals and managers of such business before engaging in 26 such conduct.\n\n27 D. All Defendants must secure a signed and dated statement 28 acknowledging receipt of the Order, within thirty (30) days of 16 Case 2:09-cv-05276-DDP -E Document 57 Filed 05/20/11 Page 17 of 17 Page ID #:1261 1 delivery, from all persons receiving a copy of the Order pursuant to 2 this Section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "XII",
      "title": "Acknowledgment of Receipt of Order",
      "category": "acknowledgment",
      "summary": "Within ten business days of receipt of the Order as entered by the Court, each Defendant must submit a truthful sworn statement to the Commission acknowledging receipt of the Order.",
      "verbatim_text": "5 IT IS FURTHER ORDERED that Defendants, within ten (10) business 6 days of receipt of this Order as entered by the Court, must submit to the 7 Commission a truthful sworn statement acknowledging receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "XIII",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "10 IT IS FURTHER ORDERED that this Court shall retain jurisdiction of this 11 matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.11_best_priced_brands",
      "company_name": "Balls of Kryptonite, LLC",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al",
      "docket_number": "CV 09-5276 DDP"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner the extent to which it maintains and protects the privacy, confidentiality, or integrity of any personal information collected from or about consumers.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent maintains and protects the privacy, confidentiality, or integrity of any personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.11_ceridian_corporation",
      "company_name": "Ceridian Corporation",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter",
      "docket_number": "C-4325"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to its size, complexity, and the sensitivity of personal information it handles.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to, (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, and (3) prevention, detection, and response to attacks, intrusions, or other systems failure;\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. 
the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "06.11_ceridian_corporation",
      "company_name": "Ceridian Corporation",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter",
      "docket_number": "C-4325"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party assessments from a qualified, independent professional covering its information security program, with the initial assessment covering the first 180 days and biennial assessments every two years thereafter for 20 years.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession; provided, however, that this Part shall not apply to Comdata Network Inc. or Ceridian Stored Value Solutions, Inc. to the extent that they do not advertise, market, promote, offer for sale, or sell any product or service relating to payroll, taxes, or human resources. Provided further that this Part shall not apply to payment cards provided to employers by Comdata Network Inc. that are not linked to accounts maintained by individual employees. Professionals qualified to prepare such Assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred eighty (180) days after service of the order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nProtection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred eighty (180) days after service of the order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. 
set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this order; and\n\nD. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the\n\nreporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial Assessment, and any subsequent Assessments requested, shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer -4- Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line In the matter of Ceridian Corporation, FTC File No.1023160. Provided, however, that in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of any such notice is contemporaneously sent to the Commission at Debrief@ftc.gov.\n\nprepared. 
All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "06.11_ceridian_corporation",
      "company_name": "Ceridian Corporation",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter",
      "docket_number": "C-4325"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC copies of all materials relied upon for each Assessment for three years, and all other compliance-related documents for five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of: A. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts II and III of this order, for the compliance period covered by such Assessment;\n\nB. unless covered by IV.A, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all other documents relating to compliance with this order, including but not limited to: 1. all advertisements and promotional materials containing any representations covered by this order, as well as all materials used or relied upon in making or disseminating the representation; and 2. any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.11_ceridian_corporation",
      "company_name": "Ceridian Corporation",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter",
      "docket_number": "C-4325"
    },
    {
      "provision_number": "V",
      "title": "Order Distribution / Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future subsidiaries, principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities within 30 days of service or assumption of position.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or\n\nsubsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.11_ceridian_corporation",
      "company_name": "Ceridian Corporation",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter",
      "docket_number": "C-4325"
    },
    {
      "provision_number": "VI",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, sale, merger, bankruptcy filing, or change of name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line In the matter of Ceridian Corporation, FTC File No.1023160. Provided, however, that in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of any such notice is contemporaneously sent to the Commission at Debrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.11_ceridian_corporation",
      "company_name": "Ceridian Corporation",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter",
      "docket_number": "C-4325"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 60 days of service of this order, and submit additional reports within 10 days of written request from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of\n\nforth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.11_ceridian_corporation",
      "company_name": "Ceridian Corporation",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter",
      "docket_number": "C-4325"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration / Termination",
      "category": "duration",
      "summary": "This order terminates on June 8, 2031, or twenty years from the most recent date the FTC files a federal court complaint alleging any violation of the order, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on June 8, 2031, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. -6- Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.11_ceridian_corporation",
      "company_name": "Ceridian Corporation",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter",
      "docket_number": "C-4325"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Data Control and Collection",
      "category": "prohibition",
      "summary": "Respondent is prohibited from misrepresenting consumers' ability to control data collected about them, or the extent to which their data is collected, used, disclosed, or shared.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, website, third party, or other means, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the extent to which consumers may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities, or (B) the extent to which data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.11_chitika",
      "company_name": "CHITIKA, INC.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter",
      "docket_number": "C-4324"
    },
    {
      "provision_number": "II",
      "title": "Opt-Out Notice and Mechanism for Online Behavioral Advertising",
      "category": "affirmative_obligation",
      "summary": "Respondent must place clear opt-out notices on its website homepage, provide a persistent opt-out mechanism for consumers, and include opt-out hyperlinks in behavioral ads, all within specified timeframes.",
      "verbatim_text": "A. Within thirty (30) days after the date of service of the order, place a clear and prominent notice, including a hyperlink, on the homepage(s) of its website(s), which states, “We collect information about your activities on certain websites to send you targeted advertisements. To opt out of Chitika’s targeted ads, click here.” When selected, the hyperlink shall directly take consumers to the mechanism required by Part II.C. of the order;\n\nB. Within thirty (30) days after the date of service of the order, for a duration of twelve (12) months, include immediately after the notice required by Part II.A. of the order, the following statement: “If you opted out of our targeted ads before March 1, 2010, the opt-out has expired and you must opt out again to avoid targeted ads.”;\n\nC. Within thirty (30) days after the date of service of the order, provide a mechanism, separate and apart from any preferences or controls offered by 3 consumers’ browsers, to enable Chitika users to prevent respondent from collecting data that can be associated with a Chitika user or a Chitika user’s computer or device, or that contains any unique identifier, including Chitika user ID or Internet Protocol (IP) address; from redirecting Chitika users’ browsers to third parties that collect data, absent a click or other affirmative action by such Chitika user; and from associating any previously collected data with any Chitika user’s computer or device. This mechanism shall require no more than one additional click for consumers to exercise their choice(s), and shall remain in effect for a minimum time period of five (5) years, unless the consumer deletes his or her cookies or takes deliberate action to disable the mechanism. 
Within close proximity to the mechanism, respondent shall clearly and prominently disclose to consumers: (1) that Chitika collects information about consumers’ activities on certain websites in order to deliver targeted advertisements; (2) that by opting out, Chitika will not collect this information for the purpose of delivering targeted advertisements; (3) the current status of their choice (i.e., “opted in” or “opted out” of collection); and (4) that their choice is specific to the browser they are using, and they need to implement the mechanism again if they use a different browser; and\n\nD. Within ninety (90) days after the date of service of the order, within any advertisement that respondent serves as part of online behavioral advertising, include a hyperlink that directly takes consumers to the mechanism required by Part II.C. of this order. The hyperlink text shall clearly and prominently state: “Opt out?” While a consumer’s cursor, or functional equivalent, hovers over the hyperlink, a box shall be visible in close proximity to the hyperlink, which clearly and prominently states, “Opt out of Chitika’s targeted ads.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "06.11_chitika",
      "company_name": "CHITIKA, INC.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter",
      "docket_number": "C-4324"
    },
    {
      "provision_number": "III",
      "title": "Prohibition on Use of Pre-March 2010 Data and Required Deletion",
      "category": "prohibition",
      "summary": "Respondent must not use, disclose, sell, or transfer data collected prior to March 1, 2010, and must permanently delete all such data within 60 days, with written sworn confirmation to the FTC.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, third party, or other entity, shall not use, disclose, sell, rent, lease, or transfer any information that can be associated with a Chitika user or a Chitika user’s computer or device that respondent obtained prior to March 1, 2010. Within sixty (60) days after the date\n\nor device that respondent obtained prior to March 1, 2010. Within sixty (60) days after the date of service of the order, respondent shall permanently delete or destroy: (1) all such information stored in Chitika users’ cookies; and (2) all IP addresses and unique identifiers, including any Chitika user identification numbers, in log files on respondent’s server(s) and in backup tapes, and shall provide a written statement to the Commission, sworn under penalty of perjury, confirming that all such information has been deleted or destroyed. Provided that, if respondent is prohibited from deleting or destroying such information by law, regulation, or court order, respondent shall provide a written statement to the Commission, sworn under penalty of perjury, identifying any information that has not been deleted or destroyed and the specific law, regulation, or court order that prohibits respondent from deleting or destroying such information.\n\nconfirming that all such information has been deleted or destroyed. Provided that, if respondent is prohibited from deleting or destroying such information by law, regulation, or court order, respondent shall provide a written statement to the Commission, sworn under penalty of perjury, identifying any information that has not been deleted or destroyed and the specific law, regulation, or court order that prohibits respondent from deleting or destroying such information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion",
        "Prohibition"
      ],
      "case_id": "06.11_chitika",
      "company_name": "CHITIKA, INC.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter",
      "docket_number": "C-4324"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC all documents relating to compliance with this order, including complaint records for 5 years and advertising/policy documents for 5 years after last dissemination.",
      "verbatim_text": "A. For a period of five (5) years, any documents, whether prepared by or on behalf of respondent, that: 1. Comprise or relate to complaints or inquiries, whether received directly or indirectly, concerning: (a) any data collection by respondent; (b) the use, disclosure or sharing of such data; or (c) any mechanism to limit or prevent such collection of data or the use, disclosure, or sharing of data collected, as well as any responses to those complaints or inquiries;\n\n2. Are necessary to demonstrate full compliance with each provision of this order, including, but not limited to, all documents obtained, created, generated, or which in any way relate to the requirements, provisions, or terms of this order, and all reports submitted to the Commission pursuant to this order; or\n\n3. Contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. For a period of five (5) years after the last public dissemination thereof, all advertisements, terms of use, end-user license agreements, frequently asked questions, privacy policies, and similar documents relating to: (a) any data collection by respondent; (b) the use, disclosure or sharing of such data; or (c) any mechanism to limit or prevent such collection of data or use, disclosure, or sharing of data collected, as well as any responses to those complaints or inquiries.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.11_chitika",
      "company_name": "CHITIKA, INC.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter",
      "docket_number": "C-4324"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, within 30 days of service or assumption of duties.",
      "verbatim_text": "IT IS FURTHER ORDERED that Chitika, Inc., and its successors and assigns, shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of this order. Respondent shall deliver this order to current personnel within thirty (30) days after the date of service of the order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.11_chitika",
      "company_name": "CHITIKA, INC.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter",
      "docket_number": "C-4324"
    },
    {
      "provision_number": "VI",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, sale, bankruptcy filing, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that Chitika, Inc., and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the entity that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor entity; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the entity name or address. Provided, however, that with respect to any proposed change in the entity about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line FTC v. Chitika.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.11_chitika",
      "company_name": "CHITIKA, INC.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter",
      "docket_number": "C-4324"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within 60 days of service and at other times as required, and submit additional reports within 10 days of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that Chitika, Inc., and its successors and assigns, within sixty (60) days after service of the order, and at such other times as the Federal Trade Commission may require, shall file with the Commission a true and accurate report, in writing, setting forth the manner and form in which respondent has complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, Chitika, Inc. shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.11_chitika",
      "company_name": "CHITIKA, INC.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter",
      "docket_number": "C-4324"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "This order terminates on June 7, 2031, or 20 years from the most recent date the FTC files a complaint alleging any violation of the order in federal court, whichever is later.",
      "verbatim_text": "This order will terminate on June 7, 2031, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part of this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such a complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that this order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.11_chitika",
      "company_name": "CHITIKA, INC.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter",
      "docket_number": "C-4324"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of personal information collected from or about consumers.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, website, or other device, shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains and protects the privacy, confidentiality, security, or integrity of personal information collected from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.11_lookout_services",
      "company_name": "Lookout Services, Inc.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter",
      "docket_number": "C-4326"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to its size, complexity, and the sensitivity of personal information collected.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. 
the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards.\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of the information security program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "06.11_lookout_services",
      "company_name": "Lookout Services, Inc.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter",
      "docket_number": "C-4326"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments from a qualified independent professional, covering the first 180 days after service and each two-year period thereafter for twenty years, and submit or retain these assessments as directed.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall: A. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this order; and D. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period. Each Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been completed. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial Assessment, and any subsequent Assessments requested, shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line In the matter of Lookout Services, Inc., FTC File No.1023076. Provided, however, that in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of any such notice is contemporaneously sent to the Commission at Debrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "06.11_lookout_services",
      "company_name": "Lookout Services, Inc.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter",
      "docket_number": "C-4326"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC all materials relied upon for Assessments for three years, and all other compliance-related documents for five years.",
      "verbatim_text": "A. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts II and III of this order, for the compliance period covered by such Assessment;\n\nB. unless covered by IV.A, for a period of five (5) years from the date of preparation or dissemination, whichever is later, a print or electronic copy of each document relating to compliance with this order, including but not limited to: 1. all advertisements and promotional materials containing any representations covered by this order, with all materials used or relied upon in making or disseminating the representation; and 2. any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question compliance with this order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.11_lookout_services",
      "company_name": "Lookout Services, Inc.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter",
      "docket_number": "C-4326"
    },
    {
      "provision_number": "V",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver copies of the order to current and future principals, officers, directors, managers, employees, agents, and representatives, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "A. Respondent must deliver a copy of this order to (1) all current and future principals, officers, directors, and managers, (2) all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order, and (3) any business entity resulting from any change in structure set forth in Part VI. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure.\n\nB. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.11_lookout_services",
      "company_name": "Lookout Services, Inc.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter",
      "docket_number": "C-4326"
    },
    {
      "provision_number": "VI",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least thirty days prior to any corporate change that may affect compliance obligations under this order, including dissolution, merger, sale, bankruptcy filing, or change in name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in respondent that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line In the matter of Lookout Services, Inc., FTC File No.1023076. Provided, however, that in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of any such notice is contemporaneously sent to the Commission at Debrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.11_lookout_services",
      "company_name": "Lookout Services, Inc.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter",
      "docket_number": "C-4326"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within sixty days of service of the order, and submit additional written reports within ten days of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.11_lookout_services",
      "company_name": "Lookout Services, Inc.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter",
      "docket_number": "C-4326"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 15, 2031, or twenty years from the most recent date the FTC files a complaint alleging any violation of the order in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on June 15, 2031, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.11_lookout_services",
      "company_name": "Lookout Services, Inc.",
      "date_issued": "2011-06-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter",
      "docket_number": "C-4326"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_american_apparel",
      "company_name": "American Apparel, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3036-american-apparel-inc-matter",
      "docket_number": "C-4459"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC all documents relating to compliance with the order for five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_american_apparel",
      "company_name": "American Apparel, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3036-american-apparel-inc-matter",
      "docket_number": "C-4459"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of\n\nthis order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in\n\nassumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this\n\nstructure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_american_apparel",
      "company_name": "American Apparel, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3036-american-apparel-inc-matter",
      "docket_number": "C-4459"
    },
    {
      "provision_number": "IV",
      "title": "Notice of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any corporate change that may affect compliance obligations.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_american_apparel",
      "company_name": "American Apparel, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3036-american-apparel-inc-matter",
      "docket_number": "C-4459"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission detailing the manner and form of compliance with the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_american_apparel",
      "company_name": "American Apparel, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3036-american-apparel-inc-matter",
      "docket_number": "C-4459"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order will terminate on June 16, 2034, or twenty years from the most recent date that the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 16, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_american_apparel",
      "company_name": "American Apparel, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3036-american-apparel-inc-matter",
      "docket_number": "C-4459"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_apperian",
      "company_name": "Apperian, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3017-apperian-inc-matter",
      "docket_number": "C-4461"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available for FTC inspection all documents relating to compliance with this order for five years from the date of preparation or dissemination.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_apperian",
      "company_name": "Apperian, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3017-apperian-inc-matter",
      "docket_number": "C-4461"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with responsibilities relating to the subject matter of the order and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nIT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in\n\nassumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this\n\nstructure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_apperian",
      "company_name": "Apperian, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3017-apperian-inc-matter",
      "docket_number": "C-4461"
    },
    {
      "provision_number": "IV",
      "title": "Change in Corporate Structure Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the corporation that may affect compliance obligations, including dissolution, merger, bankruptcy, or name changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Apperian, Inc., FTC File No. 1423017.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_apperian",
      "company_name": "Apperian, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3017-apperian-inc-matter",
      "docket_number": "C-4461"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within sixty days after service of this order, and submit additional reports upon request within ten days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission,\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_apperian",
      "company_name": "Apperian, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3017-apperian-inc-matter",
      "docket_number": "C-4461"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 19, 2034, or twenty years from the most recent date the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: Page 3 of 4 A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_apperian",
      "company_name": "Apperian, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3017-apperian-inc-matter",
      "docket_number": "C-4461"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresenting Privacy or Security Program Participation",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_atlanta_falcons_football_club",
      "company_name": "Atlanta Falcons Football Club, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3018-atlanta-falcons-football-club-llc-matter",
      "docket_number": "C-4462"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents relating to compliance with this order, including advertisements and materials that question compliance.",
      "verbatim_text": "A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_atlanta_falcons_football_club",
      "company_name": "Atlanta Falcons Football Club, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3018-atlanta-falcons-football-club-llc-matter",
      "docket_number": "C-4462"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgment of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt within thirty days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nafter service of this order, and to such future personnel within thirty (30) days after the person\n\nassumes such position or responsibilities. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_atlanta_falcons_football_club",
      "company_name": "Atlanta Falcons Football Club, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3018-atlanta-falcons-football-club-llc-matter",
      "docket_number": "C-4462"
    },
    {
      "provision_number": "IV",
      "title": "Notice of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission within fourteen days of any corporate changes that may affect compliance obligations, including dissolution, merger, bankruptcy, or change of name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission within fourteen (14) days of any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Atlanta Falcons Football Club, LLC, FTC File No. 1423018.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_atlanta_falcons_football_club",
      "company_name": "Atlanta Falcons Football Club, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3018-atlanta-falcons-football-club-llc-matter",
      "docket_number": "C-4462"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within ninety days and submit additional reports upon request within ten days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission,\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_atlanta_falcons_football_club",
      "company_name": "Atlanta Falcons Football Club, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3018-atlanta-falcons-football-club-llc-matter",
      "docket_number": "C-4462"
    },
    {
      "provision_number": "VI",
      "title": "Order Termination",
      "category": "duration",
      "summary": "This order terminates on June 19, 2034, or twenty years from the most recent date the U.S. or Commission files a federal court complaint alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: Page 3 of 4 A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_atlanta_falcons_football_club",
      "company_name": "Atlanta Falcons Football Club, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3018-atlanta-falcons-football-club-llc-matter",
      "docket_number": "C-4462"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, compliance with, certification by, endorsement by, or participation in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_baker_tilly_virchow_krause_llp",
      "company_name": "Baker Tilly Virchow Krause, LLP",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3019-baker-tilly-virchow-krause-llp-matter",
      "docket_number": "C-4463"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection all documents relating to compliance with this order for five years from the date of preparation or dissemination.",
      "verbatim_text": "A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_baker_tilly_virchow_krause_llp",
      "company_name": "Baker Tilly Virchow Krause, LLP",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3019-baker-tilly-virchow-krause-llp-matter",
      "docket_number": "C-4463"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with responsibilities relating to the subject matter of the order, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_baker_tilly_virchow_krause_llp",
      "company_name": "Baker Tilly Virchow Krause, LLP",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3019-baker-tilly-virchow-krause-llp-matter",
      "docket_number": "C-4463"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate changes that may affect compliance obligations, including dissolution, assignment, sale, merger, creation or dissolution of subsidiaries, bankruptcy filing, or changes in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_baker_tilly_virchow_krause_llp",
      "company_name": "Baker Tilly Virchow Krause, LLP",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3019-baker-tilly-virchow-krause-llp-matter",
      "docket_number": "C-4463"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial compliance report with the Commission within 60 days after service of the order, and submit additional reports within 10 days of receipt of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_baker_tilly_virchow_krause_llp",
      "company_name": "Baker Tilly Virchow Krause, LLP",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3019-baker-tilly-virchow-krause-llp-matter",
      "docket_number": "C-4463"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order will terminate on June 19, 2034, or 20 years from the most recent date that the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_baker_tilly_virchow_krause_llp",
      "company_name": "Baker Tilly Virchow Krause, LLP",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3019-baker-tilly-virchow-krause-llp-matter",
      "docket_number": "C-4463"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresenting Privacy Program Participation",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership, adherence, compliance, certification, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_bittorrent",
      "company_name": "BitTorrent, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3020-bittorrent-inc-matter",
      "docket_number": "C-4464"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection copies of all documents relating to compliance with the order for five years.",
      "verbatim_text": "A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_bittorrent",
      "company_name": "BitTorrent, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3020-bittorrent-inc-matter",
      "docket_number": "C-4464"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_bittorrent",
      "company_name": "BitTorrent, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3020-bittorrent-inc-matter",
      "docket_number": "C-4464"
    },
    {
      "provision_number": "IV",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any corporate changes that may affect compliance obligations, including dissolution, merger, sale, bankruptcy, or name changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_bittorrent",
      "company_name": "BitTorrent, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3020-bittorrent-inc-matter",
      "docket_number": "C-4464"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the Commission within sixty days after service of the order and submit additional reports upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_bittorrent",
      "company_name": "BitTorrent, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3020-bittorrent-inc-matter",
      "docket_number": "C-4464"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on June 19, 2034, or twenty years from the most recent date the United States or Commission files a complaint in federal court alleging order violations, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_bittorrent",
      "company_name": "BitTorrent, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3020-bittorrent-inc-matter",
      "docket_number": "C-4464"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_charles_river_laboratories_int_l.",
      "company_name": "Charles River Laboratories International, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3022-charles-river-laboratories-intl-matter",
      "docket_number": "C-4465"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available for FTC inspection all documents relating to compliance with this order for five years from the date of preparation or dissemination.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to:\n\nA. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_charles_river_laboratories_int_l.",
      "company_name": "Charles River Laboratories International, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3022-charles-river-laboratories-intl-matter",
      "docket_number": "C-4465"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt within thirty days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_charles_river_laboratories_int_l.",
      "company_name": "Charles River Laboratories International, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3022-charles-river-laboratories-intl-matter",
      "docket_number": "C-4465"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the corporation that may affect compliance obligations, including dissolution, merger, sale, bankruptcy, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_charles_river_laboratories_int_l.",
      "company_name": "Charles River Laboratories International, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3022-charles-river-laboratories-intl-matter",
      "docket_number": "C-4465"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within sixty days after service of this order and additional reports upon request within ten days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_charles_river_laboratories_int_l.",
      "company_name": "Charles River Laboratories International, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3022-charles-river-laboratories-intl-matter",
      "docket_number": "C-4465"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 19, 2034, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_charles_river_laboratories_int_l.",
      "company_name": "Charles River Laboratories International, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3022-charles-river-laboratories-intl-matter",
      "docket_number": "C-4465"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_datamotion",
      "company_name": "DataMotion, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3023-datamotion-inc-corporation-matter",
      "docket_number": "C-4466"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC all documents relating to compliance with this order for five years, including advertisements, promotional materials, and documents questioning compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_datamotion",
      "company_name": "DataMotion, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3023-datamotion-inc-corporation-matter",
      "docket_number": "C-4466"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgment of Order Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_datamotion",
      "company_name": "DataMotion, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3023-datamotion-inc-corporation-matter",
      "docket_number": "C-4466"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, bankruptcy, or change in name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_datamotion",
      "company_name": "DataMotion, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3023-datamotion-inc-corporation-matter",
      "docket_number": "C-4466"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within 60 days after service of this order and submit additional reports within 10 days upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_datamotion",
      "company_name": "DataMotion, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3023-datamotion-inc-corporation-matter",
      "docket_number": "C-4466"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 19, 2034, or 20 years from the most recent date the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_datamotion",
      "company_name": "DataMotion, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3023-datamotion-inc-corporation-matter",
      "docket_number": "C-4466"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Program Membership",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, compliance with, certification by, endorsement by, or participation in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization, including the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_ddc_laboratories_also_dba_dna_diagnostics_center",
      "company_name": "DDC Laboratories, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3024-ddc-laboratories-inc-also-dba-dna-diagnostics-center-matter",
      "docket_number": "C-4467"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC, for a period of five years from the date of preparation or dissemination, all documents relating to compliance with this order, including advertisements, promotional materials, and any documents that call into question compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_ddc_laboratories_also_dba_dna_diagnostics_center",
      "company_name": "DDC Laboratories, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3024-ddc-laboratories-inc-also-dba-dna-diagnostics-center-matter",
      "docket_number": "C-4467"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with responsibilities relating to the subject matter of the order, and secure signed and dated acknowledgment statements from all recipients.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_ddc_laboratories_also_dba_dna_diagnostics_center",
      "company_name": "DDC Laboratories, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3024-ddc-laboratories-inc-also-dba-dna-diagnostics-center-matter",
      "docket_number": "C-4467"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Reporting for Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the corporation that may affect compliance obligations, including dissolution, assignment, sale, merger, creation or dissolution of subsidiaries, bankruptcy filing, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_ddc_laboratories_also_dba_dna_diagnostics_center",
      "company_name": "DDC Laboratories, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3024-ddc-laboratories-inc-also-dba-dna-diagnostics-center-matter",
      "docket_number": "C-4467"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a true and accurate compliance report with the Commission within sixty days after the date of service of this order, and submit additional reports within ten days of receipt of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_ddc_laboratories_also_dba_dna_diagnostics_center",
      "company_name": "DDC Laboratories, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3024-ddc-laboratories-inc-also-dba-dna-diagnostics-center-matter",
      "docket_number": "C-4467"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 19, 2034, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later, subject to certain conditions and exceptions.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_ddc_laboratories_also_dba_dna_diagnostics_center",
      "company_name": "DDC Laboratories, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3024-ddc-laboratories-inc-also-dba-dna-diagnostics-center-matter",
      "docket_number": "C-4467"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, compliance with, certification by, endorsement by, or participation in any privacy or security program, including Safe Harbor Frameworks.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_fantage.com",
      "company_name": "Fantage.com, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3026-fantagecom-inc-matter",
      "docket_number": "C-4469"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection all documents relating to compliance with this order for a period of five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_fantage.com",
      "company_name": "Fantage.com, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3026-fantagecom-inc-matter",
      "docket_number": "C-4469"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with responsibilities relating to the subject matter of this order and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_fantage.com",
      "company_name": "Fantage.com, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3026-fantagecom-inc-matter",
      "docket_number": "C-4469"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the corporation that may affect compliance obligations, such as dissolution, merger, sale, or bankruptcy filing.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_fantage.com",
      "company_name": "Fantage.com, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3026-fantagecom-inc-matter",
      "docket_number": "C-4469"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file with the Commission a true and accurate written report detailing its compliance with this order within sixty days, and submit additional reports upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_fantage.com",
      "company_name": "Fantage.com, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3026-fantagecom-inc-matter",
      "docket_number": "C-4469"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 19, 2034, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_fantage.com",
      "company_name": "Fantage.com, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3026-fantagecom-inc-matter",
      "docket_number": "C-4469"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, compliance with, certification by, endorsement by, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_level_3_communications",
      "company_name": "Level 3 Communications, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3028-level-3-communications-llc-matter",
      "docket_number": "C-4470"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC all documents relating to compliance with this order for five years from the date of preparation or dissemination.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_level_3_communications",
      "company_name": "Level 3 Communications, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3028-level-3-communications-llc-matter",
      "docket_number": "C-4470"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with responsibilities relating to the subject matter and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in\n\nassumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this\n\nstructure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_level_3_communications",
      "company_name": "Level 3 Communications, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3028-level-3-communications-llc-matter",
      "docket_number": "C-4470"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any change in the company that may affect compliance obligations, including dissolution, merger, sale, bankruptcy, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the company that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the company name or address. Provided, however, that, with respect to any proposed change in the company about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Level 3 Communications, LLC, FTC File No. 1423028.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_level_3_communications",
      "company_name": "Level 3 Communications, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3028-level-3-communications-llc-matter",
      "docket_number": "C-4470"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within 60 days after service of the order and submit additional reports within 10 days upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission,\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_level_3_communications",
      "company_name": "Level 3 Communications, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3028-level-3-communications-llc-matter",
      "docket_number": "C-4470"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 19, 2034, or 20 years from the most recent date of filing a federal court complaint alleging violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: Page 3 of 4 A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_level_3_communications",
      "company_name": "Level 3 Communications, LLC",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3028-level-3-communications-llc-matter",
      "docket_number": "C-4470"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_pdb_sports_ltd._dba_denver_broncos_football_club",
      "company_name": "PDB Sports, Ltd.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3025-pdb-sports-ltd-dba-denver-broncos-football-club-matter",
      "docket_number": "C-4468"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents relating to compliance with this order, including advertisements and materials that question compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_pdb_sports_ltd._dba_denver_broncos_football_club",
      "company_name": "PDB Sports, Ltd.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3025-pdb-sports-ltd-dba-denver-broncos-football-club-matter",
      "docket_number": "C-4468"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. Respondent must secure a signed and dated statement\n\nassumes such position or responsibilities. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_pdb_sports_ltd._dba_denver_broncos_football_club",
      "company_name": "PDB Sports, Ltd.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3025-pdb-sports-ltd-dba-denver-broncos-football-club-matter",
      "docket_number": "C-4468"
    },
    {
      "provision_number": "IV",
      "title": "Change in Corporate Structure Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission within fourteen days of any change in the partnership that may affect compliance obligations, including dissolution, merger, bankruptcy, or change in name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission within fourteen (14) days of any change in the partnership(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the partnership name or address. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re PDB Sports, Ltd., d/b/a the Denver Broncos Football Club, FTC File No. 1423025.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_pdb_sports_ltd._dba_denver_broncos_football_club",
      "company_name": "PDB Sports, Ltd.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3025-pdb-sports-ltd-dba-denver-broncos-football-club-matter",
      "docket_number": "C-4468"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a true and accurate compliance report with the Commission within ninety days after service of this order, and submit additional reports within ten days upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission,\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_pdb_sports_ltd._dba_denver_broncos_football_club",
      "company_name": "PDB Sports, Ltd.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3025-pdb-sports-ltd-dba-denver-broncos-football-club-matter",
      "docket_number": "C-4468"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 19, 2034, or twenty years from the most recent date that the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_pdb_sports_ltd._dba_denver_broncos_football_club",
      "company_name": "PDB Sports, Ltd.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3025-pdb-sports-ltd-dba-denver-broncos-football-club-matter",
      "docket_number": "C-4468"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, compliance with, certification by, endorsement by, or participation in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization, including the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_receivable_management_services_corporation_the",
      "company_name": "The Receivable Management Services Corporation",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3031-receivable-management-services-corporation-matter",
      "docket_number": "C-4472"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection and copying all documents relating to compliance with this order for a period of five years from the date of preparation or dissemination, whichever is later.",
      "verbatim_text": "A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_receivable_management_services_corporation_the",
      "company_name": "The Receivable Management Services Corporation",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3031-receivable-management-services-corporation-matter",
      "docket_number": "C-4472"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with responsibilities relating to the subject matter of the order and secure signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in\n\nassumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this\n\nstructure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_receivable_management_services_corporation_the",
      "company_name": "The Receivable Management Services Corporation",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3031-receivable-management-services-corporation-matter",
      "docket_number": "C-4472"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the corporation that may affect compliance obligations, including dissolution, assignment, sale, merger, creation or dissolution of a subsidiary, bankruptcy filing, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_receivable_management_services_corporation_the",
      "company_name": "The Receivable Management Services Corporation",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3031-receivable-management-services-corporation-matter",
      "docket_number": "C-4472"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a true and accurate written report with the Commission detailing the manner and form of its compliance with this order within sixty days after service of the order, and submit additional reports within ten days of receipt of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_receivable_management_services_corporation_the",
      "company_name": "The Receivable Management Services Corporation",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3031-receivable-management-services-corporation-matter",
      "docket_number": "C-4472"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 19, 2034, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_receivable_management_services_corporation_the",
      "company_name": "The Receivable Management Services Corporation",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3031-receivable-management-services-corporation-matter",
      "docket_number": "C-4472"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, compliance with, certification by, endorsement by, or participation in any privacy or security program sponsored by the government or self-regulatory organizations, including Safe Harbor Frameworks.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_reynolds_consumer_products",
      "company_name": "Reynolds Consumer Products Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3030-reynolds-consumer-products-inc-matter",
      "docket_number": "C-4471"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC all documents relating to compliance with the order for five years from the date of preparation or dissemination.",
      "verbatim_text": "A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_reynolds_consumer_products",
      "company_name": "Reynolds Consumer Products Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3030-reynolds-consumer-products-inc-matter",
      "docket_number": "C-4471"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all current and future personnel with responsibilities relating to the subject matter and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in\n\nassumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this\n\nstructure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_reynolds_consumer_products",
      "company_name": "Reynolds Consumer Products Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3030-reynolds-consumer-products-inc-matter",
      "docket_number": "C-4471"
    },
    {
      "provision_number": "IV",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, bankruptcy, or name changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_reynolds_consumer_products",
      "company_name": "Reynolds Consumer Products Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3030-reynolds-consumer-products-inc-matter",
      "docket_number": "C-4471"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within 60 days after service of the order and submit additional reports upon request within 10 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission,\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_reynolds_consumer_products",
      "company_name": "Reynolds Consumer Products Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3030-reynolds-consumer-products-inc-matter",
      "docket_number": "C-4471"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order will terminate on June 19, 2034, or 20 years from the most recent date the United States or Commission files a complaint in federal court alleging violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_reynolds_consumer_products",
      "company_name": "Reynolds Consumer Products Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3030-reynolds-consumer-products-inc-matter",
      "docket_number": "C-4471"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, compliance with, certification by, endorsement by, or participation in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.14_tennessee_football",
      "company_name": "Tennessee Football, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3032-tennessee-football-inc-matter",
      "docket_number": "C-4473"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection all documents relating to compliance with this order for a period of five years from the date of preparation or dissemination, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to:\n\nA. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.14_tennessee_football",
      "company_name": "Tennessee Football, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3032-tennessee-football-inc-matter",
      "docket_number": "C-4473"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all current and future principals, officers, directors, managers, employees, agents, and representatives with responsibilities relating to the subject matter of the order, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. Respondent must secure a signed and dated statement\n\nassumes such position or responsibilities. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_tennessee_football",
      "company_name": "Tennessee Football, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3032-tennessee-football-inc-matter",
      "docket_number": "C-4473"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Notifications",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission of any changes in the corporation that may affect compliance obligations, including dissolution, assignment, sale, merger, creation or dissolution of subsidiaries, bankruptcy filing, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission within fourteen (14) days of any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Tennessee Football, Inc., FTC File No. 1423032.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_tennessee_football",
      "company_name": "Tennessee Football, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3032-tennessee-football-inc-matter",
      "docket_number": "C-4473"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a true and accurate written report with the Commission detailing its compliance with the order, and submit additional reports upon request from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission,\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.14_tennessee_football",
      "company_name": "Tennessee Football, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3032-tennessee-football-inc-matter",
      "docket_number": "C-4473"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on June 19, 2034, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 19, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and Page 3 of 4 C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.14_tennessee_football",
      "company_name": "Tennessee Football, Inc.",
      "date_issued": "2014-06-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3032-tennessee-football-inc-matter",
      "docket_number": "C-4473"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Information Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner the purposes, consumer controls, compliance program participation, or extent of collection and protection related to Covered Information.",
      "verbatim_text": "A. the purposes for which Respondent or any entity to whom it discloses Covered Information collects, maintains, uses, or discloses Covered Information;\n\nB. the extent to which consumers may exercise control over Respondent’s collection, maintenance, use, disclosure, or deletion of Covered Information, and the steps a consumer must take to implement such controls;\n\nC. the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by a government or any self-regulatory or standard-setting organization, including the EU-U.S. Privacy Shield and the U.S.-Swiss Privacy Shield framework; and\n\nD. the extent to which Respondent collects, maintains, uses, discloses, deletes, or permits or denies access to any Covered Information, or the extent to which Respondent protects the availability, confidentiality, or integrity of any Covered Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "II",
      "title": "Data Deletion",
      "category": "affirmative_obligation",
      "summary": "Within 30 days of filing, Respondent must instruct any Third Party that received Health Information from Respondent belonging to any Covered App User to destroy such information.",
      "verbatim_text": "IT IS FURTHER ORDERED that, on or before thirty (30) days after the date of the filing of this Order, Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, must instruct any Third Party that has received Health Information from Respondent belonging to any Covered App User to destroy such information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "III",
      "title": "Notice to Users",
      "category": "affirmative_obligation",
      "summary": "Within 14 days of filing, Respondent must post the required notice Clearly and Conspicuously on its website and email it to all Covered App Users, with no additional materials included.",
      "verbatim_text": "IT IS FURTHER ORDERED that on or before fourteen (14) days after the date of the filing of this Order, Respondent must post Clearly and Conspicuously on Respondent’s website, https://flo.health/, an exact copy of the notice attached hereto as Exhibit A (“Notice”) and email the Notice to all Covered App Users, provided however, that if Respondent does not have email information for any Covered App User, Respondent must send the Notice to that Covered App User through Respondent’s primary means of communicating with that user (such as a notification within Respondent’s mobile application). Respondent shall not include with the\n\nnotification within Respondent’s mobile application). Respondent shall not include with the Notice any other information, documents, or attachments.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "IV",
      "title": "Notice and Affirmative Express Consent",
      "category": "affirmative_obligation",
      "summary": "Before disclosing any consumer's Health Information to any Third Party, Respondent must provide clear and conspicuous disclosure of the categories, identities, and purposes of disclosure, and obtain affirmative express consent.",
      "verbatim_text": "A. Clearly and Conspicuously disclose to the consumer, separate and apart from any “privacy policy,” “terms of use” page, or other similar document: (1) the categories of Health Information that will be disclosed to such Third Parties, (2) the identities of such Third Parties, and (3) all purposes for Respondent’s disclosure of such Health Information, including how it may be used by each Third Party; and\n\nB. obtain the consumer’s affirmative express consent.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "V",
      "title": "Compliance Review",
      "category": "assessment",
      "summary": "Within 180 days of the Order's issuance, Respondent must obtain an independent third-party Compliance Review of its privacy practices against the EU-U.S. Privacy Shield Principles, and submit it to the Commission within 10 days of completion.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within 180 days after the issuance date of this Order, Respondent must obtain an outside review of certain of its practices (the “Compliance Review”): A. The Compliance Review must be completed by a qualified, objective, independent third- party professional, who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of compliance with the EU-U.S. Privacy Shield Framework Principles (the “Principles”), attached hereto as Exhibit B; and (3) retains all documents relevant to the Compliance Review for five (5) years after completion and will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.\n\nB. Respondent shall provide the Associate Director of Enforcement for the Bureau of Consumer Protection at the Commission with the name, affiliation, and resume of each person selected to conduct the Compliance Review, which the Associate Director shall have the authority to approve in his sole discretion.\n\nC. The reporting period for the Compliance Review must cover the first 180 days after the issuance date of the Order.\n\nD. 
The Compliance Review must (1) determine whether Respondent has maintained compliance with the Principles attached hereto as Exhibit B; (2) determine whether Respondent’s privacy practices are consistent with its privacy policy; (3) determine whether Respondent adequately informs individuals about the mechanisms through which they may pursue complaints regarding Respondent’s privacy practices; (4) identify any gaps or weaknesses in the privacy practices assessed; and (5) identify specific evidence (including, but not limited to, documents reviewed, sampling and technical testing performed, and interviews conducted) examined to make such determinations and identifications, and explain why the evidence examined is sufficient to justify the findings. No finding of the Compliance Review shall rely solely on assertions or attestations by Respondent’s management. The Compliance Review shall be signed by the lead professional who performs the review and shall state that he or she conducted an independent review of Respondent’s privacy practices, and did not rely solely on assertions or attestations by Respondent’s management.\n\nE. Unless otherwise directed by a Commission representative in writing, Respondent must submit the Compliance Review to the Commission within ten (10) days after the Compliance Review has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Flo Health, Inc., LLC, FTC File No. 1923133.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "VI",
      "title": "Cooperation with Compliance Reviewer",
      "category": "affirmative_obligation",
      "summary": "Respondent must disclose all material facts to the Compliance Reviewer and must not misrepresent any fact material to the Reviewer's determination about Respondent's privacy practices.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, whether acting directly or indirectly, in connection with the Compliance Review required by Provision V of this Order, must disclose all 5 material facts to the individual(s) conducting the Compliance Review (the “Reviewer”), and must not misrepresent in any manner, expressly or by implication, any fact material to the Reviewer’s determination whether Respondent (1) has maintained compliance with the Principles attached hereto as Exhibit B; (2) has engaged in privacy practices consistent with its privacy policy; (3) adequately informs individuals about the mechanisms through which they may pursue complaints regarding Respondent’s privacy practices; or (4) has any gaps or weaknesses in its privacy practices.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "VII",
      "title": "Certification",
      "category": "compliance_reporting",
      "summary": "Within 180 days of the Order's issuance, Respondent must submit a senior management certification to the Commission confirming establishment and maintenance of Order requirements and absence of known material noncompliance.",
      "verbatim_text": "A. Within 180 days after the issuance date of this Order, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s privacy practices that Respondent: (1) has established, implemented, and maintained the requirements of this Order; and (2) is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit the certification to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Flo Health, Inc., LLC, FTC File No. 1923133.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "VIII",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 30 days of discovering a Covered Incident, Respondent must submit a report to the Commission detailing the date, facts, scope, number of affected consumers, remediation steps, and any notices sent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within thirty (30) days after that Respondent’s discovery of a Covered Incident, must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known; C. The number of consumers whose information was affected; D. The acts that Respondent has taken to date to remediate the Covered Incident and protect Health Information from further disclosure, exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and E. A representative copy of any materially different notice sent by Respondent to consumers or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Flo Health, Inc., LLC, FTC File No. 1923133.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "IX",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt of the Order to the Commission within 10 days, deliver copies to key personnel for 5 years, and obtain signed acknowledgments from recipients within 30 days of delivery.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For five (5) years after the issuance date of this Order, Respondent, must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order, and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "X",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file sworn compliance reports annually for 5 years starting 60 days after issuance, submit notices of structural or contact changes within 14 days, notify the Commission of any bankruptcy filing within 14 days, and submit all required materials electronically or by overnight courier.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, and annually thereafter for five (5) more years, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the services offered, what Covered Information is collected, and how Covered Information is used and disclosed to third parties; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in: (a) any designated point of contact or (b) the structure of Respondent or any entity Respondent has any ownership interest in or control directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ___________” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Flo Health, Inc., a corporation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "XI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create certain records for 20 years and retain each for 5 years, including accounting records, personnel records, consumer complaints, compliance documentation, advertising materials, privacy-related representations, and Compliance Review materials.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name, addresses, telephone numbers, job title or position, dates of service, and (if applicable) the reason for termination;\n\nC. copies or records of all consumer complaints and refund requests sent to Respondent, and any response;\n\nD. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission;\n\nE. a copy of each unique advertisement or other marketing material making a representation subject to this Order;\n\nF. a copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security and confidentiality of any Covered Information, including any representation concerning a change in any website or other service controlled by Respondent that relates to the privacy, security, and confidentiality of Covered Information;\n\nG. for five (5) years after the date of preparation of the Compliance Review required by this Order, all materials relied upon to prepare the Compliance Review, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by the Compliance Review.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "XII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission may monitor Respondent's compliance by requesting additional reports and records within 10 days, communicating directly with and interviewing Respondent's personnel, and using all other lawful means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "XIII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order is final and effective upon publication on the FTC website and will terminate 20 years from issuance, or 20 years from the most recent date a federal complaint alleging a violation is filed, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "06.21_flo_health",
      "company_name": "Flo Health, Inc.",
      "date_issued": "2021-06-15",
      "year": 2021,
      "administration": "Biden",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc",
      "docket_number": "C-4747"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it or its products maintain and protect the security of covered device functionality or the security, privacy, confidentiality, or integrity of covered information.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent or its products or services, including any covered devices, use, maintain and protect the security of covered device functionality or the security, privacy, confidentiality, or integrity of any covered information from or about consumers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.13_htc_america",
      "company_name": "HTC America, Inc.",
      "date_issued": "2013-07-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter",
      "docket_number": "C-4406"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive security program designed to address security risks related to covered devices and protect the security, confidentiality, and integrity of covered information.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing covered devices, and (2) protect the security, confidentiality, and integrity of covered information, whether collected by respondent or input into, stored on, captured with, accessed or transmitted through a covered device. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered device functionality or covered information, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the security program;\n\nB. the identification of material internal and external risks to the security of covered devices that could result in unauthorized access to or use of covered device functionality, and assessment of the sufficiency of any safeguards in place to control these risks;\n\nC. the identification of material internal and external risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, whether such information is in respondent’s possession or is input into, stored on, captured with, accessed or transmitted through a covered device, and assessment of the sufficiency of any safeguards in place to control these risks;\n\nD. at a minimum, the risk assessments required by subparts B and C should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) product design, development and research; (3) secure software design and testing, including secure engineering and defensive programming; and (4) review, assessment, and response to third-party security vulnerability reports;\n\nE. the design and implementation of reasonable safeguards to control the risks identified through the risk assessments, including through reasonable and appropriate software security testing techniques, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nF. the development and use of reasonable steps to select and retain service providers capable of maintaining security practices consistent with this order, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nG. the evaluation and adjustment of the security program in light of the results of the testing and monitoring required by subpart E, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its security program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "07.13_htc_america",
      "company_name": "HTC America, Inc.",
      "date_issued": "2013-07-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter",
      "docket_number": "C-4406"
    },
    {
      "provision_number": "III",
      "title": "Security Patches for Specific Vulnerabilities",
      "category": "affirmative_obligation",
      "summary": "Respondent must develop and release security patches to fix vulnerabilities described in Attachment A for affected covered devices with operating systems released on or after December 2010.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall develop security patches to fix the security vulnerabilities described in Attachment A for each affected covered device having an operating system version released on or after December 2010. Within thirty (30) days of service of this order, respondent shall release the applicable security patch(es) either directly to affected covered devices or to the applicable network operator for deployment of the security patch(es) to the affected covered devices. Respondent shall provide users of the affected covered devices with clear and prominent notice regarding the availability of the applicable security patch(es) and instructions for installing the applicable security patch(es).",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "07.13_htc_america",
      "company_name": "HTC America, Inc.",
      "date_issued": "2013-07-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter",
      "docket_number": "C-4406"
    },
    {
      "provision_number": "IV",
      "title": "Third-Party Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial assessments from a qualified, independent third-party professional to evaluate compliance with the security program requirements.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such Assessments shall be: a person qualified as a Certified Secure Software Lifecycle Professional (CSSLP) with experience in secure mobile programming; or as a Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and secure mobile programming; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred eighty (180) days after service of the order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered device functionality or covered information; C. explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this order; and D. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security of covered device functionality and the security, confidentiality, and integrity of covered information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "07.13_htc_america",
      "company_name": "HTC America, Inc.",
      "date_issued": "2013-07-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter",
      "docket_number": "C-4406"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain records related to compliance with the order and make them available to the FTC upon request.",
      "verbatim_text": "A. for a period of three (3) years after the date of preparation of each Assessment required under Part IV of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts II and III of this order, for the compliance period covered by such Assessment;\n\nB. unless covered by V.A, for a period of three (3) years from the date of preparation or dissemination, whichever is later, all other documents relating to compliance with this order, including but not limited to: 1. all advertisements and promotional materials containing any representations covered by this order, as well as all materials used or relied upon in making or disseminating the representation; and 2. any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "07.13_htc_america",
      "company_name": "HTC America, Inc.",
      "date_issued": "2013-07-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter",
      "docket_number": "C-4406"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all current and future subsidiaries, principals, officers, directors, managers, and employees with responsibilities relating to the subject matter of the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.13_htc_america",
      "company_name": "HTC America, Inc.",
      "date_issued": "2013-07-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter",
      "docket_number": "C-4406"
    },
    {
      "provision_number": "VII",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate change that may affect compliance obligations under the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.13_htc_america",
      "company_name": "HTC America, Inc.",
      "date_issued": "2013-07-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter",
      "docket_number": "C-4406"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission detailing manner and form of compliance with the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.13_htc_america",
      "company_name": "HTC America, Inc.",
      "date_issued": "2013-07-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter",
      "docket_number": "C-4406"
    },
    {
      "provision_number": "IX",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order will terminate on June 25, 2033, or 20 years from the most recent date the United States or Commission files a complaint alleging violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on June 25, 2033, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.13_htc_america",
      "company_name": "HTC America, Inc.",
      "date_issued": "2013-07-15",
      "year": 2013,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter",
      "docket_number": "C-4406"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, expressly or by implication, the security of its Covered Devices, the protection of Covered Information, the ability to use a Covered Device to secure a network, or the up-to-date status of a Covered Device's software.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or indirectly, in or affecting commerce, must not misrepresent in any manner, expressly or by implication: A. The extent to which respondent or its products or services maintain and protect: 1. The security of any Covered Device; 2. The security, privacy, confidentiality, or integrity of any Covered Information;\n\nB. The extent to which a consumer can use a Covered Device to secure a network; and\n\nC. The extent to which a Covered Device is using up-to-date software.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.16_asustek_computer",
      "company_name": "ASUSTeK Computer, Inc.",
      "date_issued": "2016-07-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter",
      "docket_number": "C-4587"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive, fully documented security program reasonably designed to address security risks for Covered Devices and protect Covered Information, including specific administrative, technical, and physical safeguards.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing Covered Devices, and (2) protect the privacy, security, confidentiality, and integrity of Covered Information. Such program, the content and implementation of which must be fully documented in writing, must contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the Covered Device’s function or the Covered Information, including:\n\nA. The designation of an employee or employees to coordinate and be accountable for the security program;\n\nB. The identification of material internal and external risks to the security of Covered Devices that could result in unauthorized access to or unauthorized modification of a Covered Device, and assessment of the sufficiency of any safeguards in place to control these risks;\n\nC. The identification of material internal and external risks to the privacy, security, confidentiality, and integrity of Covered Information that could result in the unintentional exposure of such information by consumers or the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks;\n\nD. At a minimum, the risk assessments required by Subparts B and C must include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including in secure engineering and defensive programming; (2) product design, development, and research; (3) secure software design, development, and testing, including for Default Settings; (4) review, assessment, and response to third-party security vulnerability reports, and (5) prevention, detection, and response to attacks, intrusions, or systems failures;\n\nE. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, including through reasonable and appropriate software security testing techniques, such as (1) vulnerability and penetration testing; (2) security architecture reviews; (3) code reviews; and (4) other reasonable and appropriate assessments, audits, reviews, or other tests to identify potential security failures and verify that access to Covered Devices and Covered Information is restricted consistent with a user’s security settings;\n\nF. Regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nG. The development and use of reasonable steps to select and retain service providers capable of maintaining security practices consistent with this order, and requiring service providers by contract to implement and maintain appropriate safeguards consistent with this order; and\n\nH. The evaluation and adjustment of respondent’s security program in light of the results of the testing and monitoring required by Subpart F, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of the security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "07.16_asustek_computer",
      "company_name": "ASUSTeK Computer, Inc.",
      "date_issued": "2016-07-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter",
      "docket_number": "C-4587"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments from a qualified, objective, independent professional (CSSLP or CISSP-credentialed), covering the first 180 days and each two-year period thereafter for 20 years, with each assessment certifying the effectiveness of the security program.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this order, respondent must obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such Assessments must be: a person qualified as a Certified Secure Software Lifecycle Professional (CSSLP) with experience programming secure Internet-accessible consumer-grade devices; or as a Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and in programming secure Internet-accessible consumer-grade devices; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. The reporting period for the Assessments must cover: (1) the first one hundred eighty (180) days after service of the order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment must:\n\nA. Set forth the specific controls and procedures that respondent has implemented and maintained during the reporting period;\n\nB. Explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the Covered Device’s function or the Covered Information;\n\nC. Explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this order; and\n\nD. Certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security of Covered Devices and the privacy, security, confidentiality, and integrity of Covered Information is protected and has so operated throughout the reporting period.\n\nEach Assessment must be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent must provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments must be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial Assessment, and any subsequent Assessments requested, must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin: In re ASUSTek Computer Inc., FTC File No. 142 3156.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "07.16_asustek_computer",
      "company_name": "ASUSTeK Computer, Inc.",
      "date_issued": "2016-07-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter",
      "docket_number": "C-4587"
    },
    {
      "provision_number": "IV",
      "title": "Security Flaw Notification and Consumer Registration",
      "category": "affirmative_obligation",
      "summary": "Respondent must clearly and conspicuously notify consumers when a Software Update is available or when mitigation steps exist for a Security Flaw, through multiple channels, and must provide consumers an opportunity to register contact information to receive such notifications during initial device setup.",
      "verbatim_text": "A. Notify consumers, Clearly and Conspicuously, when a Software Update is available, or when respondent is aware of reasonable steps that a consumer could take to mitigate a Security Flaw. The notice must explain how to install the Software Update, or otherwise mitigate the Security Flaw, and the risks to the consumer’s Covered Device or Covered Information if the consumer chooses not to install the available Software Update or take the recommended steps to mitigate the Security Flaw. Notice must be provided through at least each of the following\n\n1. Posting of a Clear and Conspicuous notice on at least the primary, consumer-facing website of respondent and, to the extent feasible, on the user interface of any Covered Device that is affected;\n\n2. Directly informing consumers who register, or who have registered, a Covered Device with respondent, by email, text message, push notification, or another similar method of providing notifications directly to consumers; and\n\n3. Informing consumers who contact respondent to complain or inquire about any aspect of the Covered Device they have purchased.\n\nB. Provide consumers with an opportunity to register an email address, phone number, device, or other information during the initial setup or configuration of a Covered Device, in order to receive the security notifications required by this Part. The consumer’s registration of such information must not be dependent upon or defaulted to an agreement to receive non-security related notifications or any other communications, such as advertising. Notwithstanding this requirement, respondent may provide an option for consumers to opt-out of receiving such security-related notifications.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "07.16_asustek_computer",
      "company_name": "ASUSTeK Computer, Inc.",
      "date_issued": "2016-07-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter",
      "docket_number": "C-4587"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection all materials relied upon for Part III Assessments for three years, and all other compliance-related documents (including advertisements, notifications, and any documents contradicting compliance) for five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of: A. For a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Part III of this order, for the compliance period covered by such Assessment;\n\nB. Unless covered by V.A, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all other documents relating to compliance with this order, including but not limited to: 1. All advertisements, promotional materials, installation and user guides, and packaging containing any representations covered by this order, as well as all materials used or relied upon in making or disseminating the representation; 2. All notifications required by Part IV of this order; and 3. Any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "07.16_asustek_computer",
      "company_name": "ASUSTeK Computer, Inc.",
      "date_issued": "2016-07-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter",
      "docket_number": "C-4587"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future subsidiaries, principals, officers, directors, managers, and employees or agents with supervisory responsibilities relating to the subject matter of the order, within specified timeframes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having supervisory responsibilities relating to the subject matter of this order. Respondent must deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VII, delivery must be at least ten (10) days prior to the change in structure.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.16_asustek_computer",
      "company_name": "ASUSTeK Computer, Inc.",
      "date_issued": "2016-07-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter",
      "docket_number": "C-4587"
    },
    {
      "provision_number": "VII",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, including dissolution, merger, sale, creation or dissolution of subsidiaries, bankruptcy filings, or changes in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent must notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent must notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission, all notices required by this Part must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin: In re ASUSTek Computer Inc., FTC File No. 142 3156.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.16_asustek_computer",
      "company_name": "ASUSTeK Computer, Inc.",
      "date_issued": "2016-07-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter",
      "docket_number": "C-4587"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 60 days of service of this order and submit additional written reports within 10 days of receiving written notice from a Commission representative.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, must file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it must submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.16_asustek_computer",
      "company_name": "ASUSTeK Computer, Inc.",
      "date_issued": "2016-07-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter",
      "docket_number": "C-4587"
    },
    {
      "provision_number": "IX",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on July 18, 2036, or twenty years from the most recent date the U.S. or the Commission files a complaint in federal court alleging any violation of the order, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on July 18, 2036, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in fewer than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.16_asustek_computer",
      "company_name": "ASUSTeK Computer, Inc.",
      "date_issued": "2016-07-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter",
      "docket_number": "C-4587"
    },
    {
      "provision_number": "I",
      "title": "Comprehensive Software Security Program",
      "category": "affirmative_obligation",
      "summary": "Defendant must establish, implement, and maintain a comprehensive software security program for twenty years designed to protect the security of its Covered Devices, including at minimum nine categories of documented safeguards.",
      "verbatim_text": "IT IS ORDERED that Defendant shall, for a period of twenty (20) years after entry of this Order, continue with or establish and implement, and maintain, a comprehensive software security program (“Software Security Program”) that is designed to provide protection for the security of its Covered Devices, unless Defendant ceases to market, distribute, or sell any Covered Devices. Subject to Section II.I of this Order, to satisfy this requirement, Defendant must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Software Security Program;\n\nB. Provide the written program and any evaluations thereof or updates thereto to Defendant’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendant responsible for Defendant’s Software Security Program at least once every twelve (12) months;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Software Security Program;\n\nD. Assess and document, at least once every twelve (12) months, internal and external risks to the security of Covered Devices that could result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information input into, stored on or captured with, accessed, or transmitted by a Covered Device;\n\nE. Design, implement, maintain, and document safeguards, as a part of a secure software development process, that control for the internal and external risks Defendant identifies to the security of Covered Devices. Such safeguards shall also include: 1. Engaging in security planning by enumerating in writing how functionality and features will affect the security of Covered Devices; 2. Performing threat modeling to identify internal and external risks to the security of data transmitted using Covered Devices; 3. Engaging in pre-release code review of every release of software for Covered Devices through the use of automated static analysis tools; 4. Conducting pre-release vulnerability testing of every release of software for Covered Devices; 5. Performing ongoing code maintenance by maintaining a database of shared code to be used to help find other instances of a vulnerability when a vulnerability is reported or otherwise discovered; 6. Remediation processes designed to address security flaws, or analogous instances of security flaws, identified at any stage of software development process; 7. Ongoing monitoring of security research for potential vulnerabilities that could affect Covered Devices; 8. A process for accepting vulnerability reports from security researchers, which shall include providing a designated point of contact for security researchers, appointing supervisory personnel to validate concerns; 9. Automatic firmware updates directly to the Covered Devices that are configured to receive automatic firmware updates; 10. At least 60 days prior to ceasing security updates for a Covered Device, a clear and conspicuous notice to consumers who registered their Covered Device, through the communication channel(s) the consumer chose at the time of registration, and a clear and conspicuous notice on the product information page of the Covered Device on Defendant’s website that the Covered Device will no longer receive firmware updates; and 11. Biennial security training for personnel and vendors responsible for developing, implementing, or reviewing Covered Device software, including firmware updates.\n\nF. Assess, at least once every twelve (12) months the sufficiency of any safeguards in place to address the risks to the security of Covered Devices, and modify the Software Security Program based on the results.\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months, and modify the Software Security Program based on the results.\n\nH. Select and retain service providers capable of maintaining security practices consistent with this Order, and contractually require service providers to implement and maintain safeguards consistent with this Order; and\n\nI. Evaluate and adjust the Software Security Program in light of any changes to Defendant’s operations or business arrangements, or any other circumstances that Defendant knows or has reason to know may have an impact on the effectiveness of the Software Security Program. At a minimum, Defendant must evaluate the Software Security Program at least once every twelve (12) months and modify the Software Security Program based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "II",
      "title": "Software Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Defendant must obtain initial and biennial third-party assessments of its Software Security Program or the Approved Standard, conducted by a qualified independent Assessor, with results submitted to the FTC.",
      "verbatim_text": "Software Security Program, Defendant must obtain initial and biennial assessments (“Assessments”): A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) is qualified as a Certified Secure Software Lifecycle Professional (CSSLP) with professional experience with secure Internet-accessible devices; (2) uses procedures and standards generally accepted in the profession; (3) conducts an independent review of the Software Security Program, or, at the election of Defendant, an assessment of the Approved Standard; and (4) retains all documents considered for each Assessment for five (5) years after completion of such Assessment and will provide such documents to the Commission within fourteen (14) days of receipt of a written request from a representative of the Commission. No documents considered for an Assessment may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product or attorney client privilege.\n\nB. For each Assessment, Respondent shall provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name and affiliation of the person selected to conduct the Assessment, which the Associate Director shall have the authority to approve in his sole discretion. Any decision not to approve an individual selected to conduct such Assessment must be accompanied by a writing setting forth in detail the reasons for denying such approval.\n\nC. The reporting period for the Assessments to FTC must cover: (1) from the entry of this Order to January 31, 2020, for the initial Assessment; and (2) each 2-year period thereafter for ten (10) years after entry of this Order for the biennial Assessments.\n\nD. If Defendant elects to assess Defendant’s compliance with the Software Security Program, the Assessment must: (1) determine whether Defendant has implemented and maintained the Software Security Program; (2) assess the effectiveness of Defendant’s implementation and maintenance of sub-Sections I.A-I; (3) identify any gaps or weaknesses in the Software Security Program; (4) identify specific evidence (such as documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is sufficient to justify the Assessor’s findings; or,\n\nE. If Defendant elects to assess Defendant’s compliance with the Approved Standard, the Assessment must certify compliance with the Approved Standard, including, but not limited to, the following provisions: (1) Part 6.4 (“SR-3: Product Security Requirements”); (2) Part 6.5 (“SR-4: Product security requirements content”); (3) Part 6.3 (“SR-2: Threat model”); (4) Part 8.3.1(c) (“Static Code Analysis”); (5) Part 9.4 (“SVV-3: Vulnerability Testing”); (6) Part 9.5 (“Penetration Testing”); (7) Part 10.4 (“DM-3: Assessing security-related issues”); (8) Part 10.5 (“DM-4: Addressing security-related issues”); (9) Part 10.2 (“DM-1: Receiving notifications of security-related issues”); (10) Part 11.6 (“SUM-5: Timely delivery of security patches”); (11) Part 10.6 (“DM-5: Disclosing security-related issues”); (12) Part 5.6 (“SM-4: Security expertise”).\n\nF. No finding of any Assessment shall rely solely on assertions or attestations by Defendant’s management. The Assessment shall be signed by the Assessor and shall state that the Assessor conducted an independent review of the Software Security Program or the Approved Standard, and did not rely solely on assertions or attestations by Defendant’s management.\n\nG. To the extent that Defendant has selected, appointed, or worked with a third party to implement any of the criteria of the Software Security Program or any criteria of the Approved Standard, Defendant shall provide to the Assessor, or cause to be provided to the Assessor, in connection with the Assessment, all materials and documentation necessary for the Assessor to conduct the Assessment of the effectiveness of the Comprehensive Software Security Program or Approved Standard. All such materials and documentation shall be maintained and produced upon request pursuant to the provisions of this Order.\n\nH. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendant must submit the initial Assessment to the Commission within twenty (20) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re D-Link Systems, FTC File No. X170030.” All subsequent biennial Assessments shall be retained by Defendant until the order is terminated and provided to the Associate Director for Enforcement within twenty (20) days of request.\n\nI. If Defendant obtains an Assessment (i) certifying that the Software Security Program for the Covered Devices is in compliance with the Approved Standard and (ii) certifying that Defendant is in compliance with Section I.E.10, Defendant shall be deemed in compliance with Section I of this Order for two (2) years from the date of that Assessment or until the next January 31 Assessment deadline, whichever is earlier. Provided, however: 1. Defendant shall not be deemed in compliance with Section I of this Order based on a Section II Assessment if Defendant made a representation, express or implied, that either misrepresented or omitted a material fact and such misrepresentation or omission would likely affect a reasonable Assessor’s decision about whether Defendant complied with the Approved Standard. Further, in the event that such a misrepresentation or omission was made for the purpose of deceiving the Assessor, Defendant shall not be deemed in compliance with any portion of Section I or Section II of this Order based on that Assessment. 2. Defendant shall not be deemed in compliance with Section I of this Order based upon a Section II Assessment if Defendant materially changed its practices after the Assessment in question, unless, at the time of the material change, an Assessor qualified under this Section certifies that the material change does not cause Defendant to fall out of compliance with the Approved Standard on which the Assessment in question was based.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "III",
      "title": "Cooperation with Third-Party Software Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Defendant must disclose all material facts to the Assessor and provide all necessary information and materials for each Assessment, without misrepresentation.",
      "verbatim_text": "A. Disclose all material facts to the Assessor, and must not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s Assessment; and\n\nB. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is necessary to the Assessment for which there is no reasonable claim of privilege.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "IV",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Defendant must annually submit to the FTC a sworn certification from a senior corporate manager confirming compliance with the Order and disclosing any material noncompliance.",
      "verbatim_text": "A. One year after the entry of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Defendant responsible for Defendant’s Software Security Program that: (1) the requirements of this Order have been established, implemented, and maintained; and (2) Defendant is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re D-Link Systems, Inc., FTC File No. X170030.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "V",
      "title": "Specific Conduct Provisions",
      "category": "prohibition",
      "summary": "Defendant must stop selling or distributing the IP Camera set-up wizard software containing representations in Exhibit C, and must notify registered consumers to update their device firmware within 60 days.",
      "verbatim_text": "A. Defendant shall no longer sell, distribute, or host on its website the IP Camera set-up wizard software containing the representations shown in Exhibit C attached hereto for any Covered Devices.\n\nB. Within 60 days of the effective date of this Order, provide clear and conspicuous notice to all consumers who registered their Covered Devices, through the communication channel(s) the consumer chose at the time of registration, containing instructions for updating said device with the latest firmware update.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Defendant must obtain and submit acknowledgments of receipt of this Order from itself and relevant personnel, and deliver copies to all current and future responsible personnel.",
      "verbatim_text": "A. Defendant, within 7 days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For three years after entry of this Order, Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for the security of Covered Devices and all agents and representatives who participate in the security of Covered Devices; and (3) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within 7 days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Defendant delivered a copy of this Order, that Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendant must file a compliance report on January 31, 2020 and timely notices for any changes in structure or bankruptcy filings, submitted sworn under penalty of perjury.",
      "verbatim_text": "A. On January 31, 2020, Defendant must submit a compliance report, sworn under penalty of perjury, which must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Defendant; (2) identifies all of that Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describes the activities of each business, including the security and marketing practices; (4) describes in detail whether and how Defendant is in compliance with each Section of this Order (either directly or, at Defendant’s election, Defendant may, for the purpose of satisfying this requirement as to Sections I and II, incorporate a Section II initial Assessment); and (5) provides a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For ten (10) years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of Defendant or any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the Defendant or any subsidiary, parent, or affiliate that Defendant has any ownership interest in or controls directly or indirectly that engages in any acts or practices subject to this Order.\n\nC. Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Defendant within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. D-Link Systems, Inc., X170030.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendant must create and retain specified records for ten years after entry of the Order (each retained for 5 years), including accounting records, personnel records, consumer complaints, compliance documents, and marketing materials.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant must create certain records for ten (10) years after entry of the Order, and retain each such record for 5 years. Specifically, Defendant must create and retain the following records: A. accounting records showing the revenues from all goods or services sold; B. Defendant’s personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination; C. records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, concerning the subject matter of the Order; D. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and E. a copy of each unique advertisement or other marketing material by Defendant making a representation subject to this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC has the right to monitor Defendant's compliance through document requests, depositions, discovery, and interviews, with Defendant required to respond within 14 days of written requests.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission, Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69. Provided, however, that Defendant, after attempting to resolve a dispute without court action and for good cause shown, may file a motion with this Court seeking an order for one or more of the protections set forth in Rule 26(c).\n\nB. For matters concerning this Order, the Commission is authorized to communicate directly with Defendant, Defendant must permit representatives of the Commission to interview any employee or other person affiliated with Defendant who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Commission may use all other lawful means, including posing, through its representatives, as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1, nor does it limit Defendant’s ability to assert any and all objections, defenses, rights, or privileges available to it, as to any such process.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "X",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for the purposes of construction, modification, and enforcement of this Order.",
      "verbatim_text": "X. RETENTION OF JURISDICTION [...] purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.19_d-link",
      "company_name": "D-Link Systems, Inc.",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link",
      "docket_number": "3:17-CV-00039-JD"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security of Personal Information",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner the extent to which it maintains and protects the privacy, security, confidentiality, or integrity of Personal Information, including encryption and security techniques.",
      "verbatim_text": "IT IS ORDERED that Respondent, Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent maintains and protects the privacy, security, confidentiality, or integrity of Personal Page 2 of 9 Information, including the extent to which Respondent utilizes (1) encryption techniques; and (2) security techniques.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "II",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive information security program for any business it controls that collects or stores Personal Information, meeting at least eight specific minimum requirements.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, for any business that Respondent controls directly or indirectly, shall not transfer, sell, share, collect, maintain, or store Personal Information unless it establishes and implements, and thereafter maintains, a comprehensive information security program (“Information Security Program”) that is designed to protect the security, confidentiality, and integrity of such Personal Information. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;\n\nC. Assess and document, at least once every twelve months and promptly following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information;\n\nD. Design, implement, and document safeguards that address the internal and external risks Respondent identifies to the security, confidentiality, or integrity of Personal Information identified in response to sub-Provision II.C. Each safeguard shall take into account the sensitivity of Personal Information at issue;\n\nE. Assess, at least once every twelve months and promptly following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information. Each such assessment must evaluate safeguards in each area of relevant operation, including: (1) employee training and management; (2) information systems, such as network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nF. 
Test and monitor the effectiveness of the safeguards at least once every twelve months and promptly following a Covered Incident, and modify the Information Security Program based on the results;\n\nG. Select and retain service providers capable of safeguarding Personal Information they receive from Respondent, and contractually require service providers to implement and maintain safeguards for Personal Information; and\n\nH. Evaluate and adjust the Information Security Program in light of any changes to Respondent’s operations or business arrangements, a Covered Incident, or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the Information Security Program. At a minimum, Respondent must evaluate the Information Security Program at least once every twelve months.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "III",
      "title": "Data Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party data security assessments from a qualified, independent assessor (CISSP, CISA, or GIAC-certified), covering compliance with the Information Security Program, for twenty years.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who uses procedures and standards generally accepted in the profession. The Assessor preparing such Assessments must be: an individual qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); an individual holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nB. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.\n\nC. Each Assessment must: (1) determine whether Respondent has implemented and maintained Provision II of this Order titled Mandated Information Security Program; (2) assess the effectiveness of Respondent’s implementation and maintenance of sub- Provisions II.A-H; and (3) identify any gaps or weaknesses in the Information Security Program.\n\nD. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re James V. 
Grago, Jr., d/b/a ClixSense.com, FTC File No.1723003.” All subsequent biennial Assessments shall be retained by Respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "IV",
      "title": "Prohibition Against Misrepresentations to the Assessor",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent any material fact to the third-party assessor conducting the data security assessments required under Provision III.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, whether acting directly or indirectly, in connection with any Assessment required by Provision III of this Order titled Data Security Assessments by a Third Party, must not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondent has implemented and maintained Provision II of this Order titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions II.A- H; or (3) identification of any gaps or weaknesses in the Information Security Program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "V",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondent must provide the Commission with an annual certification from a senior corporate manager or officer confirming compliance with the Order, disclosing any material noncompliance, and describing any Covered Incidents.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Information Security Program that: (1) Respondent has established, implemented, and maintained the requirements of this Order; (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of any Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re James V. Grago, Jr., d/b/a ClixSense.com, FTC File No.1723003.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "VI",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order, deliver copies to principals, officers, employees, and agents with relevant responsibilities, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives with responsibilities related to Page 5 of 9 the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in Provision VII of this Order titled Compliance Reports and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an annual compliance report and timely notices of changes to contact information, business structure, name, role, or bankruptcy filings, all sworn under penalty of perjury.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\n2. Additionally, Respondent must: (a) identify all his telephone numbers and all his physical, postal, email and Internet addresses, including all residences; (b) identify all his business activities, including any business for which Respondent performs services whether as an employee or otherwise and any entity in which Respondent, individually, has any ownership interest; and (c) describe in detail Respondent’s involvement in each such business activity, including title, role, responsibilities, participation, authority, control, and any ownership.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: 1. 
Respondent must submit notice of any change in: (a) any designated point of contact; or (b) the structure of any entity that Respondent has any ownership interest in or Page 6 of 9 controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\n2. Additionally, Respondent must submit notice of any change in: (a) name, including alias or fictitious name, or residence address; or (b) title or role in any business activity, including (i) any business for which Respondent performs services whether as an employee or otherwise and (ii) any entity in which Respondent has any ownership interest and over which Respondent has direct or indirect control. For each such business activity, also identify its name, physical address, and any Internet address.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re James V. 
Grago, Jr., d/b/a ClixSense.com, FTC File No.1723003.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "VIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified records for twenty years after the Order's issuance, retaining each record for five years, covering revenues, personnel, consumer complaints, privacy representations, and compliance documentation.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records:\n\nA. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, confidentiality, security, or integrity of any Personal Information, including any representation concerning a change in any website or other service controlled by Respondent that relates to the privacy, confidentiality, security, or integrity of Personal Information, including the extent to which Respondent utilizes (1) encryption techniques; and (2) security techniques; and\n\nE. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, conducting interviews, and using any other lawful means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "X",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is final upon publication on the FTC website and terminates twenty years from issuance, or twenty years from the most recent date a complaint is filed in federal court alleging a violation, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; Page 8 of 9 B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com",
      "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com",
      "date_issued": "2019-07-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter",
      "docket_number": "C-4678"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in, is certified by, or complies with any government or self-regulatory privacy or security program, including the CARU COPPA safe harbor.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the Children’s Advertising Review Unit (CARU) Children’s Online Privacy Protection Act of 1998 (COPPA) safe harbor.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.20_miniclip",
      "company_name": "Miniclip S.A.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3129-miniclip-matter",
      "docket_number": "C-4722"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order itself, deliver copies to relevant personnel and business successors, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives having managerial responsibilities for conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Page 2 of 5 Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.20_miniclip",
      "company_name": "Miniclip S.A.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3129-miniclip-matter",
      "docket_number": "C-4722"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days, and thereafter submit timely sworn notices upon changes in contact information, corporate structure, or bankruptcy filings, following specified submission procedures.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Miniclip S.A., FTC File No. 1923129.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.20_miniclip",
      "company_name": "Miniclip S.A.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3129-miniclip-matter",
      "docket_number": "C-4722"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 10 years after the Order's issuance date and retain each such record for 5 years, covering financial records, personnel records, compliance records, and representations about privacy program participation.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent regarding Respondent’s participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "07.20_miniclip",
      "company_name": "Miniclip S.A.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3129-miniclip-matter",
      "docket_number": "C-4722"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, communicating directly with and interviewing Respondent's personnel, and using all other lawful investigative means including undercover contact.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.20_miniclip",
      "company_name": "Miniclip S.A.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3129-miniclip-matter",
      "docket_number": "C-4722"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates on June 29, 2040, or 20 years from the most recent federal court complaint alleging a violation of the Order, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on June 29, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.20_miniclip",
      "company_name": "Miniclip S.A.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3129-miniclip-matter",
      "docket_number": "C-4722"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or certification under any government or self-regulatory privacy or security program, including the EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, and APEC Cross-Border Privacy Rules.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework, the Swiss-U.S. Privacy Shield framework, and the APEC Cross-Border Privacy Rules.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.20_ortho-clinical_diagnostics",
      "company_name": "Ortho-Clinical Diagnostics, Inc.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3050-ortho-clinical-diagnostics-inc-matter",
      "docket_number": "C-4723"
    },
    {
      "provision_number": "II",
      "title": "Requirement to Meet Continuing Obligations Under Privacy Shield",
      "category": "affirmative_obligation",
      "summary": "Respondent must either affirm to the Department of Commerce that it will continue applying Privacy Shield principles (or protect the information by another authorized means) or return/delete the personal information it received while participating in Privacy Shield, within ten days of the order's effective date.",
      "verbatim_text": "A. affirm to the Department of Commerce, within ten (10) days after the effective date of this Order and on an annual basis thereafter for as long as it retains such information, that it will 1. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or 2. protect the information by another means authorized under EU (for the EU-U.S. Privacy Shield framework) or Swiss (for the Swiss-U.S. Privacy Shield framework) law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission; or\n\nB. return or delete the information within ten (10) days after the effective date of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.20_ortho-clinical_diagnostics",
      "company_name": "Ortho-Clinical Diagnostics, Inc.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3050-ortho-clinical-diagnostics-inc-matter",
      "docket_number": "C-4723"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit an acknowledgment of receipt to the Commission within 10 days, deliver a copy of the Order to relevant personnel for 5 years, and obtain signed acknowledgments from each recipient within 60 days of delivery.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within sixty (60) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.20_ortho-clinical_diagnostics",
      "company_name": "Ortho-Clinical Diagnostics, Inc.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3050-ortho-clinical-diagnostics-inc-matter",
      "docket_number": "C-4723"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report 90 days after issuance, provide sworn compliance notices within 14 days of certain changes, and submit bankruptcy notices within 14 days of filing; all submissions must follow specified formatting and delivery requirements.",
      "verbatim_text": "A. Ninety (90) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Ortho-Clinical Diagnostics, Inc., FTC File No. 1923050, Docket No. C-4723.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.20_ortho-clinical_diagnostics",
      "company_name": "Ortho-Clinical Diagnostics, Inc.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3050-ortho-clinical-diagnostics-inc-matter",
      "docket_number": "C-4723"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create certain records for 10 years after the issuance date and retain each for 5 years, including accounting records, personnel records, all compliance records, and copies of representations subject to this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for ten (10) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "07.20_ortho-clinical_diagnostics",
      "company_name": "Ortho-Clinical Diagnostics, Inc.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3050-ortho-clinical-diagnostics-inc-matter",
      "docket_number": "C-4723"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, interviewing affiliated individuals, and using all other lawful investigative means including undercover activities.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.20_ortho-clinical_diagnostics",
      "company_name": "Ortho-Clinical Diagnostics, Inc.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3050-ortho-clinical-diagnostics-inc-matter",
      "docket_number": "C-4723"
    },
    {
      "provision_number": "VII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates on July 8, 2040, or twenty years from the most recent date a complaint alleging a violation is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on July 8, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.20_ortho-clinical_diagnostics",
      "company_name": "Ortho-Clinical Diagnostics, Inc.",
      "date_issued": "2020-07-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3050-ortho-clinical-diagnostics-inc-matter",
      "docket_number": "C-4723"
    },
    {
      "provision_number": "I",
      "title": "Prohibited Representations: Weight-Loss and Efficacy Claims",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from making any unsubstantiated weight-loss or efficacy claims about Covered Products unless supported by competent and reliable scientific evidence consisting of qualifying human clinical testing.",
      "verbatim_text": "IT IS ORDERED that Defendants, Defendants’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any Covered Product, are hereby PERMANENTLY RESTRAINED AND ENJOINED from making, or assisting others in making, expressly or by implication, including through the use of a good or service name, Endorsement, depiction, or illustration, any representation that, in humans: A. Such Covered Product causes, or assists in causing, weight loss;\n\nB. Such Covered Product causes, or assists in causing, weight loss in a specific amount or time, including as much as 21 pounds in a month or as much as 100 pounds in ten months;\n\nC. Such Covered Product causes, or assists in causing, any reduction in caloric or Food intake, or any appetite suppression, including reduction of Food intake by as much as fifty percent;\n\nD. Use of such Covered Product causes, or assists in causing, weight loss in a specific percentage of users, including that as much as ninety percent of users of a Covered Product will lose substantial amounts of weight;\n\nE. Such Covered Product causes or assists in causing, weight-loss benefits that are comparable or superior to bariatric surgery, or to any weight-loss treatment or method;\n\nF. Consumption of a Covered Product causes, or assists in causing, reduction of a user’s stomach capacity by a specific percentage or amount, within a specific time, or for a specific duration, or that fluid intake will maintain or assist in maintaining any reduction of a user’s stomach capacity related to use of a Covered Product;\n\nG. Such Covered Product materially contributes to any system, program, plan, or regimen that produces the results referenced in Subsections A-F of this Section;\n\nH. Consumers who use the Covered Product can generally expect to achieve the weight loss results represented by an Endorser of such Covered Product;\n\nI. Such Covered Product is safe and effective for weight loss in children; or\n\nJ. Such Covered Product cures, mitigates, or treats any disease;\n\nunless the representation is non-misleading and, at the time of making such representation, they possess and rely upon competent and reliable scientific evidence substantiating that the representation is true. For purposes of this Section, competent and reliable scientific evidence shall consist of human clinical testing of the Covered Product, or of an Essentially Equivalent Product, that is sufficient in quality and quantity based on standards generally accepted by experts in the relevant disease, condition, or function to which the representation relates, when considered in light of the entire body of relevant and reliable scientific evidence, to substantiate that the representation is true. Such testing must be: (1) randomized, double-blind, and placebo-controlled; and (2) conducted by researchers qualified by training and experience to conduct such testing. In addition, all underlying or supporting data and documents generally accepted by experts in the field as relevant to an assessment of such testing as described in the Section of this Order entitled “Preservation of Records Relating to Competent and Reliable Human Clinical Tests or Studies” must be available for inspection and production to the FTC. Persons covered by this Section shall have the burden of proving that a product satisfies the definition of Essentially Equivalent Product.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "II",
      "title": "Prohibited Representations: Other Health-Related Claims",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from making any unsubstantiated representations about the health benefits, performance, or efficacy of any Covered Product beyond the weight-loss claims covered in Section I.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants, Defendants’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any Covered Product, are hereby PERMANENTLY RESTRAINED AND ENJOINED from making, or assisting others in making, expressly or by implication, including through the use of a good or service name, Endorsement, depiction, or illustration, any representation, other than representations covered under Section I of this Order, about the health benefits, performance, or efficacy of any Covered Product, unless the representation is non-misleading, and, at the time of making such representation, they possess and rely upon competent and reliable scientific evidence that is sufficient in quality and quantity based on standards generally accepted by experts in the relevant disease, condition, or function to which the representation relates when considered in light of the entire body of relevant and reliable scientific evidence, to substantiate that the representation is true. For purposes of this Section, competent and reliable scientific evidence means tests, analyses, research, or studies (1) that have been conducted and evaluated in an objective manner by experts in the relevant disease, condition, or function to which the representation relates; (2) that are generally accepted by qualified experts to yield accurate and reliable results; and (3) that are randomized, double-blind, and placebo-controlled human clinical testing of the Covered Product, or of an Essentially Equivalent Product, when such experts would generally require such human clinical testing to substantiate that the representation is true. In addition, when such tests or studies are human clinical tests or studies, all underlying or supporting data and documents generally accepted by experts in the field as relevant to an assessment of such testing as set forth in the Section of this Order entitled “Preservation of Records Relating to Competent and Reliable Human Clinical Tests or Studies” must be available for inspection and production to the FTC. Persons covered by this Section shall have the burden of proving that a product satisfies the definition of Essentially Equivalent Product.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "III",
      "title": "Prohibited Representations: Tests, Studies, or Other Research",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from misrepresenting that any good or service's performance is scientifically proven, or misrepresenting the existence, contents, validity, results, or conclusions of any test, study, or research.",
      "verbatim_text": "A. That the performance or benefits of such good or service are scientifically or clinically proven or otherwise established, including that the efficacy of any Covered Product for achieving weight loss is scientifically proven or that any Covered Product is scientifically proven to have a ninety-percent success rate in forcing users to eat half their usual Food intake and cause substantial weight loss; or\n\nB. The existence, contents, validity, results, conclusions, or interpretations of any test, study, or other research.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "IV",
      "title": "FDA Approved Claims",
      "category": "affirmative_obligation",
      "summary": "Nothing in this Order prohibits Defendants from making representations that are specifically approved or authorized in FDA labeling for Drugs or other products under applicable federal regulations.",
      "verbatim_text": "IT IS FURTHER ORDERED that nothing in this Order shall prohibit Defendants from: A. For any Drug, making a representation that is approved in labeling for such Drug under any tentative or final monograph promulgated by the Food and Drug Administration, or under any new Drug application approved by the 14 Case 8:15-cv-02231-MSS-CPT Document 253 Filed 01/04/19 Page 15 of 30 PageID 11231 Food and Drug Administration; and\n\nB. For any product, making a representation that is specifically authorized for use in labeling for such product by regulations promulgated by the Food and Drug Administration pursuant to the Nutrition Labeling and Education Act of 1990 or permitted under Sections 303-304 of the Food and Drug Administration Modernization Act of 1997.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "V",
      "title": "Prohibitions on Review-Limiting Contract Provisions and Threats About Customer Communications",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from using non-disparagement contract terms, threatening customers about negative reviews, representing customers owe higher prices for speaking out, and retaliating against anyone who cooperates with law enforcement.",
      "verbatim_text": "A. Offering to any prospective customer a contract, or offering to any customer a renewal contract, that includes a Review-Limiting Contract Term;\n\nB. Requiring that a customer accept a Review-Limiting Contract Term as a condition of a Defendant’s fulfillment of its obligations under a customer contract;\n\nC. Representing, including through any notice, warning, threat to enforce, or attempt to enforce, to any purchaser of any good or service — regardless of when purchased — that any contract: 1. Prohibits purchasers from speaking or publishing truthful or 15 Case 8:15-cv-02231-MSS-CPT Document 253 Filed 01/04/19 Page 16 of 30 PageID 11232 non- defamatory negative comments or reviews about any Defendant, or the Defendant’s goods, services, agents, or employees; or\n\n2. Imposes any precondition on purchasers speaking or publishing any comments or reviews about any Defendant, or the Defendant’s goods, services, agents, or employees;\n\nD. Representing that any purchaser of any Covered Product could be liable for defamation or other legal liability for speaking or publishing any statement that the Covered Product was ineffective, including that it did not cause or assist in causing them to lose or maintain weight, to reduce their caloric or Food intake, to reduce their stomach capacity, or to reduce their appetite;\n\nE. Representing that any purchaser of any good or service owes or has agreed to pay the difference between any purported “discount price,” “subsidized price,” or other price the purchaser was actually charged at the time of purchase of a good or service, and any higher or “full price” for a good or service, if the purchaser speaks or publishes negative comments or reviews about any Defendant, or the Defendant’s goods, services, agents, or employees; or\n\nF. 
Retaliating, or threatening to take or taking any adverse action, against any Person who communicates or cooperates with, provides statements, documents, or information to, or testifies on behalf of, the FTC or other party in connection with any law enforcement investigation or litigation, or who has done so during or prior to this litigation, including by enforcing or threatening to 16 Case 8:15-cv-02231-MSS-CPT Document 253 Filed 01/04/19 Page 17 of 30 PageID 11233 enforce any contractual provision representing that it limits or prohibits the Person from speaking or publishing negative or disparaging comments or reviews about any Defendant, the Defendant’s goods, services, agents, or employee.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "VI",
      "title": "Deceptive Format in Advertising",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from misrepresenting that any website (including Gastricbypass.me) or other publication is an independent, objective resource for research or scientific information related to any good or service.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants, Defendants’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any good or service, including any Covered Product, are hereby PERMANENTLY RESTRAINED AND ENJOINED from misrepresenting that any website (including Gastricbypass.me) or other publication is an independent, objective resource for research or other scientific information, or other information relating to such good or service.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "VII",
      "title": "Prohibitions Concerning Endorsements",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from misrepresenting endorser opinions or expertise, misrepresenting that endorsers are health professionals, and failing to clearly and conspicuously disclose material connections between endorsers and Defendants.",
      "verbatim_text": "A. Misrepresenting, in any manner, expressly or by implication, that an 17 Case 8:15-cv-02231-MSS-CPT Document 253 Filed 01/04/19 Page 18 of 30 PageID 11234 Endorsement of any such good or service represents the opinions, findings, beliefs, or experience of the Endorser;\n\nB. Misrepresenting, in any manner, expressly or by implication, that any Person is an expert with respect to the Endorsement message provided by that person, or that an Endorser of any such good or service is a health professional; and\n\nC. Failing to disclose, Clearly and Conspicuously, and in Close Proximity to the representation, a Material Connection, when one exists, between the Endorser and any Defendant.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "VIII",
      "title": "Prohibited Representations: Information Privacy",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from misrepresenting the extent to which they maintain the confidentiality of consumer information.",
      "verbatim_text": "IS FURTHER ORDERED that Defendants, Defendants’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the manufacturing, labeling, advertising, promotion, offering for sale, sale, or distribution of any good or service, including any Covered Product, are hereby PERMANENTLY RESTRAINED AND ENJOINED from misrepresenting the extent to which they maintain the confidentiality of consumer information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "IX",
      "title": "Monetary Judgment",
      "category": "affirmative_obligation",
      "summary": "A judgment of $25,246,000 is entered jointly and severally against the Corporate Defendants and Individual Defendant Don Juravin for equitable monetary relief, with specific asset transfer requirements and directions for use of collected funds.",
      "verbatim_text": "A. Judgment in the amount of twenty-five million, two-hundred forty- six thousand dollars ($25,246,000) is entered in favor of the FTC against Corporate Defendants and Individual Defendant Don Juravin, jointly and 18 Case 8:15-cv-02231-MSS-CPT Document 253 Filed 01/04/19 Page 19 of 30 PageID 11235 severally, as equitable monetary relief, including consumer redress and disgorgement of ill-gotten gains.\n\n1. Asset Transfer Defendants and iPayment, Inc., and its successors and assigns, are ordered to transfer all funds held in the name of Roca Labs Nutraceutical USA, Inc., or any other Asset Transfer Defendant, to the Commission. Such payment must be made within 15 days of entry of this Order by electronic fund transfer in accordance with instructions previously provided by a representative of the Commission.\n\n2. Asset Transfer Defendants, Jugaad Co. and its successors and assigns, and Wells Fargo Bank, N.A. and its successors and assigns, are ordered to transfer all funds held in the name of Jugaad Co. in account number ending in 2137 to the Commission. Such payment must be made within 15 days of entry of this Order by electronic fund transfer in accordance with instructions previously provided by a representative of the Commission.\n\nC. Asset Transfer Defendants relinquish dominion and all legal and equitable right, title, and interest in all Assets transferred pursuant to this Order and may not seek the return of any Assets.\n\nD. Asset Transfer Defendants’ Taxpayer Identification Numbers (Social Security Numbers or Employer Identification Numbers), which they previously submitted to the FTC, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.\n\nE. 
All money paid to the FTC pursuant to this Order may be deposited into a fund administered by the FTC or its designee to be used for equitable relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the FTC decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the FTC may apply any remaining money for such other equitable relief (including consumer information remedies) as it determines to be reasonably related to Defendants’ practices alleged in the Complaint. Any money not used for such equitable relief is to be deposited to the U.S. Treasury as disgorgement. Defendants have no right to challenge any actions the FTC or its representatives may take pursuant to this Subsection.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "X",
      "title": "Lifting of Asset Freeze",
      "category": "affirmative_obligation",
      "summary": "The Court's asset freeze is modified to permit the payments and transfers required by the Monetary Judgment section, and is fully dissolved upon completion of all such payments and transfers.",
      "verbatim_text": "IT IS FURTHER ORDERED that the asset freeze entered by this Court on September 13, 2016, (Dkt. 90), and extended on November 9, 2018, (Dkt. 245), is modified to permit the payments and transfers identified in the Monetary Judgment section of this Order, and upon completion of all such payments and transfers, the asset freeze is dissolved.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "XI",
      "title": "Customer Information",
      "category": "affirmative_obligation",
      "summary": "Defendants must provide sufficient customer information to the FTC to facilitate consumer redress within 14 days of any written request, and are prohibited from disclosing, using, or benefitting from customer information obtained prior to entry of this Order.",
      "verbatim_text": "A. Failing to provide sufficient customer information to enable the FTC to efficiently administer consumer redress. If a representative of the FTC requests in writing any information related to redress, Defendants must provide it, in the form prescribed by the FTC, within 14 days; and\n\nB. Disclosing, using, or benefitting from customer information, including the name, address, telephone number, email address, Social Security number, other identifying information, or any data that enables access to a customer’s account (including a credit card, bank account, or other financial account), that any Defendant obtained prior to entry of this Order in connection with the manufacturing, labeling, advertising, marketing, promotion, offering for sale, sale, or distribution of any Covered Product; Provided, however, that customer information may be disclosed to the extent requested by a government agency or required by law, regulation, or court order, or to the extent that such disclosure is reasonably necessary to protect the health or safety of any Person or address any billing or shipping inquiry, and that Defendants may use customer information to respond to customer-initiated support inquiries, but not to advertise or sell any good or service to, or solicit any Endorsement from, such customers.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "XII",
      "title": "Preservation of Records Relating to Competent and Reliable Human Clinical Tests or Studies",
      "category": "recordkeeping",
      "summary": "Defendants must secure and preserve all underlying data and documents associated with any human clinical test or study upon which they rely to substantiate any claim covered by this Order, and must establish written procedures to protect participant information confidentiality.",
      "verbatim_text": "IT IS FURTHER ORDERED that, with regard to any human clinical test or study (“test”) upon which Defendants rely to substantiate any claim covered by this Order, Defendants shall secure and preserve all underlying or supporting data and documents generally accepted by experts in the field as relevant to an assessment of the test, including: A. All protocols and protocol amendments, reports, articles, write-ups, or other accounts of the results of the test, and drafts of such documents reviewed by the test sponsor or any other Person not employed by the research entity;\n\nB. All documents referring or relating to recruitment; randomization; instructions, including oral instructions, to participants; and participant compliance;\n\nC. Documents sufficient to identify all test participants, including any participants who did not complete the test, and all communications with any participants relating to the test; all raw data collected from participants enrolled in the test, including any participants who did not complete the test; source documents for such data; any data dictionaries; and any case report forms;\n\nD. All documents referring or relating to any statistical analysis of any test data, including any pretest analysis, intent-to-treat analysis, or between-group analysis performed on any test data; and\n\nE. All documents referring or relating to the sponsorship of the test, including all communications and contracts between any sponsor and the test’s 22 Case 8:15-cv-02231-MSS-CPT Document 253 Filed 01/04/19 Page 23 of 30 PageID 11239 researchers.\n\nFor any test conducted, controlled, or sponsored, in whole or in part, by Defendants, Defendants must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of any personal information collected from or about participants. 
These procedures must be documented in writing and must contain administrative, technical, and physical safeguards appropriate to Corporate Defendants’ size and complexity, the nature and scope of Defendants’ activities, and the sensitivity of the personal information collected from or about the participants.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "XIII",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Defendants must submit sworn acknowledgments of receipt of this Order to the FTC within 7 days, deliver copies of the Order to all relevant personnel and business entities for 20 years, and obtain signed acknowledgments within 30 days from each recipient.",
      "verbatim_text": "A. Each Defendant, within 7 days of entry of this Order, must submit to the FTC an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after entry of this Order, each Individual Defendant, for any business that such Defendant, individually or collectively with any other Defendants, is the majority owner or controls directly or indirectly, and each Corporate Defendant, must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all current employees, agents, and representatives who have participated in conduct specified in Sections I through VIII; (3) all employees, agents, and representatives who participate in conduct related to the subject matter specified in Sections I through VIII, X, and XI; and (4) any business entity resulting from any change in structure as set forth in the Section entitled Compliance Reporting. Delivery must occur within 7 days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Defendant delivered a copy of this Order, that Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "XIV",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendants must submit sworn compliance reports to the FTC one year after entry of the Order, and for 20 years must submit sworn notices within 14 days of any change in contact information, business structure, or bankruptcy filings.",
      "verbatim_text": "A. One year after entry of this Order, each Defendant must submit a compliance report, sworn under penalty of perjury: 1. Each Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the FTC may use to communicate with Defendant; (b) identify all of that Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods or services offered, the means of advertising, marketing, and sales, and the involvement of any other Defendant (which Defendants must describe if they know or should know due to their own involvement); (d) describe in detail whether and how that Defendant is in compliance with each Section of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the FTC.\n\n2. Additionally, each Individual Defendant must: (a) identify all telephone numbers and all physical, postal, email, and Internet addresses, including all residences; (b) identify all business activities, including any business for which such Defendant performs services whether as an employee or otherwise and any entity in which such 25 Case 8:15-cv-02231-MSS-CPT Document 253 Filed 01/04/19 Page 26 of 30 PageID 11242 Defendant has any ownership interest; and (c) describe in detail such Defendant’s involvement in each such business, including title, role, responsibilities, participation, authority, control, and any ownership.\n\nB. For 20 years after entry of this Order, each Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 calendar days of any change in the following: 1. 
Each Defendant must report any change in: (a) any designated point of contact; or (b) the structure of Corporate Defendants, and any entity that either Individual Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\n2. Additionally, each Individual Defendant must report any change in: (a) name, including aliases or fictitious name, or residence address; or (b) title or role in any business activity, including any business for which such Defendant performs services whether as an employee or otherwise and any entity in which such Defendant has any ownership interest, and identify the name, physical address, and any Internet address of the business or entity.\n\nC. Each Defendant must submit to the FTC notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Defendant within 14 calendar days of its filing.\n\nD. Any submission to the FTC required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a FTC representative in writing, all submissions to the FTC pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. Roca Labs, Inc., Matter No. X150061.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "XV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendants must create specified records for 20 years after entry of the Order and retain each such record for 5 years, covering accounting, personnel, compliance, consumer complaints, consumer communications, endorsements, and advertising materials.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants must create certain records for 20 years after entry of the Order, and retain each such record for 5 years. Specifically, Corporate Defendants and Individual Defendants, for any business in which such Individual Defendant, either, individually or collectively with any other Defendants, is a majority owner or controls directly or indirectly, must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each Person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for 27 Case 8:15-cv-02231-MSS-CPT Document 253 Filed 01/04/19 Page 28 of 30 PageID 11244 termination;\n\nC. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the FTC;\n\nD. Records of all consumer complaints and refund requests concerning the subject matter of this Order, whether received directly or indirectly, such as through a third party, and any response;\n\nE. Records of all communications with consumers concerning the subject matter of this Order regarding any allegedly defamatory or legally actionable statement, or any alleged breach of contract;\n\nF. Records of all communications with consumers, or with persons making any Endorsement, regarding any Endorsement concerning the subject matter of this Order;\n\nG. Records of all support communications with customers who purchased a Covered Product prior to entry of this Order; and\n\nH. 
A copy of each unique advertisement or other marketing material disseminated by or on behalf of the Defendants concerning the subject matter of this Order, including any web pages, websites, videos, search ads, display banners, mobile web banners, mobile web posters, and any interstitial, email, social media site or application, short message service (SMS), and multimedia messaging service (MMS) advertisements.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "XVI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor Defendants' compliance through written requests for reports, depositions, document production, direct communication with Defendants and their employees, and undercover investigation, with Defendants required to respond within 14 days of written requests.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the FTC, each Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The FTC is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69, except that the FTC shall not enter upon the property of any Defendant pursuant to Fed. R. Civ. P. 34(a)(2) without a specific subsequent order of the Court or stipulation, and the FTC shall have no authority under this Order under Fed. R. Civ. P. 69 without following the judicial procedures prescribed by applicable law.\n\nB. For matters concerning this Order, the FTC is authorized to communicate directly with each Defendant. Defendants must permit representatives of the FTC to interview any employee or other Person affiliated with any Defendant who has agreed to such an interview. The Person interviewed may have counsel present.\n\nC. The FTC may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Defendants, or any individual or entity affiliated with Defendants, without the necessity of identification or prior notice. Nothing in this Order limits the FTC’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.\n\nD. Upon written request from a representative of the FTC, any consumer reporting agency must furnish consumer reports concerning Defendants, pursuant to Section 604(1) of the Fair Credit Reporting Act, 15 U.S.C. § 1681b(a)(1).",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "XVII",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of this Order.",
      "verbatim_text": "IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "07.25_roca_labs",
      "company_name": "Roca Labs, Inc.",
      "date_issued": "2025-07-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc",
      "docket_number": "8:15-cv-02231-MSS-TBM"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner the extent to which they maintain and protect the security, confidentiality, or integrity of personal information collected from or about consumers in connection with online advertising, marketing, or sales.",
      "verbatim_text": "IT IS ORDERED that Respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the online advertising, marketing, promotion, offering for sale, or sale of 2 any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which Respondents maintain and protect the security, confidentiality, or integrity of any personal information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.03_guess_and_guess.com",
      "company_name": "GUESS?, INC.",
      "date_issued": "2003-08-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter",
      "docket_number": "C-4091"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to their size, complexity, and the sensitivity of personal information collected.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the online advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall establish and maintain a comprehensive information security program in writing that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program shall contain administrative, technical, and physical safeguards appropriate to Respondents’ size and complexity, the nature and scope of Respondents’ activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. 
the evaluation and adjustment of Respondents’ information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to Respondents’ operations or business arrangements, or any other circumstances that Respondents know or have reason to know may have a material impact on the effectiveness of their information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "08.03_guess_and_guess.com",
      "company_name": "GUESS?, INC.",
      "date_issued": "2003-08-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter",
      "docket_number": "C-4091"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondents must obtain biannual assessments from a qualified, independent third-party professional certifying that their security program is operating with sufficient effectiveness to protect personal information.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents obtain an assessment and report from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, within one (1) year after service of the order, and biannually thereafter, that: A. sets forth the specific administrative, technical, and physical safeguards that Respondents have implemented and maintained during the reporting period; B. explains how such safeguards are appropriate to Respondents’ size and complexity, the nature and scope of Respondents’ activities, and the sensitivity of the personal information collected from or about consumers; C. explains how the safeguards that have been implemented meet or exceed the protections required by Paragraph II of this order; and D. certifies that Respondents’ security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and, for biannual reports, has so operated throughout the reporting period.\n\nEach assessment and report required by this Paragraph shall be prepared by a person qualified as a Certified Information System Security Professional (CISSP) or holding Global Information Assurance Certification from the SysAdmin, Audit, Network, Security Institute; or by a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal\n\nTrade Commission. Respondents shall provide the first assessment and report to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after it is prepared. All subsequent biannual reports shall be retained in accordance\n\nwithin ten (10) days after it is prepared. All subsequent biannual reports shall be retained in accordance with Paragraph IV. B. 
of this order and provided to the Associate Director of Enforcement upon request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "08.03_guess_and_guess.com",
      "company_name": "GUESS?, INC.",
      "date_issued": "2003-08-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter",
      "docket_number": "C-4091"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must maintain and make available to the FTC for inspection copies of compliance-related documents, including advertisements and security assessments, for specified retention periods.",
      "verbatim_text": "A. for a period of five (5) years: 1. a sample copy of each different print, broadcast, cable, or Internet advertisement, promotion, information collection form, Web page, screen, email message, or 4 other document containing any representation regarding Respondents’ online collection, use, and security of personal information from or about consumers. Each Web page copy shall be dated and contain the full URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting the information on the Web. Provided, however, that after creation of any Web page or screen in compliance with this order, Respondents shall not be required to retain a print or electronic copy of any amended Web page or screen to the extent that the amendment does not affect Respondents’ compliance obligations under this order, and 2. any documents, whether prepared by or on behalf of Respondents, that contradict, qualify, or call into question Respondents’ compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each previous assessment and report required under Paragraph III of this order, and for the initial assessment and report, from the date the order is entered until two years following preparation of the assessment and report: all reports, studies, reviews, audits, audit trails, security assessments, risk assessments, policies, training materials, logs (from devices that detect or prevent attacks such as firewalls and intrusion detection systems), and plans (including the assessments and reports required under Paragraph III), whether prepared by or on behalf of Respondents, relating to Respondents’ compliance with Paragraphs II and III of this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.03_guess_and_guess.com",
      "company_name": "GUESS?, INC.",
      "date_issued": "2003-08-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter",
      "docket_number": "C-4091"
    },
    {
      "provision_number": "V",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondents must deliver a copy of the order to all current and future principals, officers, directors, managers, and employees with managerial responsibilities relating to the subject matter of the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of this order. Respondents shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.\n\nshall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.03_guess_and_guess.com",
      "company_name": "GUESS?, INC.",
      "date_issued": "2003-08-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter",
      "docket_number": "C-4091"
    },
    {
      "provision_number": "VI",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondents must notify the FTC at least thirty days prior to any corporate change that may affect compliance obligations under the order, including dissolution, sale, merger, bankruptcy, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents shall notify the Commission at least thirty (30) days prior to any change in either corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in either corporation about which either Respondent learns less than thirty (30) days prior to the 5 date such action is to take place, Respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nchange in either corporate name or address. Provided, however, that, with respect to any proposed change in either corporation about which either Respondent learns less than thirty (30) days prior to the 5 date such action is to take place, Respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.03_guess_and_guess.com",
      "company_name": "GUESS?, INC.",
      "date_issued": "2003-08-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter",
      "docket_number": "C-4091"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must file an initial written compliance report with the FTC within 120 days after service of the order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents shall, within one hundred and twenty (120) days after service of this order, and at such other times as the Commission may require, file with the Commission an initial report, in writing, setting forth in detail the manner and form in which they have complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.03_guess_and_guess.com",
      "company_name": "GUESS?, INC.",
      "date_issued": "2003-08-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter",
      "docket_number": "C-4091"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "The order terminates on July 30, 2023, or twenty years from the most recent date the FTC files a complaint alleging a violation of the order in federal court, whichever is later.",
      "verbatim_text": "This order will terminate on July 30, 2023, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Paragraph in this order that terminates in less than twenty (20) years; B. this order’s application to any Respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Paragraph. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondents did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Paragraph as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.03_guess_and_guess.com",
      "company_name": "GUESS?, INC.",
      "date_issued": "2003-08-15",
      "year": 2003,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter",
      "docket_number": "C-4091"
    },
    {
      "provision_number": "I",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Each respondent must establish, implement, and maintain a comprehensive written information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected through LexisNexis products and services.",
      "verbatim_text": "IT IS ORDERED that each respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of personal information collected from or about consumers made available through any information product or service of LexisNexis (“the information”), in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of the information. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to each respondent’s size and complexity, the nature and scope of each respondent’s activities, and the sensitivity of the information, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of the information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of the information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, Page 3 of 7 storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; provided, however, that this subparagraph shall not apply to personal information about a consumer that respondent provides to a government agency or lawful information supplier when the agency or supplier already possesses the information and uses it only to retrieve, and supply to respondent, additional personal information about the consumer.\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "08.08_reed_elsevier_inc._and_seisint",
      "company_name": "Reed Elsevier Inc. and Seisint, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3094-reed-elsevier-inc-seisint-inc-matter",
      "docket_number": "C-4226"
    },
    {
      "provision_number": "II",
      "title": "Biennial Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Each respondent must obtain initial and biennial assessments from a qualified, independent third-party professional covering the security program's implementation and effectiveness, with the initial assessment submitted to the FTC within 10 days of completion.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph I of this order, each respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by Paragraph I of this order; and Page 4 of 7 D. 
certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nRespondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "08.08_reed_elsevier_inc._and_seisint",
      "company_name": "Reed Elsevier Inc. and Seisint, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3094-reed-elsevier-inc-seisint-inc-matter",
      "docket_number": "C-4226"
    },
    {
      "provision_number": "III",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Each respondent must maintain and make available to the FTC documents relating to compliance, including documents contradicting compliance for 5 years and materials relied upon to prepare each Assessment for 3 years after the Assessment date.",
      "verbatim_text": "IT IS FURTHER ORDERED that each respondent shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of each document relating to compliance, including but not limited to: A. for a period of five (5) years: any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question its compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each Assessment required under Paragraph II of this order: all materials relied upon to prepare the Assessment, whether prepared by or behalf of respondent, including, but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments and any other materials relating to its compliance with Paragraphs I and II of this order, for the compliance period covered by such Assessment.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.08_reed_elsevier_inc._and_seisint",
      "company_name": "Reed Elsevier Inc. and Seisint, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3094-reed-elsevier-inc-seisint-inc-matter",
      "docket_number": "C-4226"
    },
    {
      "provision_number": "IV",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Each respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with managerial responsibilities relating to the order's subject matter within specified timeframes.",
      "verbatim_text": "IT IS FURTHER ORDERED that each respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of this order. Each respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the\n\n(30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.08_reed_elsevier_inc._and_seisint",
      "company_name": "Reed Elsevier Inc. and Seisint, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3094-reed-elsevier-inc-seisint-inc-matter",
      "docket_number": "C-4226"
    },
    {
      "provision_number": "V",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Each respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, bankruptcy, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that each respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.08_reed_elsevier_inc._and_seisint",
      "company_name": "Reed Elsevier Inc. and Seisint, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3094-reed-elsevier-inc-seisint-inc-matter",
      "docket_number": "C-4226"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Each respondent must file an initial written compliance report with the FTC within 180 days after service of the order, and additional reports at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that each respondent shall, within one hundred and eighty (180) days after service of this order, and at such other times as the Commission may require, file with the Commission an initial report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.08_reed_elsevier_inc._and_seisint",
      "company_name": "Reed Elsevier Inc. and Seisint, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3094-reed-elsevier-inc-seisint-inc-matter",
      "docket_number": "C-4226"
    },
    {
      "provision_number": "VII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "The order terminates on July 29, 2028, or twenty years from the most recent date the FTC files a complaint alleging any violation of the order in federal court, whichever comes later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on July 29, 2028, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Paragraph in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Paragraph. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Paragraph as though the complaint had never Page 6 of 7 been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.08_reed_elsevier_inc._and_seisint",
      "company_name": "Reed Elsevier Inc. and Seisint, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3094-reed-elsevier-inc-seisint-inc-matter",
      "docket_number": "C-4226"
    },
    {
      "provision_number": "I",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to its size, complexity, and the sensitivity of personal information collected.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards.\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "08.08_tjx_companies_the",
      "company_name": "The TJX Companies, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3055-tjx-companies-inc-matter",
      "docket_number": "C-4227"
    },
    {
      "provision_number": "II",
      "title": "Biennial Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial independent third-party security assessments covering specified criteria, prepared by a qualified professional, and submit or retain them as required.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part I of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by the Part I of this order; and\n\nD. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 
20580.\n\nRespondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "08.08_tjx_companies_the",
      "company_name": "The TJX Companies, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3055-tjx-companies-inc-matter",
      "docket_number": "C-4227"
    },
    {
      "provision_number": "III",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC upon request copies of documents relating to compliance, including documents contradicting compliance for five years and assessment-related materials for three years after each assessment.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of each document relating to compliance, including but not limited to: A. for a period of five (5) years: any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each Assessment required under Part II of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts I and II of this order, for the compliance period covered by such Assessment.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.08_tjx_companies_the",
      "company_name": "The TJX Companies, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3055-tjx-companies-inc-matter",
      "docket_number": "C-4227"
    },
    {
      "provision_number": "IV",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all current and future principals, officers, directors, and managers with responsibilities relating to the subject matter of this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel Page 4 of 6 within thirty (30) days after service of this order, and to such future personnel within thirty (30)\n\nwithin thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.08_tjx_companies_the",
      "company_name": "The TJX Companies, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3055-tjx-companies-inc-matter",
      "docket_number": "C-4227"
    },
    {
      "provision_number": "V",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under the order, including dissolution, merger, bankruptcy, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nAll notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.08_tjx_companies_the",
      "company_name": "The TJX Companies, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3055-tjx-companies-inc-matter",
      "docket_number": "C-4227"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within 180 days after service of the order and at such other times as the FTC may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within one hundred eighty (180) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.08_tjx_companies_the",
      "company_name": "The TJX Companies, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3055-tjx-companies-inc-matter",
      "docket_number": "C-4227"
    },
    {
      "provision_number": "VII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on July 29, 2028, or twenty years from the most recent date the United States or FTC files a complaint in federal court alleging any violation of the order, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on July 29, 2028, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and Page 5 of 6 the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.08_tjx_companies_the",
      "company_name": "The TJX Companies, Inc.",
      "date_issued": "2008-08-15",
      "year": 2008,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3055-tjx-companies-inc-matter",
      "docket_number": "C-4227"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the privacy, security, confidentiality, or integrity of any covered information.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent or its products or services maintain and protect the privacy, security, confidentiality, or integrity of any covered information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.14_credit_karma",
      "company_name": "Credit Karma, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc",
      "docket_number": "C-4480"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive security program to address security risks and protect covered information, with specific administrative, technical, and physical safeguards.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing products and services for consumers, and (2) protect the security, integrity, and confidentiality of covered information, whether collected by respondent or input into, stored on, captured with, or accessed through a computer using respondent’s products or services. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, whether such information is in respondent’s possession or is input into, stored on, captured with, or accessed through a computer using respondent’s products or services, and assessment of the sufficiency of any safeguards in place to control these risks.\n\nC. 
at a minimum, the risk assessment required by Subpart B should include consideration of risks in each area of relevant operation, including, but not limited to, (1) employee training and management, including in secure engineering and defensive programming; (2) product design, development and research; (3) secure software design, development, and testing; (4) review, assessment, and response to third-party security vulnerability reports, and (5) prevention, detection, and response to attacks, intrusions, or systems failures;\n\nD. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures, including through reasonable and appropriate software security testing techniques;\n\nE. the development and use of reasonable steps to select and retain service providers capable of maintaining security practices consistent with this order, and requiring service providers by contract to implement and maintain appropriate safeguards;\n\nF. the evaluation and adjustment of respondent’s security program in light of the results of the testing and monitoring required by subpart B, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "08.14_credit_karma",
      "company_name": "Credit Karma, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc",
      "docket_number": "C-4480"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments from qualified professionals for any product or service offered through client software.",
      "verbatim_text": "order, for any product or service offered through client software, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such Assessments shall be: a person qualified as a Certified Secure Software Lifecycle Professional (CSSLP) with experience in secure mobile programming; or as a Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and secure mobile programming; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred eighty (180) days after service of the order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific controls and procedures that respondent has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information; C. explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this order; and D. 
certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of covered information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "08.14_credit_karma",
      "company_name": "Credit Karma, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc",
      "docket_number": "C-4480"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available for inspection various documents related to compliance with the order.",
      "verbatim_text": "A. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts II and III of this order, for the compliance period covered by such Assessment;\n\nB. unless covered by IV.A, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all other documents relating to compliance with this order, including but not limited to: i. all advertisements and promotional materials containing any representations covered by this order, as well as all materials used or relied upon in making or disseminating the representation; and\n\nii. any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.14_credit_karma",
      "company_name": "Credit Karma, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc",
      "docket_number": "C-4480"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future subsidiaries, principals, officers, directors, and managers with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure.\n\nRespondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.14_credit_karma",
      "company_name": "Credit Karma, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc",
      "docket_number": "C-4480"
    },
    {
      "provision_number": "VI",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty (30) days prior to any corporate changes that may affect compliance obligations under this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.14_credit_karma",
      "company_name": "Credit Karma, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc",
      "docket_number": "C-4480"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission setting forth in detail the manner and form of its compliance with this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within one hundred twenty (120) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.14_credit_karma",
      "company_name": "Credit Karma, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc",
      "docket_number": "C-4480"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on August 13, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on August 13, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.14_credit_karma",
      "company_name": "Credit Karma, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc",
      "docket_number": "C-4480"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the privacy, security, confidentiality, or integrity of any covered information.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent or its products or services maintain and protect the privacy, security, confidentiality, or integrity of any covered information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.14_fandango",
      "company_name": "Fandango, LLC",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc",
      "docket_number": "C-4481"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive security program reasonably designed to address security risks and protect covered information, with administrative, technical, and physical safeguards.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing products and services for consumers, and (2) protect the security, integrity and confidentiality of covered information, whether collected by respondent or input into, stored on, captured with, or accessed through a computer using respondent’s products or services. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, whether such information is in respondent’s possession or is input into, stored on, captured with, or accessed through a computer using respondent’s products or services, and assessment of the sufficiency of any safeguards in place to control these risks.\n\nC. 
at a minimum, this risk assessment required by Subpart B should include consideration of risks in each area of relevant operation, including, but not limited to, (1) employee training and management, including in secure engineering and defensive programming; (2) product design and development; (3) secure software design, development, and testing; (4) review, assessment, and response to third-party security vulnerability reports, and (5) prevention, detection, and response to attacks, intrusions, or systems failures;\n\nD. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures, including through reasonable and appropriate software security testing techniques;\n\nE. the development and use of reasonable steps to select and retain service providers capable of maintaining security practices consistent with this order, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nF. the evaluation and adjustment of respondent’s security program in light of the results of the testing and monitoring required by subpart B, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "08.14_fandango",
      "company_name": "Fandango, LLC",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc",
      "docket_number": "C-4481"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "For any product or service offered through client software, respondent must obtain initial and biennial third-party security assessments from qualified professionals for twenty years.",
      "verbatim_text": "order, for any product or service offered through client software, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.\n\nAvenue, NW, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred eighty (180) days after service of the order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "08.14_fandango",
      "company_name": "Fandango, LLC",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc",
      "docket_number": "C-4481"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC various records related to compliance with the order, including assessment materials and compliance documents.",
      "verbatim_text": "A. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts II and III of this order, for the compliance period covered by such Assessment;\n\nB. unless covered by IV.A, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all other documents relating to compliance with this order, including but not limited to: i. all advertisements and promotional materials containing any representations covered by this order, as well as all materials used or relied upon in making or disseminating the representation; and ii. any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.14_fandango",
      "company_name": "Fandango, LLC",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc",
      "docket_number": "C-4481"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future subsidiaries, personnel, and representatives with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.14_fandango",
      "company_name": "Fandango, LLC",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc",
      "docket_number": "C-4481"
    },
    {
      "provision_number": "VI",
      "title": "Change in Corporate Structure Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the corporation that may affect compliance obligations, including dissolution, merger, bankruptcy, or change in name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.14_fandango",
      "company_name": "Fandango, LLC",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc",
      "docket_number": "C-4481"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within sixty days after service of the order, and submit additional reports upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.14_fandango",
      "company_name": "Fandango, LLC",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc",
      "docket_number": "C-4481"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on August 13, 2034, or twenty years from the most recent date the United States or the Commission files a complaint alleging violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on August 13, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.14_fandango",
      "company_name": "Fandango, LLC",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc",
      "docket_number": "C-4481"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent the extent to which they use, maintain, and protect the privacy, confidentiality, security, or integrity of personal information collected from or about consumers.",
      "verbatim_text": "IT IS ORDERED that respondents and their officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondents, shall not misrepresent in any manner, expressly or by implication, the extent to which respondents use, maintain, and protect the privacy, confidentiality, security, or integrity of personal information collected from or about consumers.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.14_gmr_transcription_services",
      "company_name": "GMR Transcription Services, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter",
      "docket_number": "C-4482"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent GMR Transcription Services, Inc., its successors and assigns, and any business entity that respondent Ajay Prasad or Shreekant Srivastava controls, directly or indirectly, that collects, maintains, or stores personal information from or about consumers, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondents’ or the business entity’s size and complexity, the nature and scope of respondents’ or the business entity’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondents, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by subpart C, any material changes to any operations or business arrangements, or any other circumstances that respondents know or have reason to know may have a material impact on the effectiveness of the information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "08.14_gmr_transcription_services",
      "company_name": "GMR Transcription Services, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter",
      "docket_number": "C-4482"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Assessments",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial assessments from a qualified, objective, independent third-party professional covering a 20-year period after service of the order.",
      "verbatim_text": "order, respondents shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\norder, respondents shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. 
Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondents have implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to respondents’ or the business entity’s size and complexity, the nature and scope of respondents’ or the business entity’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this order; and\n\nD. certify that the security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nreporting period to which the Assessment applies. Respondents shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been\n\ncompleted. All subsequent biennial Assessments shall be retained by respondents until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "08.14_gmr_transcription_services",
      "company_name": "GMR Transcription Services, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter",
      "docket_number": "C-4482"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must maintain and make available to the FTC for inspection all materials related to Assessments for three years and other compliance documents for five years.",
      "verbatim_text": "A. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondents, including but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondents’ compliance with Parts II and III of this order, for the compliance period covered by such Assessment;\n\nB. unless covered by IV.A, for a period of five (5) years from the date of preparation or dissemination, whichever is later, a print or electronic copy of each document relating to compliance with this order, including but not limited to: 1. all advertisements and promotional materials containing any representations covered by this order, with all materials used or relied upon in making or disseminating the representation; and 2. any documents, whether prepared by or on behalf of respondents, that contradict, qualify, or call into question compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.14_gmr_transcription_services",
      "company_name": "GMR Transcription Services, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter",
      "docket_number": "C-4482"
    },
    {
      "provision_number": "V",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondents must deliver copies of the order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, and secure signed acknowledgments of receipt.",
      "verbatim_text": "A. Respondents shall deliver a copy of this order to (1) all current and future principals, officers, directors, and managers, (2) all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order, and (3) any business entity resulting from any change in structure set forth in Part VI. Respondents shall deliver this order to such current personnel\n\nwithin thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.\n\nFor any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure.\n\nB. Respondents shall secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.14_gmr_transcription_services",
      "company_name": "GMR Transcription Services, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter",
      "docket_number": "C-4482"
    },
    {
      "provision_number": "VI",
      "title": "Individual Respondents' Notification Obligations",
      "category": "compliance_reporting",
      "summary": "Individual respondents Prasad and Srivastava must notify the Commissionwithin 10 days of changes to their residence, employment status, business ownership, or name for a period of 10 years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents Prasad and Srivastava, for a period of ten (10) years after the date of issuance of the order, shall notify the Commission of the following: (a) Any changes to respondent Prasad’s or respondent Srivastava’s residence, mailing addresses and/or telephone numbers, within ten (l0) days of the date of such change; (b) Any\n\nchanges in respondent Prasad’s or respondent Srivastava’s employment status (including self- employment), and any changes in ownership in any business entity, within ten (10) days of the date of such change. Such notice shall include: the name and address of each business that respondent Prasad or respondent Srivastava is affiliated with, employed by, creates or forms, incorporates, or performs services for; a detailed description of the nature of the business; and a detailed description of respondent Prasad’s or respondent Srivastava’s duties and responsibilities in connection with the business or employment; and (c) Any changes in respondent Prasad’s or\n\nrespondent Srivastava’s name or use of any aliases or fictitious names, including “doing business as” names. All notices required by this Part shall be sent by overnight courier (not the U.S.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.14_gmr_transcription_services",
      "company_name": "GMR Transcription Services, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter",
      "docket_number": "C-4482"
    },
    {
      "provision_number": "VII",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondents must notify the Commission at least 30 days prior to any change that may affect compliance obligations, including dissolution, merger, sale, bankruptcy, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED respondents shall notify the Commission at least thirty (30) days prior to any change in respondents that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation about which respondents learn less than thirty (30) days prior to the date such action is to take place, respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission, all notices",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.14_gmr_transcription_services",
      "company_name": "GMR Transcription Services, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter",
      "docket_number": "C-4482"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must file a written compliance report with the Commission within 60 days after service of the order and submit additional reports upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of\n\nreceipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.14_gmr_transcription_services",
      "company_name": "GMR Transcription Services, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter",
      "docket_number": "C-4482"
    },
    {
      "provision_number": "IX",
      "title": "Order Termination",
      "category": "duration",
      "summary": "This order will terminate on August 14, 2034, or twenty years from the most recent date that the United States or the FTC files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on August 14, 2034, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.14_gmr_transcription_services",
      "company_name": "GMR Transcription Services, Inc.",
      "date_issued": "2014-08-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter",
      "docket_number": "C-4482"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner the extent to which it uses, maintains, and protects the privacy and confidentiality of any covered information, including whether covered information will be made publicly available.",
      "verbatim_text": "IT IS ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service must not misrepresent in any manner, expressly or by implication: A. the extent to which Respondent uses, maintains, and protects the privacy and confidentiality of any covered information, including: the extent to which covered information shall be made publicly available, including by posting on the Internet.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.16_practice_fusion",
      "company_name": "Practice Fusion, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter",
      "docket_number": "C-4591"
    },
    {
      "provision_number": "II",
      "title": "Notice and Affirmative Express Consent Provision",
      "category": "affirmative_obligation",
      "summary": "Before making any consumer's covered information publicly available, Respondent must clearly and conspicuously disclose this fact to the consumer and obtain their affirmative express consent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive notice of this Order, whether acting directly or indirectly, prior to making any consumer’s covered information publicly available, including by posting on the Internet, must: A. clearly and conspicuously disclose to the consumer, separate and apart from “privacy policy,” “terms of use” page, or similar document, that such information is being made publicly available, including by posting on the Internet; and\n\nB. obtain the consumer’s affirmative express consent.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.16_practice_fusion",
      "company_name": "Practice Fusion, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter",
      "docket_number": "C-4591"
    },
    {
      "provision_number": "III",
      "title": "Disposition of Healthcare Provider Review Information",
      "category": "affirmative_obligation",
      "summary": "Respondent must not publicly display or maintain any healthcare provider review information (except for retrieval by its healthcare provider customers or as required by law), and must submit a sworn written statement to the Commission confirming compliance within 60 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by Respondent, in or affecting commerce, must not publicly display any healthcare provider review information, and must not maintain any healthcare provider review information, except for review and retrieval by its healthcare provider customers, or their respective agents, contractors, assigns, or as permitted to comply with applicable law, regulation, or legal process. Within sixty (60) days after the effective date of the\n\napplicable law, regulation, or legal process. Within sixty (60) days after the effective date of the Order, Respondent must provide a written statement to the Commission, sworn under penalty of perjury, confirming the foregoing.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "08.16_practice_fusion",
      "company_name": "Practice Fusion, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter",
      "docket_number": "C-4591"
    },
    {
      "provision_number": "IV",
      "title": "Acknowledgements of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt of this Order within 10 days, deliver copies of the Order to key personnel and new hires, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives having direct supervisory responsibilities over the conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.16_practice_fusion",
      "company_name": "Practice Fusion, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter",
      "docket_number": "C-4591"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial sworn compliance report 90 days after the Order's effective date, and must submit sworn notices within 14 days of changes to contact information, organizational structure, or any bankruptcy filing.",
      "verbatim_text": "A. Ninety (90) days after the effective date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of that Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales, and the extent to which covered information is made publicly available; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgments of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: 1. (a) any designated point of contact; or (b) the structure of any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Practice Fusion, Inc.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.16_practice_fusion",
      "company_name": "Practice Fusion, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter",
      "docket_number": "C-4591"
    },
    {
      "provision_number": "VI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified records for 5 years, including accounting records, personnel records, consumer complaints, compliance records, consumer feedback forms, and privacy-related representations.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. copies or records of all consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission;\n\nE. all forms, websites, and other methods used by Respondent to obtain feedback from consumers on Respondent’s own behalf or on behalf of Respondent’s healthcare provider customers regarding healthcare services provided by said healthcare provider customer (or their agents, contractors, or assigns);\n\nF. a copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy and confidentiality of any covered information, including any representation concerning a change in any website or other service controlled by Respondent that relates to the privacy and confidentiality of covered information; and\n\nG. for 5 years from the date created or received, all records, whether prepared by or on behalf of Respondent, that tend to show any lack of compliance by Respondent with this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.16_practice_fusion",
      "company_name": "Practice Fusion, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter",
      "docket_number": "C-4591"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondent's compliance by requesting reports and records, communicating directly with Respondent, interviewing affiliated persons, and using other lawful means including undercover methods.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.16_practice_fusion",
      "company_name": "Practice Fusion, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter",
      "docket_number": "C-4591"
    },
    {
      "provision_number": "VIII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and will terminate on August 15, 2036, or 20 years from the most recent date the Commission files a complaint alleging a violation, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on August 15, 2036, or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. If such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.16_practice_fusion",
      "company_name": "Practice Fusion, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter",
      "docket_number": "C-4591"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, its membership in, adherence to, certification by, or participation in any privacy or security program sponsored by a government or self-regulatory organization, including APEC CBPR.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including APEC CBPR.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.16_very_incognito_technologies",
      "company_name": "Very Incognito Technologies, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3034-very-incognito-technologies-matter",
      "docket_number": "C-4580"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit its own acknowledgment of receipt of the Order, deliver copies of the Order to relevant personnel and successors, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives with responsibilities related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reporting. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.16_very_incognito_technologies",
      "company_name": "Very Incognito Technologies, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3034-very-incognito-technologies-matter",
      "docket_number": "C-4580"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report 60 days after the Order's issuance date, and thereafter submit sworn notices within 14 days of changes in contact information, corporate structure, or bankruptcy filings, following specified formatting and delivery requirements.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Very Incognito Technologies, Inc., FTC File No. 1623034.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.16_very_incognito_technologies",
      "company_name": "Very Incognito Technologies, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3034-very-incognito-technologies-matter",
      "docket_number": "C-4580"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 20 years after the Order's issuance date and retain each record for 5 years, covering accounting, personnel, compliance, and marketing materials.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each unique advertisement, promotional material, or other marketing material making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.16_very_incognito_technologies",
      "company_name": "Very Incognito Technologies, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3034-very-incognito-technologies-matter",
      "docket_number": "C-4580"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "Respondent must cooperate with Commission monitoring by submitting additional compliance information and records upon request, permitting direct communications and voluntary interviews, and allowing the Commission to use all lawful investigative means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.16_very_incognito_technologies",
      "company_name": "Very Incognito Technologies, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3034-very-incognito-technologies-matter",
      "docket_number": "C-4580"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and terminates on June 21, 2036, or 20 years from the most recent date a complaint alleging any Order violation is filed in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on June 21, 2036, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. If such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order as to Respondent will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.16_very_incognito_technologies",
      "company_name": "Very Incognito Technologies, Inc.",
      "date_issued": "2016-08-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3034-very-incognito-technologies-matter",
      "docket_number": "C-4580"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in, is certified by, or otherwise belongs to any privacy or security program sponsored by a government or self-regulatory organization, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.19_securtest",
      "company_name": "SecurTest, Inc.",
      "date_issued": "2019-08-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3152-securtest-inc-matter",
      "docket_number": "C-4685"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of this Order, deliver copies to relevant personnel and business entities, and obtain signed acknowledgments from all recipients.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.19_securtest",
      "company_name": "SecurTest, Inc.",
      "date_issued": "2019-08-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3152-securtest-inc-matter",
      "docket_number": "C-4685"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report 60 days after the issuance date and provide timely sworn notices of any changes in contact information, organizational structure, or bankruptcy proceedings.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re SecurTest, Inc., FTC File No. 182 3152.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.19_securtest",
      "company_name": "SecurTest, Inc.",
      "date_issued": "2019-08-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3152-securtest-inc-matter",
      "docket_number": "C-4685"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for ten (10) years and retain each such record for five (5) years, covering personnel records, compliance documentation, and copies of advertising materials.",
      "verbatim_text": "A. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nB. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nC. a copy of each unique advertisement or other marketing material making a representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.19_securtest",
      "company_name": "SecurTest, Inc.",
      "date_issued": "2019-08-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3152-securtest-inc-matter",
      "docket_number": "C-4685"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting additional reports and records, communicating directly with and interviewing Respondent's personnel, and using undercover methods or compulsory process.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.19_securtest",
      "company_name": "SecurTest, Inc.",
      "date_issued": "2019-08-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3152-securtest-inc-matter",
      "docket_number": "C-4685"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order becomes final and effective upon publication on the FTC's website and will terminate on August 12, 2039, or twenty (20) years from the most recent date the Commission or the United States files a complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on August 12, 2039, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.19_securtest",
      "company_name": "SecurTest, Inc.",
      "date_issued": "2019-08-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3152-securtest-inc-matter",
      "docket_number": "C-4685"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations Regarding Online Collection of Personal Information",
      "category": "prohibition",
      "summary": "Respondent must not make any misrepresentation in connection with online collection of personal information from children and/or consumers ages 13–17, including about anonymity, promised products/services, prize eligibility, or collection and use practices.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with any online collection of personal information from children and/or consumers age thirteen (13) through seventeen (17), in or affecting commerce, shall not make any misrepresentation, in any manner, expressly or by implication: A. That the information collected is maintained in an anonymous manner;\n\nB. That children and/or consumers age thirteen (13) through seventeen (17) who submit such information will receive an e-mail newsletter or any other represented product or service;\n\nC. That children and/or consumers age thirteen (13) through seventeen (17) who submit such information are eligible to win prizes in respondent’s drawing or contest; or\n\nD. Regarding the collection or use of personal information from or about children and/or consumers age thirteen (13) through seventeen (17).",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Collecting Personal Information Without Parental Permission",
      "category": "prohibition",
      "summary": "Respondent must not collect personal information from a child at a website directed to children (or any site where respondent has actual knowledge it is collecting from a child) when respondent has actual knowledge the child lacks parental permission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the online collection of personal information at a website directed to children, or at any commercial website where respondent has actual knowledge that it is collecting personal information from a child, in or affecting commerce, shall not collect personal information from any child if respondent has actual knowledge that such child does not have his or her parent's permission to provide the information to respondent. For purposes of Parts II, III, IV, and V of this order, respondent shall not be deemed to have actual knowledge if the child has falsely represented that (s)he is not a child and respondent does not knowingly possess information that such representation is false.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "III",
      "title": "Affirmative Obligation to Provide Clear and Prominent Privacy Notice",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide clear and prominent notice of its practices regarding collection and use of personal information from children, including what is collected, how it is used, disclosure practices, and a means for parents to access or delete their child's information.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the online collection of personal information from children, at a website directed to children, or at any commercial website where respondent has actual knowledge that it is collecting personal information from a child, in or affecting commerce, shall provide clear and prominent notice with respect to respondent's practices regarding its collection and use of personal information. Such notice shall include: A. what information is being collected (e.g., \"name,\" \"home address,\" \"e-mail address,\" \"age,\" \"interests\"); B. how respondent uses such information; C. respondent’s disclosure practices for such information (e.g., parties to whom it may be disclosed, such as \"advertisers of consumer products,\" \"mailing list companies,\" \"the general public\"); D. a description of a means that is reasonable under the circumstances by which a parent whose child has provided personal information may obtain, upon request and upon proper identification, (i) a description of the specific types of personal information collected from the child by respondent, (ii) the opportunity at any time to refuse to permit the respondent’s further use or maintenance in retrievable form, or future online collection, of personal information from that child, and (iii) any personal information collected from the child.\n\nSuch notice shall appear on the home page of respondent's website(s) directed to children, or at any commercial website where respondent has actual knowledge that it is collecting personal information Page 4 of 7 from a child, and at each location on the site(s) at which such information is collected.\n\nProvided, however, that for purposes of this Part, compliance with all of the following shall be deemed adequate notice: (a) placement of a clear and prominent hyperlink or button labeled PRIVACY NOTICE on the home 
page(s), which directly links to the privacy notice screen(s); (b) placement of the information required in this Part clearly and prominently on the privacy notice screen(s), followed on the same screen(s) with a button that must be clicked on to make it disappear; and (c) at each location on the site at which any personal information is collected, placement of a clear and prominent hyperlink on the initial screen on which the collection takes place, which links directly to the privacy notice and which is accompanied by the following statement in bold typeface: NOTICE: We collect personal information on this site. To learn more about how we use your information click here.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "IV",
      "title": "Affirmative Obligation to Obtain Verifiable Parental Consent",
      "category": "affirmative_obligation",
      "summary": "Respondent must maintain a procedure to obtain verifiable parental consent before collecting, using, or disclosing personal information from children online.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the online collection of personal information from children at a website directed to children, or at any commercial website where respondent has actual knowledge that it is collecting personal information from a child, in or affecting commerce, shall maintain a procedure by which it obtains verifiable parental consent for the collection, use or disclosure of such information from children.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "V",
      "title": "Deletion of Previously Collected Children's Personal Information",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete all personal information previously collected from children prior to the date of service of this order from its websites directed to children and any commercial websites where it has actual knowledge it collected personal information from a child.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Liberty Financial Companies, Inc., and its successors and assigns, shall delete from its website(s) directed to children, and at any commercial website(s) where respondent has actual knowledge that it is collecting personal information from a child, all personal information collected from children prior to the date of service of the order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "VI",
      "title": "COPPA Compliance as Deemed Compliance",
      "category": "affirmative_obligation",
      "summary": "After the effective date of COPPA and any FTC regulations or guides thereunder, compliance with that statute and its regulations shall be deemed compliance with the definitions section and Parts II, III, and IV of this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that after the effective date of the Children’s Online Privacy Protection Act of 1998 and any regulations or guides promulgated by the Commission pursuant to the Act, compliance with such statute, regulations, and guides shall be deemed to be compliance with the definition section of this order and Parts II, III and IV of this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Other"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "VII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC upon request records evidencing compliance with Parts III–V, including copies of web pages and information collection forms, and all materials evidencing verifiable parental consent.",
      "verbatim_text": "A. For five (5) years after the last date of dissemination of a notice required by this order, a print or electronic copy in HTML format of all documents relating to compliance with Parts III through V of this order, including, but not limited to, a sample copy of every information collection form, Web page, screen, or document containing any representation regarding respondent's information collection and use practices pertaining to children. Each Web page copy shall be accompanied by the URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting information on the World Wide Web; and\n\nB. For five (5) years after the last collection of personal information from a child, all materials evidencing the verifiable parental consent given to respondent.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "VIII",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities — current personnel within 30 days, future personnel within 30 days of assuming their position.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Liberty Financial Companies, Inc., and its successors and assigns, shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of this order. Respondent shall deliver this order to current personnel within thirty (30) days after the date of service of this order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "IX",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, including dissolution, sale, merger, bankruptcy, or name/address change.",
      "verbatim_text": "successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Page 6 of 7 Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "X",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within 60 days of service of this order and at such other times as the FTC may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Liberty Financial Companies, Inc., and its successors and assigns, shall, within sixty (60) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "XI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on August 12, 2019, or 20 years from the most recent date the United States or FTC files a federal court complaint alleging any violation of the order, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on August 12, 2019, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order's application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "08.99_liberty_financial_companies",
      "company_name": "Liberty Financial Companies, Inc.",
      "date_issued": "1999-08-15",
      "year": 1999,
      "administration": "Clinton",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc",
      "docket_number": "C-3891"
    },
    {
      "provision_number": "I",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of consumers' personal information.",
      "verbatim_text": "IT IS ORDERED that Respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the evaluation and adjustment of Respondent’s information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to Respondent’s operations or business arrangements, or any other circumstances that Respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "09.05_bj_s_wholesale_club",
      "company_name": "BJ's Wholesale Club, Inc.",
      "date_issued": "2005-09-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3160-bjs-wholesale-club-inc-matter",
      "docket_number": "C-4148"
    },
    {
      "provision_number": "II",
      "title": "Biennial Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain independent third-party security assessments within 180 days of service and biennially thereafter for 20 years, certifying that the security program is operating effectively, and provide assessments and supporting documents to the FTC.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent obtain an assessment and report (an “Assessment”) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, within one hundred and eighty (180) days after service of the order, and biennially thereafter for twenty (20) years after service of the order that: A. sets forth the specific administrative, technical, and physical safeguards that Respondent has implemented and maintained during the reporting period; B. explains how such safeguards are appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the personal information collected from or about consumers; C. explains how the safeguards that have been implemented meet or exceed the protections required by Paragraph I of this order; and 3 D. certifies that Respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and, for biennial reports, has so operated throughout the reporting period.\n\nEach Assessment shall be prepared by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 
20580.\n\nRespondent shall provide the first Assessment, as well as all: plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of Respondent, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial\n\nAssessments shall be retained by Respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "09.05_bj_s_wholesale_club",
      "company_name": "BJ's Wholesale Club, Inc.",
      "date_issued": "2005-09-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3160-bjs-wholesale-club-inc-matter",
      "docket_number": "C-4148"
    },
    {
      "provision_number": "III",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC copies of compliance-related documents, including documents contradicting compliance for 5 years and supporting biennial assessment documents for 3 years after each assessment.",
      "verbatim_text": "A. for a period of five (5) years: any documents, whether prepared by or on behalf of Respondent, that contradict, qualify, or call into question Respondent’s compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each biennial Assessment required under Paragraph II of this order: all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of Respondent, relating to Respondent’s compliance with Paragraphs I and II of this order for the compliance period covered by such biennial Assessment.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.05_bj_s_wholesale_club",
      "company_name": "BJ's Wholesale Club, Inc.",
      "date_issued": "2005-09-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3160-bjs-wholesale-club-inc-matter",
      "docket_number": "C-4148"
    },
    {
      "provision_number": "IV",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all current and future principals, officers, directors, managers, and employees with managerial responsibilities related to the order's subject matter, within 30 days of service or assumption of duties.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty 4 (30) days after service of this order, and to such future personnel within thirty (30) days after the\n\n(30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.05_bj_s_wholesale_club",
      "company_name": "BJ's Wholesale Club, Inc.",
      "date_issued": "2005-09-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3160-bjs-wholesale-club-inc-matter",
      "docket_number": "C-4148"
    },
    {
      "provision_number": "V",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under the order, such as dissolution, merger, bankruptcy, or name/address change.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which Respondent learns less than thirty (30) days prior to the date such action is to take place, Respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\naddress. Provided, however, that, with respect to any proposed change in the corporation about which Respondent learns less than thirty (30) days prior to the date such action is to take place, Respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.05_bj_s_wholesale_club",
      "company_name": "BJ's Wholesale Club, Inc.",
      "date_issued": "2005-09-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3160-bjs-wholesale-club-inc-matter",
      "docket_number": "C-4148"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 180 days of service of the order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent shall, within one hundred and eighty (180) days after service of this order, and at such other times as the Commission may require, file with the Commission an initial report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.05_bj_s_wholesale_club",
      "company_name": "BJ's Wholesale Club, Inc.",
      "date_issued": "2005-09-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3160-bjs-wholesale-club-inc-matter",
      "docket_number": "C-4148"
    },
    {
      "provision_number": "VII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on September 20, 2025, or 20 years from the most recent date the FTC files a complaint alleging any violation of the order in federal court, whichever is later.",
      "verbatim_text": "This order will terminate on September 20, 2025, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Paragraph in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Paragraph. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Paragraph as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.05_bj_s_wholesale_club",
      "company_name": "BJ's Wholesale Club, Inc.",
      "date_issued": "2005-09-15",
      "year": 2005,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3160-bjs-wholesale-club-inc-matter",
      "docket_number": "C-4148"
    },
    {
      "provision_number": "I",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.",
      "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "09.06_cardsystems_solutions_and_solidus_networks_dba_pay_by_touch_solutions",
      "company_name": "CardSystems Solutions, Inc.",
      "date_issued": "2006-09-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3148-cardsystems-solutions-inc-solidus-networks-inc-dba-pay-touch-solutions-matter",
      "docket_number": "C-4168"
    },
    {
      "provision_number": "II",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party security assessments from a qualified, independent professional, covering the first 180 days and each two-year period thereafter for twenty years, and submit them to the FTC.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph I of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by Paragraph I of this order; and\n\nD. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nRespondent shall provide the initial Assessment, as well as all: plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "09.06_cardsystems_solutions_and_solidus_networks_dba_pay_by_touch_solutions",
      "company_name": "CardSystems Solutions, Inc.",
      "date_issued": "2006-09-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3148-cardsystems-solutions-inc-solidus-networks-inc-dba-pay-touch-solutions-matter",
      "docket_number": "C-4168"
    },
    {
      "provision_number": "III",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC print or electronic copies of compliance-related documents, including documents contradicting compliance for five years and assessment-related materials for three years after each biennial assessment.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of each document relating to compliance, including but not limited to: A. for a period of five (5) years: any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each biennial Assessment required under Paragraph II of this order: all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relating to respondent’s compliance with Paragraphs I and II of this order for the compliance period covered by such biennial Assessment.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.06_cardsystems_solutions_and_solidus_networks_dba_pay_by_touch_solutions",
      "company_name": "CardSystems Solutions, Inc.",
      "date_issued": "2006-09-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3148-cardsystems-solutions-inc-solidus-networks-inc-dba-pay-touch-solutions-matter",
      "docket_number": "C-4168"
    },
    {
      "provision_number": "IV",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with managerial responsibilities, within 30 days of service for current personnel and within 30 days of assuming a position for future personnel.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.06_cardsystems_solutions_and_solidus_networks_dba_pay_by_touch_solutions",
      "company_name": "CardSystems Solutions, Inc.",
      "date_issued": "2006-09-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3148-cardsystems-solutions-inc-solidus-networks-inc-dba-pay-touch-solutions-matter",
      "docket_number": "C-4168"
    },
    {
      "provision_number": "V",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, including dissolution, merger, sale, bankruptcy filing, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nAll notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.06_cardsystems_solutions_and_solidus_networks_dba_pay_by_touch_solutions",
      "company_name": "CardSystems Solutions, Inc.",
      "date_issued": "2006-09-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3148-cardsystems-solutions-inc-solidus-networks-inc-dba-pay-touch-solutions-matter",
      "docket_number": "C-4168"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 180 days after service of the order, and at such other times as the Commission may require.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within one hundred and eighty (180) days after service of this order, and at such other times as the Commission may require, file with the Commission an initial report, in writing, setting forth in detail the manner and form in which it has complied with this order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.06_cardsystems_solutions_and_solidus_networks_dba_pay_by_touch_solutions",
      "company_name": "CardSystems Solutions, Inc.",
      "date_issued": "2006-09-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3148-cardsystems-solutions-inc-solidus-networks-inc-dba-pay-touch-solutions-matter",
      "docket_number": "C-4168"
    },
    {
      "provision_number": "VII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on September 5, 2026, or twenty years from the most recent date the FTC files a federal court complaint alleging any violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on September 5, 2026, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Paragraph in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Paragraph.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Paragraph as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.06_cardsystems_solutions_and_solidus_networks_dba_pay_by_touch_solutions",
      "company_name": "CardSystems Solutions, Inc.",
      "date_issued": "2006-09-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3148-cardsystems-solutions-inc-solidus-networks-inc-dba-pay-touch-solutions-matter",
      "docket_number": "C-4168"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Deceptive Collection Practices",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained and enjoined from making any misrepresentation to consumers or third parties in connection with the collection of a debt, including false threats of arrest, overstated legal obligations, and false threats of lawsuits or wage garnishment.",
      "verbatim_text": "IT IS THEREFORE ORDERED that, in connection with the collection of a debt from any consumer, Defendants, and their officers, agents, servants, employees, and attorneys, and all other persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any corporation, subsidiary, division, or other device, are hereby permanently restrained and enjoined from making any misrepresentation to any consumer or third party in violation of Section 5(a) of the FTC Act, including but not limited to misrepresenting that: A. Consumers can be arrested or imprisoned for failing to pay a debt to the Defendants;\n\nB. Consumers have a legal obligation to pay the Defendants the full amount the Defendants claim they are owed; and\n\nC. If consumers do not pay the Defendants, the Defendants will or can take formal legal action against consumers, including but not limited to, filing suit, seizing or attaching property, or garnishing wages.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Unfair Collection Practices",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained and enjoined from engaging in any unfair act or practice in connection with the collection of a debt, including repeatedly calling consumers at work, using abusive language, and disclosing debts to third parties.",
      "verbatim_text": "IT IS FURTHER ORDERED that in connection with the collection of a debt from any consumer, Defendants, and their officers, agents, servants, employees, and attorneys, and all other persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any corporation, subsidiary, division, or other device, are hereby permanently restrained and enjoined from engaging in any unfair act or practice in violation of Section 5(a) of the FTC Act, including but not limited to: A. Continuously and repeatedly calling consumers and third parties at consumers' places of employment;\n\nB. Using obscene, profane, threatening, or otherwise abusive language towards consumers and third parties; and\n\nC. Disclosing the existence of consumers' purported debts to coworkers, employers, and other third parties.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "III",
      "title": "Prohibition Against Violations of the Truth In Lending Act and Regulation Z",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained and enjoined from failing to make required TILA disclosures clearly and conspicuously in writing before consummating consumer credit transactions, and from failing to comply with TILA and Regulation Z in any other manner.",
      "verbatim_text": "A. In the course of extending closed-end credit to consumers, failing to make the required TILA disclosures, clearly and conspicuously in writing, in a form that consumers can keep, before consummating a consumer credit transaction, including failing to disclose the amount financed, itemization of the amount financed, the finance charge, the annual percentage rate, the payment schedule, the total of payments, and any late payment fees, in violation of Sections 121 and 128 of TILA, 15 U.S.C. §§ 1631 and 1638, as amended, and Sections 226.17(a)(1), (b) and 226.18 (b)-(e), (g)-(h), and (l) of Regulation Z, 12 C.F.R. §§ 226.17(a)(1), (b) and 226.18 (b)-(e), (g)-(h), and (l), as amended; and\n\nB. Failing in any other manner to meet the requirements of TILA, 15 U.S.C. §§ 1601-1666j, as amended, and its implementing Regulation Z, 12 C.F.R. § 226, as amended, and the Regulation Z Commentary, 12 C.F.R. § 226, Supp. 1, as amended.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "IV",
      "title": "Prohibition Against Violations of Nevada State Laws",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained and enjoined from violating Chapter 598 of the Nevada Revised Statutes, including requirements to obtain required licenses, provide notice of material facts, and comply with state and federal statutes governing the sale of goods or services.",
      "verbatim_text": "and enjoined from violating any provision of Chapter 598 of the Nevada Revised Statutes and, in particular, when conducting business from the State of Nevada or when engaging in the sale of goods or services to Nevada residents, permanently restrained and enjoined from failing to: A. Obtain all required state, county or city licenses for doing business in Nevada, in compliance with NRS 598.0923(1);\n\nB. Provide notice and disclosure of all material facts, in compliance with NRS 598.0923(2); and\n\nC. Comply with all state and federal statutes and regulations relating to the sale of goods or services, in compliance with NRS 598.0923(3).",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "V",
      "title": "Additional Disclosures and Other Requirements",
      "category": "affirmative_obligation",
      "summary": "Defendants must clearly and conspicuously disclose material credit terms before consummating transactions, obtain written confirmation from consumers of receipt of disclosures, and provide written itemizations of amounts paid and due upon consumer request.",
      "verbatim_text": "A. In the course of extending credit to consumers, disclose, clearly and conspicuously in writing, in a form that consumers can keep, and before consummating a consumer credit transaction, the following: 1. The material terms of the transaction, including the disclosures required by Section III herein, the interest rate, and a repayment schedule\n\n2. Penalties for late or non-payment, including an itemization of all associated fees and charges; and\n\n3. A statement that payday loans may be limited or prohibited in some states; and\n\nB. Obtain written confirmation from consumers for each consumer credit transaction acknowledging that the consumer has received the required disclosures in Subsection V.A before consummating the consumer credit transaction, and such written confirmation may be delivered via electronic mail or facsimile; and\n\nC. When collecting a debt from consumers, provide consumers, upon oral or written request, no less often than 30 days after any previous request for the same information, a written itemization of amounts paid and amounts due, including a separate written itemization for fees paid and fees due, which may be in the form of a statement delivered to consumers via electronic mail or facsimile.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "VI",
      "title": "Employee Monitoring by Defendants",
      "category": "monitoring",
      "summary": "Defendants must take reasonable steps to monitor and ensure that all employees and independent contractors engaged in extending consumer credit or collecting debts comply with Sections I through V of this Order, including listening to calls, maintaining a customer response center, investigating complaints, and taking corrective action.",
      "verbatim_text": "A. Failing to take reasonable steps sufficient to monitor and ensure that all employees and independent contractors engaged in marketing or extending consumer credit, the collection of debts, or other customer service functions, comply with Sections I through V of this Order. Such steps shall include adequate monitoring of calls with customers, and shall also include, at a minimum, the following: (1) listening to oral representations made by persons engaged in marketing or extending consumer loans and/or the collection of debts, or other customer service functions; (2) providing a customer response center available by toll-free number or by email that will receive and respond to customer complaints and inquiries within a reasonable and specified time period; and (3) ascertaining the number and nature of customer complaints regarding transactions in which each employee or independent contractor is involved; provided that this Section does not authorize or require Defendants to take any steps that violate any federal, state, or local law;\n\nB. Failing to investigate promptly and fully any customer complaint received by any business to which this Section applies; and\n\nC. Failing to take corrective action with respect to any marketing person or debt collector whom Defendants determine is not complying with this Order, which may include training, disciplining, and/or terminating such person.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "VII",
      "title": "Monetary Judgment",
      "category": "affirmative_obligation",
      "summary": "Judgment of $1,000,000 is entered jointly and severally against all Defendants, with $970,125.00 paid to the FTC and $29,875.00 to the State of Nevada within 10 days of entry of this Order, to be used for equitable relief including consumer restitution.",
      "verbatim_text": "A. Judgment is entered against Defendants jointly and severally in the amount of $1 million dollars ($1,000,000.00) (hereafter the \"judgment amount\"). Of the funds collected pursuant to this Section, the Commission shall be paid $970,125.00, and the State of Nevada shall be paid $29,875.00, to reimburse the fees and expenses the State of Nevada expended in its investigation and litigation of this matter. Judgment shall be paid to the Commission and the State of Nevada within ten (10) days of entry of this Order.\n\nB. All funds paid to the Commission pursuant to this Section, other than the funds paid to the State of Nevada, shall be deposited into a fund administered by the Commission or its agent to be used for equitable relief, including but not limited to consumer restitution and any attendant expenses for the administration of any restitution fund. If the Commission determines in its sole discretion that restitution to consumers is wholly or partially impracticable or funds remain after restitution is completed, the Commission may apply any remaining funds for such other equitable relief, including consumer information remedies, as it determines to be reasonably related to the Defendants' practices alleged in the Complaint. Any funds not used for such equitable relief shall be deposited in the United States Treasury as disgorgement. Defendants shall have no right to challenge the Commission's choice of remedies under this Section.\n\n28 U.S.C. § 1961, as amended, shall immediately begin to accrue on the unpaid balance.\n\nD. In accordance with 31 U.S.C. § 7701, each Defendant is hereby required, unless that Defendant has done so already, to furnish to the Commission and the State of Nevada the Defendant's taxpayer identifying number (social security number or employer identification number), which shall be used for purposes of collecting and reporting on any delinquent amount arising out of that Defendant's relationship with the federal government and the State of Nevada.\n\nE. Defendants relinquish all dominion, control, and title to the funds paid to the fullest extent permitted by law. Defendants shall make no claim to or demand return of the funds, directly or indirectly, through counsel or otherwise.\n\nF. Defendants agree that the facts as alleged in the Complaint filed in this action shall be taken as true without further proof in any bankruptcy case or subsequent civil litigation pursued by the Commission or the State of Nevada to enforce their rights to any payment or money judgment pursuant to this Order, including but not limited to a nondischargeability complaint in any bankruptcy case. Defendants further stipulate and agree that the facts alleged in the Complaint establish all elements necessary to sustain an action pursuant to, and that this Order shall have collateral estoppel effect for purposes of, Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A).",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor and investigate compliance with this Order by requiring Defendants to submit written reports, produce documents, appear for depositions, provide access to business locations, and by posing as consumers or suppliers.",
      "verbatim_text": "A. Within ten (10) days of receipt of written notice from a representative of the Commission, Defendants each shall submit additional written reports, which are true and accurate and sworn to under penalty of perjury; produce documents for inspection and copying; appear for deposition; and provide entry during normal business hours to any business location in each Defendant's possession or direct or indirect control to inspect the business operation.\n\nIn addition, the Commission is authorized to use all other lawful means, including but not limited to: 1. obtaining discovery from any person, without further leave of court, using the procedures prescribed by Fed. R. Civ. P. 30, 31, 33, 34, 36, 45, and 69; 2. posing as consumers and suppliers to Defendants, their employees, or any other entity managed or controlled in whole or in part by any Defendant, without the necessity of identification or prior notice; and\n\nC. Defendants each shall permit representatives of the Commission to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "For a period of three years from entry of this Order, Defendants must notify the FTC of changes in residence, employment, business ownership, and corporate structure, and must file annual sworn compliance reports beginning 180 days after entry of the Order.",
      "verbatim_text": "1. Each Individual Defendant shall notify the Commission of the following: a. Any changes in such Individual Defendant's residence, mailing addresses, and telephone numbers, within ten (10) days of the date of such change;\n\nb. Any changes in such Individual Defendant's employment status (including self-employment), and any change in such Individual Defendant's ownership in any business entity, within ten (10) days of the date of such change. Such notice shall include the name and address of each business that such Individual Defendant is affiliated with, employed by, creates or forms, or performs services for; a detailed description of the nature of the business; and a detailed description of such Individual Defendant's duties and responsibilities in connection with the business or employment; and\n\nc. Any changes in such Individual Defendant's name or use of any aliases or fictitious names.\n\nDefendants shall notify the Commission of any changes in structure of any Corporate Defendant or any business entity that any Defendant directly or indirectly controls, or has an ownership interest in, that may affect compliance obligations arising under this Order, including but not limited to: incorporation or other organization; a dissolution, assignment, sale, merger, or other action; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; or a change in the business name or address, at least thirty (30) days prior to such change, provided that, with respect to any proposed change in the business entity about which a Defendant learns less than thirty (30) days prior to the date such action is to take place, such Defendant shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nB. One hundred eighty (180) days after the date of entry of this Order and annually thereafter for a period of three (3) years, Defendants each shall provide a written report to the FTC, which is true and accurate and sworn to under penalty of perjury, setting forth in detail the manner and form in which they have complied and are complying with this Order. This report shall include, but not be limited to: 1. For each Individual Defendant: a. such Individual Defendant's then-current residence address, mailing addresses, and telephone numbers; b. such Individual Defendant's then-current employment status (including self-employment), including the name, addresses, and telephone numbers of each business that such Individual Defendant is affiliated with, employed by, or performs services for; a detailed description of the nature of the business; and a detailed description of such Individual Defendant's duties and responsibilities in connection with the business or employment; and c. Any other changes required to be reported under Subsection A of this Section. 2. For all Defendants: a. A copy of each acknowledgment of receipt of this Order, obtained pursuant to the Section titled \"Distribution of Order;\" and b. Any other changes required to be reported under Subsection A of this Section.\n\nC. Each Defendant shall notify the Commission of the filing of a bankruptcy petition by such Defendant within fifteen (15) days of filing.\n\nD. For the purposes of this Order, Defendants shall, unless otherwise directed by the Commission's authorized representatives, send by overnight courier all reports and notifications required by this Order to the Commission, to the following address: Associate Director for Enforcement Federal Trade Commission 600 Pennsylvania Avenue, N.W., Room NJ-2122 Washington, D.C. 20580 RE: FTC v. Cash Today, et al. Provided that, in lieu of overnight courier, Defendants may send such reports or notifications by first-class mail, but only if Defendants contemporaneously send an electronic version of such report or notification to the Commission at: DEBrief@ftc.gov.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "X",
      "title": "Record Keeping Provisions",
      "category": "recordkeeping",
      "summary": "For a period of six years from entry of this Order, Defendants must create, retain, and secure records relating to consumer credit and debt collection, including accounting records, personnel records, customer files, complaints, marketing materials, and all documents necessary to demonstrate full compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for a period of six (6) years from the date of entry of this Order, in connection with the extension of consumer credit and the collection of a debt from any consumer, Defendants, and their agents, employees, officers, corporations, and those persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, are hereby restrained and enjoined from failing to create, retain, and secure as necessary the following records: A. Accounting records that reflect the monies loaned and collected, revenues generated, and the disbursement of such revenues;\n\nB. Personnel records accurately reflecting the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person's job title or position; the date upon which the person commenced work; and the date and reason for the person's termination, if applicable;\n\nC. Customer files containing the names, addresses, phone numbers, dollar amounts paid, amount of monies loaned and collected, to the extent such information is obtained in the ordinary course of business;\n\nD. Complaints and refund requests (whether received directly, indirectly, or through any third party) and any responses to those complaints or requests;\n\nE. Copies of all sales scripts, training materials, advertisements, or other marketing materials, including copies of Internet web sites and email solicitations;\n\nF. All records and documents necessary to demonstrate full compliance with each provision of this Order, including but not limited to, copies of acknowledgments of receipt of this Order required by the Sections titled \"Distribution of Order\" and \"Acknowledgment of Receipt of Order\" and all reports submitted to the FTC pursuant to the Section titled \"Compliance Reporting.\"",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "XI",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "For a period of three years from entry of this Order, Corporate Defendants must deliver copies of the Order to all principals, officers, employees, agents, and representatives; Individual Defendants who control a business must do the same; and all recipients must sign dated acknowledgments of receipt within 30 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for a period of three (3) years from the date of entry of this Order, Defendants shall deliver copies of the Order as directed below: A. Corporate Defendant: Each Corporate Defendant must deliver a copy of this Order to (1) all of its principals, officers, directors, and managers; (2) all of its employees, agents, and representatives who engage in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure set forth in Subsection A.2 of the Section titled \"Compliance Reporting.\" For current personnel, delivery shall be within five (5) days of service of this Order upon such Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Subsection A.2 of the Section titled \"Compliance Reporting,\" delivery shall be at least ten (10) days prior to the change in structure.\n\nB. Individual Defendant as control person: For any business that an Individual Defendant controls, directly or indirectly, or in which such Defendant has a majority ownership interest, such Defendant must deliver a copy of this Order to (1) all principals, officers, directors, and managers of that business; (2) all employees, agents, and representatives of that business who engage in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure set forth in Subsection A.2 of the Section titled \"Compliance Reporting.\" For current personnel, delivery shall be within five (5) days of service of this Order upon such Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Subsection A.2 of the Section titled \"Compliance Reporting,\" delivery shall be at least ten (10) days prior to the change in structure.\n\nC. Individual Defendant as employee or non-control person: For any business where an Individual Defendant is not a controlling person of a business but otherwise engages in conduct related to the subject matter of this Order, such Defendant must deliver a copy of this Order to all principals and managers of such business before engaging in such conduct.\n\nD. Defendants must secure a signed and dated statement acknowledging receipt of the Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this Section.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "XII",
      "title": "Acknowledgment of Receipt of Order",
      "category": "acknowledgment",
      "summary": "Each Defendant must submit a truthful sworn statement to the Commission acknowledging receipt of this Order within five business days of receipt of the Order as entered by the Court.",
      "verbatim_text": "IT IS FURTHER ORDERED that each Defendant, within five (5) business days of receipt of this Order as entered by the Court, must submit to the Commission a truthful sworn statement acknowledging receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "XIII",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court shall retain jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Financial Practices"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.09_cash_today",
      "company_name": "Cash Today, Ltd.",
      "date_issued": "2009-09-15",
      "year": 2009,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd",
      "docket_number": "CV-S-08-00590"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Privacy Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the privacy and confidentiality of covered information, or its participation in privacy or security compliance programs.",
      "verbatim_text": "A. the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including, but not limited to: (1) the purposes for which it collects and discloses covered information, and (2) the extent to which it makes or has made covered information accessible to third parties.\n\nB. the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.12_myspace",
      "company_name": "MYSPACE LLC",
      "date_issued": "2012-09-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter",
      "docket_number": "C-4369"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive privacy program reasonably designed to address privacy risks and protect the privacy and confidentiality of covered information.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information. Such program, the content and implementation of which must be documented in writing, shall contain privacy controls and procedures appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information, including:\n\nA. the designation of an employee or employees to coordinate and be responsible for the privacy program.\n\nB. the identification of reasonably foreseeable, material risks, both internal and external, that could result in respondent’s unauthorized collection, use, or disclosure of covered information, and an evaluation of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk evaluation should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including training on the requirements of this order, and (2) product design, development, and research.\n\nC. the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk evaluation, and regular testing or monitoring of the effectiveness of those privacy controls and procedures.\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate privacy protections.\n\nE. 
the evaluation and adjustment of respondent’s privacy program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its privacy program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "09.12_myspace",
      "company_name": "MYSPACE LLC",
      "date_issued": "2012-09-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter",
      "docket_number": "C-4369"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Privacy Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial privacy assessments from a qualified, independent third-party professional covering the first 180 days and each two-year period thereafter for 20 years.",
      "verbatim_text": "order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. A person qualified to prepare such Assessments shall have a minimum of three (3) years of experience in the field of privacy and data protection. All persons selected to conduct such Assessments and prepare such reports shall be approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, in his or her sole discretion. Any decision not to approve a person selected to conduct such Assessments shall be accompanied by a writing setting forth in detail the reasons for denying such approval. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific privacy controls that respondent has implemented and maintained during the reporting period; B. explain how such privacy controls are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information; C. explain how the privacy controls that have been implemented meet or exceed the protections required by Part II of this order; and D. certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "09.12_myspace",
      "company_name": "MYSPACE LLC",
      "date_issued": "2012-09-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter",
      "docket_number": "C-4369"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC various records including privacy-related statements, consumer complaints, law enforcement communications, compliance documents, and assessment materials for periods of five years.",
      "verbatim_text": "A. for a period of five (5) years from the date of preparation or dissemination, whichever is later, all widely disseminated statements by respondent or its officers, agents, representatives and employees, that describe the extent to which respondent maintains and protects the privacy, security and confidentiality of any covered information, including, but not limited to, any statement related to a change in any website or service controlled by respondent that relates to the privacy, security, and confidentiality of covered information, with all materials relied upon in making or disseminating such statements;\n\nB. for a period of five (5) years from the date received, all consumer complaints directed at respondent, or forwarded to respondent by a third party, that relate to the conduct prohibited by this order and any responses to such complaints;\n\nC. for a period of five (5) years from the date received, copies of all subpoenas and other communications with law enforcement entities or personnel, if such communications raise issues that relate to respondent’s compliance with the provisions of this order;\n\nD. for a period of five (5) years from the date received, any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nE. for a period of five (5) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.12_myspace",
      "company_name": "MYSPACE LLC",
      "date_issued": "2012-09-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter",
      "docket_number": "C-4369"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future principals, officers, directors, managers, employees with supervisory responsibilities, and any business entity resulting from structural changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to (1) all current and future principals, officers, directors, and managers, (2) all current and future employees, agents, and representatives having supervisory responsibilities relating to the subject matter of this order, and (3) any business entity resulting from any change in structure set forth in Part VI. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.12_myspace",
      "company_name": "MYSPACE LLC",
      "date_issued": "2012-09-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter",
      "docket_number": "C-4369"
    },
    {
      "provision_number": "VI",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the corporation that may affect compliance obligations, including dissolution, merger, bankruptcy, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.12_myspace",
      "company_name": "MYSPACE LLC",
      "date_issued": "2012-09-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter",
      "docket_number": "C-4369"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial compliance report with the Commission within sixty days after service of the order and submit additional reports within ten days of request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after the date of service of this order file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which respondent has complied with this order. Within ten\n\nforth in detail the manner and form in which respondent has complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.12_myspace",
      "company_name": "MYSPACE LLC",
      "date_issued": "2012-09-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter",
      "docket_number": "C-4369"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on August 30, 2032, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on August 30, 2032, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.12_myspace",
      "company_name": "MYSPACE LLC",
      "date_issued": "2012-09-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter",
      "docket_number": "C-4369"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Consumer Control and Notice",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the options through which consumers can exercise control over data collection or the extent to which consumers will receive notice about data practices.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, other device, or an affiliate owned or controlled by respondent, in connection with the advertising, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the\n\nIT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, other device, or an affiliate owned or controlled by respondent, in connection with the advertising, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.15_nomi_technologies",
      "company_name": "Nomi Technologies, Inc.",
      "date_issued": "2015-09-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3251-nomi-technologies-inc-matter",
      "docket_number": "C-4538"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC various records related to compliance, representations, and consumer complaints for specified periods.",
      "verbatim_text": "A. for a period of five (5) years from the date of preparation, any documents, whether prepared by or on behalf of respondent that contradict, qualify, or call into question respondent’s compliance with this order;\n\nB. for a period of five (5) years from the date of preparation or dissemination, whichever is later, all publicly disseminated statements containing any representation covered by this order, as well as all materials used or relied upon in making or disseminating the representation; and\n\nC. for a period of five (5) years from the date received, all consumer complaints directed at respondent, or forwarded to respondent by a third party, that relate to the conduct prohibited by this order and any responses to such complaints.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.15_nomi_technologies",
      "company_name": "Nomi Technologies, Inc.",
      "date_issued": "2015-09-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3251-nomi-technologies-inc-matter",
      "docket_number": "C-4538"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future personnel with relevant responsibilities and obtain signed acknowledgments for 10 years.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for ten (10) years after the date of service of this order, respondent shall deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of this order, and shall secure from each such person a signed and dated statement acknowledging receipt of the order. Respondent shall deliver this order to current personnel and subsidiaries within thirty\n\nthe order. Respondent shall deliver this order to current personnel and subsidiaries within thirty (30) days after the date of service of this order, and to future personnel and subsidiaries within thirty (30) days after the person or subsidiary assumes such position or responsibilities.\n\n(30) days after the date of service of this order, and to future personnel and subsidiaries within thirty (30) days after the person or subsidiary assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.15_nomi_technologies",
      "company_name": "Nomi Technologies, Inc.",
      "date_issued": "2015-09-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3251-nomi-technologies-inc-matter",
      "docket_number": "C-4538"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate changes that may affect compliance obligations under this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.15_nomi_technologies",
      "company_name": "Nomi Technologies, Inc.",
      "date_issued": "2015-09-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3251-nomi-technologies-inc-matter",
      "docket_number": "C-4538"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission detailing compliance with this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of their own compliance with this order. Within ten (10)\n\ndays of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.15_nomi_technologies",
      "company_name": "Nomi Technologies, Inc.",
      "date_issued": "2015-09-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3251-nomi-technologies-inc-matter",
      "docket_number": "C-4538"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on August 28, 2035, or 20 years from the most recent date the U.S. or FTC files a complaint alleging violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on August 28, 2035, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.15_nomi_technologies",
      "company_name": "Nomi Technologies, Inc.",
      "date_issued": "2015-09-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3251-nomi-technologies-inc-matter",
      "docket_number": "C-4538"
    },
    {
      "provision_number": "1",
      "title": "Commission Order on Briefing Limits",
      "category": "affirmative_obligation",
      "summary": "The Commission ordered that Respondent LabMD may not file an opening appeal brief but may file an answering brief not exceeding 21,000 words, and that Complaint Counsel may file a reply brief not exceeding 14,000 words, with specified deadlines.",
      "verbatim_text": "IT IS HEREBY ORDERED THAT while Respondent may not file an opening appeal brief, it may file an answering brief that shall not exceed 21,000 words. Any such answering brief must be filed on or before February 5, 2016; and\n\nIT IS FURTHER ORDERED THAT Complaint Counsel may file a reply brief that shall not exceed 14,000 words. Any such reply brief must be filed on or before February 23, 2016.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.16_labmd",
      "company_name": "LabMD, Inc.",
      "date_issued": "2016-09-15",
      "year": 2016,
      "administration": "Obama",
      "legal_authority": "",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3099-labmd-inc-matter",
      "docket_number": "No. 9357"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from misrepresenting to U.S. consumers any aspect of their data practices, use of engager profiles, authenticity of user profiles, number of actual users, account deletion terms, third-party awards, or participation in privacy/security programs.",
      "verbatim_text": "A. the extent to which Defendants collect, use, or maintain personal information, or 3 Case 1:16-cv-02438 Document 1-9 Filed 12/14/16 Page 4 of 15 protect the privacy, confidentiality, security, or integrity of personal information, including the extent to which consumers may exercise control over the collection, use, or disclosure of personal information;\n\nB. the extent to which Defendants use or display engager profiles;\n\nC. whether the profiles that appear on Defendants’ dating websites or mobile applications were created by Defendants;\n\nD. the number of actual users of Defendants’ dating websites or mobile applications, or actual women users of their dating websites or mobile applications;\n\nE. the terms and conditions for deleting user accounts or profiles;\n\nF. the extent to which Defendants received awards or seals from third parties; or\n\nG. the extent to which Defendants are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy or security program sponsored by a third party.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "II",
      "title": "Mandated Data Security Program",
      "category": "affirmative_obligation",
      "summary": "Defendants must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to their size, complexity, and the sensitivity of personal information collected.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants, must, no later than the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about U.S. consumers of their online dating websites and mobile applications. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Defendants’ size and complexity, the nature and scope of Defendants’ activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be responsible for the information security program;\n\nB. the identification of internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, such as network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. 
the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Defendants, and requiring service providers, by contract, to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by sub-Section C, any material changes to Defendants’ operations or business arrangements, or any other circumstances that Defendants know or have reason to know may have an impact on the effectiveness of the information security program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "III",
      "title": "Data Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Defendants must obtain initial and biennial independent third-party security assessments from a qualified professional (CISSP, CISA, or GIAC-certified), covering the first 180 days and each subsequent 2-year period for 20 years, with each assessment completed within 60 days of the reporting period end.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third- party professional, who uses procedures and standards generally accepted in the profession. A professional qualified to prepare such Assessments must be: an individual qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); an individual holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nB. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for 20 years after issuance of the Order for the biennial Assessments. Each Assessment must:\n\n(1) set forth the specific administrative, technical, and physical safeguards that Defendants have implemented and maintained during the reporting period; (2) explain how such safeguards are appropriate to Defendants’ size and complexity, the nature and scope of Defendants’ activities, and the sensitivity of the personal information collected from or about consumers; (3) explain how the safeguards that have been implemented meet or exceed the protections required by the Section of this Order titled Mandated Data Security Program; and 6 Case 1:16-cv-02438 Document 1-9 Filed 12/14/16 Page 7 of 15 (4) certify that the security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nC. Each Assessment must be completed within sixty (60) days after the end of the\n\nreporting period to which the Assessment applies. 
Defendants must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed.\n\nDefendants must retain all subsequent biennial Assessments, at least until the Order terminates. Defendants must submit any biennial Assessments to the Commission within 10 days of a request from a representative of the Commission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "IV",
      "title": "Monetary Judgment and Partial Suspension",
      "category": "affirmative_obligation",
      "summary": "A judgment of $8,750,000 is entered against Defendants jointly and severally; $828,500 must be paid within 7 days of entry, with additional remittance from a Directors' and Officers' Trust upon its termination; the remainder is suspended subject to conditions regarding truthfulness of financial representations.",
      "verbatim_text": "A. Judgment in the amount of Eight Million, Seven Hundred and Fifty Thousand Dollars ($8,750,000) is entered in favor of the Commission against Defendants, jointly and severally, as equitable monetary relief.\n\n(1) Defendants are ordered to pay to the Commission Eight Hundred and Twenty-Eight Thousand, Five Hundred Dollars ($828,500), which, as Defendants stipulate, their undersigned counsel holds in escrow for no purpose other than payment to the Commission. Such payment must be made within seven (7) days of entry of this Order by electronic fund transfer in accordance with instructions previously provided by a representative of the Commission.\n\n(2) Defendants are ordered to promptly remit to the Commission any funds 7 Case 1:16-cv-02438 Document 1-9 Filed 12/14/16 Page 8 of 15 received from the ALM’s Directors’ and Officers’ Trust (“Trust”) entered into on September 3, 2015, and amended on May 3, 2016, upon termination of the Trust, which can be triggered by the Trust’s Section 7.1(b)(ii) one (1) year after the date on which all liability and maintenance claims made against the Trust’s beneficiaries have been satisfied or resolved.\n\nC. The Commission’s agreement to the suspension of part of the judgment is expressly premised upon the truthfulness, accuracy, and completeness of Defendants’ sworn financial statements and related documents (collectively, “financial representations”) submitted to the Commission, dated September 30, 2016, October 17, 2016, and October 19, 2016. D. The suspension of the judgment will be lifted as to Defendants if, upon motion by the Commission, the Court finds that Defendants failed to disclose any material asset, materially misstated the value of any asset, or made any other material misstatement or omission in the financial representations identified in Subsection IV.C. above.\n\nE. 
If the suspension of the judgment is lifted, the judgment becomes immediately due as to Defendants in the amount specified in Subsection IV.A. above (which the parties stipulate only for purposes of this Section represents the consumer injury alleged in the Complaint), less any payment previously made pursuant to this Section, plus interest computed from the date of entry of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "V",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Defendants relinquish all rights to transferred assets, the Complaint's facts are established as true for future proceedings, and money paid may be used by the Commission for equitable relief including consumer redress.",
      "verbatim_text": "A. Defendants relinquish dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission, including in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. Defendants acknowledge that their Taxpayer Identification Numbers (Employer Identification Numbers) may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.\n\nE. All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for equitable relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other equitable relief (including consumer information remedies) as it determines to be reasonably related to Defendants’ practices alleged in the Complaint. Any money not used for such equitable relief is to be deposited to the U.S. Treasury as disgorgement. 9 Case 1:16-cv-02438 Document 1-9 Filed 12/14/16 Page 10 of 15 Defendants have no right to challenge any actions the Commission or its representatives may take pursuant to this Subsection.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "VI",
      "title": "Customer Information",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from withholding customer information needed for Commission redress administration and from disclosing or misusing personal information obtained prior to entry of this Order, except for current customers in compliance with Section I.",
      "verbatim_text": "A. failing to provide sufficient customer information to enable the Commission to efficiently administer consumer redress. If a representative of the Commission requests in writing any information related to redress, Defendants must provide it, in the form prescribed by the Commission, within fourteen (14) days; and\n\nB. disclosing, using, or benefitting from personal information of their online dating sites or mobile applications, including the name, address, telephone number, email address, social security number, other identifying information, or any data that enables access to a customer’s account (including a credit card, bank account, or other financial account), that Defendants obtained prior to entry of this Order in connection with the advertising, marketing, promoting, offering for sale, or selling of online dating services. Provided, however, that Defendants may use personal information for any current customer if Defendants comply with Section I of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "VII",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Defendants must submit a sworn acknowledgment of receipt of the Order within 7 days, deliver the Order to key personnel and new hires, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Defendants, within seven (7) days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For five (5) years after entry of this Order, Defendants must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives having supervisory responsibilities who participate in conduct related to the subject matters of the Order; and (3) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within seven (7) days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Defendants delivered a copy of this Order, Defendants must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendants must submit a sworn compliance report 1 year after entry, provide sworn notices of material changes within 14 days for 20 years, notify the Commission of any bankruptcy filing within 14 days, and submit all required materials via specified channels.",
      "verbatim_text": "A. One (1) year after entry of this Order, Defendants must submit a compliance report, sworn under penalty of perjury, in which Defendants must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Defendants; (2) identify all of Defendants’ businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services 11 Case 1:16-cv-02438 Document 1-9 Filed 12/14/16 Page 12 of 15 offered, the means of advertising, marketing, and sales; (4) describe in detail whether and how Defendants are in compliance with each Section of this Order; and (5) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For twenty (20) years after entry of this Order, Defendants must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of any entity doing business in the United States that Defendants have any ownership interest in or control directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Defendants must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendants within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 12 Case 1:16-cv-02438 Document 1-9 Filed 12/14/16 Page 13 of 15 Washington, D.C. 20580. The subject line must begin: FTC v. ruby Corp. et al., FTC Matter No. 1523284.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendants must create specified records for 20 years after entry of the Order and retain each record for 5 years, covering accounting, personnel, consumer complaints, compliance documentation, and marketing materials.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records, showing, for each person providing services relating to the subject matters of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. all records necessary to demonstrate full compliance with each Section of this Order, including all submissions to the Commission; and\n\nE. a copy of every materially different advertisement or other marketing material.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "X",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission has broad rights to monitor Defendants' compliance, including demanding reports and documents within 14 days, conducting depositions and discovery, communicating directly with Defendants and their personnel, and using undercover methods.",
      "verbatim_text": "A. Within fourteen (14) days of receipt of a written request from a representative of the Commission, Defendants must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, the Commission is authorized to communicate directly with Defendants. Defendants must permit representatives of the Commission to interview any employee or other person affiliated with Defendants who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Commission may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Defendants or any individual or entity affiliated with Defendants, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "XI",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.17_ashley_madison",
      "company_name": "Ruby Corp.",
      "date_issued": "2017-09-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison",
      "docket_number": "Case 1:16-cv-02438"
    },
    {
      "provision_number": "I",
      "title": "Ban on Marketing Rental Listings",
      "category": "prohibition",
      "summary": "Defendants are permanently banned from advertising, marketing, promoting, offering, or selling subscriptions for or access to rental listing services, with a limited exception for properties Defendants personally own.",
      "verbatim_text": "5 It is ordered that Defendants are permanently restrained and enjoined from 6 advertising, marketing, promoting, offering, selling, or assisting others in 7 advertising, marketing, promoting, offering, or selling, subscriptions for or access 8 to the listing of a dwelling for rent, including a single-family home, townhouse, 9 apartment, or condominium unit.\n\n10 Provided, however, that this Order does not prohibit Defendants from listing 11 properties that any Defendant owns for rent.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.18_apartment_hunters_et_al.",
      "company_name": "Apartment Hunters, Inc.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com",
      "docket_number": "8:18-CV-01636"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Defendants and all persons acting in concert with them are permanently enjoined from misrepresenting any material aspect of any good or service they advertise or sell, including cost, restrictions, performance, refund/cancellation terms, or any other material fact.",
      "verbatim_text": "13 It is further ordered that Defendants, Defendants’ officers, agents, 14 employees, attorneys, and all other persons, in active concert or participation with 15 them, who receive actual notice of this Order, whether acting directly or indirectly, 16 in connection with advertising, marketing, promoting, offering, or selling of any 17 good or service are permanently restrained and enjoined from misrepresenting, or 18 assisting others in misrepresenting, expressly or by implication: the total cost; any 19 material restriction, limitation, or condition; any material aspect of its performance, 20 efficacy, nature, or central characteristics; the nature or terms of a refund or 21 cancellation; or any other material fact.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.18_apartment_hunters_et_al.",
      "company_name": "Apartment Hunters, Inc.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com",
      "docket_number": "8:18-CV-01636"
    },
    {
      "provision_number": "III",
      "title": "Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "A judgment of $6,037,686.99 is entered jointly and severally against all Defendants for equitable monetary relief, to be used for consumer redress or deposited to the U.S. Treasury as disgorgement, with Defendants' taxpayer IDs available for collection purposes.",
      "verbatim_text": "24 A. Judgment in the amount of Six Million Thirty-Seven Thousand Six 25 Hundred Eighty-Six Dollars and Ninety-Nine Cents ($6,037,686.99) is entered in 26 favor of the Commission against Defendants, jointly and severally, as equitable 27 monetary relief.\n\n1 B. All money paid to the Commission pursuant to this Order may be 2 deposited into a fund administered by the Commission or its designee to be used 3 for equitable relief, including consumer redress and any attendant expenses for the 4 administration of any redress fund. If a representative of the Commission decides 5 that direct redress to consumers is wholly or partially impracticable or money 6 remains after redress is completed, the Commission may apply any remaining 7 money for such other equitable relief (including consumer information remedies) 8 as it determines to be reasonably related to Defendants’ practices alleged in the 9 Complaint. Any money not used for such equitable relief is to be deposited to the 10 U.S. Treasury as disgorgement.\n\n11 C. Defendants Taxpayer Identification Numbers (Social Security 12 Numbers or Employer Identification Numbers), which were previously submitted 13 to the Commission, may be used for collecting and reporting on any delinquent 14 amount arising out of this Order, in accordance with 31 U.S.C. §7701.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "09.18_apartment_hunters_et_al.",
      "company_name": "Apartment Hunters, Inc.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com",
      "docket_number": "8:18-CV-01636"
    },
    {
      "provision_number": "IV",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Each Defendant must submit a sworn acknowledgment of receipt of the Order within 7 days, deliver copies of the Order to key personnel within 7 days (or before new personnel assume duties), and obtain signed acknowledgments from recipients within 30 days.",
      "verbatim_text": "18 A. Each Defendant, within 7 days of entry of this Order, must submit to 19 the Commission an acknowledgment of receipt of this Order sworn under penalty 20 of perjury.\n\n21 B. For 20 years after entry of this Order, Kevin Shayan or Steven 22 Shayan, for any business that he, individually or collectively with any other 23 Defendants, is the majority owner, or controls directly or indirectly, and the 24 Corporate Defendants, must deliver a copy of this Order to: (1) all principals, 25 officers, directors, and LLC managers and members; (2) all employees having 26 managerial responsibilities related to approving the content of any Defendant’s 27 website; and (3) any business entity resulting from any change in structure as set 28 forth in the Section titled Compliance Reporting. Delivery must occur within 7 3 Case 8:18-cv-01636-AG-DFM Document 95 Filed 12/06/19 Page 4 of 8 Page ID #:2182 1 days of entry of this Order for current personnel. For all others, delivery must 2 occur before they assume their responsibilities.\n\n3 C. From each individual or entity to which a Defendant delivered a copy 4 of this Order, that Defendant must obtain, within 30 days, a signed and dated 5 acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.18_apartment_hunters_et_al.",
      "company_name": "Apartment Hunters, Inc.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com",
      "docket_number": "8:18-CV-01636"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendants must submit a sworn compliance report one year after entry of the Order and sworn compliance notices within 14 days of specified changes for 20 years; must also report bankruptcy filings within 14 days, and must submit reports via specified methods.",
      "verbatim_text": "9 A. One year after entry of this Order, each Defendant must submit a 10 compliance report, sworn under penalty of perjury. 11 1. Each Defendant must: 12 a) Identify the primary physical, postal, and email address 13 and telephone number, as designated points of contact, 14 which representatives of the Commission may use to 15 communicate with that Defendant; 16 b) Identify all of that Defendant’s businesses by all of their 17 names, telephone numbers, and physical, postal, email, 18 and Internet addresses; 19 c) Describe the activities of each business, including the 20 goods and services offered, the means of advertising, 21 marketing, and sales, and the involvement of any other 22 Defendant (which Kevin Shayan or Steven Shayan must 23 describe if he knows or should know due to his own 24 involvement); 25 d) Identify all websites owned or operated, directly or 26 indirectly, by that Defendant; 27 e) Describe in detail whether and how that Defendant is in 28 compliance with each Section of this Order; and 4 Case 8:18-cv-01636-AG-DFM Document 95 Filed 12/06/19 Page 5 of 8 Page ID #:2183 1 f) Provide a copy of each Order Acknowledgment obtained 2 pursuant to this Order, unless previously submitted to the 3 Commission.\n\n4 2. Additionally, Kevin Shayan and Steven Shayan must each: 5 a) Identify all of his telephone numbers and all physical, 6 postal, email and Internet addresses, including all 7 residences; 8 b) Identify all of his business activities, including any 9 business for which he performs services whether as an 10 employee or otherwise and any entity in which he has 11 any ownership interest; and 12 c) Describe in detail his involvement in each such business, 13 including title, role, responsibilities, participation, 14 authority, control, and any ownership.\n\n15 B. 
For 20 years after entry of this Order, each Defendant must submit a 16 compliance notice, sworn under penalty of perjury, within 14 days of any change 17 in the following: 18 1. Each Defendant must report any change in: 19 a) Any designated point of contact; or 20 b) The structure of the Corporate Defendants or any entity 21 that Defendant has any ownership interest in or controls 22 directly or indirectly that may affect compliance 23 obligations arising under this Order, including: creation, 24 merger, sale, or dissolution of the entity or any 25 subsidiary, parent, or affiliate that engages in any acts or 26 practices subject to this Order.\n\n27 2. Additionally, Kevin Shayan and Steven Shayan must each 28 report any change in: 5 Case 8:18-cv-01636-AG-DFM Document 95 Filed 12/06/19 Page 6 of 8 Page ID #:2184 1 a) His name, including aliases or fictitious name, or 2 residence address; or 3 b) His title or role in any business activity, including any 4 business for which he performs services whether as an 5 employee or otherwise and any entity in which he has 6 any ownership interest, and identify the name, physical 7 address, and any Internet address of the business or 8 entity.\n\n9 C. Each Defendant must submit to the Commission notice of the filing of 10 any bankruptcy petition, insolvency proceeding, or similar proceeding by or 11 against him within 14 days of its filing.\n\n12 D. Any submission to the Commission required by this Order to be 13 sworn under penalty of perjury must be true and accurate and comply with 28 14 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under 15 the laws of the United States of America that the foregoing is true and correct. 16 Executed on: _____” and supplying the date, signatory’s full name, title (if 17 applicable), and signature.\n\n18 E. 
Unless otherwise directed by a Commission representative in writing, 19 all submissions to the Commission pursuant to this Order must be emailed to 20 DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: 21 Associate Director for Enforcement, Bureau of Consumer Protection, Federal 22 Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The 23 subject line must begin: FTC v. Apartment Hunters, Inc.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.18_apartment_hunters_et_al.",
      "company_name": "Apartment Hunters, Inc.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com",
      "docket_number": "8:18-CV-01636"
    },
    {
      "provision_number": "VI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendants must create certain records for 20 years after entry of the Order and retain each record for 5 years, covering accounting records, personnel records, and all records demonstrating full compliance with the Order.",
      "verbatim_text": "3 A. Accounting records showing the revenues from all goods or services 4 sold.\n\n5 B. Personnel records showing, for each person providing services, 6 whether as an employee or otherwise, that person’s: name, addresses, telephone 7 numbers, job title or position, dates of service, and (if applicable) the reason for 8 termination.\n\n9 C. All records necessary to demonstrate full compliance with each 10 provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.18_apartment_hunters_et_al.",
      "company_name": "Apartment Hunters, Inc.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com",
      "docket_number": "8:18-CV-01636"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC has broad authority to monitor compliance, including requesting sworn reports and documents within 14 days, conducting depositions, interviewing affiliated persons, and using undercover methods without prior notice.",
      "verbatim_text": "14 A. Within 14 days of receipt of a written request from a representative of 15 the Commission, Defendants must: submit additional compliance reports or other 16 requested information, which must be sworn under penalty of perjury; appear for 17 depositions; and produce documents for inspection and copying. The Commission 18 is also authorized to obtain discovery, without further leave of court, using any of 19 the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including 20 telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\n21 B. For matters concerning this Order, the Commission is authorized to 22 communicate directly with each Defendant. Defendants must permit 23 representatives of the Commission to interview any employee or other person 24 affiliated with any Defendant who has agreed to such an interview. The person 25 interviewed may have counsel present.\n\n26 C. The Commission may use all other lawful means, including posing, 27 through its representatives as consumers, suppliers, or other individuals or entities, 28 to Defendants or any individual or entity affiliated with Defendants, without the 7 Case 8:18-cv-01636-AG-DFM Document 95 Filed 12/06/19 Page 8 of 8 Page ID #:2186 1 necessity of identification or prior notice. Nothing in this Order limits the 2 Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of 3 the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.18_apartment_hunters_et_al.",
      "company_name": "Apartment Hunters, Inc.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com",
      "docket_number": "8:18-CV-01636"
    },
    {
      "provision_number": "VIII",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "5 It is further ordered that this Court retains jurisdiction of this matter for 6 purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.18_apartment_hunters_et_al.",
      "company_name": "Apartment Hunters, Inc.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com",
      "docket_number": "8:18-CV-01636"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security and Privacy",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner the extent to which they protect the privacy, confidentiality, security, or integrity of Personal Information, including representations about collection/use/sharing, consumer control, and security procedures.",
      "verbatim_text": "IT IS ORDERED that Respondents and Respondents’ officers, agents, representatives, employees, and all persons in active concert or participation with any of them, who receive notice of this order, whether acting, directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication the extent to which they protect the privacy, confidentiality, security, or integrity of any Personal Information, including:\n\nA. the extent to which they collect, use, share, or disclose any Personal Information;\n\nB. the extent to which consumers may exercise control over the collection, use, or disclosure of Personal Information; and\n\nC. the extent to which they implement physical, electronic, and managerial security procedures to protect Personal Information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.18_blu_products_and_samuel_ohev-zion",
      "company_name": "BLU PRODUCTS, INC.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter",
      "docket_number": "C-4657"
    },
    {
      "provision_number": "II",
      "title": "Mandated Data Security Program",
      "category": "affirmative_obligation",
      "summary": "Corporate Respondent and any business Individual Respondent controls must establish, implement, and maintain a comprehensive written Information Security Program designed to address security risks to Covered Devices and protect the security, confidentiality, and integrity of Personal Information.",
      "verbatim_text": "IT IS FURTHER ORDERED that Corporate Respondent, and any business that Individual Respondent controls, directly or indirectly, and that collects, maintains, or stores Personal Information, must, no later than the effective date of this order, establish and implement, and thereafter maintain, a comprehensive security program (“Information Security Program”) that is reasonably designed to (1) address security risks related to the development and management of new and existing Covered Devices, and (2) protect the security, confidentiality, and integrity of Personal Information. Such program, the content and implementation of which must be fully documented in writing, must contain administrative, technical, and physical safeguards appropriate to Respondents’ size and complexity, the nature and scope of Respondents’ activities, and the sensitivity of the Covered Device’s function or the Personal Information, including:\n\nA. The designation of an employee or employees to coordinate and be responsible for the Information Security Program;\n\nB. The identification of material internal and external risks to the security of Covered Devices that could result in unauthorized access to or unauthorized modification of a Covered Device, and assessment of the sufficiency of any safeguards in place to control these risks;\n\nC. The identification of material internal and external risks to the security, confidentiality, and integrity of Personal Information that could result in the unintentional exposure of such information or the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks;\n\nD. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, including through reasonable and appropriate software security techniques;\n\nE. 
Regular monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nF. The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding Personal Information they receive from Respondents, and requiring such service providers, by contract, to implement and maintain appropriate safeguards; and\n\nG. The evaluation and adjustment of the Information Security Program in light of sub-provisions E-F, any changes to Respondents’ operations or business arrangements, or any other circumstances that Respondents know or have reason to know may have an impact on the effectiveness of the Information Security Program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "09.18_blu_products_and_samuel_ohev-zion",
      "company_name": "BLU PRODUCTS, INC.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter",
      "docket_number": "C-4657"
    },
    {
      "provision_number": "III",
      "title": "Data Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial third-party security assessments from a qualified, independent professional, covering compliance with the Information Security Program requirements, and submit or retain them as specified.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. A professional qualified to prepare such Assessments must be: a person qualified as a Certified Secure Software Lifecycle Professional (CSSLP) with experience programming secure Internet-accessible consumer-grade devices; or as a Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and in programming secure Internet-accessible consumer-grade devices; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection.\n\nB. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment, and (2) each 2-year period thereafter for 20 years after issuance of the Order for the biennial Assessments.\n\nC. Each Assessment must: 1. Set forth the administrative, technical, and physical safeguards that Respondents have implemented and maintained during the reporting period; 2. Explain how such safeguards are appropriate to Respondents’ size and complexity, the nature and scope of Respondents’ activities, and the sensitivity of the Covered Device’s function or the Personal Information; 3. Explain how the safeguards that have been implemented meet or exceed the protections required by the Provision of this Order titled Mandated Data Security Program; and 4. Certify that Respondents’ security program is operating with sufficient effectiveness to provide reasonable assurance that the security of Covered Devices and the privacy, security, confidentiality, and integrity of Personal Information is protected and has so operated throughout the reporting period.\n\nD. 
Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. Respondents must submit the initial Assessment to the Commission within 10 days after the Assessment has been completed. Respondents must retain all subsequent biennial Assessments, at least until the Order terminates. Respondents must submit any biennial Assessments to the Commission within 10 days of a request from a representative of the Commission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "09.18_blu_products_and_samuel_ohev-zion",
      "company_name": "BLU PRODUCTS, INC.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter",
      "docket_number": "C-4657"
    },
    {
      "provision_number": "IV",
      "title": "Notice and Affirmative Express Consent",
      "category": "affirmative_obligation",
      "summary": "Prior to collecting or disclosing any Covered Information, Respondents must clearly and conspicuously disclose the categories of information collected, identity of third-party recipients, and all purposes for collection/use/sharing, and must obtain the consumer's affirmative express consent.",
      "verbatim_text": "product or service, prior to collecting or disclosing any Covered Information, must: A. clearly and conspicuously disclose to the consumer, separate and apart from any “privacy policy,” “terms of use” page, or similar document: (1) the categories of Covered Information that Respondents collect, use, or share; (2) the identity of any third parties that receive any Covered Information; and (3) all purposes for Respondents’ collection, use, or sharing of the Covered Information; and\n\nB. obtain the consumer’s affirmative express consent.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.18_blu_products_and_samuel_ohev-zion",
      "company_name": "BLU PRODUCTS, INC.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter",
      "docket_number": "C-4657"
    },
    {
      "provision_number": "V",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Each Respondent must submit a sworn acknowledgment of receipt of the Order to the Commission within 10 days, deliver copies of the Order to relevant personnel and new business entities, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Each Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after the issuance date of this Order, Individual Respondent for any business that participates in the marketing or sale of Covered Devices (or similar devices) and that such Respondent, individually or collectively with any other Respondents, is the majority owner or controls directly or indirectly, and the Corporate Respondent, must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC members and managers; (2) all employees, agents, and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.18_blu_products_and_samuel_ohev-zion",
      "company_name": "BLU PRODUCTS, INC.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter",
      "docket_number": "C-4657"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit annual compliance reports and timely notices of material changes (including structural changes, personnel changes for Individual Respondent, and bankruptcy filings) to the Commission, all sworn under penalty of perjury.",
      "verbatim_text": "A. One year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Corporate Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, and the means of advertising, marketing, and sales and the involvement of any other Respondent (which Individual Respondent must describe if he knows or should know due to his own involvement); (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\n2. Additionally, Individual Respondent must: (a) identify all his telephone numbers and all his physical, postal, email and Internet addresses, including all residences; (b) identify all his business activities, including any business for which such Respondent performs services whether as an employee or otherwise and any entity in which such Respondent has any ownership interest; and (c) describe in detail such Respondent’s involvement in each such business activity, including title, role, responsibilities, participation, authority, control, and any ownership.\n\nB. Each Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: 1. 
Each Respondent must submit notice of any change in: (a) any designated point of contact; or (b) the structure of any Corporate Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\n2. Additionally, Individual Respondent must submit notice of any change in: (a) name, including alias or fictitious name, or residence address; or (b) title or role in any business activity, including (i) any business for which such Respondent performs services whether as an employee or otherwise and (ii) any entity in which such Respondent has any ownership interest and over which Respondent has direct or indirect control. For each such business activity, also identify its name, physical address, and any Internet address.\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. 
The subject line must begin: In re BLU Products, Inc.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.18_blu_products_and_samuel_ohev-zion",
      "company_name": "BLU PRODUCTS, INC.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter",
      "docket_number": "C-4657"
    },
    {
      "provision_number": "VII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create and retain specified records for 20 years after issuance (retaining each for at least 5 years), including accounting records, personnel records, consumer complaints, compliance records, representations about Personal Information, law enforcement communications, and assessment materials.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission;\n\nE. A copy of each widely disseminated representation by Respondents that describes the extent to which it uses or maintains any Personal Information, or protects the privacy, confidentiality, security, or integrity of any Personal Information and the extent to which consumers may exercise control over the collection, use, or disclosure of Personal Information; and\n\nF. For 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such communication relate to Respondents’ compliance with this Order.\n\nG. For 5 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondents’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.18_blu_products_and_samuel_ohev-zion",
      "company_name": "BLU PRODUCTS, INC.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter",
      "docket_number": "C-4657"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondents' compliance by requesting additional reports and records, communicating directly with and interviewing Respondent-affiliated persons, and using any other lawful means including undercover investigation.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, each Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with each Respondent. Respondents must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.18_blu_products_and_samuel_ohev-zion",
      "company_name": "BLU PRODUCTS, INC.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter",
      "docket_number": "C-4657"
    },
    {
      "provision_number": "IX",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order becomes final and effective upon publication on ftc.gov and terminates on September 6, 2038, or 20 years from the most recent date the Commission files a complaint alleging any violation of this Order in federal court, whichever comes later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order will be final and effective date upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on September 6, 2038, or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.18_blu_products_and_samuel_ohev-zion",
      "company_name": "BLU PRODUCTS, INC.",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter",
      "docket_number": "C-4657"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Fake Documents",
      "category": "prohibition",
      "summary": "Defendants are permanently prohibited from advertising, marketing, promoting, offering for sale, or assisting others in doing so with any Fake Document or any service, template, or mechanism for creating one.",
      "verbatim_text": "IT IS ORDERED that Defendants are permanently restrained and enjoined from advertising, marketing, promoting, or offering for sale, or assisting in the advertising, marketing, promoting, or offering for sale any Fake Document or any service, template, or mechanism for creating any Fake Document.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.18_integrated_flight_solutions",
      "company_name": "Integrated Flight Solutions LLC",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al",
      "docket_number": "3:18-cv-1658"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Providing Means and Instrumentalities to Deceive Consumers",
      "category": "prohibition",
      "summary": "Defendants and those acting in concert with them are permanently prohibited from providing others the means to make material misrepresentations about a person's identity, residency, finances, taxes, or employment, or about the authenticity of related documents.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants, Defendants’ officers, agents, employees and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are permanently restrained and enjoined from providing to others the means and instrumentalities with which to make, expressly or by implication, any statement or representation of material fact that misrepresents: A. any person’s identity, residency, finances, taxes, or employment; or\n\nB. the source, provenance, authenticity, or accuracy of any document related to identity, residency, finances, taxes, or employment.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.18_integrated_flight_solutions",
      "company_name": "Integrated Flight Solutions LLC",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al",
      "docket_number": "3:18-cv-1658"
    },
    {
      "provision_number": "III",
      "title": "Monetary Judgment and Suspension",
      "category": "affirmative_obligation",
      "summary": "A $15,000 monetary judgment is entered jointly and severally against Defendants, but is suspended based on the truthfulness of their sworn financial statements; the suspension will be lifted if material misstatements are found.",
      "verbatim_text": "A. Judgment in the amount of Fifteen Thousand Dollars ($15,000) is entered in favor of the Commission against Defendants, jointly and severally, as equitable monetary relief.\n\nB. The judgment is suspended subject to the Subsections below. C. The Commission’s agreement to the suspension of the judgment is premised upon the truthfulness, accuracy, and completeness of Defendants’ sworn financial statements and related documents (collectively, “financial representations”) submitted to the Commission, namely: 1. The Financial Statement of Individual Defendant Steven Simmons signed on February 19, 2018, including the attachments; 2. The Financial Statement of Corporate Defendant Integrated Flight Solutions LLC signed by Steven Simmons, Owner and CEO, on February 16, 2018, including the attachments.\n\nD. The suspension of the judgment will be lifted as to any Defendant if, upon motion by the Commission, the Court finds that Defendant failed to disclose any material asset, materially misstated the value of any asset, or made any other material misstatement or omission in the financial representations identified above.\n\nE. If the suspension of the judgment is lifted, the judgment becomes immediately due as to that Defendant in the amount specified in Subsection A. above (which the parties stipulate only for purposes of this Section represents the unjust enrichment alleged in the Complaint), plus interested computed from the date of entry of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "09.18_integrated_flight_solutions",
      "company_name": "Integrated Flight Solutions LLC",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al",
      "docket_number": "3:18-cv-1658"
    },
    {
      "provision_number": "IV",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Defendants relinquish all rights to assets transferred under the Order; complaint facts are taken as true in future proceedings; Taxpayer Identification Numbers may be used for collecting delinquent amounts; and payments may be used for consumer redress or deposited to the U.S. Treasury.",
      "verbatim_text": "A. Defendants relinquish dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission, including in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain and action by the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. Defendants acknowledge that their Taxpayer Identification Numbers (Social Security Numbers or Employer Identification Numbers), which Defendants previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. §7701.\n\nE. All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for equitable relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other equitable relief (including consumer information remedies) as it determines to be reasonably related to Defendants’ practices alleged in the Complaint. Any money not used for such equitable relief is to be deposited to the U.S. Treasury as disgorgement. Defendants have no right to challenge any actions the Commission or its representatives may take pursuant to this Subsection.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "09.18_integrated_flight_solutions",
      "company_name": "Integrated Flight Solutions LLC",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al",
      "docket_number": "3:18-cv-1658"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Each Defendant must personally acknowledge receipt of the Order within 7 days, deliver copies to relevant personnel within 7 days (and to future personnel before they assume responsibilities), and obtain signed acknowledgments from recipients within 30 days.",
      "verbatim_text": "A. Each Defendant, within 7 days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 5 years after entry of this Order, each Individual Defendant for any business that such Defendant, individually or collectively with any other Defendants, is the majority owner or controls directly or indirectly, and each Corporate Defendant, must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within 7 days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Defendant delivered a copy of this Order, that Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.18_integrated_flight_solutions",
      "company_name": "Integrated Flight Solutions LLC",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al",
      "docket_number": "3:18-cv-1658"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendants must submit an annual compliance report one year after entry of the Order, notify the Commission of material changes within 14 days for 20 years, report any bankruptcy filing within 14 days, and comply with specified submission procedures.",
      "verbatim_text": "A. One year after entry of this Order, each Defendant must submit a compliance report, sworn under penalty of perjury: 1. Each Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Defendant; (b) identify all of that Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales, and the involvement of any other Defendant (which Individual Defendants must describe if they know or should know due to their own involvement); (d) describe in detail whether and how that Defendant is in compliance with each Section of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.\n\n2. Additionally, each Individual Defendant must: (a) identify all telephone numbers and all physical, postal, email and Internet addresses, including all residences; (b) identify all business activities, including any business for which such Defendant performs services whether as an employee or otherwise and any entity in which such Defendant has any ownership interest; and (c)describe in detail Defendant’s involvement in each such business, including title, role, responsibilities, participation, authority, control, and any ownership.\n\nB. For 20 years after entry of this Order, each Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: 1. Each Defendant must report any change in: (a) any designated point of contact; or (b) the structure of any Corporate Defendant or any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\n2. Additionally, each Individual Defendant must report any change in: (a) name, including aliases of fictitious name or residence address; or (b) title or role in any business activity, including any business for which such Defendant performs services whether as an employee or otherwise and any entity in which such Defendant has any ownership interest, and identify the name, physical address, and any Internet address of the business or entity.\n\nC. Each Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Defendant within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue N.W., Washington, DC 20580. The subject line must begin: FTC v. Integrated Flight Solutions, LLC, FTC Matter No. 1723151.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.18_integrated_flight_solutions",
      "company_name": "Integrated Flight Solutions LLC",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al",
      "docket_number": "3:18-cv-1658"
    },
    {
      "provision_number": "VII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendants must create certain records for 20 years and retain each for 5 years, covering accounting records, personnel records, consumer complaints and refund requests, and all records necessary to demonstrate full compliance with the Order.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response; and\n\nD. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.18_integrated_flight_solutions",
      "company_name": "Integrated Flight Solutions LLC",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al",
      "docket_number": "3:18-cv-1658"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC retains broad rights to monitor Defendants' compliance, including requesting additional reports, conducting depositions, obtaining discovery, interviewing employees, posing undercover, and obtaining consumer reports.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission, each Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, the Commission is authorized to communicate directly with each Defendant. Defendant must permit representatives of the Commission to interview any employee or other person affiliated with any Defendant who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Commission may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Defendants or any individual or entity affiliated with Defendants, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.\n\nD. Upon written request from a representative of the Commission, any consumer reporting agency must furnish consumer reports concerning Individual Defendant, pursuant to Section 604(1) of the Fair Credit Reporting Act, 15 U.S.C. §1681b(a)(1).",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.18_integrated_flight_solutions",
      "company_name": "Integrated Flight Solutions LLC",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al",
      "docket_number": "3:18-cv-1658"
    },
    {
      "provision_number": "IX",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.18_integrated_flight_solutions",
      "company_name": "Integrated Flight Solutions LLC",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al",
      "docket_number": "3:18-cv-1658"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Fake Documents",
      "category": "prohibition",
      "summary": "Defendant is permanently restrained and enjoined from advertising, marketing, promoting, or offering for sale any Fake Document or any service, template, or mechanism for creating any Fake Document.",
      "verbatim_text": "IT IS ORDERED that Defendant is permanently restrained and enjoined from advertising, marketing, promoting, or offering for sale, or assisting in the advertising, marketing, promoting, or offering for sale any Fake Document or any service, template, or mechanism for creating any Fake Document.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.18_katrina_moore",
      "company_name": "Innovative Paycheck Solutions",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore",
      "docket_number": "5:18-cv-01960"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Providing Means and Instrumentalities to Deceive Consumers",
      "category": "prohibition",
      "summary": "Defendant and all persons acting in concert with her are permanently prohibited from providing others the means to make misrepresentations about any person's identity, residency, finances, taxes, or employment, or the source/authenticity of related documents.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are permanently restrained and enjoined from providing to others the means and instrumentalities with which to make, expressly or by implication, any statement or representation of material fact that misrepresents: A. any person’s identity, residency, finances, taxes, or employment; or B. the source, provenance, authenticity, or accuracy of any document related to identity, residency, finances, taxes, or employment.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.18_katrina_moore",
      "company_name": "Innovative Paycheck Solutions",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore",
      "docket_number": "5:18-cv-01960"
    },
    {
      "provision_number": "III",
      "title": "Monetary Judgment",
      "category": "affirmative_obligation",
      "summary": "A $169,000 monetary judgment is entered against Defendant but suspended based on the truthfulness of her financial representations; if those representations are found to be false, the full judgment becomes immediately due.",
      "verbatim_text": "A. Judgment in the amount of one hundred sixty-nine thousand Dollars ($169,000) is entered in favor of the Commission against Defendant as equitable monetary relief.\n\nB. The judgment is suspended subject to the Subsections below. C. The Commission’s agreement to the suspension of the judgment is expressly premised upon the truthfulness, accuracy, and completeness of Defendants’ sworn financial statements and related documents (collectively, “financial representations”) submitted to the Commission, namely: 1. the Financial Statement of Defendant Katrina Moore signed on April 1, 2018, including the attachments; and 2. the additional documentation submitted by Defendant’s counsel Eric Anderson, which is described in the April 12, 2018, letter from Commission counsel Katherine White to Defendant’s counsel Eric Anderson.\n\nD. The suspension of the judgment will be lifted as to Defendant if, upon motion by the Commission, the Court finds that Defendant failed to disclose any material asset, materially misstated the value of any asset, or made any other material misstatement or omission in the financial representations identified above.\n\nE. If the suspension of the judgment is lifted, the judgment becomes immediately due as to Defendant in the amount specified in Subsection A. above (which the parties stipulate only for purposes of this Section represents the unjust enrichment alleged in the Complaint), less any payment previously made pursuant to this Section, plus interest computed from the date of entry of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "09.18_katrina_moore",
      "company_name": "Innovative Paycheck Solutions",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore",
      "docket_number": "5:18-cv-01960"
    },
    {
      "provision_number": "IV",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Defendant relinquishes all rights to transferred assets, the Complaint facts are taken as true in subsequent litigation, Defendant acknowledges use of her tax ID numbers for collecting delinquent amounts, and all money paid to the Commission may be used for equitable relief or deposited to the U.S. Treasury.",
      "verbatim_text": "A. Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission, including in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain and action by the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. Defendant acknowledges that her Taxpayer Identification Numbers (Social Security Numbers or Employer Identification Numbers), which Defendant previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. §7701.\n\nE. All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for equitable relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other equitable relief (including consumer information remedies) as it determines to be reasonably related to Defendant’s practices alleged in the Complaint. Any money not used for such equitable relief is to be deposited to the U.S. Treasury as disgorgement. Defendant has no right to challenge any actions the Commission or its representatives may take pursuant to this Subsection.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "09.18_katrina_moore",
      "company_name": "Innovative Paycheck Solutions",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore",
      "docket_number": "5:18-cv-01960"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Defendant must personally acknowledge receipt of the Order under penalty of perjury within 7 days, deliver copies to relevant personnel within specified timeframes for 5 years, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Defendant, within 7 days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 5 years after entry of this Order, Defendant for any business that Defendant is the majority owner or controls directly or indirectly, must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within 7 days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.18_katrina_moore",
      "company_name": "Innovative Paycheck Solutions",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore",
      "docket_number": "5:18-cv-01960"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendant must submit a sworn annual compliance report one year after entry and notify the Commission within 14 days of specified changes for 20 years; Defendant must also notify the Commission of any bankruptcy filing within 14 days, and all submissions must follow specified format and delivery requirements.",
      "verbatim_text": "A. One year after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury, Defendant must: 1. identify all telephone numbers and all physical, postal, email and Internet addresses, including all residences; 2. identify all business activities, including any business for which Defendant performs services whether as an employee or otherwise and any entity in which Defendant has any ownership interest; 3. describe in detail Defendant’s involvement in each such business, including title, role, responsibilities, participation, authority, control, and any ownership; 4. identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Defendant; 5. identify all of Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; 6. describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; 7. describe in detail whether and how Defendant is in compliance with each Section of this Order; and 8. provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For 20 years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: 1. name, including aliases or fictitious name, or residence address; 2. title or role in any business activity, including any business for which Defendant performs services whether as an employee or otherwise and any entity in which Defendant has any ownership interest, and identify the name, physical address, and any Internet address of the business or entity; 3. any designated point of contact; or 4. the structure of any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendant within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue N.W., Washington, DC 20580. The subject line must begin: FTC v. Katrina Moore, FTC Matter No. 1723111.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.18_katrina_moore",
      "company_name": "Innovative Paycheck Solutions",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore",
      "docket_number": "5:18-cv-01960"
    },
    {
      "provision_number": "VII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendant must create certain records for 20 years after entry of the Order and retain each such record for 5 years, covering accounting records, personnel records, consumer complaints and refund requests, and all records necessary to demonstrate full compliance with the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant must create certain records for 20 years after entry of the Order, and retain each such record for 5 years. Specifically, Defendant for any business that Defendant is a majority owner or controls directly or indirectly, must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response; and\n\nD. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.18_katrina_moore",
      "company_name": "Innovative Paycheck Solutions",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore",
      "docket_number": "5:18-cv-01960"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Defendant's compliance through additional reports, depositions, document production, direct communications, interviews of affiliated persons, undercover methods, and consumer reporting agency records.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the 23 24 Commission, Defendant must: submit additional compliance reports or other 25 requested information, which must be sworn under penalty of perjury; appear for 26 depositions; and produce documents for inspection and copying. The Commission 27 28 STIPULATED ORDER PAGE 11 Case 5:18-cv-01960-MWF-SP Document 8 Filed 09/17/18 Page 12 of 14 Page ID #:63 1 is also authorized to obtain discovery, without further leave of court, using any of 2 the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including 3 telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\n5 B. For matters concerning this Order, the Commission is authorized to 6 communicate directly with Defendant. Defendant must permit representatives of 7 the Commission to interview any employee or other person affiliated with 8 9 Defendant who has agreed to such an interview. The person interviewed may have 10 counsel present.\n\nC. The Commission may use all other lawful means, including posing, through 12 13 its representatives as consumers, suppliers, or other individuals or entities, to 14 Defendant or any individual or entity affiliated with Defendants, without the 15 necessity of identification or prior notice. Nothing in this Order limits the 16 17 Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of 18 the FTC Act, 15 U.S.C. §§ 49, 57b-1.\n\nD. Upon written request from a representative of the Commission, any 20 21 consumer reporting agency must furnish consumer reports concerning Defendant, 22 pursuant to Section 604(1) of the Fair Credit Reporting Act, 15 U.S.C. 23 24 §1681b(a)(1).",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.18_katrina_moore",
      "company_name": "Innovative Paycheck Solutions",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore",
      "docket_number": "5:18-cv-01960"
    },
    {
      "provision_number": "IX",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court retains jurisdiction of this 3 matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.18_katrina_moore",
      "company_name": "Innovative Paycheck Solutions",
      "date_issued": "2018-09-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore",
      "docket_number": "5:18-cv-01960"
    },
    {
      "provision_number": "I",
      "title": "Prohibition on Dissemination of Intimate Images and Personal Information Posted Without Consent",
      "category": "prohibition",
      "summary": "Defendant is permanently enjoined from disseminating Intimate Images or Personal Information through a website or online service without providing clear and conspicuous notice to each depicted individual and obtaining their verifiable affirmative express written consent, including the right to revoke consent at any time.",
      "verbatim_text": "IT IS ORDERED that Defendant, whether acting directly or indirectly, in connection 4 5 with the advertising, marketing, promoting, distributing, offering for sale, or sale of any good 6 or service, is permanently restrained and enjoined from disseminating, through a website or 7 online service, Intimate Image(s) or Personal Information without: 8 A. A clear and conspicuous notice, and not as part of a “privacy policy,” “terms of use,” or 9 similar document posted on a website or online service, directly to each individual 10 depicted in the Intimate Image, that Defendant will disseminate the Intimate Image and 11 Personal Information through a website or online service; and\n\n13 B. obtaining verifiable affirmative express consent in writing directly from each individual 14 depicted in the Intimate Image prior to dissemination and also provide each individual 15 the right to revoke consent at any time.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "II",
      "title": "Disposition of Personal Information and Intimate Images",
      "category": "prohibition",
      "summary": "Defendant is permanently enjoined from selling, using, or otherwise benefitting from Personal Information or Intimate Images obtained without written consent, and must destroy all such material in his possession within 30 days of entry of this Order, except as required by law or government agency request.",
      "verbatim_text": "A. selling, renting, leasing, disclosing, using, transferring, or otherwise benefitting from 21 Personal Information or Intimate Images obtained without verifiable affirmative express 22 consent in writing; and\n\nB. failing to destroy such Personal Information or Intimate Images in all forms in 24 25 Defendant’s possession, custody, or control within 30 days after entry of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition",
        "Data Deletion"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "III",
      "title": "Prohibition on Charging Takedown Fees",
      "category": "prohibition",
      "summary": "Defendant is permanently enjoined from charging any consumer any fee related to removing or taking down Personal Information or Intimate Images from any website, whether directly or through an intermediary.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendant is permanently restrained and enjoined from 6 charging or assisting in charging any consumer any fee related to taking down or removing 7 8 Personal Information or Intimate Images from any website, whether directly or through an 9 intermediary.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "IV",
      "title": "Additional Conduct Prohibitions",
      "category": "prohibition",
      "summary": "Defendant is permanently enjoined from setting up merchant processing accounts for any business entity unless he actually controls or has knowledge of its daily operations, and from serving as an officer, director, or manager of any entity unless he actually controls or has knowledge of its ordinary operations.",
      "verbatim_text": "A. Setting up or facilitating merchant processing accounts for any business entity, unless 14 Defendant actually controls, participates in, or has knowledge of the daily operations of that 15 16 entity; and\n\n17 B. Serving as an officer, director, or manager of any business entity, unless Defendant 18 actually controls, participates in, or has knowledge of the ordinary operations of that entity.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "V",
      "title": "Monetary Judgment and Partial Suspension",
      "category": "affirmative_obligation",
      "summary": "A judgment of $205,000 is entered against Defendant; $15,000 must be paid within 7 days of entry via electronic fund transfer, after which the remainder is suspended contingent on the accuracy of Defendant's financial representations. The suspension may be lifted if Defendant is found to have made material misstatements in those representations.",
      "verbatim_text": "A. Judgment in the amount of $205,000.00 is entered in favor of the Plaintiffs against 22 23 Defendant Infante.\n\n24 B. Defendant is ordered to pay to the Commission fifteen thousand Dollars ($15,000), 25 which, as Defendant stipulates, his undersigned counsel holds in escrow for no purpose other 26 than payment to the Commission. Such payment must be made within 7 days of entry of this 27 28 6 CCaassee 22::1188--ccvv--0000003355--AAPPGG--NNJJKK DDooccuummeenntt 89 FFiilleedd 0011//1100//1188 PPaaggee 77 ooff 1166 1 Order by electronic fund transfer in accordance with instructions previously provided by a 2 representative of the Commission. Upon such payment the remainder of the judgment is 3 suspended, subject to the Subsections below.\n\nC. The Plaintiffs’ agreement to the suspension of part of the judgment is expressly premised 5 upon the truthfulness, accuracy, and completeness of Defendant’s sworn financial statements and 6 related documents (collectively, “financial representations”) submitted to Plaintiffs, namely the 7 8 Financial Statement of Defendant Infante signed on November 6, 2017, including the 9 attachments.\n\nD. The suspension of the judgment will be lifted as to Defendant if, upon motion by either 11 Plaintiff, the Court finds that Defendant failed to disclose any material asset, materially misstated 12 the value of any asset, or made any other material misstatement or omission in the financial 13 representations identified above.\n\nE. If the suspension of the judgment is lifted, the judgment becomes immediately due in the 15 16 amount specified in Subsection A above, which the parties stipulate only for purposes of this 17 Section represents the unjust enrichment alleged in the Complaint, less any payment previously 18 made pursuant to this Section, plus interest computed from the date of entry of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "VI",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Defendant relinquishes all interest in assets transferred under this Order; Complaint facts may be taken as true in future proceedings; money paid to the Commission may be used for equitable relief including consumer redress, with any remainder deposited to the U.S. Treasury as disgorgement.",
      "verbatim_text": "A. Defendant relinquishes dominion and all legal and equitable right, title, and interest in all 22 23 assets transferred pursuant to this Order and may not seek the return of any assets.\n\n24 B. The facts alleged in the Complaint will be taken as true, without further proof, in any 25 subsequent civil litigation by or on behalf of the Commission, including in a proceeding to 26 27 28 7 CCaassee 22::1188--ccvv--0000003355--AAPPGG--NNJJKK DDooccuummeenntt 89 FFiilleedd 0011//1100//1188 PPaaggee 88 ooff 1166 1 enforce its rights to any payment or monetary judgment pursuant to this Order, such as a non- 2 dischargeability complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by 4 the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. 5 § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. Defendant acknowledges that his Taxpayer Identification Number which Defendant 7 8 previously submitted to the Commission, may be used for collecting and reporting on any 9 delinquent amount arising out of the Order, in accordance with 31 U.S.C. §7701.\n\nE. All money paid to the Commission pursuant to this Order may be deposited into a fund 11 administered by the Commission or its designee to be used for equitable relief, including 12 consumer redress and any attendant expenses for the administration of any redress fund. If a 13 representative of the Commission decides that direct redress to consumers is wholly or partially 14 impracticable or money remains after redress is completed, the Commission may apply any 15 16 remaining money for such other equitable relief (including consumer information remedies) as it 17 determines to be reasonably related to Defendant’s practices alleged in the Complaint. Any 18 money not used for such equitable relief is to be deposited to the U.S. Treasury as disgorgement. 
19 Defendant has no right to challenge any actions the Commission or its representatives may take 20 pursuant to this Subsection.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "VII",
      "title": "Cooperation",
      "category": "affirmative_obligation",
      "summary": "Defendant must fully cooperate with Plaintiff representatives in this case and related investigations, including providing truthful information and appearing for interviews, depositions, hearings, and trials upon 5 days' written notice, without a subpoena.",
      "verbatim_text": "23 IT IS FURTHER ORDERED that Defendant must fully cooperate with representatives of 24 Plaintiffs in this case and in any investigation related to or associated with the transactions or the 25 occurrences that are the subject of the Complaint. Defendant must provide truthful and complete 26 information, evidence, and testimony. Defendant must appear for interviews, discovery, 27 28 8 CCaassee 22::1188--ccvv--0000003355--AAPPGG--NNJJKK DDooccuummeenntt 89 FFiilleedd 0011//1100//1188 PPaaggee 99 ooff 1166 1 hearings, trials, and any other proceedings that a Plaintiff representative may reasonably request 2 upon 5 days written notice, or other reasonable notice, at such places and times as a Plaintiff 3 representative may designate, without the service of a subpoena. If the presence of the 4 Defendant is required outside of the State of Ohio or beyond 100 miles of the Defendant’s 5 residence, the FTC agrees to arrange and pay for the Defendant’s reasonable travel expenses.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "VIII",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Defendant must acknowledge receipt of the Order within 7 days, deliver copies to relevant business personnel within specified timeframes for 3 years after entry, and obtain signed acknowledgments of receipt from each recipient within 30 days of delivery.",
      "verbatim_text": "A. Defendant, within seven (7) days of entry of this Order, must submit to the Commission 11 an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For three (3) years after entry of this Order, for any business that Defendant individually 13 or collectively with any other defendant named in this matter is the majority owner or controls 14 15 directly or indirectly, Defendant must deliver a copy of this Order to (1) all principals, officers, 16 directors, and LLC managers and members; (2) all employees, agents, and representatives who 17 participate in conduct related to the subject matter of the Order; and (3) any business entity 18 resulting from any change in structure as set forth in the Section titled Compliance Reporting. 19 Delivery must occur within 7 days of entry of this Order for current personnel. For all others, 20 delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Defendant delivered a copy of this Order, 22 23 Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of 24 this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendant must submit a sworn compliance report 1 year after entry of the Order detailing contact information, business activities, and compliance status; must submit sworn change notices within 14 days of any change in name, address, business role, or entity structure for 20 years; and must notify the Commission within 14 days of any bankruptcy filing.",
      "verbatim_text": "A. One (1) year after entry of this Order, Defendant must submit a compliance report, sworn 5 under penalty of perjury, which must: 6 7 1. Identify all of Defendant’s telephone numbers and all physical, postal, and email and 8 Internet addresses, including all residences, and identify the primary physical, postal, 9 and email address and telephone number as designated points of contact, which 10 representatives of the Plaintiffs may use to communicate with Defendant; 11 2. Identify all of the Defendant’s businesses by all of their names, telephone numbers, 12 and physical, postal, email, and Internet addresses; 13 3. Identify all business activities, including any business for which Defendant performs 14 15 services whether as an employee or otherwise and any entity in which Defendant has 16 any ownership interest; 17 4. Describe in detail Defendant’s involvement in each such business, including title, 18 role, responsibilities, participation, authority, control, and any ownership; 19 5. Describe the activities of each business, including the goods and services offered, the 20 means of advertising, marketing, and sales; 21 6. Describe in detail whether and how the Defendant is in compliance with each Section 22 23 of this Order; and 24 7. Provide a copy of each Order Acknowledgment obtained pursuant to this Order, 25 unless previously submitted to the Commission.\n\n1 B. For twenty (20) years after entry of this Order, Defendant must submit a compliance 2 notice, sworn under penalty of perjury, within 14 days of any change in the following: 3 1. Name, including aliases or fictitious names, or residence address; 4 2. Any designated point of contact; 5 3. 
Title or role in any business activity, including any business for which Defendant 6 performs services whether as an employee or otherwise and any entity in which 7 8 Defendant has any ownership interest, and identify the name, physical address, and 9 any internet address of the business or entity; and 10 4. The structure of any entity that Defendant has any ownership interest in or controls 11 directly or indirectly that may affect compliance obligations arising under this Order, 12 including: creation, merger, sale, or dissolution of the entity or any subsidiary, 13 parent, or affiliate that engages in any acts or practices subject to this Order.\n\n15 C. Defendant must submit to the Commission notice of the filing of any bankruptcy petition, 16 insolvency proceeding, or similar proceeding by or against such Defendant within 14 days of its 17 filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of 19 perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I 20 declare under penalty of perjury under the laws of the United States of America that the 21 foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full 22 23 name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to 25 the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight 26 courier (not the U.S. Postal Service) to: 27 28 11 CCaassee 22::1188--ccvv--0000003355--AAPPGG--NNJJKK DDooccuummeenntt 89 FFiilleedd 0011//1100//1188 PPaaggee 1122 ooff 1166 1 Associate Director for Enforcement Bureau of Consumer Protection 2 Federal Trade Commission 600 Pennsylvania Avenue NW 3 Washington, DC 20580. 4 The subject line must begin: FTC v. EMP MEDIA, INC., et al.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "X",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendant must create certain business records for 15 years after entry of the Order and retain each such record for 5 years, including accounting records, personnel records, consumer complaint records, and all records necessary to demonstrate full compliance with the Order.",
      "verbatim_text": "7 IT IS FURTHER ORDERED that Defendant must create certain records for fifteen (15) 8 years after entry of the Order, and retain each such record for five (5) years. Specifically, for any 9 business that Defendant individually or collectively with any other defendant named in this 10 matter is a majority owner or controls directly or indirectly, he must create and retain the 11 following records: 12 A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services, whether as an employee 14 15 or otherwise, that person’s: name; addresses; telephone numbers; job title or position; 16 dates of service; and (if applicable) the reason for termination;\n\nC. Records of all consumer complaints and refund requests, whether received directly or 18 indirectly, such as through a third party, and any response; and\n\nD. All records necessary to demonstrate full compliance with each provision of this Order, 20 including all submissions to the Commission.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "XI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "Plaintiffs are authorized to monitor Defendant's compliance through additional compliance reports, depositions, document production, direct communications, undercover testing, and consumer reporting agency records; Defendant must respond to written requests within 14 days.",
      "verbatim_text": "1 A. Within 14 days of receipt of a written request from a representative of a Plaintiff, 2 Defendant must: submit additional compliance reports or other requested information, which 3 must be sworn under penalty of perjury; appear for depositions; and produce documents for 4 inspection and copying. Plaintiffs are also authorized to obtain discovery, without further leave 5 of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 6 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\n8 B. For matters concerning this Order, Plaintiffs are authorized to communicate directly with 9 the Defendant. Defendant must permit representatives of any Plaintiff to interview any 10 employee or other person affiliated with any Defendant who has agreed to such an interview. 11 The person interviewed may have counsel present.\n\nC. Plaintiffs may use all other lawful means, including posing, through its representatives as 13 consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity 14 affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this 15 16 Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 17 of the FTC Act, 15 U.S.C. §§ 49, 57b-1, to obtain any documentary material, tangible things, 18 testimony, or information relevant to unfair or deceptive acts or practices in or affecting 19 commerce (within the meaning of 15 U.S.C. § 45(a)(1)).\n\nD. Upon written request from a representative of any Plaintiff, any consumer reporting 21 agency must furnish consumer reports concerning the Defendant, pursuant to Section 604(1) of 22 23 the Fair Credit Reporting Act, 15 U.S.C. §1681b(a)(1).",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "XII",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for 3 purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.20_emp_media",
      "company_name": "EMP Media, Inc.",
      "date_issued": "2020-09-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom",
      "docket_number": "2:18-cv-00035-APG-NJK"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Prevention of CSAM and NCM",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained from misrepresenting the extent to which they review, remove, prevent, or protect consumers from CSAM and NCM on their Covered Services.",
      "verbatim_text": "IT IS ORDERED that Defendants, Defendants’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with promoting or offering for sale any product or service, are permanently restrained and enjoined from misrepresenting or assisting others in misrepresenting, expressly or by implication: A. the extent to which Defendants review and/or remove Content from Covered Services that has been flagged, or otherwise identified by anyone as CSAM, NCM, or illegal;\n\nB. the extent to which Defendants suspend, ban, or otherwise prevent individuals or entities who have uploaded CSAM and/or NCM to any Covered Service from creating an account on, and/or uploading Content to, any Covered Service in the future;\n\nC. the extent to which Defendants prevent CSAM or NCM that has been identified and/or removed from a Covered Service from being republished on, or otherwise made available to consumers on, any Covered Service;\n\nD. the extent to which Defendants obtain, review, verify, or maintain paperwork required by 18 U.S.C. § 2257 for Content on a Covered Service;\n\nE. the extent to which Defendants moderate or otherwise review Content before the Content is published or otherwise made available to a consumer on a Covered Service;\n\nF. the extent to which any Covered Service does not contain CSAM or NCM; or\n\nG. the extent to which Defendants prevent CSAM or NCM from being present on a Covered Service or protect consumers from the presence of CSAM or NCM on a Covered Service.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "II",
      "title": "Mandated Suspension of Content",
      "category": "affirmative_obligation",
      "summary": "Defendants must suspend all pre-program Model-uploaded content where age verification or consent has not been confirmed, and all pre-program Content Partner content not meeting required safeguards, within specified timeframes.",
      "verbatim_text": "A. Within thirty (30) days after entry of this Order, indefinitely Suspend all Content uploaded by a Model to any Covered Service prior to the implementation of the CSAM and NCM Prevention Program pursuant to Provision III that Defendants have not verified that any non-Model individual participating in Sexually Explicit Conduct in the Content was eighteen (18) years of age or older at the time the Content uploaded by a Model was created, or if the creation date is unavailable, the time the Content was uploaded by a Model. Provided, however, such Content may be republished after Suspension if Defendants verify that any non-Model individual participating in Sexually Explicit Conduct in the Content was eighteen (18) years of age or older at the time the Content uploaded by a Model was created, or if the creation date is unavailable, the time the Content was uploaded by a Model;\n\nB. Within three (3) months after entry of this Order, indefinitely Suspend all Content uploaded by a Model to any Covered Service prior to the implementation of the CSAM and NCM Prevention Program pursuant to Provision III that Defendants have not verified that any non-Model individual participating in Sexually Explicit Conduct in the Content consented to the Sexually Explicit Conduct, as well as to the production and publication of the Content uploaded by the Model. Such Content may be republished on the Covered Service after Suspension if Defendants verify that any non-Model individual participating in Sexually Explicit Conduct in the Content consented to the Sexually Explicit Conduct, as well as to the production and publication of Content uploaded by a Model. 
Provided, however, that such verification is not required from a non-Model individual who has previously met the requirements set forth in Provision III.E.2.a.1-2 for other Content uploaded by the same Model; and\n\nC. Within three (3) months after entry of this Order, indefinitely Suspend all Content uploaded by a Content Partner to any Covered Service prior to the implementation of the CSAM and NCM Prevention Program pursuant to Provision III that Defendants have not verified meets the safeguards required under sub-Provision III.E.3.a. Such Content may be republished after Suspension if Defendants verify that it meets the safeguards required under sub-Provision III.E.3.a.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "III",
      "title": "Mandated Program to Prevent the Posting and Proliferation of CSAM and NCM",
      "category": "affirmative_obligation",
      "summary": "Defendants must establish and implement a comprehensive CSAM and NCM Prevention Program within 90 days, including documentation, governance, risk assessment, safeguards (age/consent verification, content review, removal processes), training, reporting tools, and biannual transparency reports.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants, and any business that Defendants control, in connection with making Content available on a Covered Service, must, within ninety (90) days after entry of this Order, establish and implement, and thereafter maintain, comprehensive procedures (“CSAM and NCM Prevention Program”) that are designed to prevent the publication, or dissemination of, and that protects consumers from exposure to, CSAM and/or NCM on a Covered Service. To satisfy this requirement, Defendants must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the CSAM and NCM Prevention Program;\n\nB. Provide the written program and any material evaluations thereof or updates thereto to Defendants’ board of directors or governing body, or, if no such board or equivalent governing body exists, to Defendants’ Chief Executive Officer and Chief Operations Officer at least once every three (3) months;\n\nC. Designate a qualified employee who reports directly to the Chief Executive Officer (or, in the event a Chief Executive Officer role does not exist, a similarly-situated executive) to coordinate and be responsible for the CSAM and NCM Prevention Program, and keep Defendants’ Chief Executive Officer and board of directors or governing body informed of the CSAM and NCM Prevention Program, including all actions and procedures implemented to comply with the requirements of this Order, and any actions and procedures to be implemented to ensure continued compliance with this Order;\n\nD. Assess and document, at least once every twelve (12) months, internal and external risks in each area of Defendants’ operations that could result in CSAM or NCM being published, disseminated, or otherwise made available to a consumer on a Covered Service;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks identified in response to sub-Provision III.D. 
Each safeguard must be based on the likelihood that the risk could be realized and result in CSAM or NCM being published, disseminated, or otherwise made available to a consumer on a Covered Service. Such safeguards must also include: 1. Policies, practices, procedures, and technical measures designed to ensure Content uploaded by a Model may not be published or otherwise made available to a consumer on a Covered Service unless Defendants: a. Verify prior to publication (i) directly from the Model, or (ii) through documentation that establishes the age and identity of the Model as set forth by federal law, that the Model is eighteen (18) years of age or older, including authenticating that any verification documentation provided to establish the Model’s age matches the Model. Defendants may only use, provide access to, or disclose any information collected for such verification to comply with the requirements set forth in Provision III; to compensate Models; to provide customer support services to Models; to communicate with Models; to maintain the functionality and security of the Covered Services; to contact or cooperate with law enforcement regarding actual or suspected CSAM, NCM, or illegal Content; or to comply with any applicable law, regulation, or court order; and\n\nb. For each piece of Content uploaded by a Model, provide notice and a consent checkbox to the uploader of the Content to a Covered Service, which the uploader must review and endorse prior to submitting Content for review. The notice and checkbox will inform the uploader that Defendants will review Content prior to its publication and may report actual or suspected CSAM or NCM to the National Center for Missing and Exploited Children or to relevant law enforcement. 
The notice and consent checkbox will inform the uploader that if the Content is approved for publication it will be made public and that the uploader is waiving any privacy rights they may have previously had in the Content by submitting Content for Defendants’ review;\n\n2. Policies, practices, procedures, and technical measures designed to ensure Content uploaded by a Model is not published or otherwise made available to a consumer on a Covered Service unless Defendants: a. Verify prior to publication (i) directly from each non-Model individual participating in Sexually Explicit Conduct in the Content, or (ii) through documentation that establishes the age and identity of the non-Model individual as set forth by federal law, that such non-Model individual: 1) Was eighteen (18) years of age or older at the time such Content was created, or if the creation date is unavailable, the time the Content was uploaded by a Model, including authenticating that any verification documentation provided to establish the non-Model individual’s age matches the non-Model individual appearing in the Content; and 2) Consents to the Sexually Explicit Conduct, as well as to the production and publication of the particular piece of Content. Such consent must be clearly manifested in writing or electronically. Such verification must rely, at least in part, on attestations or documentation submitted or otherwise provided to Defendants by the non-Model individual appearing in the Content. 
Defendants may only use, provide access to, or disclose any information collected for such verification to comply with the requirements set forth in Provision III; to compensate Models; to provide customer support services to Models; to communicate with Models; to maintain the functionality and security of the Covered Services; to contact or cooperate with law enforcement regarding actual or suspected CSAM, NCM, or illegal Content; or comply with any applicable law, regulation, or court order. Provided, however, that such verification is not required from a non-Model individual who has previously met the requirements set forth in Provision III.E.2.a.1-2 for other Content uploaded by the same Model; and\n\nb. Unless prohibited by an applicable law, regulation, or court order, within twenty-four (24) hours of Content being published or otherwise made available to a consumer on a Covered Service, Defendants must send an e-mail or text message to the e-mail address or phone number provided for each non-Model individual appearing in Content uploaded by a Model informing the non-Model individual that Content in which they appear has been published or otherwise made available to a consumer on a Covered Service, and providing a Clear and Conspicuous link to such Content and to the Content Removal Request form pursuant to Provision III.E.9;\n\n3. Policies, practices, procedures, and technical measures designed to ensure Content uploaded by a Content Partner must not be published or otherwise made available to a consumer on a Covered Service unless Defendants: a. 
Verify prior to publication that the Content Partner certifies, in writing or electronically, that the Content Partner maintains documentation demonstrating that each individual appearing in the Content uploaded by the Content Partner: was eighteen (18) years of age or older at the time such Content was created; and consents to the Sexually Explicit Conduct, as well as to the production and publication of the particular piece of Content;\n\nb. Provide a notice and a consent checkbox for each piece of Content to the uploader of the Content, which the uploader must review and endorse prior to submitting Content for review. The notice and checkbox will inform the uploader that Defendants will review Content prior to its publication and may report actual or suspected CSAM or NCM to the National Center for Missing and Exploited Children or to relevant law enforcement. The notice and consent checkbox will inform the uploader that if the Content is approved for publication it will be made public and that the uploader is waving any privacy rights they may have previously had in the Content by submitting Content for Defendants’ review;\n\n4. Audit, at least once every twelve (12) months, each Content Partner with Content published or otherwise available to a consumer on a Covered Service. As part of each audit, Defendants must: a. Request all age and consent verification documentation the Content Partner certified to maintaining for one (1) percent or twenty (20) pieces of Content, whichever quantity is greater, randomly selected by Defendants, that was published or otherwise available to a consumer on a Covered Service. 
Provided, however, after the initial audit Defendants’ future audits may be limited to Content published in the last twelve (12) months; b. Suspend the Content Partner’s Content published or otherwise made available to a consumer on a Covered Service for which Content Partner fails to provide the requested age and consent verification documentation within thirty (30) days. Such Content may not be republished or otherwise made available to any consumer by Defendants unless the Content Partner provides the requested age and consent verification documentation; c. If, as part of an audit, a Content Partner fails to provide age or consent verification documentation for any one piece of Content within forty-five (45) days, Defendants must initiate a subsequent audit pursuant to Provision III.E.4.a-c for a new sample of previously unaudited Content.\n\n5. Utilizing available tools and technologies to review Content to determine whether it is actual or suspected CSAM or NCM prior to its publication or otherwise making it available to a consumer on a Covered Service, including, but not limited to: a. Comparing Content, via internal or external tools, to Content previously identified and/or fingerprinted or otherwise marked (whether by any Defendant or another entity) as actual or suspected CSAM or NCM. If such a comparison indicates that a piece of Content matches previously identified or reported actual or suspected CSAM or NCM or is likely to be CSAM or NCM, and Defendants’ review determines that it is likely to be actual or suspected CSAM or NCM, Defendants shall not publish it or otherwise make it available to a consumer; and\n\nb. 
To the extent Defendants use Moderators to review Content: 1) At least one Moderator must exclusively watch and listen to each piece of Content in its entirety in order to make a determination about whether the Content may be CSAM or NCM. Provided, however, Moderators may, in lieu of listening to Content, read a complete transcript of language spoken or heard in such Content; and 2) Moderators must review the language spoken or heard in all Content. The Moderator reviewing a particular piece of Content must be either fluent in the primary languages spoken in such Content or must review a transcription of the Content that has been translated into a language in which the Moderator is fluent;\n\n6. Mandatory CSAM and NCM prevention training that addresses the current risks and harms associated with the publication and dissemination of CSAM and NCM; any internal or external risks identified by Defendants in connection with sub-Provision III.D; and the safeguards implemented pursuant to sub-Provision III.E. This training must be provided to all Moderators and employees with responsibilities related to Content and CSAM and NCM prevention upon hire or within one hundred and twenty (120) days after entry of this Order, and on at least an annual basis thereafter.\n\n7. Accessible methods for consumers to report possible CSAM and/or NCM to Defendants for review and removal, including but not limited to Content Removal Requests and Content flagging tools;\n\n8. Policies, practices, procedures, and technical measures designed to ensure the consistent and thorough review of Content to determine whether it is actual or suspected CSAM or NCM, both before that Content is published on any Covered Service and upon Defendants’ receipt of any report or complaint, whether by a consumer, employee, law enforcement agency, or other source (other than a person or entity known to Defendants to submit inaccurate or false reports or complaints), that the Content may be CSAM or NCM;\n\n9. 
Policies, practices, procedures, and technical measures regarding Content Removal Requests, including, but not limited to: a. Implementing a process by which an individual, without requiring an account with a Covered Service, can submit a Content Removal Request. The process must include: 1) A Clear and Conspicuous link or button on the home page for each Covered Service as well as each webpage displaying Content for an individual to submit a Content Removal Request; 2) An easy-to-use Content Removal Request form that includes a Clear and Conspicuous link to an explanation of Defendants’ review process; 3) Upon receipt of a Content Removal Request with an email address that Defendants have verified that the submitter has access to, the: a) Immediate Suspension of all Content identified in the Content Removal Request that provides a valid URL for the Content; and b) The Suspension, within seventy-two (72) hours of all Content identified in the Content Removal Request by title or other information that permits Defendants to identify Content through a search of Defendants’ Covered Services and internal systems; 4) Upon receipt of a Content Removal Request without an email address or without an email address that Defendants have verified that the submitter has access to, the Suspension within five (5) days, of all Content identified in the Content Removal Request by URL, title, or other information that permits Defendants to identify Content through a search of Defendants’ Covered Services and internal systems; and 5) Processes and technical measures that readily inform the submitter of the status of each Content Removal Request including an email address Defendants have verified that the submitter has access to submitted pursuant to this sub-provision; and 6) CRR Content may not be republished or otherwise made available to any 
consumer by Defendants unless Defendants confirm that the Content meets the safeguards required under sub-Provision III.E.1-3, and that the Content is not suspected CSAM and/or NCM. For Content Removal Requests that include an email address Defendants have verified that the submitter has access to, Defendants must notify the submitter when any Content associated with the submitter’s Content Removal Request is republished or otherwise made available to any consumer by Defendants;\n\n10. Policies, practices, procedures, and technical measures regarding Withdrawal of Consent, including, but not limited to: a. Implementing a process by which an individual, or an individual’s representative that has provided sufficient proof of representation, without being required to have an account with a Covered Service, can submit a request that Defendants remove one or more pieces of Content or all Model Content that has been verified pursuant to Provision III.E.2.a to include the individual, from Covered Service(s) based on the Withdrawal of Consent (a “Withdrawal of Consent Request”). 
The process must include: 1) A Clear and Conspicuous link or button on the home page for each Covered Service as well as each webpage displaying Content or as a standalone option in the Content Removal Request process pursuant to Provision III.E.9 for an individual, or an individual’s representative, to submit a Withdrawal of Consent Request, as well as a Clear and Conspicuous link to an explanation of the process by which Defendants review each Withdrawal of Consent Request; 2) Upon receipt of a Withdrawal of Consent Request with an email address that Defendants have verified the submitter has access to: a) The immediate Suspension of all Content uploaded by a Model identified in a Withdrawal of Consent Request by a valid URL; b) The Suspension, within seventy-two (72) hours of all other instances of the same Content uploaded by a Model requested in a Withdrawal of Consent Request by a valid URL from all Covered Services; c) The Suspension, if requested, within seven (7) days of all Content uploaded by a Model that has been verified pursuant to Provision III.E.2.a to include the individual (collectively, “Withdrawal of Consent Model Content”) from all Covered Services; d) Processes and technical measures that readily inform the submitter of the status of each Withdrawal of Consent Request submitted pursuant to this sub-provision; 3) Upon receipt of a Withdrawal of Consent Request without an email address that Defendants have verified the submitter has access to, the Suspension: a) Within five (5) days, of all Content uploaded by a Model identified in the Withdrawal of Consent Request by URL, title, or other information that permits Defendants to identify Content through a search of Defendants’ 
Covered Services and internal systems; and b) Within ten (10) days, all other instances of the same identified Content uploaded by a Model from all Covered Services. 4) Any Content Suspended pursuant to a Withdrawal of Consent Request may only be republished or otherwise made available to a consumer by Defendants if: a) The Withdrawal of Consent Request was submitted by an individual without sufficient proof of representation of an individual appearing in the Content uploaded by a Model; b) Defendants confirm that the Content meets the safeguards required under sub-Provision III.E.1-2; and c) The Content is not suspected CSAM and/or NCM; 5) For Withdrawal of Consent Requests that include an email address that Defendants have verified the submitter has access to, Defendants must notify the submitter when any Content associated with the submitter’s Withdrawal of Consent Request is republished or otherwise made available to any consumer by Defendants; b. 
Any Content uploaded by a Model and Suspended pursuant to Withdrawal of Consent Requests determined to have been submitted either by the individual appearing in the Content, or by a submitter with sufficient proof of representation of such individual (“Withdrawal of Consent Content”), will be subject to the following requirements: 1) Within twenty-four (24) hours of such determination, Defendants must Suspend from all Covered Services all other instances of the same Content, or portions of the same Content that Defendants are able to identify through the content identification tools and technologies utilized by Defendants in the ordinary course of business; 2) Within three (3) days of such determination, Defendants must: a) Fingerprint or otherwise mark the Content, including all other instances of the same Content, or portions of the same Content that Defendants are able to identify through the content identification tools and technologies utilized by Defendants in the ordinary course of business, as Withdrawal of Consent Content to facilitate efforts to prevent it from being republished or otherwise made available to a consumer; b) Delete any Covered Service webpages, including all metadata, on which the Content, including webpages where all other instances of the same Content, or portions of the same Content that Defendants are able to identify through the content identification tools and technologies utilized by Defendants in the ordinary course of business, was hosted. 
Provided, however, that any Covered Service webpage, including all metadata, upon which the Content was hosted, that Defendants are otherwise required to Delete pursuant to this sub-provision may be retained or disclosed to the extent requested by a government agency in a formal preservation letter that identifies the specific data to be preserved or required by compulsory process, a request from law enforcement, a litigation hold, or otherwise required by law, regulation, or court order; and c) Request that Google, Bing, and Yahoo! de-index the Covered Service webpage(s) upon which the Content was hosted. Provided, however, that, for search engines for which the Defendants must manually request such de-indexing, the deadline is seven (7) days after determination of the Content to be Withdrawal of Consent Content;\n\n11. Policies, practices, procedures, and technical measures regarding registered users of a Covered Service flagging, or otherwise identifying, Content available on a Covered Service as actual or suspected CSAM and/or NCM, including, but not limited to: a. Implementing a process by which a registered user of a Covered Service can flag or otherwise identify Content available on a Covered Service suspected as CSAM and/or NCM. 
The process must include: 1) A Clear and Conspicuous link or button in proximity to Content on each Covered Service so that any registered user may flag or otherwise identify that Content as actual or suspected CSAM and/or NCM, as well as a Clear and Conspicuous explanation of the process by which Defendants review each flag, or a Clear and Conspicuous link to such explanation; 2) Upon receipt of a flag or other identification of Content as possible CSAM and/or NCM the Suspension, within three (3) days of Content flagged or otherwise identified as actual or suspected CSAM and/or NCM; and 3) All Content Suspended pursuant to a flag (including all other instances of the same Content) (collectively, “Flagged Content”) may not be republished or otherwise made available to any consumers by Defendants unless Defendants confirm that the Content meets the safeguards required under sub-Provision III.E.1-3, and that the Content is not suspected CSAM and/or NCM;\n\n12. Policies, practices, procedures, and technical measures regarding requests by law enforcement agencies to remove Content available on a Covered Service because it is actual or suspected CSAM and/or NCM (“Law Enforcement Request”), including, but not limited to: a. Implementing a process by which any law enforcement agency can request that Defendants remove Content available on a Covered Service suspected as CSAM and/or NCM. The process must include: 1) A Clear and Conspicuous link or button on the home page for each Covered Service so that any law enforcement agency can request the removal of Content because it is suspected as CSAM and/or NCM; 2) Upon receipt of a Law Enforcement Request with a validated law enforcement email address: a) Immediate Suspension of Content identified in the Law Enforcement Request that provides a valid URL for the Content; b) The Suspension, within seven (7) days, of all other instances of the same Content identified by a valid URL from all Covered Services; c) The Suspension: i. 
Within seventy-two (72) hours, of all Content identified in the Law Enforcement Request by means other than a valid URL, such as a title or other information that permits Defendants to identify Content through a search of Defendants’ Covered Services and internal systems; ii. Within seven (7) days, of all other instances of the same Content identified in the Law Enforcement Request by means other than a valid URL, such as a title or other information sufficient to identity the Content, from all Covered Services; 3) Processes and technical measures that readily inform a law enforcement agency of the status of each Law Enforcement Request it has submitted; 4) The Content subject to a Law Enforcement Request may not be republished or otherwise made available to any consumers by Defendants until: a) Law enforcement that submitted the Law Enforcement Request informs Defendants that the Content is not CSAM and/or NCM; or b) Defendants confirm the Content meets the safeguards required under sub-Provision III.E.1-3, and Defendants’ review determines that it is not suspected CSAM and/or NCM, and wait forty-eight (48) hours after notifying law enforcement that the Content will be republished or otherwise made available;\n\n13. Policies, practices, procedures, and technical measures to address any instance in which Defendants determine that actual or suspected CSAM and/or NCM is found to be on or uploaded to a Covered Service, including, but not limited to: a. 
For instances of such actual or suspected CSAM and/or NCM identified outside the processes pursuant to sub-provisions III.E.9-12 Suspending such Content, as well as all other instances of the same Content, or portions of the same Content that Defendants are able to identify through the content identification tools and technologies utilized by Defendants in the ordinary course of business, from all Covered Services within twenty-four (24) hours of Defendants’ review determining that it is actual or suspected CSAM and/or NCM; b. Within three (3) days of determination of such Content to be actual or suspected CSAM and/or NCM: 1) Fingerprinting or otherwise marking the Content, including all other instances of the same Content, as actual or suspected CSAM and/or NCM to facilitate efforts to prevent it from being republished or otherwise made available to a consumer; 2) Deleting any Covered Service webpages, including all metadata, on which the Content, including webpages where all other instances of the same or Content, or portions of the same Content that Defendants are able to identify through the content identification tools and technologies utilized by Defendants in the ordinary course of business, was hosted. Provided, however, that any Covered Service webpage, including all metadata, upon which the Content was hosted, that Defendants are otherwise required to Delete pursuant to this sub-provision may be retained or disclosed to the extent requested by a government agency in a formal preservation letter that identifies the specific data to be preserved or required by compulsory process, a request from law enforcement, a litigation hold, or otherwise required by law, regulation, or court order; and 3) Requesting that Google, Bing, and Yahoo! de-index the Covered Service webpage(s) upon which the Content was hosted. 
Provided, however, that, for search engines for which the Defendants must manually request such de-indexing, the deadline is seven (7) days after Defendants’ review determines that the Content it is actual or suspected CSAM and/or NCM; c. For Content uploaded by a Model determined to be such actual or suspected CSAM and/or NCM within seven (7) days, Defendants must: 1) Suspend all Content on all Covered Services uploaded by the Model who uploaded the CSAM and/or NCM Content; 2) Ban all accounts of that Model from all Covered Services, and implement measures to facilitate efforts to prevent the Model from creating an account for uploading Content to, any Covered Service; and d. Within seven (7) days of determination of actual or suspected CSAM and/or NCM Content, upon request of any non-consenting individuals featured in such Content, assigning a case manager responsible for responding to information requests or other inquiries from the individual relating to such Content;\n\n14. Policies, practices, procedures, and technical measures to address instances where Defendants determine that – pursuant to a Content Removal Request(s) and/or Withdrawal of Consent Request(s) – one (1) percent or more of the Content uploaded by a Content Partner and published on a Covered Service is actual or suspected CSAM and/or NCM: a. Within sixty (60) days of Defendants’ determination that one (1) percent or more of the Content uploaded by a Content Partner and published on a Covered Service is actual or suspected CSAM and/or NCM, conduct and complete an audit of the Content Partner’s age and consent verification. Such audit cannot be based solely on a review of the Content Partner’s age and consent verification documentation. 
Provided, however, nothing shall prevent Defendants from banning all accounts, and Deleting all Content on all Covered Services of a Content Partner at any time, including prior to completion of such audit; b. If pursuant to such audit Defendants are unable to confirm the age and consent for ten (10) percent or more of the Content uploaded by the Content Partner and published on a Covered Service, then Defendants must: 1) Suspend all Content of the Content Partner on all Covered Services; and 2) Ban all accounts of that Content Partner from all Covered Services and implement measures to facilitate efforts to prevent the Content Partner from creating an account for uploading Content to, any Covered Service;\n\n15. Policies, practices, procedures, and technical measures so that a registered user of a Covered Service can flag or otherwise report to Defendants for review a user comment or direct message between users on a Covered Service, to the extent available, because the comment or message (a) promotes, encourages, or solicits the creation, publication, or dissemination of CSAM and/or NCM, or (b) encourages, promotes, solicits, or engages in child abuse or non-consensual sexual activities. The process must include: a. A Clear and Conspicuous link or button in proximity to each user comment and direct message between users so that a registered user may flag or otherwise report the comment or direct message for review by Defendants, as well a Clear and Conspicuous link to an explanation of the process by which Defendants review each flag or report; b. 
Defendants’ review of any flagged or otherwise reported user comment or direct message within three (3) days of such flagging or reporting to determine whether it (i) promotes, encourages, or solicits the creation, publication, or dissemination of CSAM and/or NCM, or (ii) encourages, promotes, solicits, or engages in child abuse or non-consensual sexual activities; c. The immediate removal of any user comment or direct message Defendants determine (i) promotes, encourages, or solicits the creation, publication, or dissemination of CSAM and/or NCM, or (ii) encourages, promotes, solicits, or engages in child abuse or non-consensual sexual activities; and d. The banning, within three (3) days, of any registered user that Defendants determine has posted a comment or sent a direct message (i) promoting, encouraging, or soliciting the creation, publication, or dissemination of CSAM and/or NCM, or (ii) encouraging, promoting, soliciting, or engaging in child abuse or non-consensual sexual activities. In banning such a registered user, Defendants must ban all accounts of that user on all Covered Services and implement measures to facilitate efforts to prevent the user from creating an account for uploading Content to, any Covered Service;\n\n16. Policies, practices, procedures, and technical measures to deter persons from searching for or tagging or titling Content on a Covered Service with terms Defendants have determined suggest the Content is CSAM and/or NCM, including but not limited to: a. Displaying a message whenever a person searches for Content using such terms: 1) Stating that the person may be attempting to access Content that is CSAM and/or NCM, which may be illegal; and 2) Where available, providing contact information for organizations that provide help to persons who have sought CSAM and/or NCM; and b. 
Preventing uploaders from tagging or titling Content on any Covered Service with such terms;\n\n17. To the extent Defendants review Content using Moderators, policies, practices, and procedures designed to ensure that Moderators effectively identify and remove CSAM and NCM, including, but not limited to: a. Providing mandatory training for Moderators as to the identification and detection of CSAM and NCM, upon hire and at least every twelve (12) months thereafter; and b. Prohibiting a Moderator’s salary, bonus, or any other financial compensation from being based solely on the amount or quantity of Content that the Moderator reviews during any given time period; and\n\n18. Policies, practices, procedures, and technical measures designed to ensure Defendants report any actual or suspected CSAM uploaded to, or identified on, a Covered Service to the National Center for Missing and Exploited Children within seventy-two (72) hours of Defendants’ determination that the Content is actual or suspected CSAM;\n\nF. At least once every twelve (12) months: 1. Assess the sufficiency of any safeguards in place to address the internal and external risks that could result in the publication of CSAM or NCM on a Covered Service, and modify the CSAM and NCM Prevention Program based on the results; and 2. Monitor the effectiveness of the safeguards and modify the CSAM and NCM Prevention Program based on the results;\n\nG. Evaluate and adjust the CSAM and NCM Prevention Program in light of any material changes to: 1. Defendants’ operations or business arrangements; 2. New or more efficient technological or operational methods to control for the risks identified in Provision III.D of this Order; or 3. 
Any other circumstances that Defendants know or have reason to know may have a material impact on the effectiveness of the CSAM and NCM Prevention Program or any of its individual safeguards; At a minimum, Defendants must evaluate the CSAM and NCM Prevention Program at least once every twelve (12) months and modify the CSAM and NCM Prevention Program based on the results; and\n\nH. Within ninety (90) days of June 30 and December 31 of each calendar year, publish a hyperlink on the home page of each Covered Service to a report detailing, using diction and syntax understandable to reasonable consumers, Defendants’ implementation and enforcement of policies, practices, procedures, and technical measures to prevent the publication, and dissemination of CSAM and NCM on such Covered Services (“CSAM and NCM Prevention Transparency Report”). Each CSAM and NCM Prevention Transparency Report must include the following information for the six (6) months preceding the end of the applicable reporting period (i.e., June 30, December 31): 1. A description of all business units or teams (e.g., compliance, Moderators) involved in Defendants’ CSAM and NCM prevention efforts; 2. A description of each policy, practice, process, procedure, tool, and technical measure employed by Defendants designed to ensure that the Covered Services are not used for the publication or dissemination of CSAM and/or NCM, including but not limited to: a. A description of each policy, practice, process, procedure, tool, and technical measure employed by Defendants to verify the identity, age, and consent of each person depicted participating in the Sexually Explicit Conduct in Content on the Covered Services; b. A description of what constitutes CSAM and NCM; c. 
A description of each policy, practice, procedure, tool, and technical measure employed by Defendants to detect, identify, remove, and/or report CSAM and NCM; d. A graphical representation of the process by which Defendants review Content for the presence of CSAM and NCM; e. A description of the review process where a Moderator does not speak the language spoken or presented in Content; f. A description of Defendants’ processes for responding to CSAM and NCM on the Covered Services, including but not limited to those concerning persons and entities attempting to upload CSAM or NCM to a Covered Service or otherwise using a Covered Service to disseminate CSAM or NCM; g. A description of each process by which consumers, organizations, and law enforcement agencies may report or flag actual or suspected CSAM and NCM on the Covered Services to Defendants, as well as the policies, practices, and procedures governing Defendants’ response to any such report or flag; h. A description of all processes by which, and categories of circumstances under which, Defendants report CSAM and NCM to an external organization or agency; i. A description of Defendants’ membership in any industry organizations, partnerships, or other collaborations related to the detection, identification, removal, and/or prevention of CSAM or NCM, or related to child safety; and j. An explanation of any material updates or changes to Defendants’ policies, practices, procedures, or technical measures insofar as they relate to preventing the upload of, or to the detection, identification, and/or removal of CSAM or NCM; and 3. 
Detailed metrics on the results of Defendants’ efforts designed to ensure that the Covered Services are not used for the publication or dissemination of CSAM and/or NCM, including both narrative explanation and numerical data displayed in charts and/or graphs on the following metrics: a. The number of photos and videos uploaded to the Covered Services; b. The number of photos and videos published or otherwise made available to a consumer on the Covered Services; c. The number of unique Withdrawal of Consent Requests received in connection with the Covered Services; d. The number of unique Content Removal Requests, flags, and Law Enforcement Requests received in connection with actual or suspected CSAM or NCM on the Covered Services; e. The number of actual or suspected CSAM and NCM photos and videos uploaded to, but not published or otherwise made available to consumers on, the Covered Services, including a breakdown of how such Content was identified as actual or suspected CSAM or NCM (e.g., moderation, tool, technology); f. The number of actual or suspected CSAM and NCM photos and videos removed from the Covered Services, including a breakdown of how such Content was identified as actual or suspected CSAM or NCM (e.g., moderation, technology, Content Removal Request, flag, Law Enforcement Request), the average number of days such Content was available on the Covered Services, and the average number of views such Content received before it was removed; g. The number of accounts identified as attempting to upload, publish, or disseminate actual or suspected CSAM and/or NCM in connection with the Covered Services, as well as a breakdown of what actions were taken with respect to these accounts in response; h. 
The number of accounts suspended, banned, or otherwise actioned in connection with the attempted upload, publication, or dissemination of actual or suspected CSAM and/or NCM in connection with the Covered Services, as well as how many of these accounts were reinstated and the reasons for any such reinstatements; and i. The number of reports of actual or suspected CSAM and NCM made to outside organizations that seek to prevent CSAM or NCM (e.g., the National Center for Missing and Exploited Children).",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "IV",
      "title": "CSAM and NCM Prevention Program Assessments by a Third Party",
      "category": "assessment",
      "summary": "Defendants must obtain initial and biennial independent third-party assessments of their CSAM and NCM Prevention Program, with specific assessor qualifications, reporting periods, assessment content requirements, and submission deadlines.",
      "verbatim_text": "Defendants must obtain initial and biennial assessments (“CSAM and NCM Prevention Assessment(s)”): A. The CSAM and NCM Prevention Assessments must be obtained from one or more qualified, objective, independent third-party professionals (“CSAM and NCM Prevention Assessor”), who: (1) use procedures and standards generally accepted in the profession; (2) conduct an independent review of the CSAM and NCM Prevention Program; (3) retain all documents relevant to each CSAM and NCM Prevention Assessment for five (5) years after completion of such CSAM and NCM Prevention Assessment; and (4) will provide such documents to the Commission and the Division within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld from the Commission or the Division by the CSAM and NCM Prevention Assessor on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exception, or any similar claim.\n\nB. For each CSAM and NCM Prevention Assessment, Defendants must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed CSAM and NCM Prevention Assessor, whom the Associate Director shall have the authority to approve in her or his sole discretion.\n\nC. The reporting period for the CSAM and NCM Prevention Assessments must cover: (1) the first one hundred eighty (180) days after the entry date of this Order for the initial CSAM and NCM Prevention Assessment; and (2) each two (2)-year period thereafter for ten (10) years after entry of this Order for the biennial CSAM and NCM Prevention Assessments.\n\nD. 
Each CSAM and NCM Prevention Assessment must, for the entire assessment period: (1) determine whether Defendants have implemented and maintained the CSAM and NCM Prevention Program required by Provision III of this Order, titled Mandated Program to Prevent the Posting and Proliferation of CSAM and NCM; (2) assess the effectiveness of Defendants’ implementation and maintenance of sub-Provisions III.A-H; (3) identify any gaps or weaknesses in, or instances of material noncompliance with, the CSAM and NCM Prevention Program; (4) address the status of gaps or weaknesses in, or instances of material non-compliance with the CSAM and NCM Prevention Program that were identified in any prior CSAM and NCM Prevention Assessment required by this Order; (5) identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the CSAM and NCM Prevention Assessor examined is (a) appropriate for assessing an enterprise of Defendants’ size, complexity, and risk profile; and (b) sufficient to justify the CSAM and NCM Prevention Assessor’s findings. No findings of any CSAM and NCM Prevention Assessment shall rely primarily on assertions or attestations by Defendants’ management. The CSAM and NCM Prevention Assessment must be signed by the CSAM and NCM Prevention Assessor, state that the CSAM and NCM Prevention Assessor conducted an independent review of the CSAM and NCM Prevention Program and did not rely primarily on assertions or attestations by Defendants’ management, and state the number of hours that each member of the assessment team worked on the CSAM and NCM Prevention Assessment. 
To the extent that Defendants materially revise or update or add one or more safeguards required under Provision III of this Order during a CSAM and NCM Prevention Assessment period, the CSAM and NCM Prevention Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. Each CSAM and NCM Prevention Assessment must be completed within ninety (90) days after the end of the reporting period to which the CSAM and NCM Prevention Assessment applies. Unless otherwise directed by the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission in writing, Defendants must submit the initial CSAM and NCM Prevention Assessment to the Commission and the Division within fourteen (14) days after the CSAM and NCM Prevention Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, and via email to WCCE@agutah.gov or by overnight courier (not the U.S. Postal Service) to the Utah Attorney General’s Office, White Collar and Commercial Enforcement Division, 160 East 300 South, 5th Floor, Salt Lake City, UT 84114. The subject line must begin, “FTC v. MindGeek, FTC File No. 2123033.” All subsequent biennial CSAM and NCM Prevention Assessments must be retained by Defendants until the Order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. 
The initial CSAM and NCM Prevention Assessment and any subsequent biennial CSAM and NCM Prevention Assessment provided to the Commission and the Division must be marked, in the upper right-hand corner of each page, with the words “DPIP CSAM and NCM Prevention Assessment” in red lettering.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "V",
      "title": "Cooperation with Third-Party CSAM and NCM Prevention Assessor",
      "category": "affirmative_obligation",
      "summary": "Defendants must cooperate fully with the CSAM and NCM Prevention Assessor by providing all relevant information, access to content management systems, and accurate disclosures without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the CSAM and NCM Prevention Assessor all information and material in their possession, custody, or control that is relevant to the CSAM and NCM Prevention Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the CSAM and NCM Prevention Assessor Defendants’ content management system(s) and customer support network(s); and\n\nC. Disclose all material facts to the CSAM and NCM Prevention Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the CSAM and NCM Prevention Assessor’s: (1) determination of whether Defendants have implemented and maintained the CSAM and NCM Prevention Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions III.A–H; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the CSAM and NCM Prevention Program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "VI",
      "title": "Annual Certifications – CSAM and NCM Prevention",
      "category": "compliance_reporting",
      "summary": "Defendants must annually provide the FTC and the Division with a CEO certification attesting to compliance with Provisions I–V and disclosure of any uncorrected material noncompliance.",
      "verbatim_text": "A. One year after the entry date of this Order, and each year thereafter, provide the Commission and the Division with a certification from the Chief Executive Officer that: (1) Defendants have established, implemented, and maintained the requirements under Provisions I– V of this Order; and (2) Defendants are not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission and the Division. The certification must be based on the personal knowledge of the Chief Executive Officer or subject matter experts upon whom the Chief Executive Officer relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all CSAM and NCM Prevention annual certifications to the Commission and the Division pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, and via email to WCCE@agutah.gov or by overnight courier (not the U.S. Postal Service) to the Utah Attorney General’s Office, White Collar and Commercial Enforcement Division, 160 East 300 South, 5th Floor, Salt Lake City, UT 84114. The subject line must begin: “FTC v. MindGeek, FTC File No. 2123033.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "VII",
      "title": "Notice to Users",
      "category": "affirmative_obligation",
      "summary": "Defendants must post the court-mandated consumer notice (Exhibit A) prominently on all Covered Service landing pages within 14 days of Order entry and maintain it for 2 years.",
      "verbatim_text": "IT IS FURTHER ORDERED that on or before fourteen (14) days after the entry date of this Order, Defendants must post Clearly and Conspicuously on the landing pages for each Covered Service, a link to an exact copy of the notice attached hereto as Exhibit A (“Notice”). Defendants must leave this Notice in place for two (2) years after posting it.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "VIII",
      "title": "Prohibition Against Misrepresentations About Privacy or Information Security",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained from misrepresenting how they collect, maintain, use, disclose, or protect Covered Information, or the control individuals have over their information.",
      "verbatim_text": "promoting or offering for sale any product or service, are permanently restrained and enjoined from misrepresenting or assisting others in misrepresenting, expressly or by implication: A. The extent to which Defendants collect, maintain, use, disclose, Delete, or permit or deny access to any Covered Information;\n\nB. The purpose(s) for which Defendants collect, maintain, use, disclose, or permit access to any Covered Information;\n\nC. The extent to which Models, Content Partners, or any other individual who submits age or consent verification documentation to Defendants may exercise control over Defendants’ collection of, maintenance of, use of, Deletion of, disclosure of, or permission of access to, Covered Information, and the steps a Model, Content Partner, or any other individual who submits age or consent verification documentation to Defendants must take to implement such controls; or\n\nD. The extent to which Defendants protect the privacy, security, availability, confidentiality, or integrity of any Covered Information.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "IX",
      "title": "Mandated Privacy and Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Defendants must establish a comprehensive Privacy and Information Security Program within 60 days, including documentation, governance, risk assessment, safeguards (access controls, encryption, data retention, training), and ongoing monitoring and evaluation.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants and any business that Defendants control, directly or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must, within sixty (60) days after entry of this Order, establish and implement, and thereafter maintain, a comprehensive privacy and information security program (“Privacy and Information Security Program”) that protects the privacy, security, availability, confidentiality, and integrity of Covered Information. To satisfy this requirement, Defendants must, at a minimum:\n\nA. Document in writing the relevant content, implementation, and maintenance of the Privacy and Information Security Program;\n\nB. Provide the written program and any evaluations thereof or material updates thereto to Defendants’ board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendants responsible for the Privacy and Information Security Program at least once every twelve (12) months and promptly (not to exceed sixty (60) days) after discovery of a Covered Incident;\n\nC. Designate a qualified employee or employees, who report(s) directly to an executive, such as the Chief Executive Officer or Chief Operations Officer, to coordinate and be responsible for the Privacy and Information Security Program; and keep the executive and the board of directors informed of the Privacy and Information Security Program, including all actions and procedures implemented to comply with the requirements of this Order, and any actions and procedures to be implemented to ensure continued compliance with this Order;\n\nD. 
Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following discovery of a Covered Incident, internal and external risks to the privacy, security, availability, confidentiality, or integrity of Covered Information that could result in the (1) unauthorized collection, maintenance, alteration, use, Deletion, disclosure of, or provision of access to, Covered Information; or (2) misuse, loss, theft, alteration, destruction, or other compromise of Covered Information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Defendants identify to the privacy, security, availability, confidentiality, or integrity of Covered Information identified in response to sub-Provision IX.D. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, alteration, use, Deletion, disclosure of, or provision of access to, the Covered Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of the Covered Information. Such safeguards must also include: 1. Policies, practices, procedures, and technical measures to systematically inventory Covered Information in Defendants’ control. Provided, however, that any Covered Information that Defendants are otherwise required to Delete pursuant to this sub-provision may be retained or disclosed to the extent requested by a government agency in a formal preservation letter that identifies the specific data to be preserved or required by compulsory process, a request from law enforcement, a litigation hold, or otherwise required by law, regulation, or court order; 2. 
Data access controls for all assets (including databases) containing Covered Information, including but not limited to: a. Limiting employee access to Covered Information by, at a minimum, limiting employee access to what is needed to perform that employee’s job function; b. Granting and auditing varying levels of access based on an employee’s need to know; and c. Requiring multi-factor authentication methods for all employees in order to access any assets (including databases) storing Covered Information. Such multi-factor authentication methods shall not include telephone or SMS-based authentication methods and must be resistant to phishing attacks; 3. Policies, practices, procedures, and technical measures to segment, or otherwise keep separate, Covered Information from Content; 4. Encryption, or at least equivalent protection, of all Covered Information in Defendants’ control that is reasonably linkable to a consumer, computer, or device, including in transit and at rest; 5. Technical, organizational, and as appropriate, physical controls to safeguard against unauthorized access to any asset (including databases) containing Covered Information in Defendants’ control, such as properly configured firewalls; 6. A data retention policy that, at a minimum, includes: a. A requirement that Defendants document, adhere to, and make publicly available on Defendants’ terms of service/use a retention schedule for Covered Information, setting forth: (1) the purposes for which the Covered Information is collected; (2) the specific business need for retaining each type of Covered Information; and (3) a specific timeframe for Deletion of each type of Covered Information (absent any intervening Deletion requests from individuals); 7. 
Policies, practices, procedures, and technical measures designed to ensure that Covered Information collected for verification or consent purposes, such as pursuant to Provision III of this Order, is not used for any other purpose or disclosed to a third party. Provided, however, the Covered Information collected for verification or consent purposes may be used for the purpose of complying with the requirements set forth in Provision III; to compensate Models; to provide customer support services to Models; to communicate with Models; to maintain the functionality and security of the Covered Services; to contact or cooperate with law enforcement regarding actual or suspected CSAM, NCM, or illegal Content; or to comply with any applicable law, regulation, or court order; and 8. Training of all of Defendants’ employees upon hire or within one hundred and twenty (120) days after entry of this Order, and at least once every twelve (12) months for employees with access to Covered Information, on how to safeguard Covered Information;\n\nF. Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following discovery of a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the privacy, security, availability, confidentiality, or integrity of Covered Information, and modify the Privacy and Information Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following discovery of a Covered Incident, and modify the Privacy and Information Security Program based on the results. 
Such testing and monitoring must include vulnerability testing of Defendants’ network(s) once every four (4) months and promptly (not to exceed thirty (30) days) after discovery of a Covered Incident, and penetration testing of Defendants’ network(s) at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;\n\nH. Select and retain service providers capable of safeguarding Covered Information they access through or receive from Defendants, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the privacy, security, availability, confidentiality, or integrity of Covered Information; and\n\nI. Evaluate and adjust the Privacy and Information Security Program in light of any changes to Defendants’ operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in Provision IX.D of this Order, or any other circumstances that Defendants know or have reason to know may have a material impact on the effectiveness of the Privacy and Information Security Program or any of its individual safeguards. At a minimum, Defendants must evaluate the Privacy and Information Security Program at least once every twelve (12) months and modify the Privacy and Information Security Program based on the results.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "X",
      "title": "Privacy and Information Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Defendants must obtain initial and biennial independent third-party assessments of their Privacy and Information Security Program, with specific assessor qualifications, reporting periods, assessment content requirements, and submission deadlines.",
      "verbatim_text": "A. The Privacy and Security Assessments must be obtained from one or more qualified, objective, independent third-party professionals (“Privacy and Security Assessor”), who: (1) use procedures and standards generally accepted in the profession; (2) conduct an independent review of the Privacy and Information Security Program; (3) retain all documents relevant to each Privacy and Security Assessment for five (5) years after completion of such Privacy and Security Assessment; and (4) will provide such documents to the Commission and the Division within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld from the Commission or the Division by the Privacy and Security Assessor on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exception, or any similar claim.\n\nB. For each Privacy and Security Assessment, Defendants must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Privacy and Security Assessor, whom the Associate Director shall have the authority to approve in her or his sole discretion.\n\nC. The reporting period for the Privacy and Security Assessments must cover: (1) the first one hundred eighty (180) days after the entry date of this Order for the initial Privacy and Security Assessment; and (2) each two (2) year period thereafter for ten (10) years after entry of this Order for the biennial Privacy and Security Assessments.\n\nD. 
Each Privacy and Security Assessment must, for the entire assessment period: (1) determine whether Defendants have implemented and maintained the Privacy and Information Security Program required by Provision IX of this Order, titled Mandated Privacy and Information Security Program; (2) assess the effectiveness of Defendants’ implementation and maintenance of sub-Provisions IX.A-I; (3) identify any gaps or weaknesses in, or instances of material noncompliance with, the Privacy and Information Security Program; (4) address the status of gaps or weaknesses in, or instances of material non-compliance with the Privacy and Information Security Program that were identified in any prior Privacy and Security Assessment required by this Order; (5) identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Privacy and Security Assessor examined is (a) appropriate for assessing an enterprise of Defendants’ size, complexity, and risk profile; and (b) sufficient to justify the Privacy and Security Assessor’s findings. No findings of any Privacy and Security Assessment shall rely primarily on assertions or attestations by Defendants’ management. The Privacy and Security Assessment must be signed by the Privacy and Security Assessor, state that the Privacy and Security Assessor conducted an independent review of the Privacy and Information Security Program and did not rely primarily on assertions or attestations by Defendants’ management, and state the number of hours that each member of the assessment team worked on the Privacy and Security Assessment. 
To the extent that Defendants materially revise or update or add one or more safeguards required under Provision IX of this Order during a Privacy and Security Assessment period, the Privacy and Security Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. Each Privacy and Security Assessment must be completed within sixty (60) days after the end of the reporting period to which the Privacy and Security Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendants must submit the initial Privacy and Security Assessment to the Commission and the Division within fourteen (14) days after the Privacy and Security Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, and via email to WCCE@agutah.gov or by overnight courier (not the U.S. Postal Service) to the Utah Attorney General’s Office, White Collar and Commercial Enforcement Division, 160 East 300 South, 5th Floor, Salt Lake City, UT 84114. The subject line must begin, “FTC v. MindGeek, FTC File No. 2123033.” All subsequent biennial Privacy and Security Assessments must be retained by Defendants until the Order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. 
The initial Privacy and Security Assessment and any subsequent biennial Privacy and Security Assessment provided to the Commission and the Division must be marked, in the upper right-hand corner of each page, with the words “DPIP Privacy and Security Assessment” in red lettering.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XI",
      "title": "Cooperation with Third-Party Privacy and Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Defendants must cooperate fully with the Privacy and Security Assessor by providing all relevant information, network/IT asset visibility, and accurate disclosures without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Privacy and Security Assessor all information and material in its possession, custody, or control that is relevant to the Privacy and Security Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Privacy and Security Assessor information about Defendants’ network(s) and all of Defendants’ IT assets so that the Privacy and Security Assessor can determine the scope of the Privacy and Security Assessment, and visibility to those portions of the network(s) and IT assets deemed in scope; and\n\nC. Disclose all material facts to the Privacy and Security Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Privacy and Security Assessor’s: (1) determination of whether Defendants have implemented and maintained the Privacy and Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions IX.A-I; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Privacy and Information Security Program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XII",
      "title": "Annual Certifications – Privacy and Information Security",
      "category": "compliance_reporting",
      "summary": "Defendants must annually provide the FTC and the Division with a senior officer certification attesting to compliance with the Order's requirements, no uncorrected noncompliance, and a description of all Covered Incidents during the certified period.",
      "verbatim_text": "A. One year after the entry date of this Order, and each year thereafter, provide the Commission and the Division with a certification from the senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Defendants responsible for Defendants’ Privacy and Information Security Program that: (1) Defendants have established, implemented, and maintained the requirements of this Order; (2) Defendants are not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission and the Division; and (3) includes a brief description of all Covered Incidents during the certified period. The certification must be based on the personal knowledge of a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Defendants responsible for Defendants’ Privacy and Information Security Program, or subject matter experts upon whom the senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Defendants responsible for Defendants’ Privacy and Information Security Program, reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all privacy and information security annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, and via email to WCCE@agutah.gov or by overnight courier (not the U.S. Postal Service) to the Utah Attorney General’s Office, White Collar and Commercial Enforcement Division, 160 East 300 South, 5th Floor, Salt Lake City, UT 84114. The subject line must begin: “FTC v. 
MindGeek, FTC File No. 2123033.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XIII",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 10 days of notifying any U.S. government entity of a Covered Incident, Defendants must submit a detailed report to the Commission and the Division describing the incident, affected information, consumer impact, remediation steps, and notices sent.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within ten (10) days of any notification to a United States federal, state, or local entity of a Covered Incident, Defendants shall submit a report to the Commission and the Division. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of information that was affected by the Covered Incident; D. The number of consumers whose information was affected by the Covered Incident; E. The acts that Defendants have taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of each materially different notice sent by Defendants to individuals or to any U.S. federal, state, or local government entity.\n\nG. Unless otherwise directed by a Commission representative in writing, all Covered Incident reports pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, and via email to WCCE@agutah.gov or by overnight courier (not the U.S. Postal Service) to the Utah Attorney General’s Office, White Collar and Commercial Enforcement Division, 160 East 300 South, 5th Floor, Salt Lake City, UT 84114. The subject line must begin: “FTC v. MindGeek, FTC File No. 2123033.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XIV",
      "title": "Monetary Judgment",
      "category": "affirmative_obligation",
      "summary": "A $15 million civil penalty judgment is entered in favor of the Utah Division; $5 million is due within 7 days of Order entry; the remaining $10 million is suspended conditional on compliance and may be reinstated upon contempt finding.",
      "verbatim_text": "A. Judgment in the amount of fifteen million dollars ($15,000,000) is entered in favor of the Division against Defendants, jointly and severally, as civil penalties.\n\nB. The Defendants are ordered to pay the Division five million dollars ($5,000,000) by electronic fund transfer within seven (7) days of entry of this Order.\n\nC. The Division agrees to suspend the remaining ten million dollars ($10,000,000) of the judgment conditional on each Defendant complying with the Provisions of this Order. D. The Division may revoke the suspension of the remaining judgment only if (1) the Division informs Defendants in writing that the Division believes a Provision of this Order has been violated, identifying the specific Provision and conduct that the Division believes gives rise to the violation and how the violation can be reasonably cured (“Notice of Potential Violation”); (2) Defendants do not cure the violation identified in the Notice of Potential Violation within sixty (60) days of receiving the Notice of Potential Violation; and (3) the Division then moves for a contempt order and the court finds any Defendant in contempt of this Order based, at least in part, on a finding that the Defendant violated the Provision of this Order as identified in the Notice of Potential Violation and that contempt finding is no longer subject to appeal. E. If the above conditions are met, the Division may revoke the suspension of the remaining judgment by sending written notice to the Defendants (“Notice of Suspension Revocation”). After receipt of the Notice of Suspension Revocation, Defendants must pay to the Division the full amount of the remaining judgment within thirty (30) days, for which all Defendants are jointly and severally liable.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XV",
      "title": "Additional Monetary Provisions",
      "category": "affirmative_obligation",
      "summary": "Defendants relinquish all rights to assets transferred under the Order; Complaint facts are taken as true in future enforcement proceedings; bankruptcy nondischargeability elements are established; Defendants must provide Tax Identification Numbers.",
      "verbatim_text": "A. The Defendants relinquish dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Plaintiffs to enforce the Plaintiffs’ rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeable complaint in any bankruptcy case.\n\nC. The facts alleged in the Complaint establish all elements necessary to sustain an action by the Plaintiffs pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.\n\nD. The Defendants acknowledge that their Tax Identification Numbers, which the Defendants must submit to the Plaintiffs, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XVI",
      "title": "Order Acknowledgments",
      "category": "acknowledgment",
      "summary": "Each Defendant must acknowledge receipt of the Order under penalty of perjury within 7 days, deliver copies to principals, officers, and relevant employees within specified timeframes, and obtain signed acknowledgments within 30 days.",
      "verbatim_text": "A. Each Defendant, within seven (7) days of entry of this Order, must submit to the Commission and the Division an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For ten (10) years after entry of this Order, each Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives having managerial responsibilities for conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reporting. Delivery must occur within seven (7) days of entry of this Order for current personnel. For all others, delivery must occur within seven (7) days of assuming their responsibilities.\n\nC. From each individual or entity to which a Defendant delivered a copy of this Order, that Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XVII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendants must submit a sworn compliance report one year after Order entry, sworn compliance notices within 14 days of any structural or contact changes for 10 years, and bankruptcy filing notices within 14 days, using specified submission procedures.",
      "verbatim_text": "A. One year after entry of this Order, Defendants must submit a compliance report, sworn under penalty of perjury: 1. Each Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission and the Division, may use to communicate with Defendant; (b) identify all of that Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales, and the involvement of any other Defendant; (d) describe in detail whether and how that Defendant is in compliance with each Provision of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission and the Division.\n\nB. For ten (10) years after entry of this Order, Defendants must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: 1. Each Defendant must report any change in: (a) any designated point of contact; or (b) the structure of any Defendant or any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Defendants must submit to the Commission and the Division notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against any such Defendant within fourteen (14) days of its filing.\n\nD. Any submission to the Commission and the Division required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, and via email to WCCE@agutah.gov or by overnight courier (not the U.S. Postal Service) to the Utah Attorney General’s Office, White Collar and Commercial Enforcement Division, 160 East 300 South, 5th Floor, Salt Lake City, UT 84114. The subject line must begin: “FTC v. MindGeek, FTC File No. 2123033.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XVIII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Defendants must create specified records for 10 years after Order entry and retain each such record for 5 years, covering accounting, personnel, consumer complaints, compliance documentation, advertising materials, privacy representations, assessment materials, and law enforcement communications.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants must create certain records for ten (10) years after entry of this Order, and retain each such record for five (5) years. Specifically, Defendants must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission and the Division;\n\nE. A copy of each unique advertisement or other marketing material making a representation subject to this Order;\n\nF. A copy of each widely disseminated representation by Defendants that describes the extent to which Defendants maintain or protect the privacy, security and confidentiality of any Covered Information, including any representation concerning a change in any website or other service controlled by Defendants that relates to the privacy, security, and confidentiality of Covered Information;\n\nG. For five (5) years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Defendants, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Defendants’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment; and\n\nH. 
For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Defendants’ compliance with this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XIX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission and Division are authorized to monitor Defendants' compliance through requests for reports and documents, depositions, direct communications, interviews, undercover monitoring, and all lawful compulsory process; Defendants may not take actions to evade the Order.",
      "verbatim_text": "A. Within fourteen (14) days of receipt of a written request from a representative of the Commission or the Division, each Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission and the Division are also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including depositions by remote means), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, the Commission and the Division are each authorized to communicate directly with each Defendant. Defendants must permit representatives of the Commission or the Division to interview any employee or other person affiliated with any Defendant who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Commission or the Division may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Defendants or any individual or entity affiliated with Defendants, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1. Nothing in this Order limits the Division’s lawful use of compulsory process pursuant to Utah Code sections 13-2-5, 6, and 13-11-8, 16, 17.\n\nD. Defendants will not take any action, enter into any agreement, or assist any other party to transfer the management or operation of www.pornhub.com or any other Covered Service in any manner that is intended to evade, or could reasonably be expected to evade, any requirements set forth in this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "XX",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "09.25_pornhubmindgeekaylo",
      "company_name": "AYLO GROUP LTD.",
      "date_issued": "2025-09-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "2:25-cv-00752"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Security Products",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent, in connection with any security software product or service, either the extent to which the product reduces unauthorized access risk, or the extent to which it maintains, protects, or provides security or privacy features.",
      "verbatim_text": "IT IS ORDERED that respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the manufacturing, packaging, labeling, advertising, promotion, offering for sale, sale, or distribution of InternetALERT or any other computer software product or service that is marketed as enhancing security, in or affecting commerce, shall not misrepresent: Page 2 of 7 A. the extent to which any such product or service will reduce the risk of unauthorized access into such computer, or any such similar system; or\n\nB. the extent to which any such product or service will maintain, protect, or provide security features that will enhance the security or privacy of any such computer (or any such similar system) or any data, that is stored in a computer, or any similar system, including personally identifiable information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Misrepresentations About Performance of Security/Privacy Software",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent the performance, benefits, or efficacy of any computer software product or service marketed as enhancing the security or privacy of any computer or similar system.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the manufacturing, packaging, labeling, advertising, promotion, offering for sale, sale, or distribution of any computer software product or service that is marketed as enhancing the security or privacy of any computer or similar system, in or affecting commerce, shall not misrepresent the performance, benefits, or efficacy of any such software product or service.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "III",
      "title": "Consumer Refund Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must provide refunds to current InternetALERT subscribers by sending a refund notification email, posting a refund notice on their website, and issuing refund payments within seven days of receiving a request.",
      "verbatim_text": "A. Respondents shall send, within seven (7) days from the date of service of this order, to the last known e-mail address of each current subscriber of the InternetALERT software product exact copies of the “Refund Notification Message,” with the subject line “Important Refund Notice Concerning Your InternetALERT Subscription,” attached hereto as Attachment A. Respondents shall not include with Attachment A any other information, nor shall any other material be transmitted with Attachment A. Respondents shall give subscribers who receive Attachment A pursuant to this Part sixty (60) days to respond.\n\nB. Respondents shall use all reasonable commercially available means to obtain updated e-mail addresses for any returned e-mails within fifteen (15) days of receipt of such returned e-mail and shall resend Attachment A within seven (7) days of obtaining a new e-mail address for the recipient. Respondents shall not include with Attachment A any other information, nor shall any other material be transmitted with Attachment A. Respondents shall give subscribers who receive a resent Attachment A pursuant to this Part sixty (60) days to respond.\n\nC. Respondents shall post within seven (7) days of service of the order and, continuing for sixty (60) days maintain, on the Bonzi Software homepage, www.bonzi.com, a hyperlink to a notice in the form and format as Attachment A. Such hyperlink shall be clear and conspicuous, labeled “InternetALERT Refund Notice,” and lead directly to the notice on the click- through electronic page or other display screen or panel. Respondents shall give Page 3 of 7 current subscribers who receive notice of the refund through the Bonzi Software homepage, www.bonzi.com, the opportunity to respond within sixty (60) days from the date of posting the notice required by this Part.\n\nD. 
Within seven (7) days of receiving a request for a refund, respondents shall provide current subscribers who cancel and uninstall the InternetALERT software product either (a) a check drawn on U.S. funds; or (b) a credit card refund for an amount representing the unused portion of their InternetALERT subscription calculated as of the date of acceptance of this order by the Commission for public comment. For current subscribers who request a refund by check, respondents shall mail refunds by first class mail to the physical address provided by the subscriber or, if no address is provided, to the subscriber’s last known physical address.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "IV",
      "title": "Distribution of Order to Retailers and Affiliates",
      "category": "acknowledgment",
      "summary": "Respondents must send a copy of this order by email to any retailer, affiliate, or other third party that advertises, promotes, offers for sale, sells, or distributes InternetALERT under an agreement with respondents.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall, within seven (7) days after the date of service of this order, send by e-mail exact copies of the order to any retailer, affiliate, or other third party that advertises, promotes, offers for sale, sells, or distributes the software product InternetALERT pursuant to an agreement with respondents.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must retain, for five years after the last dissemination of any covered representation, all advertisements, materials relied upon, and any tests or evidence that contradict or qualify the representation, and make them available to the FTC upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall, for a period of five (5) years after the last date of dissemination of any representation covered by this order, maintain and upon request make available to the Federal Trade Commission for inspection and copying: A. All advertisements and promotional materials containing the representation;\n\nB. All materials that were relied upon in disseminating the representation; and\n\nC. All tests, reports, studies, surveys, demonstrations, or other evidence in their possession or control that contradict, qualify, or call into question the representation, or the basis relied upon for the representation, including complaints and other communications with consumers or with governmental or consumer protection organizations.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "VI",
      "title": "Order Distribution to Personnel",
      "category": "acknowledgment",
      "summary": "Respondents must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities — current personnel within 30 days of service, future personnel within 30 days of assuming their role.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondents shall deliver this order to such current personnel within thirty (30) days Page 4 of 7\n\nafter the date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "VII",
      "title": "Corporate Change Notification — Bonzi Software, Inc.",
      "category": "compliance_reporting",
      "summary": "Bonzi Software, Inc. must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, sale, bankruptcy filing, or name/address change, by certified mail to the FTC's Associate Director of Enforcement.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Bonzi Software, Inc., and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "VIII",
      "title": "Individual Respondents' Employment Change Notification",
      "category": "compliance_reporting",
      "summary": "Joe Bonzi and Jay Bonzi must, for 10 years after entry of this order, notify the FTC of any discontinuance of their current business or employment and any affiliation with a new business or employment, by certified mail to the FTC's Associate Director of Enforcement.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents Joe Bonzi and Jay Bonzi for a period of ten (10) years after the date of entry of this order shall notify the Commission of: (1) the discontinuance of their current business or employment; and, (2) their affiliation with any new business or employment. The notice shall include respondents’ new businesses names, addresses, and telephone numbers and a description of the nature of the business or employment and the respondents’ duties and responsibilities. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondents must file a written compliance report with the FTC within 120 days of service of this order, and at such other times as the FTC requires, detailing compliance with the order including a full description of the consumer redress program conducted under Part III.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondents shall within one hundred and twenty (120) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order. As part of this compliance report,\n\nform in which they have complied with this order. As part of this compliance report, respondents shall describe the consumer redress program conducted pursuant to Part III of this order. This description shall include sample copies of notifications provided to subscribers pursuant to Part III of this order and separate lists identifying (a) the name, e-mail, and physical address, and refund amount for each subscriber who was a current subscriber as of the date of service of this order; and (b) the total number of current subscribers to whom e-mail notices were sent pursuant to Part III of this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "X",
      "title": "Order Duration",
      "category": "duration",
      "summary": "This order terminates on October 7, 2024, or 20 years from the most recent date a complaint alleging a violation of the order is filed in federal court by the U.S. or FTC, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on October 7, 2024, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order's application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondents did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Other"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.04_bonzi_software",
      "company_name": "Bonzi Software, Inc.",
      "date_issued": "2004-10-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc",
      "docket_number": "C-4126"
    },
    {
      "provision_number": "I",
      "title": "Ban on Sale of Customer Phone Records",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained from obtaining, marketing, or selling customer phone records and consumer personal information derived from customer phone records, with a narrow exception for records obtained pursuant to law, regulation, or lawful court order.",
      "verbatim_text": "I. IT IS THEREFORE ORDERED that Defendants, their assigns, agents, servants, employees and those persons in active concert or participation with them who receive actual Page 3 of 13 notice of this Order by personal service or otherwise, are hereby restrained and enjoined from obtaining, causing others to obtain, marketing, or selling customer phone records and consumer personal information that is derived from customer phone records; provided, however, that Defendants shall not be prohibited from obtaining customer phone records or consumer personal information that is derived from customer phone records pursuant to any law, regulation, or lawful court order. Nothing in this Order shall be read as an exception to this Section I.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "II",
      "title": "Prohibited Business Activities",
      "category": "prohibition",
      "summary": "Defendants are restrained from making false or deceptive statements to obtain consumer personal information and from requesting others to obtain such information through deceptive means.",
      "verbatim_text": "A. Making false or deceptive statements or representations, including but not limited to impersonating any person or entity, directly or by implication, to any person or entity in order to obtain consumer personal information;\n\nB. Requesting any person or entity to obtain consumer personal information relating to any third person, if the person making such a request knows or should know that the person or entity to whom such a request is made will obtain or attempt to obtain such information in violation of Subsection A of this Section II.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "III",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "Judgment is entered jointly and severally against Defendants for $2,700.00, to be paid by January 1, 2007, with funds deposited into an FTC-administered fund for equitable relief.",
      "verbatim_text": "A. Judgment is hereby entered against Defendants, jointly and severally, in the amount of TWO THOUSAND SEVEN HUNDRED DOLLARS ($2,700.00) to be paid on or before January 1, 2007.\n\nB. Any funds received by the FTC pursuant to Section III shall be deposited into a fund administered by the FTC or its agent to be used for such equitable relief, including but not limited to consumer information remedies and disgorgement to the U.S. Treasury of ill-gotten monies, as the FTC determines to be reasonably related to Defendants' practices alleged in the Complaint. Defendants shall have no right to challenge the FTC's choice of remedies under this Section III.\n\nC. Defendants further agree that the facts as alleged in the Complaint shall be taken as true in the event of any subsequent litigation to collect amounts due pursuant to this Order, including but not limited to a nondischargeability complaint in any bankruptcy proceeding.\n\nE. Defendants acknowledge and agree that any money paid pursuant to this Order is irrevocably paid to the FTC for purposes of settlement between the FTC and Defendants, and Defendants relinquish all rights, title, and interest to such money.\n\nF. Defendants are hereby required, in accordance with 31 U.S.C. § 7701, to furnish to the FTC their tax identification numbers, which shall be used for purposes of collecting and reporting on any delinquent amount arising out of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "IV",
      "title": "Cooperation with FTC",
      "category": "affirmative_obligation",
      "summary": "Defendant Edmund Edmister must cooperate in good faith with the FTC, appearing for interviews, depositions, and other proceedings related to the complaint upon written request, without requiring a subpoena.",
      "verbatim_text": "IV. IT IS FURTHER ORDERED that Defendant Edmund Edmister shall, in connection with this action or any subsequent investigations related to or associated with the transactions or the occurrences that are the subject of the FTC's Complaint, cooperate in good faith with the FTC and appear at such places and times as the FTC shall reasonably request, after written notice, for interviews, conferences, pretrial discovery, review of documents, and for such other matters as may be reasonably requested by the FTC. If requested in writing by the FTC, Defendant Edmund Edmister shall appear and provide truthful testimony in any trial, deposition, or other proceeding related to or associated with the transactions or the occurrences that are the subject of the Complaint, without the service of a subpoena, provided, however, that Defendant Edmund Edmister shall be entitled to receive any witness fees and expenses allowable pursuant to Federal Rule of Civil Procedure 45.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "V",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "For three years from entry, Defendants must deliver copies of the Order to all principals, officers, directors, managers, employees, and agents, with delivery within 5 days for current personnel and prior to start for new personnel, and must obtain signed receipt acknowledgments within 30 days.",
      "verbatim_text": "A. Defendant Integrity Security & Investigation Services, Inc. must deliver a copy of this Order to all of its principals, officers, directors, and managers. Defendant Integrity Security & Investigation Services, Inc. also must deliver copies of this Order to all of its employees, agents, and representatives who engage in conduct related to the subject matter of the Order. For current personnel, delivery shall be within (5) days of service of this Order upon Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities.\n\nB. For any business that Defendant Edmund Edmister controls, directly or indirectly, or in which he has a majority ownership interest, Defendant Edmund Edmister must deliver a Page 6 of 13 copy of this Order to all principals, officers, directors, and managers of that business. Defendant Edmund Edmister must also deliver copies of this Order to all employees, agents, and representatives of that business who engage in conduct related to the subject matter of the Order. For current personnel, delivery shall be within (5) days of service of this Order upon Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities.\n\nC. For any business where Defendant Edmund Edmister is not a controlling person of a business but otherwise engages in conduct related to the subject matter of this Order, Defendant Edmund Edmister must deliver a copy of this Order to all principals and managers of such business before engaging in such conduct.\n\nD. Defendants must secure a signed and dated statement acknowledging receipt of the Order, within thirty days of delivery, from all persons receiving a copy of the Order pursuant to this Section V.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "VI",
      "title": "Record-Keeping Provisions",
      "category": "recordkeeping",
      "summary": "For three years from entry, Defendants must create and retain specified business records — including accounting records, personnel records, customer files, complaints, marketing materials, third-party records, and Order acknowledgments — for any business they majority own or control that deals in consumer personal information.",
      "verbatim_text": "A. Accounting records that reflect the cost of goods or services sold, revenues generated, and the disbursement of such revenues;\n\nB. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person's job title or position; the date upon which the person commenced work; and the date and reason for the person's termination, if applicable;\n\nC. Customer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of goods or services purchased, and description of goods or services purchased, to the extent such information is obtained in the ordinary course of business;\n\nD. Complaints and refund requests (whether received directly, indirectly or through any third party) and any responses to those complaints or requests;\n\nE. Copies of all sales scripts, training materials, advertisements, or other marketing materials, and records that accurately reflect the time periods during which such materials were used and the persons and business entities that used such materials;\n\nF. To the extent consumer personal information is obtained through the use of any third party, records that accurately reflect the name, address and telephone number of such third party, including, but not limited to, copies of all contracts and correspondence (other than correspondence that contains consumer personal information) between any Defendant and such third party; and\n\nG. Copies of each acknowledgement of receipt of Order required to be obtained pursuant to Section V of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "For three years from entry, Defendants must notify the FTC of changes in residence, employment, corporate structure, and other specified matters; and must file a sworn compliance report 180 days after entry of the Order.",
      "verbatim_text": "1. Defendant Edmund Edmister shall notify the FTC of the following: a. Any changes in his residence, mailing addresses, and telephone numbers, within ten (10) days of the date of such change;\n\nb. Any changes in his employment status (including self-employment), and any change in his ownership in any business entity, within ten (10) days of the date of such change. Such notice shall include the name and address of each business that he is affiliated with, employed by, creates or forms, or performs services for; a statement of the nature of the business; and a statement of his duties and responsibilities in connection with the business or employment; and\n\nc. Any changes in his name or use of any aliases or fictitious names; and\n\n2. Defendants shall notify the FTC of any changes in corporate structure of Integrity Security & Investigation Services, Inc. or any business entity that Edmund Edmister directly or indirectly control(s), or has an ownership interest in, that may affect compliance obligations arising under this Order, including but not limited to a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor entity; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; the filing of a bankruptcy petition; or a change in the corporate name or address, at least thtrty (30) days prior to such change, provided that, with respect to any proposed change in the corporation about which a Defendant learns less than thuty (30) days prior to the date such action is to take place, such Defendant shall notify the FTC as soon as is practicable after obtaining such knowledge.\n\nB. 
One hundred eighty (180) days after the date of entry of this Order, Defendants each shall provide a written report to the FTC, sworn to under penalty of perjury, setting forth in detail the manner and form in which they have complied and are complying with this Order. This report shall include, but not be h t e dt o: 1. For each individual Defendant: a. The then-current residence address, mailing addresses, and telephone numbers of the individual Defendant; b. The then-current employment and business addresses and telephone numbers of the individual Defendant, a description of the business activities of each such employer or business, and the title and responsibilities of the individual Defendant, for each such employer or business; and c. Any other changes required to be reported under subparagraph A of this Section VII. 2. For all Defendants: a. A copy of each acknowledgment of receipt of this Order, obtained pursuant to Section V; b. Any other changes required to be reported under subparagraph A of this Section VII.\n\nC. For the purposes of this Order, Defendants shall, unless otherwise directed by the FTC's authorized representatives, mail all written notifications to the FTC to: Page 10 of 13 Associate Director of Enforcement Federal Trade Commission 600 Pennsylvanvia Avenue NW Room NJ2122 Washngton, DC 20580 Re: FTC v. InteMtv Securitv & Investigation Services.\n\nD. For purposes of the compliance reporting and monitoring required by this Order, the FTC is authorized to communicate directly with Defendants.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor compliance through written reports, document production, depositions, site inspections, undercover posing, and interviews of Defendants' personnel; Defendants must cooperate within 14 days of written notice.",
      "verbatim_text": "A. Within fourteen (14) days of receipt of written notice from a representative of the FTC, Defendants each shall submit additional written reports, sworn to under penalty of perjury; produce documents for inspection and copying; appear for deposition; and/or provide entry during normal business hours to any business location in such Defendant's possession or direct or indirect control to inspect the business operation; provided, however, that Defendants shall not be required to produce or make available for inspection any record that contains the name, address, or telephone number of any client of any Defendant absent a court order or lawful compulsory process;\n\nB. In addition, the FTC is authorized to monitor compliance with this Order by all other lawful means, including but not limited to the following: 1. obtaining discovery from any person, without further leave of court, using the procedures prescribed by Fed. R. Civ. P. 30, 31, 33, 34, 36, and 45;\n\n2. posing as consumers and suppliers to: Defendants, Defendants' employees, or any other entity managed or controlled in whole or in part by any Defendant, without the necessity of identification or prior notice; and\n\nC. Defendants shall permit representatives of the FTC to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "IX",
      "title": "Acknowledgment of Receipt of Order",
      "category": "acknowledgment",
      "summary": "Each Defendant must submit to the FTC a truthful sworn statement acknowledging receipt of the Order within five business days after receipt of the entered Order.",
      "verbatim_text": "IX. IT IS FURTHER ORDERED that within five (5) business days after receipt of this Order, as entered by the Court, each Defendant shall submit to the FTC a truthful sworn statement acknowledging receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "X",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "X. IT IS FURTHER ORDERED that this Court shall retain jurisdiction of this matter, for purposes of construction, modification and enforcement of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.06_integrity_security_investigation_services",
      "company_name": "Integrity Security & Investigation Services, Inc.",
      "date_issued": "2006-10-15",
      "year": 2006,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc",
      "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB"
    },
    {
      "provision_number": "1",
      "title": "Prohibition on Misrepresentations",
      "category": "prohibition",
      "summary": "Defendants are permanently enjoined from misrepresenting any material facts about how their file-sharing application operates, including which files will be shared, with whom, and how consumers can control sharing.",
      "verbatim_text": "IT IS HEREBY ORDERED that Defendants, their officers, agents, servants, employees, and attorneys, and all other persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, whether acting directly or indirectly, in connection with the advertising, distribution, downloading, installation, or operation of any file-sharing application in commerce, are hereby permanently restrained and enjoined from misrepresenting, or assisting others in misrepresenting, expressly or by implication: A. that consumers' computers will not publicly share, or are not publicly sharing, files consumers download or have downloaded from the Gnutella network, including through 5 Case 1:11-cv-23643-DLG Document 5 Entered on FLSD Docket 10/12/2011 Page 6 of 17 the FrostWire Desktop \"Save Folder and Shared Folders\" dialog box and \"Options- Sharing\" box;\n\nwhat files the file-sharing application will share or the audience with whom they will be shared;\n\nhow consumers can initiate or stop sharing files when they install or run the file-sharing application on a computer; or\n\nD. any other material fact about how the file-sharing application operates.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "2",
      "title": "Required Disclosures and Defaults Relating to the Sharing of Downloaded Files",
      "category": "affirmative_obligation",
      "summary": "Defendants may not distribute any file-sharing application unless it clearly discloses sharing behavior before installation, requires affirmative consumer selection of files to share, and provides easy mechanisms to disable sharing after installation.",
      "verbatim_text": "A. before the consumer installs or runs the application, the application: clearly and prominently discloses to the consumer which files downloaded from a file-sharing network, if any, it will share and the audience with whom those files will be shared;\n\n2. requires the consumer first to affirmatively select which files downloaded from the network, if any, to share;\n\nclearly and prominently discloses how the consumer can stop sharing files the consumer downloads from the network; and\n\nafter the application is installed and running, the application: allows the consumer to disable sharing of files previously and subsequently downloaded from the network immediately upon taking actions substantially equivalent to those required to affirmatively select such files for sharing after the application is installed; and\n\nprovides a clearly labeled link or distinctive icon linking from the application's listings of shared files to clear and prominent written, graphical, and audiovisual instructions about how to disable sharing of files.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "3",
      "title": "Requirements Relating to User-Originated Files and Default Settings",
      "category": "affirmative_obligation",
      "summary": "Defendants may not distribute any file-sharing application capable of sharing user-originated files unless sharing of such files can only be enabled after complete installation, with clear disclosures, affirmative consumer selection, and easy mechanisms to reverse sharing.",
      "verbatim_text": "A. clearly and prominently discloses to the consumer which user-originated files, if any, the consumer can choose to share using the application, and the audience with whom those files would be shared;\n\nB. is set, by default, to require the consumer to affirmatively select the specific, individual files to be shared, and to confirm after clear and prominent disclosure that selected files will be shared;\n\nenables consumers to change the default settings described in Subsection III.B, above, provided that the application does not prompt the consumer to change those default settings, and only if the consumer; affirmatively selects an option to do so after clear and prominent disclosure about the effect of the change and confirms the change through an affirmative selection; 2. must affirmatively select any groups of files to be shared;\n\nafter making any change to a default setting described in Subsection III.B, above, can re-enable the default setting immediately upon taking actions substantially equivalent to those required to change it;\n\nallows the consumer to disable sharing of any files or groups of files immediately upon taking actions substantially equivalent to those required to select them for sharing; and\n\nE. provides a clearly labeled link or distinctive icon linking from the application's listings of shared files to clear and prominent written, graphical, and audiovisual instructions about how to disable sharing of files.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Deceptive Design / Dark Patterns"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "4",
      "title": "Requirements Regarding Legacy Versions",
      "category": "affirmative_obligation",
      "summary": "Defendants are permanently enjoined from promoting, selling, or distributing any Legacy Version of FrostWire Desktop or FrostWire for Android, and must transmit update code and prominent notices to all computers running Legacy Versions within ten business days of the order's entry.",
      "verbatim_text": "IT IS FURTHER ORDERED that Defendants, their officers, agents, servants, employees, and attorneys, and all other persons or entities in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, whether acting directly or indirectly, are permanently restrained and enjoined from promoting, selling, or 8 Case 1:11-cv-23643-DLG Document 5 Entered on FLSD Docket 10/12/2011 Page 9 of 17 distributing, or assisting others in so doing, any Legacy Version of Frostwire Desktop or\n\nFrostwire for Android. It is further ordered that, within ten (10) business days of the entry of this order, Defendants shall, to the extent that they have not done so previously, transmit or cause to be transmitted: A. to aIl computers running any Legacy Version of FrostW ire Desktop: code that, when installed, designates alI illndividually shared'' files on those computers not to be shared by the application unless consumers using those computers affirmatively select them to be shared, and upgrades the application to comply with the requirements of Sections 1-111 of this Order; and\n\n2. a clear and prominent notice to consumers using those computers that advises them to install the code described in Subsection IV.A.I of this Order, and that includes a clearly labeled command button or link enabling consumers to initiate that installation; and\n\nB. 
to all computers running any Legacy Version of FrostWire for Android: code that, when installed, designates all previously shared files on those computers not to be shared by the application unless consumers using those computers affirmatively select them to be shared, and upgrades the application to comply with the requirements of Sections I-III of this Order; and\n\na clear and prominent notice to consumers using those computers that advises them to install the code described in Subsection IV.B.I of this Order, and that includes a clearly labeled command button or link enabling consumers to initiate that installation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "5",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor Defendants' compliance through written reports, document production, depositions, facility inspections, undercover investigations, and employee interviews.",
      "verbatim_text": "Within ten (10) days of receipt of written notice from a representative of the Commission, Defendants each shall submit additional written reports, which are true and accurate and sworn to under penalty of perjury; produce documents for inspection and copying; appear for deposition; and provide entry during normal business hours to any business location in each Defendant's possession or direct or indirect control to inspect the business operation;\n\nB. In addition, the Commission is authorized to use all other lawful means, including but not limited to: obtaining discovery from any person, without further leave of court, using the procedures prescribed by Fed. R. Civ. P. 30, 31, 33, 34, 36, 45 and 69; 2. having its representatives pose as consumers and suppliers to Defendants, their employees, or any other entity managed or controlled in whole or in part by any Defendant, without the necessity of identification or prior notice; and\n\nDefendants each shall permit representatives of the Commission to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "6",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "For three years, Individual Defendant must notify the FTC of changes in residence, employment, and name; all Defendants must notify the FTC of corporate structure changes; Defendants must file a sworn compliance report 60 days after entry; and Defendants must notify the FTC of any bankruptcy filing within 15 days.",
      "verbatim_text": "For a period of three (3) years from the date of entry of this Order, 1. lndividual Defendant shall notify the Commission of the following: a. Any changes in his residence, mailing addresses, and telephone numbers, within ten (10) days of the date of such change;\n\nb. Any changes in his employment status (including self-employment), and any change in his ownership in any business entity, within ten (10) days of the date of such change. Such notice shall include the name and address of each business that he is affiliated with, employed by, creates or forms, or performs services for; a detailed description of the nature of the business', and a detailed description of his duties and responsibilities in connection with the business or employment; and\n\nAny changes in his name or use of any aliases or fictitious names within C. ten (10) days of the date of such change;\n\nDefendants shall notify the Commission of any changes in structure of the Corporate Defendant or any business entity that any Defendant directly or indirectly controls, or has an ownership interest in, that may affect compliance Case 1:11-cv-23643-DLG Document 5 Entered on FLSD Docket 10/12/2011 Page 12 of 17 obligations arising under this Order, including but not limited to: incorporation or other organization; a dissolution, assignment, sale, merger, or other action; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; or a change in the business name or address, at least thirty (30) days prior to such change, provided that, with respect to any such change in the business entity about which a Defendant learns less than thirty (30) days prior to the date such action is to take place, such Defendant shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nB. 
Sixty (60) days after the date of entry of this Order, Defendants each shall provide a written report to the FTC, which is true and accurate and sworn to under penalty of perjury, setting forth in detail the manner and form in which they have complied and are complying with this Order. This report shall include, but not be limited to: For Individual Defendant: a. his then-current residence address, mailing addresses, and telephone numbers; b. his then-current employment status (including self-employment), including the name, addresses, and telephone numbers of each business that he is affiliated with, employed by, or performs services for; a detailed description of the nature of the business; and a detailed description of his duties and responsibilities in connection with the business or employment; and Any other changes required to be reported under Subsection A of this Section. 2. For all Defendants: a. A copy of each acknowledgment of receipt of this Order, obtained pursuant to the Section titled \"Distribution of Order\"; b. Any other changes required to be reported under Subsection A of this Section.\n\nEach Defendant shall notify the Commission of the filing of a bankruptcy petition by such Defendant within fifteen (15) days of filing.\n\nD. For the purposes of this Order, Defendants shall, unless otherwise directed by the Commission's authorized representatives, send by overnight courier (not the U.S. Postal Service) all reports and notifications to the Commission that are required by this Order to: Associate Director for Enforcement Bureau of Consumer Protection Federal Trade Commission 600 Pennsylvania Avenue, N.W. Washington, D.C. 20580 RE: FTC v. 
Frostwire LLC Provided that, in lieu of overnight courier, Defendants may send such reports or notifications by first-class mail, but only if Defendants contemporaneously send an electronic version of such report or notification to the Commission at DEbrief@ftc.gov.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "7",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "For six years from entry of this Order, each Defendant must create and retain specified business records, including accounting records, personnel records, complaints, compliance documents, and executable copies of all versions of any file-sharing application they distribute.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for a period of six (6) years from the date of entry of this Order, each Defendant, in connection with any business where (1) such Defendant is the majority owner, or directly or indirectly manages or controls the business, and (2) the business is engaged in or assists others engaged in the development, marketing, sale, or distribution in commerce of any file-sharing application, and their agents, employees, officers, corporations, successors and assigns, are hereby restrained and enjoined from failing to create and/or retain the following records: A. Accounting records that reflect revenues generated relating to the downloading, installation, or use of file-sharing applications, and the disbursement of such revenues; and, to the extent such information is obtained in the ordinary course of business, records that reflect the number of downloads and installations of file-sharing applications;\n\nB. Personnel records accurately reflecting: the name, address, and telephone number of each person who is employed in any capacity by such business, including as an independent contractor, and who participates in the conduct specified in Sections I-IV; that person's job title or position; the date upon which the person commenced work; and the date and reason for the person's termination, if applicable;\n\nComplaints and refund requests (whether received directly or indirectly, such as through a third party) and any responses to those complaints or requests;\n\nD. All records and documents necessary to demonstrate full compliance with each provision of this Order, including but not limited to: copies of acknowledgments of receipt of this Order required by the Sections titled \"Distribution of Order\" and \"Acknowledgment of Receipt of Order\"; 2. 
all reports submitted to the FTC pursuant to the Section titled \"Compliance Reporting\" and all records and documents that contradict, qualify, or call into question Defendants' compliance with this Order; and\n\nAn executable copy of each materially different version of each file-sharing application that any Defendant, whether acting directly or indirectly, distributes or makes available for download, and any programmer documentation, developer guides, specification documents, version histories and change logs, application store documentation or submissions, application store descriptions and disclosures, terms of service, end user license agreements, frequently asked questions, instructional materials, privacy policies, domain name registrations, and online service agreements associated with those versions.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "8",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "For three years from entry, Defendants must deliver copies of this Order to principals, officers, managers, employees, and agents, and obtain signed and dated acknowledgments of receipt within thirty days of delivery.",
      "verbatim_text": "IT IS FURTHER ORDERED that, for a period of three (3) years from the date of entry of this Order, Defendants shall deliver copies of the Order as directed below: Corporate Defendant: The Corporate Defendant must deliver a copy of this Order to (1) all of its principals, officers, directors, and managers; (2) all of its employees, agents, and representatives who engage in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure set forth in Subsection A.2 of the Section titled \"Compliance Reporting.\" For current personnel, delivery shall be within five (5) days of service of this Order upon such Defendant. For new personnel, delivery shall occur prior to their assuming their responsibilities. For any business entity resulting from any change in structure set forth in Subsection A.2 of the Section titled \"Compliance Reporting,\" delivery shall be at least ten (10) days prior to the change in structure.\n\nB. Individual Defendant as control person: For any business that Individual Defendant controls, directly or indirectly, or in which he has a majority ownership interest, he must deliver a copy of this Order to (1) all principals, officers, directors, and managers of that business; (2) all employees, agents, and representatives of that business who engage in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure set forth in Subsection A.2 of the Section titled \"Compliance Reporting.\" For current personnel, delivery shall be within five (5) days of service of this Order upon Individual Defendant. For new personnel, delivery shall occur prior to their assuming their responsibilities. 
For any business entity resulting from any change in structure set forth in Subsection A.2 of the Section titled \"Compliance Reporting,\" delivery shall be at least ten (10) days prior to the change in structure.\n\nDefendants must secure a signed and dated statement acknowledging receipt of the Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this Section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "9",
      "title": "Acknowledgment of Receipt of Order",
      "category": "acknowledgment",
      "summary": "Each Defendant must submit to the Commission a truthful sworn statement acknowledging receipt of this Order within five business days of receipt of the Order as entered by the Court.",
      "verbatim_text": "IT IS FURTHER ORDERED that each Defendant, within five (5) business days of receipt of this Order as entered by the Court, must submit to the Commission a truthful sworn statement acknowledging receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "10",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Court shall retain jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order. The Clerk shall CLOSE this case for administrative purposes only.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.11_frostwire_llc_and_angel_leon",
      "company_name": "Frostwire LLC",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon",
      "docket_number": "11-23643-CV-GRAHAM"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the privacy and confidentiality of covered information, or misrepresent its participation in any privacy or compliance program such as the U.S.-EU Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: A. the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including, but not limited to, misrepresentations related to: (1) the purposes for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information.\n\nB. the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.11_google",
      "company_name": "Google Inc.",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc",
      "docket_number": "C-4336"
    },
    {
      "provision_number": "II",
      "title": "Disclosure and Consent Before New Sharing of User Information",
      "category": "affirmative_obligation",
      "summary": "Before any new or additional sharing of a Google user's identified information with third parties that represents a change from stated practices at the time of collection and results from a product or service change, respondent must clearly and prominently disclose the sharing and obtain express affirmative consent from the user.",
      "verbatim_text": "A. Separate and apart from any final “end user license agreement,” “privacy policy,” “terms of use” page, or similar document, clearly and prominently disclose: (1) that the Google user’s information will be disclosed to one or more third parties, (2) the identity or specific categories of such third parties, and (3) the purpose(s) for respondent’s sharing; and\n\nB. Obtain express affirmative consent from the Google user to such sharing.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.11_google",
      "company_name": "Google Inc.",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc",
      "docket_number": "C-4336"
    },
    {
      "provision_number": "III",
      "title": "Comprehensive Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written privacy program designed to address privacy risks in product development and to protect the privacy and confidentiality of covered information, including specific organizational, risk assessment, control, vendor management, and evaluation components.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information. Such program, the content and implementation of which must be documented in writing, shall contain privacy controls and procedures appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information, including:\n\nA. the designation of an employee or employees to coordinate and be responsible for the privacy program.\n\nB. the identification of reasonably foreseeable, material risks, both internal and external, that could result in the respondent’s unauthorized collection, use, or disclosure of covered information, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including training on the requirements of this order, and (2) product design, development, and research.\n\nC. the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those privacy controls and procedures.\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate privacy protections.\n\nE. 
the evaluation and adjustment of respondent’s privacy program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its privacy program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "10.11_google",
      "company_name": "Google Inc.",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc",
      "docket_number": "C-4336"
    },
    {
      "provision_number": "IV",
      "title": "Initial and Biennial Third-Party Privacy Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial independent third-party privacy assessments from a qualified professional with at least three years of experience in privacy and data protection, approved by the FTC, covering specified content and delivered within defined timeframes.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part III of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. A person qualified to prepare such Assessments shall have a minimum of three (3) years of experience in the field of privacy and data protection. All persons conducting such Assessments and preparing such reports shall be approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, in his or her sole discretion. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific privacy controls that respondent has implemented and maintained during the reporting period; B. explain how such privacy controls are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information; C. explain how the privacy controls that have been implemented meet or exceed the protections required by Part III of this order; and D. certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the\n\nreporting period to which the Assessment applies. 
Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "10.11_google",
      "company_name": "Google Inc.",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc",
      "docket_number": "C-4336"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC upon request various records related to privacy statements, consumer complaints, compliance documents, and assessment materials for specified retention periods.",
      "verbatim_text": "A. for a period of three (3) years from the date of preparation or dissemination, whichever is later, all widely disseminated statements that describe the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, with all materials relied upon in making or disseminating such statements;\n\nB. for a period of six (6) months from the date received, all consumer complaints directed at respondent, or forwarded to respondent by a third party, that allege unauthorized collection, use, or disclosure of covered information and any responses to such complaints;\n\nC. for a period of five (5) years from the date received, any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nD. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.11_google",
      "company_name": "Google Inc.",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc",
      "docket_number": "C-4336"
    },
    {
      "provision_number": "VI",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees or agents with supervisory responsibilities related to the order's subject matter, within specified timeframes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having supervisory responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.11_google",
      "company_name": "Google Inc.",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc",
      "docket_number": "C-4336"
    },
    {
      "provision_number": "VII",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least thirty days prior to any corporate change that may affect compliance obligations under this order, including dissolution, mergers, name changes, or bankruptcy filings, with notice sent by certified mail.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\naddress. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Page 6 of 7 Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.11_google",
      "company_name": "Google Inc.",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc",
      "docket_number": "C-4336"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within ninety days of service of the order, and submit additional written reports within ten days of written request by the FTC.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within ninety (90) days after the date of service of this order file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which respondent has complied with this order.\n\nWithin ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.11_google",
      "company_name": "Google Inc.",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc",
      "docket_number": "C-4336"
    },
    {
      "provision_number": "IX",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on October 13, 2031, or twenty years from the most recent date the FTC or United States files a complaint alleging a violation of the order in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on October 13, 2031, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.11_google",
      "company_name": "Google Inc.",
      "date_issued": "2011-10-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc",
      "docket_number": "C-4336"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects the privacy, confidentiality, or security of personal information collected from or about consumers.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or indirectly, or through any corporation, subsidiary, division, website or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent maintains and protects the privacy, confidentiality, or security of any personal information collected from or about consumers.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.12_epn_also_dba_checknet",
      "company_name": "EPN, Inc., also d/b/a Checknet, Inc.",
      "date_issued": "2012-10-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter",
      "docket_number": "C-4370"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.",
      "verbatim_text": "IT IS ORDERED that respondent, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such\n\nA. The designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. The identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards.\n\nE. 
The evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "10.12_epn_also_dba_checknet",
      "company_name": "EPN, Inc., also d/b/a Checknet, Inc.",
      "date_issued": "2012-10-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter",
      "docket_number": "C-4370"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial assessments from a qualified, independent third-party professional to evaluate the information security program for twenty years.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment\n\nA. Set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. Explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. Explain how the safeguards that have been implemented meet or exceed the protections required by the Part II of this order; and\n\nD. 
Certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial\n\nreporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been\n\nprepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, initial and biennial",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "10.12_epn_also_dba_checknet",
      "company_name": "EPN, Inc., also d/b/a Checknet, Inc.",
      "date_issued": "2012-10-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter",
      "docket_number": "C-4370"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC documents relating to compliance with the order for specified periods.",
      "verbatim_text": "A. For a period of five (5) years, a print or electronic copy of each document relating to compliance, including but not limited to documents, prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. For a period of three (3) years after the date of preparation of each Assessment required under Part II of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including, but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts I and II of this order, for the compliance period covered by such Assessment.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.12_epn_also_dba_checknet",
      "company_name": "EPN, Inc., also d/b/a Checknet, Inc.",
      "date_issued": "2012-10-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter",
      "docket_number": "C-4370"
    },
    {
      "provision_number": "V",
      "title": "Acknowledgment of Order Receipt",
      "category": "acknowledgment",
      "summary": "Respondent must deliver copies of the order to current and future personnel and obtain signed acknowledgments of receipt.",
      "verbatim_text": "A. Respondent must deliver a copy of this order to (1) all current and future principals, officers, directors, and managers, (2) all current and future employees, agents and representatives who engage in conduct related to the subject matter of the Order, and (3) any business entity resulting from any change in structure set forth in Part VI. For current\n\npersonnel, delivery shall be within thirty (30) days of service of this Order. For new\n\npersonnel, delivery shall occur prior to them assuming their responsibilities. For any\n\nbusiness entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure.\n\nB. Respondent must secure a signed and dated statement acknowledging receipt of this Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this section.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.12_epn_also_dba_checknet",
      "company_name": "EPN, Inc., also d/b/a Checknet, Inc.",
      "date_issued": "2012-10-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter",
      "docket_number": "C-4370"
    },
    {
      "provision_number": "VI",
      "title": "Notification of Changes Affecting Compliance",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change that may affect compliance obligations, including dissolution, merger, bankruptcy, or change in name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in respondent’s name or address. Provided,\n\nhowever, that, with respect to any proposed change in the entity about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Page 5 of 7",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.12_epn_also_dba_checknet",
      "company_name": "EPN, Inc., also d/b/a Checknet, Inc.",
      "date_issued": "2012-10-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter",
      "docket_number": "C-4370"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reports",
      "category": "compliance_reporting",
      "summary": "Respondent must file compliance reports with the Commission within ninety days of service of the order and upon request thereafter.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of\n\nforth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports. Unless otherwise directed by a representative of the Commission,",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.12_epn_also_dba_checknet",
      "company_name": "EPN, Inc., also d/b/a Checknet, Inc.",
      "date_issued": "2012-10-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter",
      "docket_number": "C-4370"
    },
    {
      "provision_number": "VIII",
      "title": "Order Termination",
      "category": "duration",
      "summary": "The order will terminate on October 3, 2032, or twenty years from the most recent date that the United States or FTC files a complaint alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on October 3, 2032, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.12_epn_also_dba_checknet",
      "company_name": "EPN, Inc., also d/b/a Checknet, Inc.",
      "date_issued": "2012-10-15",
      "year": 2012,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter",
      "docket_number": "C-4370"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which it is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.- Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_contract_logix",
      "company_name": "Contract Logix, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3184-contract-logix-llc-matter",
      "docket_number": "C-4541"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection all documents relating to compliance with this order for a period of five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_contract_logix",
      "company_name": "Contract Logix, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3184-contract-logix-llc-matter",
      "docket_number": "C-4541"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities Respondent must secure a signed and dated statement\n\nassumes such position or responsibilities Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_contract_logix",
      "company_name": "Contract Logix, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3184-contract-logix-llc-matter",
      "docket_number": "C-4541"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission within fourteen days of any corporate changes that may affect compliance obligations, including dissolution, merger, bankruptcy, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission within fourteen (14) days of any change in the corporations that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_contract_logix",
      "company_name": "Contract Logix, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3184-contract-logix-llc-matter",
      "docket_number": "C-4541"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the Commission within sixty days after service of this order, and submit additional reports upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission,\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_contract_logix",
      "company_name": "Contract Logix, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3184-contract-logix-llc-matter",
      "docket_number": "C-4541"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on September 29, 2035, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_contract_logix",
      "company_name": "Contract Logix, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3184-contract-logix-llc-matter",
      "docket_number": "C-4541"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program sponsored by the government or self-regulatory organizations, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_dale_jarrett_racing_adventure",
      "company_name": "Dale Jarrett Racing Adventure, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3190-dale-jarrett-racing-adventure-inc-matter",
      "docket_number": "C-4545"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the Commission all documents relating to compliance with the order for five years from the date of preparation or dissemination.",
      "verbatim_text": "A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_dale_jarrett_racing_adventure",
      "company_name": "Dale Jarrett Racing Adventure, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3190-dale-jarrett-racing-adventure-inc-matter",
      "docket_number": "C-4545"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt within 30 days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_dale_jarrett_racing_adventure",
      "company_name": "Dale Jarrett Racing Adventure, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3190-dale-jarrett-racing-adventure-inc-matter",
      "docket_number": "C-4545"
    },
    {
      "provision_number": "IV",
      "title": "Change in Corporate Structure Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any change in the corporation that may affect compliance obligations, including dissolution, merger, bankruptcy, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Dale Jarrett Racing Adventure, Inc., FTC File No. 1523190.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_dale_jarrett_racing_adventure",
      "company_name": "Dale Jarrett Racing Adventure, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3190-dale-jarrett-racing-adventure-inc-matter",
      "docket_number": "C-4545"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within 60 days after service of the order, and submit additional reports within 10 days of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_dale_jarrett_racing_adventure",
      "company_name": "Dale Jarrett Racing Adventure, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3190-dale-jarrett-racing-adventure-inc-matter",
      "docket_number": "C-4545"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on September 29, 2035, or twenty years from the most recent date that the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_dale_jarrett_racing_adventure",
      "company_name": "Dale Jarrett Racing Adventure, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3190-dale-jarrett-racing-adventure-inc-matter",
      "docket_number": "C-4545"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, certification by, or participation in any privacy or security program sponsored by government or self-regulatory organizations, including Safe Harbor Frameworks.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_forensics_consulting_solutions",
      "company_name": "Forensics Consulting Solutions, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3185-forensics-consulting-solutions-llc-matter",
      "docket_number": "C-4551"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain for five years all documents relating to compliance with the order, including advertisements and materials showing representations, and any documents questioning compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to:\n\nA. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_forensics_consulting_solutions",
      "company_name": "Forensics Consulting Solutions, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3185-forensics-consulting-solutions-llc-matter",
      "docket_number": "C-4551"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to current and future personnel with responsibilities relating to the subject matter, and obtain signed acknowledgments of receipt within thirty days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_forensics_consulting_solutions",
      "company_name": "Forensics Consulting Solutions, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3185-forensics-consulting-solutions-llc-matter",
      "docket_number": "C-4551"
    },
    {
      "provision_number": "IV",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission within fourteen days of any corporate changes that may affect compliance obligations, including dissolution, merger, bankruptcy, or name changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission within fourteen (14) days of any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nUnless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Forensics Consulting Solutions, LLC, FTC File No. 1523185.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_forensics_consulting_solutions",
      "company_name": "Forensics Consulting Solutions, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3185-forensics-consulting-solutions-llc-matter",
      "docket_number": "C-4551"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a true and accurate written compliance report with the Commission within sixty days after service of the order, and submit additional reports within ten days upon written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_forensics_consulting_solutions",
      "company_name": "Forensics Consulting Solutions, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3185-forensics-consulting-solutions-llc-matter",
      "docket_number": "C-4551"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order will terminate on September 29, 2035 or twenty years from the most recent filing of a federal court complaint alleging violation of the order, whichever comes later, with specific provisions for dismissal or appeal outcomes.",
      "verbatim_text": "This order will terminate on September 29, 2035 or twenty (20) years from the date of its issuance, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_forensics_consulting_solutions",
      "company_name": "Forensics Consulting Solutions, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3185-forensics-consulting-solutions-llc-matter",
      "docket_number": "C-4551"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_golf_connect",
      "company_name": "Golf Connect, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3141-golf-connect-llc-matter",
      "docket_number": "C-4540"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents relating to compliance with this order, including advertisements and materials that call into question compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to:\n\nA. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_golf_connect",
      "company_name": "Golf Connect, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3141-golf-connect-llc-matter",
      "docket_number": "C-4540"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with relevant responsibilities and secure signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and all LLC managers and members, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_golf_connect",
      "company_name": "Golf Connect, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3141-golf-connect-llc-matter",
      "docket_number": "C-4540"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the company that may affect compliance obligations, including dissolution, merger, bankruptcy, or change in company name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the company that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the company name or address. Provided, however, that, with respect to any proposed change in the company about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_golf_connect",
      "company_name": "Golf Connect, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3141-golf-connect-llc-matter",
      "docket_number": "C-4540"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within sixty days after service of this order and submit additional reports within ten days of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_golf_connect",
      "company_name": "Golf Connect, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3141-golf-connect-llc-matter",
      "docket_number": "C-4540"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on September 29, 2035, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_golf_connect",
      "company_name": "Golf Connect, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3141-golf-connect-llc-matter",
      "docket_number": "C-4540"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_inbox_group",
      "company_name": "Inbox Group, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "C-4546"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the Commission all documents relating to compliance with this order for five years from the date of preparation or dissemination.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to:\n\nA. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_inbox_group",
      "company_name": "Inbox Group, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "C-4546"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_inbox_group",
      "company_name": "Inbox Group, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "C-4546"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any corporate change that may affect compliance obligations, including dissolution, merger, bankruptcy, or changes in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_inbox_group",
      "company_name": "Inbox Group, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "C-4546"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within sixty days after service of this order, and submit additional reports upon request within ten days of written notice.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_inbox_group",
      "company_name": "Inbox Group, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "C-4546"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on September 29, 2035, or twenty years from the most recent date that the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_inbox_group",
      "company_name": "Inbox Group, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter",
      "docket_number": "C-4546"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Program Participation",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_ioactive",
      "company_name": "IOActive, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3187-ioactive-inc-matter",
      "docket_number": "C-4542"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for inspection all documents relating to compliance with the order for five years from the date of preparation or dissemination.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_ioactive",
      "company_name": "IOActive, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3187-ioactive-inc-matter",
      "docket_number": "C-4542"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to current and future personnel with responsibilities relating to the subject matter, and secure signed acknowledgments of receipt within 30 days of delivery.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_ioactive",
      "company_name": "IOActive, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3187-ioactive-inc-matter",
      "docket_number": "C-4542"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, sale, bankruptcy, or changes in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_ioactive",
      "company_name": "IOActive, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3187-ioactive-inc-matter",
      "docket_number": "C-4542"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within 90 days after service of this order and submit additional reports upon request within 10 days of written notice.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_ioactive",
      "company_name": "IOActive, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3187-ioactive-inc-matter",
      "docket_number": "C-4542"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on September 29, 2035, or 20 years from the most recent date that the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_ioactive",
      "company_name": "IOActive, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3187-ioactive-inc-matter",
      "docket_number": "C-4542"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program sponsored by the government or any self-regulatory organization, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_jhayrmaine_daniels",
      "company_name": "Jhayrmaine Daniels, d/b/a California Skate-Line",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3198-jhayrmaine-daniels-california-skate-line-matter",
      "docket_number": "C-4543"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the Commission for five years all documents relating to compliance with this order, including advertisements, promotional materials, and documents that question compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all\n\nA. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_jhayrmaine_daniels",
      "company_name": "Jhayrmaine Daniels, d/b/a California Skate-Line",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3198-jhayrmaine-daniels-california-skate-line-matter",
      "docket_number": "C-4543"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future personnel with responsibilities relating to the subject matter and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_jhayrmaine_daniels",
      "company_name": "Jhayrmaine Daniels, d/b/a California Skate-Line",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3198-jhayrmaine-daniels-california-skate-line-matter",
      "docket_number": "C-4543"
    },
    {
      "provision_number": "IV",
      "title": "Change in Corporate Structure Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any change in the corporation that may affect compliance obligations, including dissolution, merger, sale, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_jhayrmaine_daniels",
      "company_name": "Jhayrmaine Daniels, d/b/a California Skate-Line",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3198-jhayrmaine-daniels-california-skate-line-matter",
      "docket_number": "C-4543"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a true and accurate compliance report with the Commission within sixty days of service of the order, and submit additional reports within ten days of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_jhayrmaine_daniels",
      "company_name": "Jhayrmaine Daniels, d/b/a California Skate-Line",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3198-jhayrmaine-daniels-california-skate-line-matter",
      "docket_number": "C-4543"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on September 29, 2035, or twenty years from the most recent date that the United States or Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_jhayrmaine_daniels",
      "company_name": "Jhayrmaine Daniels, d/b/a California Skate-Line",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3198-jhayrmaine-daniels-california-skate-line-matter",
      "docket_number": "C-4543"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_jubilant_clinsys",
      "company_name": "Jubilant Clinsys, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3140-jubilant-clinsys-inc-matter",
      "docket_number": "C-4549"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents relating to compliance with the order, including advertisements and documents questioning compliance.",
      "verbatim_text": "A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_jubilant_clinsys",
      "company_name": "Jubilant Clinsys, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3140-jubilant-clinsys-inc-matter",
      "docket_number": "C-4549"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Dissemination",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of\n\nafter service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_jubilant_clinsys",
      "company_name": "Jubilant Clinsys, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3140-jubilant-clinsys-inc-matter",
      "docket_number": "C-4549"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate changes that may affect compliance obligations, including dissolution, merger, bankruptcy, or name changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_jubilant_clinsys",
      "company_name": "Jubilant Clinsys, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3140-jubilant-clinsys-inc-matter",
      "docket_number": "C-4549"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within 60 days after service of the order and submit additional reports within 10 days upon written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_jubilant_clinsys",
      "company_name": "Jubilant Clinsys, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3140-jubilant-clinsys-inc-matter",
      "docket_number": "C-4549"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order will terminate on September 29, 2035, or 20 years from the most recent date a complaint alleging violation is filed in federal court, whichever is later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_jubilant_clinsys",
      "company_name": "Jubilant Clinsys, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3140-jubilant-clinsys-inc-matter",
      "docket_number": "C-4549"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any privacy or security program, including the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_just_bagels_manufacturing",
      "company_name": "Just Bagels Manufacturing, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3199-just-bagels-manufacturing-inc-matter",
      "docket_number": "C-4547"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the Commission for inspection all documents relating to compliance with the order for five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to:\n\nA. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_just_bagels_manufacturing",
      "company_name": "Just Bagels Manufacturing, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3199-just-bagels-manufacturing-inc-matter",
      "docket_number": "C-4547"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with relevant responsibilities, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_just_bagels_manufacturing",
      "company_name": "Just Bagels Manufacturing, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3199-just-bagels-manufacturing-inc-matter",
      "docket_number": "C-4547"
    },
    {
      "provision_number": "IV",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least thirty days prior to any corporate change that may affect compliance obligations, including dissolution, merger, bankruptcy, or change in corporate name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_just_bagels_manufacturing",
      "company_name": "Just Bagels Manufacturing, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3199-just-bagels-manufacturing-inc-matter",
      "docket_number": "C-4547"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a compliance report with the Commission within sixty days after service of this order, and submit additional reports upon request within ten days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_just_bagels_manufacturing",
      "company_name": "Just Bagels Manufacturing, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3199-just-bagels-manufacturing-inc-matter",
      "docket_number": "C-4547"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order will terminate on September 29, 2035, or twenty years from the most recent date that the United States or the Commission files a complaint in federal court alleging any violation of the order, whichever comes later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_just_bagels_manufacturing",
      "company_name": "Just Bagels Manufacturing, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3199-just-bagels-manufacturing-inc-matter",
      "docket_number": "C-4547"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its membership in, adherence to, or participation in any government or self-regulatory privacy or security program, including Safe Harbor frameworks.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_naics_association",
      "company_name": "NAICS Association, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3138-naics-association-llc-matter",
      "docket_number": "C-4548"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping Requirements",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC all documents relating to compliance with the order for five years.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_naics_association",
      "company_name": "NAICS Association, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3138-naics-association-llc-matter",
      "docket_number": "C-4548"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgment and Distribution",
      "category": "acknowledgment",
      "summary": "Respondent must deliver copies of the order to current and future personnel with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_naics_association",
      "company_name": "NAICS Association, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3138-naics-association-llc-matter",
      "docket_number": "C-4548"
    },
    {
      "provision_number": "IV",
      "title": "Notice of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission of any corporate changes that may affect compliance obligations, such as dissolution, merger, sale, bankruptcy, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_naics_association",
      "company_name": "NAICS Association, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3138-naics-association-llc-matter",
      "docket_number": "C-4548"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file initial and additional compliance reports with the Commission detailing its compliance with the order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_naics_association",
      "company_name": "NAICS Association, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3138-naics-association-llc-matter",
      "docket_number": "C-4548"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on September 29, 2035, or 20 years from the most recent date of a federal court complaint alleging violation of the order, whichever is later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_naics_association",
      "company_name": "NAICS Association, LLC",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3138-naics-association-llc-matter",
      "docket_number": "C-4548"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy/Security Program Participation",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, directly or by implication, the extent to which it participates in any government or self-regulatory privacy or security program, including the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_one_industries",
      "company_name": "One Industries Corp.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3201-one-industries-corp-matter",
      "docket_number": "C-4544"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the Commission, for five years, all documents relating to compliance with the order, including advertisements and any documents questioning compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_one_industries",
      "company_name": "One Industries Corp.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3201-one-industries-corp-matter",
      "docket_number": "C-4544"
    },
    {
      "provision_number": "III",
      "title": "Order Delivery and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to all current and future principals, officers, directors, managers, employees, agents, and representatives with related responsibilities, and obtain signed acknowledgments of receipt within 30 days of delivery.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_one_industries",
      "company_name": "One Industries Corp.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3201-one-industries-corp-matter",
      "docket_number": "C-4544"
    },
    {
      "provision_number": "IV",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate change that may affect compliance obligations, including dissolutions, mergers, sales, subsidiary changes, bankruptcy filings, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re One Industries, Corp., FTC File No. 1523201.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_one_industries",
      "company_name": "One Industries Corp.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3201-one-industries-corp-matter",
      "docket_number": "C-4544"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report within 60 days of service of the order, and submit additional written reports within 10 days of receiving a written request from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_one_industries",
      "company_name": "One Industries Corp.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3201-one-industries-corp-matter",
      "docket_number": "C-4544"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on September 29, 2035, or twenty years from the most recent date the Commission files a complaint in federal court alleging a violation of the order, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_one_industries",
      "company_name": "One Industries Corp.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3201-one-industries-corp-matter",
      "docket_number": "C-4544"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations of Privacy/Security Program Participation",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in any government or self-regulatory privacy or security program, including the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_pinger",
      "company_name": "Pinger, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3137-pinger-inc-matter",
      "docket_number": "C-4550"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents relating to compliance with this order, including advertisements and any documents questioning compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_pinger",
      "company_name": "Pinger, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3137-pinger-inc-matter",
      "docket_number": "C-4550"
    },
    {
      "provision_number": "III",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future relevant personnel within 30 days, and obtain signed, dated acknowledgments of receipt from all recipients within 30 days of delivery.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_pinger",
      "company_name": "Pinger, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3137-pinger-inc-matter",
      "docket_number": "C-4550"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC within 14 days of any corporate change that may affect compliance obligations under this order, including dissolution, merger, bankruptcy, or name/address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission within fourteen (14) days of any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nUnless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Pinger, Inc., FTC File No. 1523137.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_pinger",
      "company_name": "Pinger, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3137-pinger-inc-matter",
      "docket_number": "C-4550"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 60 days of service, and submit additional written reports within 10 days of receiving written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_pinger",
      "company_name": "Pinger, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3137-pinger-inc-matter",
      "docket_number": "C-4550"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This order terminates on September 29, 2035, or twenty years from the most recent date the FTC files a federal court complaint alleging any order violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_pinger",
      "company_name": "Pinger, Inc.",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3137-pinger-inc-matter",
      "docket_number": "C-4550"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentation of Privacy/Security Program Participation",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in or is certified by any government or self-regulatory privacy or security program, including the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.15_sterimed_medical_waste_solutions",
      "company_name": "SteriMed Medical Waste Solutions",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3193-sterimed-medical-waste-solutions-matter",
      "docket_number": "C-4552"
    },
    {
      "provision_number": "II",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must retain and make available to the FTC for five years all documents relating to compliance with this order, including advertisements and materials questioning compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of, for a period of five (5) years from the date of preparation or dissemination, whichever is later, all documents relating to compliance with this order, including but not limited to: A. all advertisements, promotional materials, and any other statements containing any representations covered by this order, with all materials relied upon in disseminating the representation; and\n\nB. any documents, whether prepared by or on behalf of respondent, that call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.15_sterimed_medical_waste_solutions",
      "company_name": "SteriMed Medical Waste Solutions",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3193-sterimed-medical-waste-solutions-matter",
      "docket_number": "C-4552"
    },
    {
      "provision_number": "III",
      "title": "Order Delivery and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all relevant current and future personnel within specified timeframes and obtain signed acknowledgments of receipt within 30 days of delivery.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part IV, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_sterimed_medical_waste_solutions",
      "company_name": "SteriMed Medical Waste Solutions",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3193-sterimed-medical-waste-solutions-matter",
      "docket_number": "C-4552"
    },
    {
      "provision_number": "IV",
      "title": "Corporate Change Notification",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, sale, or bankruptcy filing.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re SteriMed Medical Waste Solutions, FTC File No. 1523193.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_sterimed_medical_waste_solutions",
      "company_name": "SteriMed Medical Waste Solutions",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3193-sterimed-medical-waste-solutions-matter",
      "docket_number": "C-4552"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial written compliance report with the FTC within 60 days of service of this order and additional reports within 10 days of written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.15_sterimed_medical_waste_solutions",
      "company_name": "SteriMed Medical Waste Solutions",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3193-sterimed-medical-waste-solutions-matter",
      "docket_number": "C-4552"
    },
    {
      "provision_number": "VI",
      "title": "Order Duration",
      "category": "duration",
      "summary": "This order terminates on September 29, 2035, or twenty years from the most recent date the FTC files a federal court complaint alleging any violation of the order, whichever is later.",
      "verbatim_text": "This order will terminate on September 29, 2035, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.15_sterimed_medical_waste_solutions",
      "company_name": "SteriMed Medical Waste Solutions",
      "date_issued": "2015-10-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3193-sterimed-medical-waste-solutions-matter",
      "docket_number": "C-4552"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, expressly or by implication, the extent to which it participates in, is certified by, or complies with any government or self-regulatory privacy or security program, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.18_idmission",
      "company_name": "IDmission LLC",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3150-idmission-llc-matter",
      "docket_number": "C-4665"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order itself, deliver copies to relevant personnel and business successors for 20 years, and obtain signed acknowledgments from all recipients.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.18_idmission",
      "company_name": "IDmission LLC",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3150-idmission-llc-matter",
      "docket_number": "C-4665"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days, and thereafter submit timely sworn notices of changes in contact points, business structure, or bankruptcy proceedings.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re IDmission LLC, FTC File No. 1823150.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.18_idmission",
      "company_name": "IDmission LLC",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3150-idmission-llc-matter",
      "docket_number": "C-4665"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 20 years after issuance and retain each record for 5 years, covering financial, personnel, compliance, and advertising materials.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each unique advertisement or other marketing material making a representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.18_idmission",
      "company_name": "IDmission LLC",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3150-idmission-llc-matter",
      "docket_number": "C-4665"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance through information requests, direct communications, interviews of affiliated persons, and undercover investigations.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.18_idmission",
      "company_name": "IDmission LLC",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3150-idmission-llc-matter",
      "docket_number": "C-4665"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC website and terminates on November 15, 2038, or 20 years from the most recent date the U.S. or Commission files a complaint alleging any Order violation in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on November 15, 2038, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.18_idmission",
      "company_name": "IDmission LLC",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3150-idmission-llc-matter",
      "docket_number": "C-4665"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent and associated persons must not misrepresent, expressly or by implication, the extent to which it monitors or audits internal access to consumers' Personal Information, or the extent to which it protects the privacy, confidentiality, security, or integrity of Personal Information.",
      "verbatim_text": "IT IS ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service must not misrepresent in any manner, expressly or by implication: A. the extent to which Respondent monitors or audits internal access to consumers’ Personal Information; or\n\nB. the extent to which Respondent protects the privacy, confidentiality, security, or integrity of any Personal Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.18_uber_technologies",
      "company_name": "Uber Technologies, Inc.",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter",
      "docket_number": "C-4662"
    },
    {
      "provision_number": "II",
      "title": "Mandated Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive written privacy program reasonably designed to address privacy risks and protect Personal Information, including designated personnel, risk assessments, controls, service provider oversight, and ongoing program evaluation.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must, no later than the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of Personal Information. Such program, the content and implementation of which must be documented in writing, must contain controls and procedures appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the Personal Information, including:\n\nA. the designation of an employee or employees to coordinate and be responsible for the privacy program;\n\nB. the identification of reasonably foreseeable risks, both internal and external, that could result in Respondent’s unauthorized collection, use, or disclosure of Personal Information and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including: (1) employee training and management, including training on the requirements of this Order; (2) product design, development, and research; (3) secure software design, development, and testing, including access key and secret key management and secure cloud storage; (4) review, assessment, and response to third-party security vulnerability reports, including through a “bug bounty” or similar program; and (5) prevention, detection, and response to attacks, intrusions, or systems failures;\n\nC. the design and implementation of reasonable controls and procedures to address such risks and regular testing or monitoring of the effectiveness of those controls and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately protecting the privacy of Personal Information they receive from Respondent and requiring service providers, by contract, to implement and maintain appropriate privacy protections for such Personal Information; and\n\nE. the evaluation and adjustment of Respondent’s privacy program in light of the results of the testing and monitoring required by sub-provision C, any changes to Respondent’s operations or business arrangements, or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the privacy program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "10.18_uber_technologies",
      "company_name": "Uber Technologies, Inc.",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter",
      "docket_number": "C-4662"
    },
    {
      "provision_number": "III",
      "title": "Privacy Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial third-party privacy assessments by a qualified, independent professional with at least 3 years of experience, approved by the FTC, covering the first 180 days and each 2-year period thereafter for 20 years, with each assessment completed within 60 days after the reporting period and provided to the Commission within 10 days of completion.",
      "verbatim_text": "A. The Assessments must be completed by a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. An individual qualified to prepare such Assessments must have a minimum of 3 years of experience in the field of privacy and data protection. All individuals selected to complete such Assessments must be approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, in his or her sole discretion. Any decision not to approve an individual selected to conduct such Assessments must be accompanied by a writing setting forth in detail the reasons for denying such approval.\n\nB. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment, and (2) each 2-year period thereafter for 20 years after the issuance date of the Order for the biennial Assessments.\n\nC. Each Assessment must: 1. set forth the specific privacy controls that Respondent has implemented and maintained during the reporting period; 2. explain how such privacy controls are appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the Personal Information; 3. explain how the privacy controls that have been implemented meet or exceed the protections required by the Provision of this Order titled Mandated Privacy Program; and 4. certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Personal Information and that the controls have so operated throughout the reporting period.\n\nD. Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. Respondent must provide each Assessment to the Commission within 10 days after the Assessment has been completed. Respondent must notify the Commission of any portions of the Assessment containing trade secrets, commercial or financial information, or information about a consumer or other third party, for which confidential treatment is requested pursuant to the Commission’s procedures concerning public disclosure set forth in 15 U.S.C. § 46(f) and 16 C.F.R. § 4.10.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "10.18_uber_technologies",
      "company_name": "Uber Technologies, Inc.",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter",
      "docket_number": "C-4662"
    },
    {
      "provision_number": "IV",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a report to the FTC within a reasonable time after discovering a Covered Incident, but no later than 10 days after first notifying any U.S. government entity, detailing the incident's date, facts, affected information types, number of consumers, remediation steps, and copies of consumer notices.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within a reasonable time after the date of Respondent’s discovery of a Covered Incident, but in any event no later than 10 days after the date Respondent first notifies any U.S. federal, state, or local government entity of the Covered Incident, must submit a report to the Commission:\n\nA. The report must include, to the extent possible: 1. the date, estimated date, or estimated date range when the Covered Incident occurred; 2. a description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known; 3. a description of each type of information that triggered the notification obligation to the U.S. federal, state, or local government entity; 4. the number of consumers whose information triggered the notification obligation to the U.S. federal, state, or local government entity; 5. the acts that Respondent has taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access; and 6. a representative copy of each materially different notice required by U.S. federal, state, or local law or regulation and sent by Respondent to consumers or to any U.S. federal, state, or local government entity.\n\nB. Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re: Uber Technologies, Inc., File No. 1523054.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.18_uber_technologies",
      "company_name": "Uber Technologies, Inc.",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter",
      "docket_number": "C-4662"
    },
    {
      "provision_number": "V",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt within 10 days of the Order's effective date, deliver copies of the Order to principals, relevant employees, agents, and successor entities, and obtain signed acknowledgments of receipt from each recipient within 30 days.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after the issuance date of this Order, Respondent must deliver, or for contingent workers, cause to be delivered, a copy of this Order to (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives who participate in conduct related to the subject matter of the Order, including all employees, agents, and representatives who regularly access Personal Information; and (3) any business entity resulting from any change in structure as set forth in the Provision of this Order titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered, or caused to be delivered, a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.18_uber_technologies",
      "company_name": "Uber Technologies, Inc.",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter",
      "docket_number": "C-4662"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn annual compliance report one year after the Order's issuance and sworn notices within 14 days of changes in designated contacts, corporate structure, or bankruptcy filings; all submissions must be sworn under penalty of perjury and submitted via email or overnight courier.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, that representatives of the Commission may use to communicate with Respondent; (b) identify all of Respondent’s subsidiaries that are registered as business entities in any state of the United States by all of their names, primary telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the products and services offered by each business and the Personal Information each business collects, maintains, transfers or stores; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re: Uber Technologies, Inc., File No. 1523054.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.18_uber_technologies",
      "company_name": "Uber Technologies, Inc.",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter",
      "docket_number": "C-4662"
    },
    {
      "provision_number": "VII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 20 years after the Order's issuance date and retain each for 5 years (unless otherwise specified), including accounting records, personnel records, consumer complaints, compliance records, privacy representations, assessment materials, bug bounty reports, law enforcement communications, and records contradicting compliance.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for 20 years after the issuance date of the Order, and retain each such record for 5 years, unless otherwise specified below. Specifically, Respondent must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an independent contractor, employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Records of all consumer complaints directed at Respondent, or forwarded to Respondent by a third party, concerning the subject matter of the Order, and any response;\n\nD. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission;\n\nE. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security, and confidentiality of Personal Information, including any representation concerning a change in Respondent’s practices with respect to the privacy, security, and confidentiality of Personal Information;\n\nF. For 5 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nG. 
For 5 years from the date created or received, reports received by Respondent from individuals or entities that seek payment, rewards, or recognition through a “bug bounty” or similar program for reporting a security vulnerability that relates to potential or actual access to or acquisition of Personal Information, and records sufficient to show Respondent’s review, assessment of, and response to any such reports;\n\nH. For 5 years from the date created or received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondent’s compliance with this Order; and\n\nI. For 5 years from the date created or received, all records, whether prepared by or on behalf of Respondent, that contradict, qualify, or call into question Respondent’s compliance with this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.18_uber_technologies",
      "company_name": "Uber Technologies, Inc.",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter",
      "docket_number": "C-4662"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor Respondent's compliance by requiring additional reports and records within 10 days of a written request, communicating directly with and interviewing Respondent's personnel, and using all other lawful means including undercover approaches.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.18_uber_technologies",
      "company_name": "Uber Technologies, Inc.",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter",
      "docket_number": "C-4662"
    },
    {
      "provision_number": "IX",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and terminates on October 25, 2038, or 20 years from the most recent date the FTC files a complaint alleging any violation of the Order in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on October 25, 2038, or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to a Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.18_uber_technologies",
      "company_name": "Uber Technologies, Inc.",
      "date_issued": "2018-10-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter",
      "docket_number": "C-4662"
    },
    {
      "provision_number": "I",
      "title": "Permanent Injunction — Continuation",
      "category": "prohibition",
      "summary": "The original Permanent Injunction remains in full force and effect, except that Sections VI through IX are replaced by Sections V through VIII of this Amended Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that the Permanent Injunction shall remain in full 5 force and effect except Sections VI through IX of the Permanent Injunction as to 6 LifeLock, which are replaced with Sections V through VIII below.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "II",
      "title": "Monetary Judgment and Consumer Redress",
      "category": "affirmative_obligation",
      "summary": "A judgment of $100,000,000 is entered against LifeLock; LifeLock must deposit the full amount into the Court's Registry within five business days and satisfy all related obligations governing disbursement, crediting, and remittance to the Commission.",
      "verbatim_text": "A. Judgment in the amount of One Hundred Million Dollars ($100,000,000) is 11 entered in favor of the Commission against LifeLock as equitable monetary relief.\n\n(a) deposit One Hundred Million Dollars ($100,000,000) 15 (“Settlement Funds”) into the Court’s Registry within five (5) 16 business days of entry of this Order to be held in escrow for the sole 17 purpose of distributing the funds in accordance with this Order, and\n\n2. If LifeLock fails to comply with Section II.B.1(a), the judgment 22 amount of One Hundred Million Dollars ($100,000,000) shall 23 become immediately due and payable to the Commission, and 24 LifeLock shall not have any right to any credit, offset, or any other 25 reimbursement for any Money Received by Affected Consumers as 26 provided in this Order.\n\nC. The Settlement Funds shall include any interest that the funds accrue while 28 in the Court’s Registry, minus costs pursuant to L.R. Civ. 67.1.\n\n1 D. The Settlement Funds shall be disbursed by motions pursuant to this 2 Section II, if both of the following conditions are met: (1) LifeLock acts expeditiously to 3 obtain final court approval of the settlement agreement in the Covered Class Action; and 4 (2) all such motions are filed by the earlier of eighteen (18) months from the date of this 5 Order or two hundred seventy (270) days from the date of final court approval of the 6 settlement agreement in the Covered Class Action.\n\n7 E. Subject to Section II.D, LifeLock may use up to Sixty Eight Million Dollars 8 ($68,000,000) of the Settlement Funds to fund an escrow account established in the 9 Covered Class Action if all of the following conditions are met: 10 1. LifeLock has obtained preliminary court approval of the settlement 11 agreement in the Covered Class Action; and 12 2. The agreement governing the escrow fund ensures that: 13 i. 
All payments from the escrow account are issued directly to 14 Affected Consumers for the sole purpose of providing 15 consumer redress; 16 ii. All payments from the escrow account either become Money 17 Received by Affected Consumers within one hundred twenty 18 (120) days of such payment or are returned immediately to 19 the escrow account; 20 iii. The escrow account transfers all remaining funds, including 21 any interest that has accrued in the escrow account, to the 22 Commission after the expiration of the deadline for motions 23 in Section II.D.2; and 24 iv. As many Affected Consumers as reasonably practicable 25 receive payments from the escrow fund.\n\n1 LifeLock shall immediately: (1) deposit into the Court’s Registry as Settlement Funds 2 the amount of money in the escrow fund immediately prior to such non-compliance, or if 3 the Settlement Funds have already been transferred by the Court to the Commission 4 under Section II.J, (2) pay such amount directly to the Commission.\n\n5 G. Subject to Sections II.D and H through M, LifeLock shall have a right to 6 the amount of Settlement Funds remaining in the Court’s Registry equal to: (1) Money 7 Received by Affected Consumers, other than such Money Received that was paid out of 8 an escrow account funded under Section II.D and compliant with Section II.D.2 at the 9 time of issuance of payment to the Affected Consumer, plus (2) the interest accrued on 10 such amount specified in subsection (1) while in the Court’s Registry. 11 H. LifeLock shall have a right to seek disbursement of the funds identified in 12 Section II.G by motion in up to three (3) installments.\n\n13 I. Under no circumstances shall LifeLock receive more than one (1) 14 disbursement from the Settlement Funds for each payment of Money Received by 15 Affected Consumers.\n\n16 J. 
The Commission shall be entitled to all remaining Settlement Funds in the 17 Court’s Registry: (1) upon the Court’s resolution of all motions timely filed under this 18 Section II, or if no such timely filed motion is pending, (2) upon the expiration of the 19 deadline for motions in Section II.D.2.\n\n20 K. If any portion of the Money Received by Affected Consumers for which 21 LifeLock received disbursement from the Settlement Funds is returned to LifeLock, 22 LifeLock shall remit such portion to the Commission within ten (10) business days.\n\n23 L. All money paid to the Commission pursuant to this Order may be deposited 24 into a fund administered by the Commission or its designee to be used for equitable 25 relief, including consumer redress and any attendant expenses for the administration of 26 any redress fund. If a representative of the Commission decides that direct redress to 27 consumers is wholly or partially impracticable or money remains after redress is 28 completed, the Commission may apply any remaining money for such other equitable - 6 - Case 2:10-cv-00530-JJT Document 67 Filed 01/04/16 Page 7 of 12 1 relief (including consumer information remedies) as it determines to be reasonably 2 related to LifeLock’s practices as set forth in this Order. Any money not used for such 3 equitable relief is to be deposited to the U.S. Treasury as disgorgement. LifeLock has no 4 right to challenge any actions the Commission or its representatives may take pursuant to 5 this Subsection.\n\n6 M. LifeLock relinquishes dominion and all legal and equitable right, title, and 7 interest in all assets transferred to the Court’s Registry or to the Commission pursuant to 8 this Order, except as specified in Sections II.D through II.J.\n\n9 N. 
Lifelock warrants and represents that as of the date it executes this Order, 10 after giving effect to Section II, Lifelock will not: (1) be insolvent (either because its 11 financial condition is such that the sum of its debts is greater than the fair market value of 12 its assets or because the fair saleable value of its assets is less than the amount required to 13 pay its probable liabilities on its existing debts as they mature); (2) have unreasonably 14 small capital with which to engage in its business; or (3) have incurred debts beyond its 15 ability to pay as they become due.\n\n16 O. LifeLock acknowledges that its Taxpayer Identification Numbers which it 17 previously submitted to the Commission may be used for collecting and reporting any 18 delinquent amount arising out of this Order, in accordance with 31 U.S.C. §7701.\n\n19 P. All payments to the Commission under this Order must be made by 20 electronic fund transfer in accordance with instructions previously provided by a 21 representative of the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "III",
      "title": "Customer Information",
      "category": "affirmative_obligation",
      "summary": "LifeLock must provide customer information requested by the Commission to facilitate consumer redress, including responding to written requests within 10 days.",
      "verbatim_text": "23 IT IS FURTHER ORDERED that LifeLock shall provide customer information 24 requested by the Commission to enable the Commission to efficiently administer 25 customer redress. If a representative of the Commission requests in writing any 26 information related to redress, LifeLock must provide it, in the form prescribed by the 27 Commission, within ten (10) days.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "IV",
      "title": "Entry of Order",
      "category": "acknowledgment",
      "summary": "The court finds no just reason for delay and directs the clerk to enter the Order immediately.",
      "verbatim_text": "2 IT IS FURTHER ORDERED that there is no just reason for delay of entry of 3 this Order, and the clerk shall enter this Order immediately.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "V",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "For five years, LifeLock must notify the Commission of corporate changes at least 30 days in advance, file annual sworn compliance reports, and notify the Commission of any bankruptcy filings within 15 days.",
      "verbatim_text": "7 A. For a period of five (5) years from the date of entry of this Order, LifeLock 8 shall notify the Commission of any changes in its corporate structure or any business 9 entity that LifeLock directly or indirectly controls, or has ownership interest in, that may 10 affect compliance obligations under the Permanent Injunction or this Order, including, 11 but not limited to: incorporation or other organization; a dissolution, assignment, sale, 12 merger, or other action; the creation or dissolution of a subsidiary, parent, or affiliate that 13 engages in any practices subject to the Permanent Injunction or this Order; or a change in 14 the business name or address, at least thirty (30) days prior to such change, provided that, 15 with respect to any proposed change in the business entity of which LifeLock learns less 16 than thirty (30) days prior to the date such action is to take place, LifeLock shall notify 17 the Commission as soon as practicable after obtaining such knowledge.\n\n18 B. One hundred eighty (180) days after the date of entry of this Order and 19 annually thereafter for a period of five (5) years, LifeLock shall provide a written report 20 to the FTC, which is true and accurate and sworn to under penalty of perjury, setting forth 21 in detail the manner and form in which it has complied and is complying with the 22 Permanent Injunction and this Order. This report shall include, but not be limited to: (1) 23 a copy of each acknowledgement of receipt of the Permanent Injunction and this Order 24 obtained pursuant to the Section titled “Distribution of Order;” and (2) any other changes 25 required to be reported under Subsection A of this Section.\n\n26 C. LifeLock shall notify the Commission of the filing of any bankruptcy 27 petition, insolvency proceeding, or similar proceeding within fifteen (15) days of its 28 filing. 
Unless directed otherwise by a Commission representative in writing, all\n\n1 submissions to the Commission pursuant to this Order must be emailed to 2 DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate 3 Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 4 600 Pennsylvania Avenue, NW, Washington, DC 20580. The subject line must begin: 5 FTC v. LifeLock, Inc., X100023.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor LifeLock's compliance through written reports, document production, depositions, site inspections, undercover investigations, and employee interviews, using all lawful means including civil discovery.",
      "verbatim_text": "9 A. Within fourteen (14) days of receipt of written notice from a representative 10 of the Commission, LifeLock shall submit additional written reports or other requested 11 information, which are true and accurate and sworn to under penalty of perjury; produce 12 documents for inspection and copying; appear for deposition; and provide entry during 13 normal business hours to any business location in LifeLock’s possession or direct or 14 indirect control to inspect the business operation;\n\n15 B. In addition, the Commission is authorized to use all other lawful means, 16 including but not limited to: 17 1. Obtaining discovery from any person, without further leave of court, 18 using any of the procedures prescribed by Federal Rules of Civil 19 Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 20 45, and 69;\n\n21 2. Posing as consumers and suppliers to LifeLock, their employees, or 22 any other entity managed or controlled in whole or in part by 23 LifeLock without the necessity of identification or prior notice;\n\n24 C. LifeLock shall permit representatives of the Commission to interview any 25 employer, consultant, independent contractor, representative, agent or employee who has 26 agreed to such an interview, relating in any way to any conduct subject to the Permanent 27 Injunction or this Order. The person interviewed may have counsel present; and\n\n1 D. Nothing in this Order limits the Commission’s lawful use of compulsory 2 process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1, to obtain 3 any documentary material, tangible things, testimony, or information relevant to unfair or 4 deceptive acts or practices in or affecting commerce (within the meaning of 15 U.S.C. 5 § 45(a)(1)).",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "VII",
      "title": "Record Keeping Provisions",
      "category": "recordkeeping",
      "summary": "LifeLock must create and retain specified categories of records for defined periods: 13 years from the Permanent Injunction for business and compliance records, 3 years for biennial assessment materials, and 5 years from this Order for consumer redress payment records.",
      "verbatim_text": "10 A. For a period of thirteen (13) years from the date of entry of the Permanent 11 Injunction, the following records in connection with the sale or provision of products or 12 services related to identity theft: 13 1. Accounting records that reflect the cost of goods or services sold, 14 revenues generated, and the distribution of such revenues; 15 2. Personnel records accurately reflecting: the name, address, and 16 telephone number of each person employed in any capacity by such 17 business, including as an independent contractor; that person’s job 18 title or position; the date upon which the person commenced work; 19 and the date and reason for the person’s termination, if applicable; 20 3. Consumer files containing the names, addresses, phone numbers, 21 dollar amounts paid, quantity of items or services purchased, and 22 description of items or services purchased, to the extent such 23 information is obtained in the ordinary course of business; 24 4. Complaints and refund requests (whether received directly, 25 indirectly, or through any third party) and any responses to those 26 complaints and requests; 27 5. Copies of all sales scripts, training materials, advertisements, or 28 other marketing materials; - 10 - Case 2:10-cv-00530-JJT Document 67 Filed 01/04/16 Page 11 of 12 1 6. Any documents, whether prepared by or on behalf of LifeLock, that 2 contradict, qualify or call into question LifeLock’s compliance with 3 Sections I, II, and III of the Permanent Injunction; and 4 7. All records and documents necessary to demonstrate full compliance 5 with each provision of the Permanent Injunction and this Order, 6 including but not limited to, copies of acknowledgments of receipt 7 required by the Permanent Injunction and this Order, all reports 8 submitted to the FTC pursuant to the Section of this Order titled 9 “Compliance Reporting.”\n\n10 B. 
For a period of three (3) years after the date of preparation of each 11 Assessment required under the Section of the Permanent Injunction titled “Biennial 12 Assessment Requirements”: All materials relied upon to prepare the Assessment, 13 whether prepared by or on behalf of LifeLock, including but not limited to all plans, 14 reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, 15 and any other materials relating to LifeLock’s compliance with the Section of the 16 Permanent Injunction titled “Biennial Assessment Requirements.”\n\n17 C. For a period of five (5) years from the date of entry of this Order, records 18 and documents sufficient to provide all material facts regarding Money Received by 19 Affected Consumers and the administration of the escrow account funded under Section 20 II.E, including but not limited to: (1) identity of each Affected Consumer who received a 21 payment, (2) the amount of each payment, (3) the manner in which LifeLock issued each 22 payment, (4) the date of each payment, (5) evidence that each payment was credited to an 23 Affected Consumer’s financial account or was otherwise cashed, and (6) all escrow 24 account activity and balances.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "VIII",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "For five years, LifeLock must deliver copies of the Permanent Injunction and this Order to principals, officers, relevant employees, agents, and successor entities, and obtain signed acknowledgments of receipt within 30 days of delivery.",
      "verbatim_text": "A. LifeLock must deliver a copy of the Permanent Injunction and this Order to: (1) all of its principals, officers, directors, and managers; (2) all of its employees, agents, and representatives who engage in conduct related to the subject matter of the Permanent Injunction and this Order; and (3) any business entity resulting from any change in structure set forth in Subsection A of the Section of this Order titled “Compliance Reporting.” For current personnel, delivery shall occur within seven (7) days of entry of this Order. For all others, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Subsection A of the Section of this Order titled “Compliance Reporting,” delivery shall be at least ten (10) days prior to the change in structure.\n\nB. LifeLock must secure a signed and dated statement acknowledging receipt of the Permanent Injunction and this Order, within thirty (30) days of delivery, from all persons receiving a copy of the Permanent Injunction and this Order pursuant to this Section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "IX",
      "title": "Acknowledgement of Receipt of This Order",
      "category": "acknowledgment",
      "summary": "LifeLock must submit a sworn statement to the Commission acknowledging receipt of this Order within five business days of receiving it.",
      "verbatim_text": "IT IS FURTHER ORDERED that LifeLock, within five (5) business days of receipt of this Order as entered by the Court, must submit to the Commission a truthful sworn statement acknowledging receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "X",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction over this matter for all purposes.",
      "verbatim_text": "IT IS FURTHER ORDERED that the Court shall continue to retain jurisdiction of this matter for all purposes.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.19_lifelock",
      "company_name": "LifeLock, Inc.",
      "date_issued": "2019-10-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation",
      "docket_number": "CV-10-00530-PHX-JJT"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in or Compliance with Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner its membership in, adherence to, compliance with, or participation in any government- or self-regulatory-sponsored privacy or security program, including the EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, and APEC Cross-Border Privacy Rules.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield Framework, the Swiss-U.S. Privacy Shield Framework, and the APEC Cross-Border Privacy Rules.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.20_ntt_global_data_centers_americas",
      "company_name": "Raging Wire Data Centers, Inc.",
      "date_issued": "2020-10-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter",
      "docket_number": "D09386"
    },
    {
      "provision_number": "II",
      "title": "Requirement for Annual Outside Compliance Review",
      "category": "assessment",
      "summary": "While self-certified under Privacy Shield, Respondent must obtain an annual outside compliance review from an FTC-approved independent third-party assessor demonstrating that its Privacy Shield assertions are true and properly implemented; a signed verification statement must be available to the Commission upon request.",
      "verbatim_text": "IT IS ORDERED that, commencing no later than 120 days after the effective date of this Order and for so long as Respondent is a self-certified participant in Privacy Shield, Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertisement, marketing, promotion, offering for sale, or sale of any product or service, shall obtain an annual outside compliance review from an independent third-party assessor approved by the Associate Director for the Division of Enforcement of the Bureau of Consumer Protection at the Federal Trade Commission, that demonstrates that the assertions Respondent makes about its Privacy Shield practices are true, and that those Privacy Shield practices have been implemented as represented and in accord with the Privacy Shield Principles. A statement verifying that an outside compliance review has been successfully completed must be signed by the third-party assessor and made available to the Commission upon request.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "10.20_ntt_global_data_centers_americas",
      "company_name": "Raging Wire Data Centers, Inc.",
      "date_issued": "2020-10-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter",
      "docket_number": "D09386"
    },
    {
      "provision_number": "III",
      "title": "Requirement to Meet Continuing Obligations Under Privacy Shield",
      "category": "affirmative_obligation",
      "summary": "Upon any withdrawal or lapse in Privacy Shield certification, Respondent must affirm to the Department of Commerce within 30 days and annually thereafter that it will either continue applying Privacy Shield Principles, protect the information by another EU/Swiss-authorized means, or return or delete the information.",
      "verbatim_text": "marketing, promotion, offering for sale, or sale of any product or service, must affirm to the Department of Commerce, within thirty (30) days after any withdrawal or lapse in its certification to the EU-U.S. Privacy Shield Framework or the Swiss-U.S. Privacy Shield Framework, and on an annual basis thereafter for as long as it retains such information, that it will: A. Continue to apply the EU-U.S. Privacy Shield Framework Principles to the personal information it received while it participated in the Privacy Shield; or\n\nB. Protect the information by another means authorized under EU (for the EU-U.S. Privacy Shield Framework) or Swiss (for the Swiss-U.S. Privacy Shield Framework) law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission; or\n\nC. Return or delete the information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.20_ntt_global_data_centers_americas",
      "company_name": "Raging Wire Data Centers, Inc.",
      "date_issued": "2020-10-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter",
      "docket_number": "D09386"
    },
    {
      "provision_number": "IV",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit an acknowledgment of receipt to the Commission within 10 days, deliver copies of the Order to relevant personnel and any successor entities (within 10 days for current personnel, before assuming responsibilities for others), and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.20_ntt_global_data_centers_americas",
      "company_name": "Raging Wire Data Centers, Inc.",
      "date_issued": "2020-10-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter",
      "docket_number": "D09386"
    },
    {
      "provision_number": "V",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file a sworn initial compliance report within 60 days, submit sworn notices within 14 days of structural or contact changes or bankruptcy filings, ensure all sworn submissions comply with 28 U.S.C. § 1746, and route all submissions to the FTC via the specified email or overnight courier.",
      "verbatim_text": "A. Sixty (60) days after the effective date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re NTT Global Data Centers Americas, Inc., Docket No. 9386.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.20_ntt_global_data_centers_americas",
      "company_name": "Raging Wire Data Centers, Inc.",
      "date_issued": "2020-10-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter",
      "docket_number": "D09386"
    },
    {
      "provision_number": "VI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 10 years and retain each for 5 years, including accounting records, personnel records, full compliance records, and copies of all representations subject to the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for ten (10) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.20_ntt_global_data_centers_americas",
      "company_name": "Raging Wire Data Centers, Inc.",
      "date_issued": "2020-10-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter",
      "docket_number": "D09386"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC may monitor compliance by requiring sworn reports and records within 10 days of a written request, communicating directly with and interviewing Respondent's personnel, and using all other lawful means including undercover contacts.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.20_ntt_global_data_centers_americas",
      "company_name": "Raging Wire Data Centers, Inc.",
      "date_issued": "2020-10-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter",
      "docket_number": "D09386"
    },
    {
      "provision_number": "VIII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order becomes final and effective 60 days after service and terminates on October 28, 2040, or 20 years from the most recent date the Commission files a complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that the final and effective date of this Order is the 60th day after this Order is served. This Order will terminate on October 28, 2040, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.20_ntt_global_data_centers_americas",
      "company_name": "Raging Wire Data Centers, Inc.",
      "date_issued": "2020-10-15",
      "year": 2020,
      "administration": "Trump (1st)",
      "legal_authority": "Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter",
      "docket_number": "D09386"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner their collection, maintenance, use, deletion, or disclosure of Personal Information, or the extent to which they protect the privacy, security, availability, confidentiality, or integrity of Personal Information.",
      "verbatim_text": "IT IS ORDERED that Respondents, Respondents’ officers, agents, and employees, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication: A. Respondents’ collection, maintenance, use, deletion, or disclosure of Personal Information; and\n\nB. The extent to which Respondents protect the privacy, security, availability, confidentiality, or integrity of Personal Information.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security",
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "II",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish, implement, and maintain a comprehensive information security program within 180 days of the effective date, encompassing risk assessments, safeguards, training, incident response, access controls, encryption, vulnerability management, vendor oversight, and franchisee requirements.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Personal Information, must, within 180 days of the effective date of this Order, establish, implement and maintain a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Personal Information. To satisfy this requirement, Respondents must, at a minimum:\n\nA. Document in writing the content, establishment, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written program and any evaluations thereof or updates thereto to Respondents’ Board of Directors or governing body or, if no such board or Page 4 of 16 equivalent governing body exists, to a senior officer of Respondents responsible for Respondents’ Information Security Program at least annually. Marriott shall also provide to that governing structure outlined above a Covered Incident report promptly (not to exceed 120 days) after a Covered Incident;\n\nC. Designate a qualified employee to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, at least annually and promptly (not to exceed 120 days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Personal Information (“Risk Assessment”) that could result in the (1) unauthorized collection, maintenance, alteration, destruction, use, or disclosure of, or provision of access to, Personal Information; or the (2) misuse, loss, theft, or other compromise of such Personal Information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Respondents identify based on the Risk Assessment described in sub-Provision II.D or risk-based analysis. 
Each safeguard must take into account the volume and sensitivity of the Personal Information that is being assessed, and the likelihood of unauthorized disclosure, misuse, loss, or other compromise of such Personal Information. Such safeguards must also include:\n\n1. Providing role-appropriate training for Respondents’ employees who either are responsible for the Information Security Program or have access to Personal Information on any Marriott IT asset, at least annually, on how to safeguard Personal Information on such Marriott IT asset. Respondents shall have policies and procedures that require Marriott Franchised Hotels to provide role-appropriate training for their employees who have access to Personal Information on any Marriott IT asset, at least annually, on how to safeguard Personal Information on such Marriott IT asset;\n\n2. Documenting in writing the content, establishment, implementation, and maintenance of an incident response plan designed to ensure the identification of, investigation of, and response to the unauthorized access to Personal Information on Marriott IT assets. Where appropriate, Respondents shall revise and update this incident response plan to adapt to any changes to any Marriott IT asset;\n\n3. Establishing, implementing, and maintaining policies and procedures for logging and monitoring Marriott IT assets. Such policies and procedures shall include appropriate applications and services, such as a Security Information and Event Management solution and third-party monitoring services, to collect logs of events occurring on Marriott IT assets. Such policies and procedures shall also require Marriott to use such technical measures to regularly and actively review logs for anomalous activity and active threats within a twenty-four (24) hour period, and appropriately follow up with respect to Security Events. 
Such measures shall require Page 5 of 16 Respondents to identify and respond to anomalous events and unauthorized attempts to access or exfiltrate Personal Information. Marriott shall appropriately configure and test logging and monitoring services to facilitate effective identification of a Security Event and escalation according to Marriott’s incident response plan;\n\n4. Establishing, implementing, and maintaining data access controls for Marriott employees and vendors to Marriott IT assets (including databases) storing Personal Information and policies, procedures, and technical measures to minimize or prevent online attacks resulting from the misuse of valid credentials, including: (a) restricting inbound and outbound connections; (b) requiring and enforcing strong passwords; (c) preventing the reuse of credentials known to Marriott to be compromised to access Personal Information; (d) implementing password resets for credentials known to Marriott to be compromised; and (e) using the principle of least privilege to limit employee access to Personal Information to the minimum required to perform that employee’s job;\n\n5. Establishing, implementing, and maintaining multi-factor authentication or equivalent enhanced authentication measures for remote access by Marriott employees and vendors to Marriott IT assets (including databases) storing Personal Information. Respondents need only provide multi-factor authentication or enhanced authentication measure as an option for U.S. consumers for any account that collects Personal Information and authenticates U.S. consumers. Any information collected solely for multi-factor authentication may only be used for authentication purposes and no other purpose;\n\n6. Developing configuration standards to harden operating systems and network devices in Marriott’s corporate network segment and other non- property network segments against known threats and vulnerabilities. 
New operating systems and network devices introduced to such segments shall not be approved for use as Marriott IT assets until they meet Respondents’ configuration standards;\n\n7. Identifying instances where Respondents shall Encrypt, tokenize, or use other security measures to protect Personal Information on Marriott IT assets;\n\n8. Establishing, implementing, and maintaining scanning or equivalent tools to regularly inventory and classify Marriott IT assets containing Personal Information that includes hardware, software, and location of any such Marriott IT assets. In the event that Marriott removes any Marriott IT asset containing Personal Information and does not intend to reinstate that asset, Marriott shall remove or Encrypt the Personal Information contained on the asset, or destroy that asset;\n\n9. Establishing, implementing and maintaining vulnerability and patch management policies and procedures to maintain, keep updated, and support the software on Marriott IT assets containing Personal Information, using measures that take into consideration the impact a software update will have on such Marriott IT assets’ data security, Marriott’s ongoing business, network, and operational needs, and the scope of the resources required to maintain, update, and support the software. Marriott shall implement and maintain processes and procedures to schedule and install updates and security patches on that software in a timely manner, that require confirmation that any directives to apply patches or remediate vulnerabilities are received and completed, and that include timelines for addressing vulnerabilities that account for the severity and exploitability of the risk implicated; and\n\n10. Enforcing policies and procedures to ensure the timely investigation of Security Events and the timely remediation of critical and high-risk security vulnerabilities;\n\nF. 
Assess, at least annually and promptly (not to exceed 120) days following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results;\n\nG. Following the closing of an acquisition pursuant to which any Respondent assumes control of any entity that owns, licenses, maintains, processes, or transmits Personal Information (“Acquired Entity”), Respondents must assess whether the Acquired Entity’s information security program is in compliance with the mandated terms for the Information Security Program required by Provision II of this Order (“Post-Acquisition Assessment”). Respondents shall design, implement, and maintain a plan and timeline to address gaps and deficiencies identified in the Post-Acquisition Assessment. The plan shall address such gaps and deficiencies that relate to any Acquired Entity’s IT asset prior to Respondents’ use as a Marriott IT asset in the production environment;\n\nH. Test and monitor the effectiveness of the safeguards at least annually and promptly (not to exceed 120 days) following a Covered Incident, and modify the Information Security Program based on the results. Such testing and monitoring must include a vulnerability management program reasonably designed to continually identify and assess vulnerabilities within Marriott IT assets containing Personal Information by (1) discovering vulnerabilities identified by reputable outside sources; (2) assigning risk rankings to new vulnerabilities; (3) running internal and external network vulnerability scans at least quarterly or after any significant change to such Marriott IT assets, and promptly (not to exceed 120 days) after a Covered Incident; and (4) performing re-scans to ensure that previously identified vulnerabilities have been properly remediated. 
Such testing and monitoring must also include a risk-based testing program reasonably designed to identify and assess security vulnerabilities within such Marriott IT Page 7 of 16 assets. This program shall include an appropriate schedule of risk-based tests including internal and external penetration testing, segmentation testing, and web application penetration testing to be performed on such Marriott IT assets that adequately takes into account security risk. Such testing shall not be less than annual, and promptly (not to exceed 120 days) after a Covered Incident, and shall include retests where necessary to confirm appropriate remediation;\n\nI. Select and retain vendors capable of safeguarding Personal Information they access through or receive from Respondents, and contractually require vendors to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Personal Information;\n\nJ. Evaluate and adjust the Information Security Program as appropriate in light of any changes to Respondents’ operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in Provision II.D of this Order, or any other circumstances that Respondents know or have reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, Respondents must evaluate the Information Security Program at least once annually and modify the Information Security Program based on the results; and\n\nK. Require the Marriott Franchised Hotels by contract to implement and maintain appropriate safeguards to protect Personal Information. Marriott also shall develop and implement a risk-based audit program to review compliance of Marriott Franchised Hotels with the obligations imposed by Marriott. 
Marriott shall retain appropriate contractual rights to enforce a Marriott Franchised Hotel’s compliance with such requirements.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "III",
      "title": "Information Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial third-party assessments of their Information Security Program from a qualified, independent assessor, covering the first 365 days and each 2-year period thereafter for 20 years, and submit assessments to the FTC.",
      "verbatim_text": "A. The Third-Party Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession, (2) conducts an independent review of the Information Security Program, (3) retains all documents relevant to each Third-Party Assessment for 5 years after completion of such Third-Party Assessment, and (4) will provide such documents to the Commission within 10 days of receipt of a written request from a representative of the Commission. The Assessor may not withhold any documents from the Commission on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.\n\nB. For each Third-Party Assessment, Respondents must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in her or his sole discretion.\n\nC. The reporting period for the Third-Party Assessments must cover: (1) the first 365 days after the issuance date of the Order for the initial Third-Party Assessment; and (2) each 2 year period thereafter for twenty (20) years after issuance of the Order for the biennial Third-Party Assessments.\n\nD. 
Each Third-Party Assessment must, for the entire assessment period: (1) determine whether Respondents have implemented and maintained the Information Security Program required by Provision II; (2) assess the effectiveness of Respondents’ implementation and maintenance of sub-Provisions II.A-K; (3) identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; (4) address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Third-Party Assessment required by this Order; and (5) identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondents’ size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Third-Party Assessment shall rely primarily on assertions or attestations by Respondents’ management. The Third-Party Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondents’ management, and state the number of hours that each member of the assessment team worked on the Third-Party Assessment. To the extent that Respondents revise, update, or add one or more safeguards required under Provision II of this Order during an assessment period, the Third-Party Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. 
Each Third-Party Assessment must be completed within 60 days after the end of the reporting period to which the Third-Party Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondents must submit the initial Third-Party Assessment to the Commission within 10 days after Respondents’ receipt of the Third-Party Assessment. The submission must be made via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Marriott International, Inc., FTC File No. 1923022.” All subsequent biennial Third-Party Assessments must be retained by Respondents until the Order is terminated and provided to the Associate Director for Enforcement within 10 days of request.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "IV",
      "title": "Cooperation with Third-Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondents must fully cooperate with the Third-Party Assessor by providing all relevant information, disclosing all material facts, and not misrepresenting any fact material to the assessment.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Third-Party Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Assessor information about Marriott IT assets so that the Assessor can determine the scope of the Third-Party Assessment, and visibility to those Marriott IT assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondents have implemented and maintained the Information Security Program required by Provision II; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions II.A-K; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "V",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondents must provide an annual CEO certification to the FTC confirming compliance with the Order and disclosing any uncorrected material noncompliance.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from the Chief Executive Officer (“CEO”) that: (1) Respondents have established, implemented, and maintained the requirements of this Order; and (2) Respondents are not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of the CEO or subject matter experts upon whom the CEO reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Marriott International, Inc., FTC File No. 1923022.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "VI",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 10 days of notifying any U.S. government entity of a Covered Incident, Respondents must submit a detailed report to the FTC including incident dates, causes, types of information affected, number of consumers impacted, remediation steps taken, and copies of notices sent.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within 10 days of any notification to a United States federal, state, or local government entity of a Covered Incident, Respondents must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of information that triggered any notification to the U.S. federal, state, or local government entity; D. The number of consumers whose information was affected by the Covered Incident; E. The acts that Respondents have taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of any materially different notice sent by Respondents to U.S. consumers or to any U.S. federal, state, or local government entity regarding the Covered Incident.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Marriott International, Inc., FTC File No. 1923022.”",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "VII",
      "title": "Loyalty Rewards Program Accounts Review",
      "category": "affirmative_obligation",
      "summary": "Respondents must provide U.S. consumers a clear and conspicuous method to request review of their Loyalty Rewards Program account for unauthorized activity within the preceding 12 months, and restore points lost to unauthorized third-party activity.",
      "verbatim_text": "A. Establish, implement, and provide a Clear and Conspicuous method by which a U.S. consumer can request that Respondents review the requesting consumer’s Loyalty Rewards Program account for suspected unauthorized account activity that occurred within the preceding 12 months. Upon receipt of such request and relevant substantiating information from the consumer, Respondents shall timely undertake reasonable steps to determine if any such suspected unauthorized activity has occurred in the consumer’s Loyalty Rewards Program account; or\n\nB. In the event of a Security Event specifically involving the unauthorized use of authentication credentials for U.S. consumer Loyalty Rewards Program Page 11 of 16 account(s), timely undertake reasonable steps to determine if any suspicious or unauthorized activity has occurred in such consumer Loyalty Rewards Program account(s). Following any review, pursuant to sub-Provision (A) or (B), in the event that Respondents determine that suspicious or unauthorized activity by a third party resulted in any reduction of points associated with a U.S. consumer’s Loyalty Rewards Program account, unless Respondents determine that the consumer violated the terms of use of the Loyalty Program, Respondents shall restore the reduced points in the relevant consumer’s Loyalty Rewards Program account.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Redress"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "VIII",
      "title": "Data Handling",
      "category": "affirmative_obligation",
      "summary": "Respondents must provide a clear deletion request process for U.S. consumers within 180 days, maintain a data retention policy limiting retention to what is reasonably necessary, and disclose the purpose of data collection in their terms of use or privacy policy.",
      "verbatim_text": "A. Within 180 days after issuance of this Order, Respondents shall provide a Clear and Conspicuous link on Marriott’s website and on their mobile applications directing U.S. consumers to an online process through which they can request the deletion of their Personal Information that is associated with the email address and/or Loyalty Rewards Program account number identified in the consumer’s request. Respondents must verify receipt of each such request and explain the process of deletion within 60 days of the request. Nothing in this Provision shall abrogate Respondents’ right to avail itself of any and all rights, exceptions, and exemptions existing under any state or federal law.\n\nB. Respondents shall maintain a policy designed to retain Personal Information for only as long as is reasonably necessary to fulfill the purpose for which the Personal Information was collected, and shall disclose the purpose for which the Personal Information is collected and the specific business need for retaining Personal Information in its terms of use or privacy policy. Provided, however, that such Personal Information need not be destroyed, and may be disclosed, if requested by a government agency; if required by law, regulation, or court order or other legal obligation; or for other documented legitimate business needs except for marketing.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "IX",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondents must submit a sworn acknowledgment of receipt of the Order to the FTC within 10 days, deliver copies to all relevant officers, directors, employees, and agents, and obtain signed acknowledgments within 30 days.",
      "verbatim_text": "A. Respondents, within 10 days after the Effective Date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. Respondents must deliver a copy of this Order to: (1) Respondents’ principals, officers, directors, and LLC managers and members; (2) Respondents’ employees having managerial responsibilities for Respondents’ Information Security Program and Respondents’ agents and representatives who participate in Page 12 of 16 Respondents’ Information Security Program; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the Effective Date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondents deliver a copy of this Order, Respondents must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "X",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit a sworn compliance report one year after issuance, provide compliance notices within 14 days of any designated contact or structural changes, notify the Commission of any bankruptcy filings within 14 days, and submit all filings via email or overnight courier.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondents must submit a compliance report, sworn under penalty of perjury, in which Respondents must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondents; (b) identify all of Respondents’ businesses by all of their names, primary telephone numbers, and primary physical, postal, email, and Internet addresses; (c) describe the activities of each of Respondents’ businesses; (d) describe in detail whether and how Respondents are in compliance with each Provision of this Order, including a discussion of all of the changes Respondents made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondents must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of any Respondent or any entity that any Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Marriott International, Inc., FTC File No. 1923022.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "XI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create and retain specified records for 20 years after issuance (retaining each record for 5 years), including accounting records, personnel records, consumer complaints, privacy representations, third-party assessment materials, law enforcement communications, and all compliance records.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents must create certain records for 20 years after the issuance date of the Order, and retain each such record for 5 years. Specifically, Respondents must create and retain the following records:\n\nA. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all U.S. consumer complaints related to Respondents’ collection, maintenance, use, deletion, or disclosure of Personal Information received through Respondents’ customer privacy channels, and any response, except to the extent that deletion of such records has been requested by a consumer;\n\nD. A copy of each widely disseminated representation by Respondents that describes the extent to which Respondents maintain or protect the privacy, security or confidentiality of any Personal Information, including any representation concerning a change in any website or other service controlled by Respondents that relates to the privacy, security, or confidentiality of Personal Information;\n\nE. For five (5) years after the date of preparation of each Third-Party Assessment required by this Order, all materials the Assessor relied upon to prepare the Third- Party Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondents’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nF. 
For five (5) years from the date received, copies of all subpoenas and other communications to and from law enforcement, and subpoena responses, if such communications relate to Respondents’ compliance with this Order;\n\nG. For five (5) years from the date created or received, all records, whether prepared by or on behalf of Respondents, that demonstrate non-compliance by Respondents with this Order; and\n\nH. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "XII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC has the authority to monitor Respondents' compliance by requesting additional reports and records within 10 days, communicating directly with and interviewing Respondents' affiliates, and using all other lawful means including undercover methods.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondents must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondents. Respondents must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "XIII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and terminates 20 years from its issuance date, or 20 years from the most recent federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that any Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such Page 15 of 16 complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide",
      "company_name": "Marriott International, Inc.",
      "date_issued": "2024-10-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter",
      "docket_number": "C-4807"
    },
    {
      "provision_number": "I",
      "title": "Ban on Use of Information from Sentry",
      "category": "prohibition",
      "summary": "Defendant is permanently enjoined from disclosing Collected Information to anyone other than Personnel Necessary to Support Sentry or a Registered Sentry User for the sole purpose of accessing that user's account.",
      "verbatim_text": "IITT IISS HHEERREEBBYY OORRDDEERREEDD tthhaatt DDeeffeennddaanntt,, ooppeerraattiinngg ddiirreeccttllyy oorr tthhrroouugghh aannyy ccoorrppoorraattiioonn,, ppaarrttnneerrsshhiipp,, ssuubbssiiddiiaarryy,, ddiivviissiioonn,, ttrraaddee nnaammee,, oorr ootthheerr ddeevviiccee,, aanndd iittss ooffffiicceerrss,, aaggeennttss,, sseerrvvaannttss,, eemmppllooyyeeeess aanndd aattttoorrnneeyyss,, aanndd aallll ootthheerr ppeerrssoonnss wwhhoo aarree iinn aaccttiivvee ccoonncceerrtt oorr ppaarrttiicciippaattiioonn wwiitthh tthheemm wwhhoo rreecceeiivvee aaccttuuaall nnoottiiccee ooff tthhiiss OOrrddeerr,, bbyy ppeerrssoonnaall sseerrvviiccee oorr ootthheerrwwiissee,, aarree hheerreebbyy ppeerrmmaanneennttllyy eennjjooiinneedd aanndd rreessttrraaiinneedd ffrroomm ddiisscclloossiinngg CCoolllleecctteedd IInnffoorrmmaattiioonn ttoo aannyyoonnee ootthheerr tthhaann PPeerrssoonnnneell NNeecceessssaarryy ttoo SSuuppppoorrtt SSeennttrryy oorr aa RReeggiisstteerreedd SSeennttrryy UUsseerr ffoorr tthhee ssoollee ppuurrppoossee ooff aacccceessssiinngg tthhaatt uusseerr''ss aaccccoouunntt..",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.10_echometrix",
      "company_name": "EchoMetrix, Inc.",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc",
      "docket_number": "2:10-cv-05516-DRH"
    },
    {
      "provision_number": "II",
      "title": "Destruction of Collected Information",
      "category": "affirmative_obligation",
      "summary": "Defendant must destroy, within 5 days of entry of the Order, any Collected Information transferred to or available in any database or server used by Pulse, except for information only available to Registered Sentry Users.",
      "verbatim_text": "IITT IISS FFUURRTTHHEERR OORRDDEERREEDD tthhaatt DDeeffeennddaanntt,, ooppeerraattiinngg ddiirreeccttllyy oorr tthhrroouugghh aannyy ccoorrppoorraattiioonn,, ppaarrttnneerrsshhiipp,, ssuubbssiiddiiaarryy,, ddiivviissiioonn,, ttrraaddee nnaammee,, oorr ootthheerr ddeevviiccee,, sshhaallll,, nnoo llaatteerr tthhaann ffiivvee ((55)) ddaayyss aafftteerr tthhee ddaattee ooff eennttrryy ooff tthhiiss OOrrddeerr,, ddeessttrrooyy aannyy CCoolllleecctteedd IInnffoorrmmaattiioonn tthhaatt wwaass ttrraannssffeerrrreedd ttoo oorr iiss aavvaaiillaabbllee iinn aannyy ddaattaabbaassee oorr sseerrvveerr uusseedd bbyy PPuullssee,, pprroovviiddeedd,, hhoowweevveerr,, tthhaatt CCoolllleecctteedd IInnffoorrmmaattiioonn oonn aa ddaattaabbaassee oorr sseerrvveerr tthhaatt iiss oonnllyy aavvaaiillaabbllee ttoo RReeggiisstteerreedd SSeennttrryy UUsseerrss nneeeedd nnoott bbee ddeessttrrooyyeedd..",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "11.10_echometrix",
      "company_name": "EchoMetrix, Inc.",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc",
      "docket_number": "2:10-cv-05516-DRH"
    },
    {
      "provision_number": "III",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Defendant must notify the FTC of structural changes for 4 years, submit sworn annual compliance reports starting 60 days after entry, notify of bankruptcy within 15 days, and send all reports by overnight courier or first-class mail with simultaneous electronic copy.",
      "verbatim_text": "AA.. FFoorr aa ppeerriioodd ooff ffoouurr ((44)) yyeeaarrss ffrroomm tthhee ddaattee ooff eennttrryy ooff tthhiiss OOrrddeerr,, DDeeffeennddaanntt sshhaallll nnoottiiffyy tthhee CCoommmmiissssiioonn ooff aannyy cchhaannggeess iinn iittss ssttrruuccttuurree oorr aannyy bbuussiinneessss eennttiittyy tthhaatt DDeeffeennddaanntt ddiirreeccttllyy oorr iinnddiirreeccttllyy ccoonnttrroollss,, oorr hhaass aann oowwnneerrsshhiipp iinntteerreesstt iinn,, tthhaatt mmaayy aaffffeecctt ccoommpplliiaannccee oobblliiggaattiioonnss aarriissiinngg uunnddeerr tthhiiss OOrrddeerr,, iinncclluuddiinngg bbuutt nnoott lliimmiitteedd ttoo:: iinnccoorrppoorraattiioonn oorr ootthheerr oorrggaanniizzaattiioonn;; aa ddiissssoolluuttiioonn,, aassssiiggnnmmeenntt,, ssaallee,, mmeerrggeerr,, oorr ootthheerr aaccttiioonn;; tthhee ccrreeaattiioonn oorr ddiissssoolluuttiioonn ooff aa ssuubbssiiddiiaarryy,, ppaarreenntt,, oorr aaffffiilliiaattee tthhaatt eennggaaggeess iinn aannyy aaccttss oorr pprraaccttiicceess ssuubbjjeecctt ttoo tthhiiss OOrrddeerr;; oorr aa cchhaannggee iinn tthhee bbuussiinneessss nnaammee oorr aaddddrreessss,, aatt lleeaasstt tthhiirrttyy ((3300)) ddaayyss pprriioorr ttoo ssuucchh cchhaannggee,, pprroovviiddeedd tthhaatt,, wwiitthh rreessppeecctt ttoo aannyy ssuucchh cchhaannggee iinn tthhee bbuussiinneessss eennttiittyy aabboouutt wwhhiicchh DDeeffeennddaanntt lleeaarrnnss lleessss tthhaann tthhiirrttyy ((3300)) ddaayyss pprriioorr ttoo tthhee ddaattee ssuucchh aaccttiioonn iiss ttoo ttaakkee ppllaaccee,, DDeeffeennddaanntt sshhaallll nnoottiiffyy tthhee CCoommmmiissssiioonn aass ssoooonn aass iiss pprraaccttiiccaabbllee aafftteerr oobbttaaiinniinngg ssuucchh kknnoowwlleeddggee..\n\nBB.. 
SSiixxttyy ((6600)) ddaayyss aafftteerr tthhee ddaattee ooff eennttrryy ooff tthhiiss OOrrddeerr,, aanndd aannnnuuaallllyy tthheerreeaafftteerr ffoorr aa ppeerriioodd ooff ffoouurr ((44)) yyeeaarrss,, DDeeffeennddaanntt sshhaallll pprroovviiddee aa wwrriitttteenn rreeppoorrtt ttoo tthhee CCoommmmiissssiioonn,, wwhhiicchh iiss ttrruuee aanndd aaccccuurraattee aanndd sswwoorrnn ttoo uunnddeerr ppeennaallttyy ooff ppeerrjjuurryy,, sseettttiinngg ffoorrtthh iinn ddeettaaiill tthhee mmaannnneerr aanndd ffoorrmm iinn wwhhiicchh tthheeyy hhaavvee ccoommpplliieedd aanndd aarree ccoommppllyyiinngg wwiitthh tthhiiss OOrrddeerr.. TThhiiss rreeppoorrtt sshhaallll iinncclluuddee,, bbuutt nnoott bbee lliimmiitteedd ttoo:: 11.. AA ccooppyy ooff eeaacchh aacckknnoowwlleeddggmmeenntt ooff rreecceeiipptt ooff tthhiiss OOrrddeerr,, oobbttaaiinneedd ppuurrssuuaanntt ttoo tthhee SSeeccttiioonn ttiittlleedd \"\"DDiissttrriibbuuttiioonn ooff OOrrddeerr;;\"\" aanndd 22.. AAnnyy ootthheerr cchhaannggeess rreeqquuiirreedd ttoo bbee rreeppoorrtteedd uunnddeerr SSuubbsseeccttiioonn AA ooff tthhiiss SSeeccttiioonn..\n\nCC.. DDeeffeennddaanntt sshhaallll nnoottiiffyy tthhee CCoommmmiissssiioonn ooff tthhee ffiilliinngg ooff aa bbaannkkrruuppttccyy ppeettiittiioonn bbyy ssuucchh DDeeffeennddaanntt wwiitthhiinn ffiifftteeeenn ((1155)) ddaayyss ooff ffiilliinngg..\n\nDD.. FFoorr ppuurrppoosseess oofftthhiiss OOrrddeerr,, DDeeffeennddaanntt sshhaallll,, uunnlleessss ootthheerrwwiissee ddiirreecctteedd bbyy tthhee CCoommmmiissssiioonn''ss aauutthhoorriizzeedd rreepprreesseennttaattiivveess,, sseenndd bbyy oovveerrnniigghhtt ccoouurriieerr ((nnoott tthhee uu..SS.. 
PPoossttaall SSeerrvviiccee)) --55-- Case 2:10-cv-05516-DRH -ARL Document 1-2 Filed 11/30/10 Page 6 of 10 aallll rreeppoorrttss aanndd nnoottiiffiiccaattiioonnss ttoo tthhee CCoommmmiissssiioonn tthhaatt aarree rreeqquuiirreedd bbyy tthhiiss OOrrddeerr ttoo:: AAssssoocciiaattee DDiirreeccttoorr ffoorr EEnnffoorrcceemmeenntt FFeeddeerraall TTrraaddee CCoommmmiissssiioonn 660000 PPeennnnssyyllvvaanniiaa AAvveennuuee,, NN..WW.. WWaasshhiinnggttoonn,, DD..CC.. 2200558800 AAttttnn:: FFTTCC vv.. EEcchhooMMeettrriixx,, IInncc.. PPrroovviiddeedd tthhaatt,, iinn lliieeuu ooff aann oovveerrnniigghhtt ccoouurriieerr,, DDeeffeennddaanntt mmaayy sseenndd ssuucchh rreeppoorrttss oorr nnoottiiffiiccaattiioonnss bbyy ffiirrsstt--ccllaassss mmaaiill,, bbuutt oonnllyy iiff DDeeffeennddaanntt ccoonntteemmppoorraanneeoouussllyy sseennddss aann eelleeccttrroonniicc vveerrssiioonn ooff ssuucchh rreeppoorrtt oorr nnoottiiffiiccaattiioonn ttoo tthhee CCoommmmiissssiioonn aatt:: DDEEBBrriieeff@@ffttcc..ggoovv..\n\nEE.. FFoorr ppuurrppoosseess ooff tthhee ccoommpplliiaannccee rreeppoorrttiinngg aanndd mmoonniittoorriinngg rreeqquuiirreedd bbyy tthhiiss OOrrddeerr,, tthhee CCoommmmiissssiioonn iiss aauutthhoorriizzeedd ttoo ccoommmmuunniiccaattee ddiirreeccttllyy wwiitthh DDeeffeennddaanntt..",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.10_echometrix",
      "company_name": "EchoMetrix, Inc.",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc",
      "docket_number": "2:10-cv-05516-DRH"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor and investigate Defendant's compliance, including requiring written reports, document production, depositions, and facility access, as well as using discovery procedures and posing as consumers or suppliers.",
      "verbatim_text": "AA.. WWiitthhiinn tteenn ((1100)) ddaayyss ooff rreecceeiipptt ooff wwrriitttteenn nnoottiiccee ffrroomm aa rreepprreesseennttaattiivvee ooff tthhee CCoommmmiissssiioonn,, DDeeffeennddaanntt sshhaallll ssuubbmmiitt aaddddiittiioonnaall wwrriitttteenn rreeppoorrttss,, wwhhiicchh aarree ttrruuee aanndd aaccccuurraattee aanndd sswwoorrnn ttoo uunnddeerr ppeennaallttyy ooff ppeeIIjjuurryy;; pprroodduuccee ddooccuummeennttss ffoorr iinnssppeeccttiioonn aanndd ccooppyyiinngg;; aappppeeaarr ffoorr ddeeppoossiittiioonn;; aanndd pprroovviiddee eennttrryy dduurriinngg nnoorrmmaall bbuussiinneessss hhoouurrss ttoo aannyy bbuussiinneessss llooccaattiioonn iinn DDeeffeennddaanntt''ss ppoosssseessssiioonn oorr ddiirreecctt oorr iinnddiirreecctt ccoonnttrrooll ttoo iinnssppeecctt tthhee bbuussiinneessss ooppeerraattiioonn;;\n\nBB.. IInn aaddddiittiioonn,, tthhee CCoommmmiissssiioonn iiss aauutthhoorriizzeedd ttoo uussee aallll ootthheerr llaawwffuull mmeeaannss,, iinncclluuddiinngg bbuutt nnoott lliimmiitteedd ttoo:: 11.. OObbttaaiinniinngg ddiissccoovveerryy ffrroomm aannyy ppeerrssoonn,, wwiitthhoouutt ffuurrtthheerr lleeaavvee ooff ccoouurrtt,, uussiinngg tthhee pprroocceedduurreess ddeessccrriibbeedd iinn FFeedd.. RR.. CCiivv.. PP.. 3300,, 3311,, 3333,, 3344,, 3366,, 4455,, aanndd 6699;; aanndd\n\n22.. HHaavviinngg iittss rreepprreesseennttaattiivveess ppoossee aass ccoonnssuummeerrss aanndd ssuupppplliieerrss ttoo DDeeffeennddaanntt,, iittss eemmppllooyyeeeess,, oorr aannyy ootthheerr eennttiittyy mmaannaaggeedd oorr ccoonnttrroolllleedd iinn wwhhoollee oorr iinn ppaarrtt bbyy DDeeffeennddaanntt,, wwiitthhoouutt tthhee nneecceessssiittyy ooff iiddeennttiiffiiccaattiioonn oorr pprriioorr nnoottiiccee..\n\nCC.. 
DDeeffeennddaanntt sshhaallll ppeerrmmiitt rreepprreesseennttaattiivveess ooff tthhee CCoommmmiissssiioonn ttoo iinntteerrvviieeww aannyy ooffffiicceerr,, ddiirreeccttoorr,, ccoonnssuullttaanntt,, iinnddeeppeennddeenntt ccoonnttrraaccttoorr,, rreepprreesseennttaattiivvee,, aaggeenntt,, oorr eemmppllooyyeeee wwhhoo hhaass aaggrreeeedd ttoo ssuucchh aann iinntteerrvviieeww,, rreellaattiinngg iinn aannyy wwaayy ttoo aannyy ccoonndduucctt ssuubbjjeecctt ttoo tthhiiss OOrrddeerr.. TThhee ppeerrssoonn iinntteerrvviieewweedd mmaayy hhaavvee ccoouunnsseell pprreesseenntt..",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.10_echometrix",
      "company_name": "EchoMetrix, Inc.",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc",
      "docket_number": "2:10-cv-05516-DRH"
    },
    {
      "provision_number": "V",
      "title": "Record-Keeping Requirements",
      "category": "recordkeeping",
      "summary": "Defendant must create and retain for seven years specific records related to Sentry and Pulse, including accounting records, personnel records, customer files, complaints, advertising materials, and all documents necessary to demonstrate full compliance with this Order.",
      "verbatim_text": "IITT IISS FFUURRTTHHEERR OORRDDEERREEDD tthhaatt,, ffoorr aa ppeerriioodd ooff sseevveenn ((77)) yyeeaarrss ffrroomm tthhee ddaattee ooff eennttrryy ooff tthhiiss OOrrddeerr,, DDeeffeennddaanntt aanndd iittss aaggeennttss,, eemmppllooyyeeeess,, ooffffiicceerrss,, ccoorrppoorraattiioonnss,, aanndd tthhoossee ppeerrssoonnss iinn aaccttiivvee ccoonncceerrtt oorr ppaarrttiicciippaattiioonn wwiitthh tthheemm wwhhoo rreecceeiivvee aaccttuuaall nnoottiiccee ooff tthhiiss OOrrddeerr bbyy ppeerrssoonnaall sseerrvviiccee oorr ootthheerrwwiissee,, aarree hheerreebbyy rreessttrraaiinneedd aanndd eennjjooiinneedd ffrroomm ffaaiilliinngg ttoo ccrreeaattee aanndd rreettaaiinn tthhee ffoolllloowwiinngg rreeccoorrddss:: AA.. AAccccoouunnttiinngg rreeccoorrddss tthhaatt rreefflleecctt tthhee rreevveennuueess ggeenneerraatteedd bbyy ssaallee ooff SSeennttrryy aanndd PPuullssee,, aanndd tthhee ddiissbbuurrsseemmeenntt ooff ssuucchh rreevveennuueess;;\n\nBB.. PPeerrssoonnnneell rreeccoorrddss aaccccuurraatteellyy rreefflleeccttiinngg:: tthhee nnaammee,, aaddddrreessss,, aanndd tteelleepphhoonnee nnuummbbeerr ooff eeaacchh ppeerrssoonn eemmppllooyyeedd iinn aannyy ccaappaacciittyy bbyy ssuucchh bbuussiinneessss,, iinncclluuddiinngg aass aann iinnddeeppeennddeenntt ccoonnttrraaccttoorr,, --77-- Case 2:10-cv-05516-DRH -ARL Document 1-2 Filed 11/30/10 Page 8 of 10 wwhhoo iiss iinnvvoollvveedd iinn tthhee aaddvveerrttiissiinngg,, mmaarrkkeettiinngg,, pprroommoottiioonn,, ooffffeerriinngg ffoorr ssaallee,, ssaallee,, oorr ddiissttrriibbuuttiioonn ooff SSeennttrryy oorr PPuullssee;; tthhaatt ppeerrssoonn''ss jjoobb ttiittllee oorr ppoossiittiioonn;; tthhee ddaattee uuppoonn wwhhiicchh tthhee ppeerrssoonn ccoommmmeenncceedd wwoorrkk;; aanndd tthhee ddaattee aanndd rreeaassoonn ffoorr tthhee ppeerrssoonn''ss tteerrmmiinnaattiioonn,, iiff aapppplliiccaabbllee;;\n\nCC.. 
CCuussttoommeerr ffiilleess ccoonnttaaiinniinngg tthhee nnaammeess,, aaddddrreesssseess,, pphhoonnee nnuummbbeerrss,, ddoollllaarr aammoouunnttss ppaaiidd,, aanndd ddeessccrriippttiioonn ooff pprroodduucctt ppuurrcchhaasseedd,, ffoorr eeaacchh ppuurrcchhaasseerr ooff SSeennttrryy aanndd ooff PPuullssee,, ttoo tthhee eexxtteenntt ssuucchh iinnffoorrmmaattiioonn iiss oobbttaaiinneedd iinn tthhee oorrddiinnaarryy ccoouurrssee ooff bbuussiinneessss;;\n\nDD.. CCoommppllaaiinnttss aanndd rreeffuunndd rreeqquueessttss ((wwhheetthheerr rreecceeiivveedd ddiirreeccttllyy oorr iinnddiirreeccttllyy,, ssuucchh aass tthhrroouugghh aa tthhiirrdd ppaarrttyy)),, iinncclluuddiinngg,, bbuutt nnoott lliimmiitteedd ttoo,, rreeppoorrttss ooff ddiisscclloossuurree ooff ppeerrssoonnaall iinnffoorrmmaattiioonn ccllaaiimmeedd ttoo bbee aassssoocciiaatteedd wwiitthh tthhee uussee ooff SSeennttrryy oorr PPuullssee,, aanndd aannyy rreessppoonnsseess ttoo tthhoossee ccoommppllaaiinnttss oorr rreeqquueessttss;;\n\nEE.. CCooppiieess ooff aallll aaddvveerrttiisseemmeennttss,, pprroommoottiioonnaall mmaatteerriiaallss,, ssaalleess ssccrriippttss,, ttrraaiinniinngg mmaatteerriiaallss,, wweebbssiitteess,, eenndd--uusseerr lliicceennssee aaggrreeeemmeennttss,, ffrreeqquueennttllyy aasskkeedd qquueessttiioonnss,, pprriivvaaccyy ppoolliicciieess,, aanndd ssiimmiillaarr ddooccuummeennttss rreellaattiinngg ttoo DDeeffeennddaanntt''ss ddiisssseemmiinnaattiioonn ooff SSeennttrryy;; aanndd\n\nFF.. 
AAllll rreeccoorrddss aanndd ddooccuummeennttss nneecceessssaarryy ttoo ddeemmoonnssttrraattee ffuullll ccoommpplliiaannccee wwiitthh eeaacchh pprroovviissiioonn ooff tthhiiss OOrrddeerr,, iinncclluuddiinngg,, bbuutt nnoott lliimmiitteedd ttoo,, ccooppiieess ooff aacckknnoowwlleeddggmmeennttss ooff rreecceeiipptt ooff tthhiiss OOrrddeerr,, rreeqquuiirreedd bbyy tthhee SSeeccttiioonn ttiittlleedd \"\"DDiissttrriibbuuttiioonn ooff OOrrddeerr\"\" aanndd tthhee SSeeccttiioonn ttiittlleedd \"\"AAcckknnoowwlleeddggmmeenntt ooff RReecceeiipptt ooff OOrrddeerr,,\"\" aanndd aallll rreeppoorrttss ssuubbmmiitttteedd ttoo tthhee CCoommmmiissssiioonn ppuurrssuuaanntt ttoo tthhee SSeeccttiioonn ooff tthhiiss OOrrddeerr ttiittlleedd \"\"CCoommpplliiaannccee RReeppoorrttiinngg..\"\"",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.10_echometrix",
      "company_name": "EchoMetrix, Inc.",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc",
      "docket_number": "2:10-cv-05516-DRH"
    },
    {
      "provision_number": "VI",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "Defendant must deliver copies of the Order to principals, officers, directors, managers, relevant employees, agents, and successor business entities within specified timeframes, and must obtain signed acknowledgments of receipt within 30 days of delivery.",
      "verbatim_text": "IITT IISS FFUURRTTHHEERR OORRDDEERREEDD tthhaatt,, ffoorr aa ppeerriioodd ooff ffoouurr ((44)) yyeeaarrss ffrroomm tthhee ddaattee ooff eennttrryy ooff tthhiiss OOrrddeerr,, DDeeffeennddaanntt sshhaallll ddeelliivveerr ccooppiieess ooff tthhiiss OOrrddeerr aass ddiirreecctteedd bbeellooww:: AA.. DDeeffeennddaanntt sshhaallll ddeelliivveerr aa ccooppyy oofftthhiiss OOrrddeerr ttoo:: ((11)) aallll ooff iittss pprriinncciippaallss,, ooffffiicceerrss,, ddiirreeccttoorrss,, --88-- Case 2:10-cv-05516-DRH -ARL Document 1-2 Filed 11/30/10 Page 9 of 10 aanndd mmaannaaggeerrss;; ((22)) aallll ooff iittss eemmppllooyyeeeess,, aaggeennttss,, aanndd rreepprreesseennttaattiivveess wwhhoo eennggaaggee iinn ccoonndduucctt rreellaatteedd ttoo tthhee ssuubbjjeecctt mmaatttteerr ooff tthhiiss OOrrddeerr;; aanndd ((33)) aannyy bbuussiinneessss eennttiittyy rreessuullttiinngg ffrroomm aannyy cchhaannggee iinn ssttrruuccttuurree sseett ffoorrtthh iinn SSuubbsseeccttiioonn AA ooff tthhee SSeeccttiioonn ttiittlleedd \"\"CCoommpplliiaannccee RReeppoorrttiinngg..\"\" FFoorr ccuurrrreenntt ppeerrssoonnnneell,, ddeelliivveerryy sshhaallll bbee wwiitthhiinn ffiivvee ((55)) ddaayyss ooff sseerrvviiccee ooff tthhiiss OOrrddeerr uuppoonn DDeeffeennddaanntt.. FFoorr nneeww ppeerrssoonnnneell,, ddeelliivveerryy sshhaallll ooccccuurr pprriioorr ttoo tthheeiirr aassssuummiinngg tthheeiirr rreessppoonnssiibbiilliittiieess.. FFoorr aannyy bbuussiinneessss eennttiittyy rreessuullttiinngg ffrroomm aannyy cchhaannggee iinn ssttrruuccttuurree sseett ffoorrtthh iinn SSuubbsseeccttiioonn AA ooff tthhee SSeeccttiioonn ttiittlleedd \"\"CCoommpplliiaannccee RReeppoorrttiinngg,,\"\" ddeelliivveerryy sshhaallll bbee aatt lleeaasstt tteenn ((1100)) ddaayyss pprriioorr ttoo tthhee cchhaannggee iinn ssttrruuccttuurree..\n\nBB.. 
DDeeffeennddaanntt mmuusstt sseeccuurree aa ssiiggnneedd aanndd ddaatteedd ssttaatteemmeenntt aacckknnoowwlleeddggiinngg rreecceeiipptt ooff tthhee OOrrddeerr,, wwiitthhiinn tthhiirrttyy ((3300)) ddaayyss ooff ddeelliivveerryy,, ffrroomm aallll ppeerrssoonnss rreecceeiivviinngg aa ccooppyy ooff tthhee OOrrddeerr ppuurrssuuaanntt ttoo tthhiiss SSeeccttiioonn..",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.10_echometrix",
      "company_name": "EchoMetrix, Inc.",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc",
      "docket_number": "2:10-cv-05516-DRH"
    },
    {
      "provision_number": "VII",
      "title": "Acknowledgment of Receipt of Order",
      "category": "acknowledgment",
      "summary": "Defendant must submit a truthful sworn statement to the FTC acknowledging receipt of this Order within five business days of receiving it.",
      "verbatim_text": "IITT IISS FFUURRTTHHEERR OORRDDEERREEDD tthhaatt DDeeffeennddaanntt,, wwiitthhiinn ffiivvee ((55)) bbuussiinneessss ddaayyss ooff rreecceeiipptt ooff tthhiiss OOrrddeerr aass eenntteerreedd bbyy tthhee CCoouurrtt,, sshhaallll ssuubbmmiitt ttoo tthhee CCoommmmiissssiioonn aa ttrruutthhffuull sswwoorrnn ssttaatteemmeenntt aacckknnoowwlleeddggiinngg rreecceeiipptt ooff tthhiiss OOrrddeerr..",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.10_echometrix",
      "company_name": "EchoMetrix, Inc.",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc",
      "docket_number": "2:10-cv-05516-DRH"
    },
    {
      "provision_number": "VIII",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.",
      "verbatim_text": "IITT IISS FFUURRTTHHEERR OORRDDEERREEDD tthhaatt tthhiiss CCoouurrtt sshhaaHH rreettaaiinn jjuurriissddiiccttiioonn ooff tthhiiss mmaatttteerr ffoorr ppuurrppoosseess ooff ccoonnssttrruuccttiioonn,, mmooddiiffiiccaattiioonn,, aanndd eennffoorrcceemmeenntt ooff tthhiiss OOrrddeerr..",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.10_echometrix",
      "company_name": "EchoMetrix, Inc.",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc",
      "docket_number": "2:10-cv-05516-DRH"
    },
    {
      "provision_number": "I",
      "title": "Use of Facial Recognition or Analysis Systems Prohibited",
      "category": "prohibition",
      "summary": "Respondents are prohibited for five years from deploying or using any Facial Recognition or Analysis System in any retail store, retail pharmacy, or online retail platform.",
      "verbatim_text": "IT IS ORDERED that Respondents, in connection with the activities of any Covered Business, are prohibited for five (5) years from the effective date of this Order from deploying or using, or assisting in the deployment or use of, any Facial Recognition or Analysis System, whether directly or through an intermediary, in any retail store or retail pharmacy or on any online retail platform.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Surveillance"
      ],
      "remedy_types": [
        "Biometric Ban"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "II",
      "title": "Deletion of Covered Biometric Information",
      "category": "affirmative_obligation",
      "summary": "Respondents must delete all photos, videos, and derived data used in connection with Facial Recognition or Analysis Systems prior to the order's effective date, notify third parties to do the same, and provide written confirmations.",
      "verbatim_text": "A. Within forty-five (45) days after the effective date of this Order, delete or destroy all photos and videos of consumers used or collected in connection with the operation of a Facial Recognition or Analysis System prior to the effective date of this Order, and any data, models, or algorithms derived in whole or in part therefrom, and provide a written statement to the Commission, sworn under penalty of perjury, confirming that all such information has been deleted or destroyed;\n\nB. Within sixty (60) days after the effective date of this Order, Respondents must: 1. Identify all third parties, other than government entities, that received photos and videos of consumers used or collected in connection with the operation of a Facial Recognition or Analysis System prior to the effective date of this Order, and any data, models, or algorithms derived in whole or in part therefrom from any Covered Business, provide a copy of the Complaint and Order to all such identified third parties, notify all such identified third parties in writing that the Federal Trade Commission alleges that Respondents used that information in a manner that was unfair in violation of the FTC Act, and instruct all such identified third parties to delete all photos and videos of consumers used or collected in connection with the operation of a Facial Recognition or Analysis System prior to the effective date of this Order, and any data, models, or algorithms derived in whole or in part therefrom, and demand written confirmation of deletion. Defendant’s instruction to each such identified third party shall include a description of the Biometric 6 Information to be deleted. Defendant must provide all instructions sent to the identified third parties to: DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. 
The subject line must begin: “In the Matter of Rite Aid, FTC File No. C-4308;” and\n\n2. Provide all receipts of confirmation and any responses from third parties within ten (10) days of receipt to: DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In the Matter of Rite Aid, FTC File No. C-4308.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "III",
      "title": "Mandated Automated Biometric Security or Surveillance System Monitoring Program",
      "category": "affirmative_obligation",
      "summary": "Before using any Automated Biometric Security or Surveillance System (other than prohibited facial recognition), Respondents must establish, implement, and maintain a comprehensive Monitoring Program to identify and address consumer risks, including risks of disproportionate harm based on race, ethnicity, gender, sex, age, or disability.",
      "verbatim_text": "A. Document in writing the content, implementation, and maintenance of the Program;\n\nB. Designate a qualified employee or employees to coordinate and be responsible for the Program;\n\nC. For each Automated Biometric Security or Surveillance System used, prior to its implementation (or for any Automated Biometric Security or Surveillance System in use as of the effective date of this Order, within ninety (90) days of the effective date of this Order) and, thereafter, at least once every twelve (12) months, conduct a written assessment (“System Assessment”) of potential risks to consumers from the use of the Automated Biometric Security or Surveillance System, including, at a minimum, risks that consumers could experience physical, financial, or reputational injury, stigma, or severe emotional distress in connection with Inaccurate Outputs of the Automated Biometric Security or Surveillance System (e.g., if the technology misidentifies a consumer). The System Assessment must include a review of: 1. The consequences for consumers of Inaccurate Outputs of the Automated Biometric Security or Surveillance System, including actions that Respondents or others intend to or may foreseeably take in whole or in part as a result of such Outputs; 2. Any testing relating to the rate or likelihood of Inaccurate Outputs, the extent to which such testing was conducted using reliable methodologies and under conditions similar to those in which the Automated Biometric Security or Surveillance System will operate, and the results of such testing; 3. 
Any factors that are likely to affect the accuracy of the type of Automated Biometric Security or Surveillance System deployed, such as any characteristics of Biometric Information, of the context or method in which Biometric Information is captured, or of individuals whose Biometric Information is used in connection with the Automated Biometric Security or Surveillance System (e.g., skin tone or language or dialect spoken), that would increase or decrease the likelihood that its use in connection with the Automated Biometric Security or Surveillance System would result in Inaccurate Outputs; 4. The extent to which the specific components of the Automated Biometric Security or Surveillance System as deployed, including the specific types and models of any devices or software, that any Covered Business uses or will use to capture, transmit, or store Biometric Information could affect the likelihood that the Automated Biometric Security or Surveillance System produces Inaccurate Outputs; 5. Documentation and monitoring of the Automated Biometric Security or Surveillance System’s accuracy that Respondents have conducted pursuant to sub-Provision III.D; 6. The extent to which the Automated Biometric Security or Surveillance System was developed to be used for a similar purpose and under similar conditions to those under which any Covered Business deploys or will deploy the Automated Biometric Security or Surveillance System; 7. The methods by which any algorithms comprising part of the Automated Biometric Security or Surveillance System were developed, including the extent to which such components were developed using machine learning or any other method that entails the use of datasets to train algorithms, and the extent to which these methods increase the likelihood that Inaccurate Outputs will occur or will disproportionately affect consumers depending on their race, ethnicity, gender, sex, age, or disability status. This review should include, at a minimum: a. 
The sources and manner of collection of data that have been used to train or otherwise develop algorithmic components of the Automated Biometric Security or Surveillance System; b. The extent to which the training data are materially similar to the Biometric Information that will be used in connection with deployment of the Automated Biometric Security or Surveillance System in light of factors that are known to affect the accuracy of the type of Automated Biometric Security or Surveillance System deployed; and c. The makeup of any datasets that have been used to train or otherwise develop algorithmic components of the Automated Biometric Security or Surveillance System, including the extent to which the datasets have been representative, in terms of race, ethnicity, gender, sex, age, and disability status, of the population(s) of consumers whose Biometric Information will be used in connection with deployment of the Automated Biometric Security or Surveillance System; 8. The context in which the Automated Biometric Security or Surveillance System is or will be deployed, including the geographical locations of stores deploying the technology, demographic characteristics, including race and ethnicity, of areas surrounding stores where technology is deployed, physical location within stores or sections of stores, such as pharmacies, of system components, and the scale, timing and duration of the deployment (e.g., how long the system will be deployed and whether the system will operate continuously or only under certain circumstances); 9. All policies and procedures governing the operation of the Automated Biometric Security or Surveillance System and its software, algorithms, hardware, or other components; 10. The extent to which Operators receive sufficient and relevant training or are subject to oversight; 11. 
The extent to which the Automated Biometric Security or Surveillance System is likely to generate Inaccurate Outputs at a higher rate when analyzing or using Biometric Information collected from or about consumers of particular races, ethnicities, sexes, genders, ages, or who have disabilities (or any of these categories in combination), taking into account technical elements of the Automated Biometric Security or Surveillance System and any components thereof, the selection of locations in which to deploy the Automated Biometric Security or Surveillance System, and the context or manner in which any Covered Business has deployed or will deploy the Automated Biometric Security or Surveillance System; and 12. The extent to which consumers are able to avoid the Automated Biometric Security or Surveillance System without losing access to any Covered Business’s physical retail locations or online services, including by withholding Affirmative Express Consent for, or opting out of, the collection or use of their Biometric Information.\n\nD. Implement, maintain, and document safeguards that are designed to control for the risks Respondents identify in the System Assessment. Each safeguard must be based on the severity of the risk to consumers and the likelihood that the risk could be realized. Such safeguards must also include: 1. Selecting and retaining service providers with duties related to the subject matter of this Order that are capable of performing those duties in a manner consistent with the Program and this Order, and contractually requiring such service providers to (1) comply with the requirements of the Program and this Order and (2) make available to Respondents all information and materials necessary to conduct the System Assessment; 2. Requiring and documenting regular and at least annual training for all Operators, which must cover, at a minimum: a. 
Methodologies for interpreting or assessing the validity of the Outputs of the Automated Biometric Security or Surveillance System, including for judging whether Outputs are Inaccurate; b. Evaluation of Biometric Information to determine its quality, value, and appropriateness for use in connection with the Automated Biometric Security or Surveillance System, particularly in light of each relevant factor identified pursuant to sub-Provision III.C.3 and the quality standards implemented pursuant to sub-Provision III.D.6.a; c. An overview of the types of human cognitive bias, such as automation bias and confirmation bias, that could foreseeably affect Operators’ interpretations of the Outputs; d. Known limitations of the Automated Biometric Security or Surveillance System, including factors that are known to affect the accuracy of the Outputs of Automated Biometric Security or Surveillance Systems of the type deployed, such as image or sound quality, the method by which Biometric Information to be used in connection with the Automated Biometric Security or Surveillance System is collected, background images or sounds, the passage of time since the capture of a Biometric Information sample, or relevant demographic, physical, or other traits of the individual to whom Biometric Information pertains (such as race, ethnicity, sex, gender, age, or disability, alone or in combination); and e. The requirements of this Order; 3. Documenting, for each Output, any Respondent’s determination of whether the Output is Inaccurate and any actions that Operators take in whole or in part because of the Output; 4. 
Periodically, and at least annually, reviewing actions taken by any Operators in response to Outputs, updating the content of training for Operators to address systemic Operator errors identified by periodic reviews, and, if there is reason to believe that an Operator’s operation of the Automated Biometric Security or Surveillance System increases risk to consumers, or if an Operator fails to comply with the requirements of this Order, terminating such Operator’s operation of the Automated Biometric Security or Surveillance System; 5. Developing, implementing, and maintaining policies and procedures designed to ensure that Respondents have a reasonable basis for enrolling each consumer’s Biometric Information in any Gallery; 6. Implementing and maintaining policies and procedures to ensure that samples of Biometric Information used in connection with the Automated Biometric Security or Surveillance System do not increase the likelihood of Inaccurate Outputs, including by: a. Developing, implementing, and enforcing written quality standards for Biometric Information to be used in connection with the Automated Biometric Security or Surveillance System, taking into account the nature of the Automated Biometric Security or Surveillance System, the manner in which the Biometric Information is captured, and characteristics of Biometric Information that could affect the accuracy of the Automated Biometric Security or Surveillance System; b. 
To the extent that deployment of the Automated Biometric Security or Surveillance System entails the creation of a Gallery, periodically, and at least monthly, reviewing such Gallery to identify and, as soon as practicable, remove samples of Biometric Information that (1) have been associated with two or more Inaccurate Outputs, including Outputs that were determined to be Inaccurate based on investigations conducted in response to consumer complaints pursuant to sub-Provision IV.C of this Order; (2) do not meet the quality standards referenced in sub-Provision III.D.6.a; (3) are required to be deleted pursuant to Provision V of this Order, entitled “Required Retention Limits for Biometric Information;” or (4) have been enrolled without a reasonable basis or in violation of policies and procedures implemented pursuant to sub-Provision III.D.5; c. Periodically, and at least annually, reviewing the means by which Biometric Information to be used in connection with the Automated Biometric Security or Surveillance System is captured, including the extent to which any software or hardware used to collect Biometric Information is functioning properly and are consistently capturing samples of Biometric Information that meet the quality standards developed and implemented pursuant to sub-Provision III.D.6.a and are not otherwise contributing to the generation of Inaccurate Outputs; and 7. Conducting documented testing of the Automated Biometric Security or Surveillance System prior to deployment and at least once every twelve (12) months thereafter. Such testing must be conducted with the Affirmative Express Consent of individuals whose Biometric Information will be used for testing and must: a. 
Be conducted under conditions that materially replicate the conditions under which the Automated Biometric Security or Surveillance System is actually used, taking into account factors that affect the accuracy of the type of Automated Biometric Security or Surveillance System to be tested, the means by which Biometric Information to be used in connection with the Automated Biometric Security or Surveillance System is captured, and the roles of Operators; b. Determine the rate at which the Automated Biometric Security or Surveillance System’s Outputs are Inaccurate, including by assessing the extent to which the Outputs can be verified using evidence or information other than an Output of an Automated Biometric Security or Surveillance System. For example, if an Output indicates the identity of an individual, the Output is verified if it is corroborated by a review of government-issued identification documents; c. Identify factors that cause or contribute to Inaccurate Outputs; and d. Assess and measure any statistically significant variation in the Automated Biometric Security or Surveillance System’s rate of Inaccurate Outputs depending on demographic characteristics of the consumers whose Biometric Information is analyzed or used, such as race, ethnicity, sex, gender, age, or disability (alone or in combination).\n\nE. Evaluate and adjust the Program in light of any circumstance that Respondents know or have reason to know may materially affect the Program’s effectiveness. At a minimum, every twelve (12) months, each Covered Business must evaluate the effectiveness of the Program in light of the System Assessment and the results of all monitoring, testing, and documentation conducted pursuant to the Program. 
Respondents must implement modifications to substantially and timely remediate any identified risks that consumers may experience physical, financial, or reputational injury, stigma, or severe emotional distress, including in connection with communications of the Outputs to law enforcement or other third parties, taking into account the extent to which such harms are likely to disproportionately affect particular demographics of consumers based on race, ethnicity, gender, sex, age, or disability (alone or in combination);\n\nF. Provide the written System Assessment and Program, and any evaluations thereof or updates thereto, to Respondents’ board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondents responsible for the Program at least once every twelve (12) months; and\n\nG. Not deploy or discontinue deployment of an Automated Biometric Security or Surveillance System if: 1. Respondents do not possess competent and reliable scientific evidence that is sufficient in quality and quantity based on standards generally accepted in the relevant scientific fields, when considered in light of the entire body of relevant and reliable scientific evidence, to substantiate that Outputs of the Automated Biometric Security or Surveillance System are likely to be accurate. For purposes of this Provision III, competent and reliable scientific evidence means tests, analyses, research, or studies that have been conducted and evaluated in an objective manner by qualified persons and are generally accepted in the profession to yield accurate and reliable results; or 2. Respondents have reason to believe, taking into account the System Assessment, the Program, all consumer complaints, and all monitoring, testing, documentation, and evaluations conducted pursuant to the Program, that: a. 
Respondents’ use of the Automated Biometric Security or Surveillance System creates or contributes to a risk that Inaccurate Outputs will cause consumers to experience substantial physical, financial, or reputational injury, discrimination based on race, ethnicity, gender, sex, age, or disability, stigma, or severe emotional distress to consumers, including in connection with communications of the Outputs to law enforcement or other third parties, taking into account the extent to which such harms are likely to disproportionately affect consumers based on race, ethnicity, gender, sex, age, or disability; and b. The identified risks are not substantially and timely eliminated by modifications to the Program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Surveillance"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "IV",
      "title": "Mandatory Notice and Complaint Procedures for Automated Biometric Security or Surveillance Systems",
      "category": "affirmative_obligation",
      "summary": "Before using any Automated Biometric Security or Surveillance System, Respondents must establish and maintain procedures to provide consumers with notice of Gallery enrollment and of adverse actions taken based on Outputs, and must investigate and respond to consumer complaints within specified timeframes.",
      "verbatim_text": "A. Provide written notice to all consumers who will have their Biometric Information enrolled in any Gallery used in conjunction with an Automated Biometric Security or Surveillance System, unless Respondents are unable to provide the notice due to safety concerns or the nature of a security incident that forms the basis for enrollment. Respondents shall provide such notice prior to or promptly after enrollment, and the notice shall include: 1. An explanation for the reasonable basis (as described in sub-Provision III.D.5) for enrollment in the Gallery, including a description of any security incident that provided that basis; 2. Instructions about how to obtain a copy of the sample of Biometric Information that was collected in order to enroll the consumer, which Respondents must make available upon request so long as Respondents retain said sample; 3. The length of time for which Respondent will retain the consumer’s Biometric Information in the Gallery; and 4. An email address, online form, mailing address, and telephone number to which consumers can direct complaints or inquiries about their enrollment in the Gallery; the Automated Biometric Security or Surveillance System; or retention of their Biometric Information.\n\nB. Provide written notice to all consumers with respect to whom Respondents, in connection with an Output, take an action that could result in physical, financial, or reputational harm to the consumers, including in connection with communications of the Output to law enforcement or other third parties, unless Respondents are unable to provide the notice due to safety concerns or the nature of a security incident relating to the Output. Respondents shall provide such notice prior to taking, or, if prior notice is infeasible, at the time of taking an action, and the notice shall include: 1. The date, approximate time, and location of the Output; 2. A description of the action or actions taken; 3. 
An explanation of how that action relates to the Output; and 4. An email address, online form, mailing address, and telephone number to which consumers can direct complaints or inquiries about the Output; the Automated Biometric Security or Surveillance System that generated the Output; or the use, sharing, or retention of their Biometric Information.\n\nC. Investigate each complaint to (1) determine whether the relevant Output was an Inaccurate Output, and, if so, identify any factors that likely contributed to the generation of an Inaccurate Output; and (2) assess whether Operators responded to the Output in a manner that was appropriate and consistent with the requirements of this Order; and\n\n1. Within seven (7) days of receiving the complaint, providing written confirmation of receipt to the consumer who submitted the complaint. Such written confirmation should be provided using the same means of communication that the consumer used to submit the complaint, or by another means selected by the consumer during the complaint submission process, and should state that Respondents will investigate the consumer’s complaint and provide its conclusions within thirty (30) days;\n\n2. Within thirty (30) days of providing the written confirmation, providing a written response to the consumer who submitted the complaint. Such written response must be provided using the same means of communication as the written confirmation and must (1) state whether the Output was determined to be an Inaccurate Output and the basis for such a determination; and (2) describe in general terms actions taken in response to the complaint.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "V",
      "title": "Required Retention Limits for Biometric Information",
      "category": "affirmative_obligation",
      "summary": "Prior to implementing any Automated Biometric Security or Surveillance System, Respondents must develop and implement a written retention schedule for each type of consumer Biometric Information collected, specifying purposes, a deletion timeframe of no more than five years, and the basis for that timeframe.",
      "verbatim_text": "prior to implementing any Automated Biometric Security or Surveillance System, develop and implement, for each type of Biometric Information from or about consumers of such physical retail location or online retail platform that is collected in whole or in part for use in connection with any Automated Biometric Security or Surveillance System, a written retention schedule setting forth: A. All purposes and business needs for which the Covered Business collects or uses the type of Biometric Information; B. A timeframe for deletion of the Biometric Information that is no greater than five (5) years, except to the extent that retention beyond five years is required by law or Respondents have obtained Affirmative Express Consent for the retention within the previous five (5) years, and precludes retention beyond what is reasonably necessary to achieve the purpose or purposes and serve the business needs for which it was collected; and C. The basis for the timeframe for deletion of the Biometric Information, including any foreseeable effect on the likelihood of Inaccurate Outputs of the passage of time since a given sample of the type of Biometric Information was collected or enrolled in a Gallery.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "VI",
      "title": "Disclosure of Automated Biometric Security or Surveillance Systems",
      "category": "affirmative_obligation",
      "summary": "Within 30 days of the effective date, Respondents must post Clear and Conspicuous notices in each physical retail location and on each website, mobile application, or online service disclosing the use of any Automated Biometric Security or Surveillance System, including types of Biometric Information collected, types of Outputs generated, purposes for use, and retention timeframes.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, for any Covered Business, in connection with the operation of any retail store, retail pharmacy, or online retail platform, must, within thirty (30) days after the effective date of this Order, post Clear and Conspicuous notices disclosing the Covered Business’s use of any Automated Biometric Security or Surveillance System in connection with Biometric Information collected from or about consumers of the physical retail location or online retail platform. Such notices must be posted in each physical retail location, and on each website, mobile application, or online service on or through which Biometric Information from or about consumers is collected or used in whole or in part for the purpose of operating an Automated Biometric Security or Surveillance System, and must include, as to each such location, website, mobile application, or online service: A. The specific types of Biometric Information that are collected in whole or in part for the purpose of operating an Automated Biometric Security or Surveillance System; B. The types of Outputs that are generated by the Automated Biometric Security or Surveillance Systems; C. All purposes for which the Covered Business uses each Automated Biometric Security or Surveillance System or its Outputs, including actions that the Covered Business may take on the basis of Outputs; and D. The timeframe for deletion of each type of Biometric Information used, as established pursuant to Provision V of this Order, entitled “Required Retention Limits for Biometric Information.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "AI / Automated Decision-Making",
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "VII",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent in any manner the extent to which they maintain and protect the privacy, security, confidentiality, or integrity of Covered Information, including misrepresentations about security measures, privacy choices, data collection/use/deletion practices, or third-party access.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication, the extent to which Respondents maintain and protect the privacy, security, confidentiality, or integrity of Covered Information, including, but not limited to, misrepresentations related to: A. Respondents’ privacy and security measures to prevent unauthorized access to Covered Information; B. Respondents’ privacy and security measures to honor the privacy choices exercised by consumers; C. Respondents’ collection, maintenance, use, disclosure, or deletion of Covered Information; or D. The extent to which Respondents make or have made Covered Information accessible to any third parties.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security",
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "VIII",
      "title": "Mandated Information Security Program for Covered Businesses",
      "category": "affirmative_obligation",
      "summary": "Within 90 days of the effective date, Respondents must establish, implement, and maintain a comprehensive Information Security Program protecting the security, confidentiality, and integrity of Covered Information, encompassing documentation, board reporting, designated leadership, risk assessments, safeguards, vendor management, and ongoing evaluation.",
      "verbatim_text": "A. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written Information Security Program and any evaluations thereof or updates thereto to the Covered Business’ board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of the Covered Business responsible for the Covered Business’s Information Security Program at least once every twelve (12) months and promptly (not to exceed 30 days) after a Covered Incident affecting 500 or more consumers;\n\nC. Designate a qualified employee or employees, who report(s) directly to the Executive Leadership Team (including the Chief Executive Officer, Chief Information Officer, and Chief Legal Officer) to coordinate and be responsible for the Information Security Program and keep the Executive Leadership Team and Board of Directors informed of the Information Security Program, including all actions and procedures implemented to comply with the requirements of this Order, and any actions and procedures to be implemented to ensure continued compliance with this Order;\n\nD. Assess and document, at least once every twelve (12) months and promptly (not to exceed 30 days) following a Covered Incident affecting 100 or more consumers, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in the (1) unauthorized collection, maintenance, alteration, destruction, use, disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Covered Businesses identify to the security, confidentiality, or integrity of Covered Information identified in response to sub-Provision D of this Provision. 
Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, alteration, destruction, use, disclosure of, or provision of access to, Covered Information; or the (2) misuse, loss, theft, or other compromise of such information. Such safeguards must also include: 1. Training of all employees, at least once every twelve (12) months, on how to safeguard Covered Information including, for information security personnel, security updates and training sufficient to address relevant security risks, and verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures; 2. Documenting in writing the content, implementation, and maintenance of an incident response plan designed to ensure the identification of, investigation of, and response to the unauthorized access to Covered Information. Respondents shall revise and update this incident response plan to adapt to material changes to their assets or networks; 3. Implementing technical measures to log and monitor all networks and assets for anomalous activity and active threats. Such measures shall require Respondents to determine baseline system activity and identify and respond to anomalous events and unauthorized attempts to access or exfiltrate Covered Information; 4. Policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures; 5. 
Implementing data access controls for all assets (including databases) storing Covered Information and technical measures, policies, and procedures to minimize or prevent online attacks resulting from the misuse of valid credentials, including: (a) restricting inbound and outbound connections; (b) requiring and enforcing strong passwords or other credentials; (c) preventing the reuse of known compromised credentials to access Covered Information; (d) implementing automatic password resets for known compromised credentials; and (e) limiting employee access to what is needed to perform that employee’s job function; 6. Requiring multi-factor authentication methods for all employees, contractors, and affiliates in order to access any assets (including databases) storing Covered Information. Such multi-factor authentication methods for all employees, contractors, and affiliates should not include telephone or SMS-based authentication methods and must be resistant to phishing attacks. Respondents may use equivalent, widely adopted industry authentication options that are not multi-factor, if the person responsible for the Information Security Program under sub-Provision C of this Provision: (1) approves in writing the use of such equivalent authentication options; and (2) documents a written explanation of how the authentication options are widely adopted and at least equivalent to the security provided by multi-factor authentication; 7. Developing and implementing configuration standards to harden system components against known threats and vulnerabilities. New system components shall not be granted access to any Covered Businesses’ network, resources, or Covered Information until they meet Respondents’ configuration standards; 8. 
Encryption of, at a minimum, all Social Security numbers, passport numbers, financial account information, tax information, dates of birth associated with a user’s account, Health Information, and user account credentials while in transit or at rest on each Covered Businesses’ computer networks, including but not limited to cloud storage; 9. Policies and procedures to ensure that all networks, systems, and assets with access to Covered Information within the Covered Businesses’ custody or control are securely installed and inventoried at least once every twelve (12) months; 10. Implementing vulnerability and patch management measures, policies, and procedures that (a) require confirmation that any directives to apply patches or remediate vulnerabilities are received and completed and (b) include timelines for addressing vulnerabilities that account for the severity and exploitability of the risk implicated; and 11. Enforcing policies and procedures to ensure the timely investigation of data security events and the timely remediation of critical and high-risk security vulnerabilities.\n\nF. Assess, at least once every twelve (12) months and promptly (not to exceed 30 days) following a Covered Incident affecting 100 or more consumers, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Covered Information, and modify the Information Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards in place at least once every twelve (12) months and promptly (not to exceed 30 days) following a Covered Incident affecting 100 or more consumers, and modify the Information Security Program based on the results as necessary. 
Such testing and monitoring must include: (1) vulnerability testing of each Covered Business’ network and applications once every four (4) months and promptly (not to exceed 30 days) after a Covered Incident; and (2) penetration testing of each Covered Business’ network(s) and applications at least once every twelve (12) months and promptly (not to exceed 30 days) after a Covered Incident;\n\nH. Evaluate and adjust the Information Security Program in light of any material changes to a Covered Business’ operations or business arrangements, a Covered Incident affecting 100 or more consumers, new or more efficient technological or operational methods to control for the risks identified in sub-Provision D of this Provision, or any other circumstances that a Covered Business or its officers, agents, or employees know or have reason to know may have a material impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, each Covered Business must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program, if appropriate, based on the results;\n\nI. Select and retain Vendors capable of safeguarding Covered Information they access through or receive from each Covered Business, including by implementing and maintaining a uniform process that is fully documented in writing to conduct risk assessments for each Vendor, and contractually require Vendors to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information. The uniform process must include a review and analysis of the information and documentation obtained about each Vendor pursuant to this Provision. The level of the assessment for each Vendor should be commensurate with the risk it poses to the security of Covered Information;\n\nJ. 
Require each Vendor agree by contract (upon renewal or new engagement or, in any event, within 180 days of the effective date of this Order) to: 1. Develop and implement policies and procedures for the prompt remediation and investigation of any incident that results in the Vendor or Covered Business notifying, pursuant to an applicable statutory or regulatory requirement, any U.S. federal, state, or local government entity that information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization; and 2. Notify the Covered Business in writing as soon as possible, and in any event no later than seventy-two (72) hours, if the Vendor has reason to believe that any person has accessed, exfiltrated, or otherwise obtained without authorization Covered Information that the Vendor obtained from the Covered Business.\n\nK. Obtain or possess for each Vendor, within 180 days of the effective date of this Order, documentation regarding the Vendor’s information security program that is material to the security of Covered Information within the possession, custody, or control of the Covered Business, including, without limitation, documentation of the Vendor’s cybersecurity risk assessment conducted within the last twelve (12) months. The Covered Business must be in possession of such documentation before it provides the Vendor with access to Covered Information;\n\nL. Determine in writing, at least once every twenty-four (24) months, whether there has been a material change to the Vendor’s information security program. If there has been a material change, the Covered Business must obtain or possess new documentation regarding the Vendor’s information security program that is material to the security of Covered Information within the possession, custody, or control of the Covered Business;\n\nM. 
Maintain in one or more central repositories all documentation about or provided by each Vendor pursuant to sub-Provisions J, K, and L of this Provision, including but not limited to each contract with a Vendor, for a period of five (5) years from when it was obtained or provided. This sub-Provision is in addition to and not in lieu of the Provision entitled Recordkeeping;\n\nN. At least once every twenty-four (24) months, and promptly following a Covered Incident affecting 100 or more consumers involving a Vendor or determination of a material change to a Vendor’s information security program under sub-Provision L of this Provision, conduct written reassessments of each Vendor (or, in the case of a Covered Incident affecting 100 or more consumers, each relevant Vendor) to determine the continued adequacy of their safeguards to control the internal and external risks to the security of Covered Information and document the basis for the Covered Business’s determination as to whether each Vendor’s safeguards are adequate. The level of the assessment for each Vendor should be commensurate with the risk it poses to the security of Covered Information; and\n\nO. Maintain in one or more central repositories all documentation created by the Covered Business pursuant to sub-Provision N of this Provision for a period of five (5) years from when it was created. This sub-Provision is in addition to and not in lieu of the Provision entitled Recordkeeping.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "IX",
      "title": "Third Party Information Security Assessments for Covered Businesses",
      "category": "assessment",
      "summary": "Respondents must obtain initial and biennial independent third-party assessments of the Information Security Program from a qualified Assessor approved by the FTC, covering the first 180 days after the Program is established and each two-year period thereafter for 20 years, with detailed assessment requirements and submission obligations.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; and (3) retains all documents relevant to each Assessment for 5 years after completion of such Assessment and will provide such documents to the Commission within 10 days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Respondents must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in their sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the Mandated Information Security Program for Covered Businesses required by Provision VIII of this Order has been put in place for the initial Assessment; and (2) each two-year period thereafter for 20 years after issuance of the Order for the biennial Assessments.\n\nD. Each Assessment must, for the entire assessment period: 1. Determine whether Respondents have implemented and maintained the Information Security Program required by the Provision entitled Mandated Information Security Program for Covered Businesses; 2. Assess the effectiveness of Respondents’ implementation and maintenance of sub-Provisions A-O of the Provision entitled Mandated Information Security Program for Covered Businesses; 3. Identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; 4. 
Address the status of gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and 5. Identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of the business’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondents’ management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondents’ management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent any Respondent revises, updates, or adds one or more safeguards required under the Provision entitled Mandated Information Security Program for Covered Businesses in the middle of an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. 
Unless otherwise directed by a Commission representative in writing, Respondents must submit an unredacted copy of the initial Assessment and a proposed redacted copy suitable for public disclosure of the initial Assessment to the Commission within 10 days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Rite Aid Corporation, FTC File No. C-4308.” Respondents must retain an unredacted copy of each subsequent biennial Assessment as well as a proposed redacted copy of each subsequent biennial Assessment suitable for public disclosure until the Order is terminated and must provide each such Assessment to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “Information Security Program Assessment” in red lettering.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "X",
      "title": "Cooperation with Third-Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondents must fully cooperate with the third-party Assessor by providing all relevant information, network and IT asset access, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;\n\nB. Provide or otherwise make available to the Assessor information about Respondents’ networks and all of Respondents’ information technology assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the networks and information technology assets deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondents have implemented and maintained the Mandated Information Security Program for Covered Businesses; (2) assessment of the effectiveness of the Respondents’ implementation and maintenance of sub-Provisions A-O of the required Mandated Information Security Program for Covered Businesses; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Mandated Information Security Program for Covered Businesses.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "XI",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondents must provide annual certifications from their CEO (or designated senior officer) confirming compliance with the Order, absence of uncorrected material noncompliance, and describing all Covered Incidents affecting 100 or more consumers during the certified period.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from Corporate Respondents’ Chief Executive Officer, Mr. Jeffrey S. Stein, or if Mr. Stein no longer serves as Respondents’ Chief Executive Officer, President or such other officer (regardless of title) that is designated in that Respondent’s Bylaws or resolution of the Board of Directors as having the duties of the principal executive officer of Respondent, then a senior corporate manager, or, if no such senior corporate manager exists, a senior officer responsible for Respondents’ Information Security Program that: (1) each Covered Business has established, implemented, and maintained the requirements of this Order; (2) each Covered Business is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents affecting 100 or more consumers that Respondents verified or confirmed during the certified period. The certification must be based on the personal knowledge of Mr. Stein, the senior corporate manager, senior officer, or subject matter experts upon whom Mr. Stein, the senior corporate manager, or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Rite Aid Corporation, FTC File No. C-4308.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "XII",
      "title": "Covered Incident Reports",
      "category": "compliance_reporting",
      "summary": "Within 10 days of notifying any U.S. government entity of a Covered Incident affecting 500 or more consumers, Respondents must submit a report to the Commission detailing the incident's date, facts, affected information types, number of affected consumers, remediation actions taken, and copies of consumer notices.",
      "verbatim_text": "IT IS FURTHER ORDERED that, within 10 days of any notification to a United States federal, state, or local entity of a Covered Incident affecting 500 or more consumers, Respondents, for any Covered Business, must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known; C. A description of each type of information that was affected by the Covered Incident; D. The number of consumers whose information was affected by the Covered Incident; E. The acts that each Covered Business has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of each materially different notice sent by each Covered Business to consumers or to any U.S. federal, state, or local government entity regarding the Covered Incident.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Rite Aid Corporation, FTC File No. C-4308.”",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "XIII",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondents must submit their own acknowledgment of receipt within 10 days, deliver copies of the Order to current and future principals, officers, relevant employees, subsidiaries, and agents for 20 years, and obtain signed acknowledgments from each recipient within 30 days.",
      "verbatim_text": "A. Each Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, each Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all of Respondents’ current and future subsidiaries that own, control, or operate one or more stores or online retail platforms; (3) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (4) any business entity resulting from any change in structure as set forth in the Provision entitled Compliance Reports and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondents delivered a copy of this Order, Respondents must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "XIV",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit an initial sworn compliance report one year after issuance, provide sworn notices within 14 days of structural or contact changes or bankruptcy filings, and submit all required documents to the Commission via specified channels.",
      "verbatim_text": "A. One year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which each Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of that Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how that Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission;\n\nB. Each Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in (a) any designated point of contact; or (b) the structure of such Respondent or any entity that such Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order;\n\nC. Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within fourteen (14) days of its filing;\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature;\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Rite Aid Corporation, FTC File No. C-4308”.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "XV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create certain records for 20 years after the issuance date and retain each for five years (unless otherwise specified), including accounting records, personnel records, consumer complaints, compliance records, System Assessment materials, privacy/security representations, Assessor materials, law enforcement communications, and records of non-compliance.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints concerning the subject matter of this Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission;\n\nE. For five (5) years after the date of preparation of each System Assessment required by this Order, all materials relied upon to prepare the System Assessment, including all plans, test results, reports, studies, reviews, audits, policies, training materials, and assessments, and any other materials concerning Respondents’ compliance with related Provisions of this Order, for the compliance period covered by such System Assessment;\n\nF. A copy of each widely disseminated and materially different representation by Defendants that describes the extent to which Defendants maintains or protects the privacy, security, availability, confidentiality, or integrity of any Covered Information, including any representation concerning a change in any website or other service controlled by Respondents that relates to privacy, security, availability, confidentiality, or integrity of Covered Information;\n\nG. 
For five (5) years after the date of preparation of each Assessment by the Assessor, as those terms are defined in Provision IX, all materials and evidence that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nH. For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondents’ compliance with this Order; and\n\nI. For five (5) years from the date created or received, all records, whether prepared by or on behalf of a Respondent, that tend to show any lack of compliance by a Respondent with this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "XVI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondents' compliance by requesting additional reports, conducting depositions, obtaining records, communicating directly with Respondents, interviewing affiliated individuals, and using all other lawful means including undercover operations.",
      "verbatim_text": "A. Within fourteen (14) days of receipt of a written request from a representative of the Commission, each Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce records for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with each Respondent. Respondents must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "XVII",
      "title": "Modification of Original Decision and Order",
      "category": "affirmative_obligation",
      "summary": "This Decision and Order supersedes the Commission's prior 2010 Decision and Order in In re Rite Aid Corporation, C-4308.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Decision and Order supersedes the Decision and Order the Commission previously issued in In re Rite Aid Corporation, C-4308, 150 F.T.C. 694 (Nov. 12, 2010).",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Other"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "XVIII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order is final and effective upon publication on ftc.gov and will terminate 20 years from the date of issuance, or 20 years from the most recent date the United States or Commission files a federal court complaint alleging a violation of this Order, whichever is later, with specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.10_rite_aid_corporation",
      "company_name": "Rite Aid Corporation",
      "date_issued": "2010-11-15",
      "year": 2010,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v",
      "docket_number": "C-4308"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any way its membership in, compliance with, or participation in any privacy or security program sponsored by a government or self-regulatory organization, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.17_decusoft",
      "company_name": "Decusoft, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3173-decusoft-llc-matter",
      "docket_number": "C-4630"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order itself, deliver copies to relevant personnel, and obtain signed acknowledgments from all recipients.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives with responsibilities related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.17_decusoft",
      "company_name": "Decusoft, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3173-decusoft-llc-matter",
      "docket_number": "C-4630"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days, and submit timely notices of any changes in contact information, organizational structure, or bankruptcy proceedings.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Decusoft, LLC, FTC File No. 1723173.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.17_decusoft",
      "company_name": "Decusoft, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3173-decusoft-llc-matter",
      "docket_number": "C-4630"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified business records for 20 years after the issuance date, with each record retained for at least 5 years.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each unique advertisement, promotional material, or other marketing material making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.17_decusoft",
      "company_name": "Decusoft, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3173-decusoft-llc-matter",
      "docket_number": "C-4630"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, conducting interviews of affiliated persons, and using other lawful means including undercover contacts.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.17_decusoft",
      "company_name": "Decusoft, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3173-decusoft-llc-matter",
      "docket_number": "C-4630"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC website and terminates on November 20, 2037, or 20 years from the most recent date the FTC files a federal court complaint alleging a violation of the Order, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on November 20, 2037, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any Respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. If such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order as to Respondent will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.17_decusoft",
      "company_name": "Decusoft, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3173-decusoft-llc-matter",
      "docket_number": "C-4630"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Participation in Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in any government or self-regulatory privacy or security program, including the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.17_md7",
      "company_name": "Md7, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3172-md7-llc-matter",
      "docket_number": "C-4629"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order, deliver copies to relevant personnel and business successors, and obtain signed acknowledgments from all recipients.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives with responsibilities related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.17_md7",
      "company_name": "Md7, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3172-md7-llc-matter",
      "docket_number": "C-4629"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days and provide timely sworn notices of any changes in contact, structure, or bankruptcy filings.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Md7, LLC, FTC File No. 1723172.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.17_md7",
      "company_name": "Md7, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3172-md7-llc-matter",
      "docket_number": "C-4629"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "For twenty years after the issuance date, Respondent must create specific categories of records and retain each for five years, including accounting records, personnel records, compliance records, and copies of all marketing materials.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each unique advertisement, promotional material, or other marketing material making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.17_md7",
      "company_name": "Md7, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3172-md7-llc-matter",
      "docket_number": "C-4629"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, interviewing affiliated individuals, and using other lawful investigative means including undercover techniques.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.17_md7",
      "company_name": "Md7, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3172-md7-llc-matter",
      "docket_number": "C-4629"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and will terminate on November 20, 2037, or twenty years from the most recent federal court complaint alleging a violation, whichever is later, subject to specific exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on November 20, 2037, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any Respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. If such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order as to Respondent will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.17_md7",
      "company_name": "Md7, LLC",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3172-md7-llc-matter",
      "docket_number": "C-4629"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in any government or self-regulatory privacy or security program, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss - U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.17_tru_communication",
      "company_name": "Tru Communication, Inc.",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3171-tru-communication-inc-matter",
      "docket_number": "C-4628"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order itself, deliver copies to relevant personnel and successor entities, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives with responsibilities related to the subject matter of the Order; and (3) any business entity resulting from any change in Page 2 of 5 structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.17_tru_communication",
      "company_name": "Tru Communication, Inc.",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3171-tru-communication-inc-matter",
      "docket_number": "C-4628"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days, and thereafter submit sworn notices within 14 days of any material changes in contact information, corporate structure, or bankruptcy filings.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Page 3 of 5 Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re Tru Communication, Inc. dba TCPrinting.net, FTC File No. 1723171.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.17_tru_communication",
      "company_name": "Tru Communication, Inc.",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3171-tru-communication-inc-matter",
      "docket_number": "C-4628"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain for five years specified categories of business records for a period of twenty years from the issuance date of the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for 5 (five) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each unique advertisement, promotional material, or other marketing material making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.17_tru_communication",
      "company_name": "Tru Communication, Inc.",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3171-tru-communication-inc-matter",
      "docket_number": "C-4628"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance through requests for reports and records, direct communications with Respondent and its personnel, and undercover investigative means.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.17_tru_communication",
      "company_name": "Tru Communication, Inc.",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3171-tru-communication-inc-matter",
      "docket_number": "C-4628"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC website and terminates on November 20, 2037, or 20 years from the most recent date the Commission files a complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on November 20, 2037, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any Respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. If such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order as to Respondent will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.17_tru_communication",
      "company_name": "Tru Communication, Inc.",
      "date_issued": "2017-11-15",
      "year": 2017,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3171-tru-communication-inc-matter",
      "docket_number": "C-4628"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Participation in Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it is a member of, adheres to, or participates in any privacy or security program sponsored by a government or self-regulatory/standard-setting organization, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss- U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.18_mresource",
      "company_name": "mResource LLC",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3143-mresource-llc-loop-works-llc-matter",
      "docket_number": "C-4663"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit its own acknowledgment of receipt of this Order to the Commission, deliver copies to relevant personnel and any successor business entities, and obtain signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the Page 2 of 5 subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.18_mresource",
      "company_name": "mResource LLC",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3143-mresource-llc-loop-works-llc-matter",
      "docket_number": "C-4663"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days of issuance, and must submit sworn notices within 14 days of changes to designated contacts, corporate structure, or any bankruptcy filing.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re mResource LLC, FTC File No. 1823143.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.18_mresource",
      "company_name": "mResource LLC",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3143-mresource-llc-loop-works-llc-matter",
      "docket_number": "C-4663"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified records for 20 years after issuance (retaining each for 5 years), including accounting records, personnel records, compliance records, and copies of all advertising materials subject to this Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each unique advertisement or other marketing material making a representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.18_mresource",
      "company_name": "mResource LLC",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3143-mresource-llc-loop-works-llc-matter",
      "docket_number": "C-4663"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting additional reports and records, communicating directly with Respondent, interviewing affiliated individuals, and using all other lawful means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification Page 4 of 5 or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.18_mresource",
      "company_name": "mResource LLC",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3143-mresource-llc-loop-works-llc-matter",
      "docket_number": "C-4663"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "This Order becomes final and effective upon publication on the FTC's website and will terminate on November 15, 2038, or 20 years from the most recent date the Commission files a complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on November 15, 2038, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.18_mresource",
      "company_name": "mResource LLC",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3143-mresource-llc-loop-works-llc-matter",
      "docket_number": "C-4663"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Participation in Privacy Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, its membership in, compliance with, or participation in any privacy or security program sponsored by a government or self-regulatory organization, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss- U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.18_readytech_corporation",
      "company_name": "ReadyTech Corporation",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3100-readytech-corporation-matter",
      "docket_number": "C-4659"
    },
    {
      "provision_number": "II",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must acknowledge receipt of the Order itself, deliver copies to relevant personnel and business successors, and collect signed acknowledgments from all recipients.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the 2 subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.18_readytech_corporation",
      "company_name": "ReadyTech Corporation",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3100-readytech-corporation-matter",
      "docket_number": "C-4659"
    },
    {
      "provision_number": "III",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial sworn compliance report within 60 days, and thereafter submit sworn notices within 14 days of changes to contact information, corporate structure, or bankruptcy filings, following specific submission format and delivery requirements.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re ReadyTech Corporation, FTC File No. 1823100.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.18_readytech_corporation",
      "company_name": "ReadyTech Corporation",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3100-readytech-corporation-matter",
      "docket_number": "C-4659"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specific categories of records for 20 years after the Order's issuance date and retain each record for at least 5 years, covering financial, personnel, compliance, and advertising materials.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each widely disseminated representation by Respondent making any representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.18_readytech_corporation",
      "company_name": "ReadyTech Corporation",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3100-readytech-corporation-matter",
      "docket_number": "C-4659"
    },
    {
      "provision_number": "V",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, interviewing Respondent's personnel, and using all other lawful means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.18_readytech_corporation",
      "company_name": "ReadyTech Corporation",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3100-readytech-corporation-matter",
      "docket_number": "C-4659"
    },
    {
      "provision_number": "VI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC website and terminates on October 17, 2038, or 20 years from the most recent date a complaint alleging any violation is filed in federal court, whichever is later, subject to specific exceptions for shorter provisions, non-named respondents, and dismissed complaints.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on October 17, 2038, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.18_readytech_corporation",
      "company_name": "ReadyTech Corporation",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3100-readytech-corporation-matter",
      "docket_number": "C-4659"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Participation in Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in any privacy or security program sponsored by a government or self-regulatory organization, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss- U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.18_smartstart_employment_screening",
      "company_name": "SmartStart Employment Screening, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3154-smartstart-employment-screening-inc-matter",
      "docket_number": "C-4666"
    },
    {
      "provision_number": "II",
      "title": "Requirement to Meet Continuing Obligations Under Privacy Shield",
      "category": "affirmative_obligation",
      "summary": "Respondent must either affirm to the Department of Commerce that it will continue applying Privacy Shield principles (or use another authorized protection method) to personal information collected while participating in Privacy Shield, or return or delete that information — both within 10 days of the Order's effective date.",
      "verbatim_text": "A. affirm to the Department of Commerce, within ten (10) days after the effective date of this Order and on an annual basis thereafter for as long as it retains such information, that it will 1. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or 2. protect the information by another means authorized under EU (for the EU-U.S. Privacy Shield framework) or Swiss (for the Swiss-U.S. Privacy Shield framework) law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission; or\n\nB. return or delete the information within ten (10) days after the effective date of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.18_smartstart_employment_screening",
      "company_name": "SmartStart Employment Screening, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3154-smartstart-employment-screening-inc-matter",
      "docket_number": "C-4666"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit its own acknowledgment of receipt to the FTC within 10 days, deliver copies of the Order to relevant personnel and successor entities for 20 years, and obtain signed acknowledgments from all recipients within 30 days.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.18_smartstart_employment_screening",
      "company_name": "SmartStart Employment Screening, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3154-smartstart-employment-screening-inc-matter",
      "docket_number": "C-4666"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit an initial sworn compliance report within 60 days, and thereafter submit sworn notices within 14 days of any change in contact information, corporate structure, or bankruptcy filings, following specified submission procedures.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re SmartStart Employment Screening, Inc., FTC File No. ___________.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.18_smartstart_employment_screening",
      "company_name": "SmartStart Employment Screening, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3154-smartstart-employment-screening-inc-matter",
      "docket_number": "C-4666"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 20 years and retain each record for 5 years, covering accounting, personnel, Order compliance documentation, and advertising materials.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each unique advertisement or other marketing material making a representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.18_smartstart_employment_screening",
      "company_name": "SmartStart Employment Screening, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3154-smartstart-employment-screening-inc-matter",
      "docket_number": "C-4666"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor Respondent's compliance by requesting additional reports and records, interviewing affiliated persons, and using other lawful investigative means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.18_smartstart_employment_screening",
      "company_name": "SmartStart Employment Screening, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3154-smartstart-employment-screening-inc-matter",
      "docket_number": "C-4666"
    },
    {
      "provision_number": "VII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website and terminates on November 15, 2038, or 20 years from the most recent date the Commission files a complaint alleging any violation of the Order, whichever is later, subject to specific exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on November 15, 2038, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.18_smartstart_employment_screening",
      "company_name": "SmartStart Employment Screening, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3154-smartstart-employment-screening-inc-matter",
      "docket_number": "C-4666"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Participation in Privacy or Security Programs",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it participates in any privacy or security program sponsored by a government or self-regulatory organization, including the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.",
      "verbatim_text": "IT IS ORDERED that Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss- U.S. Privacy Shield framework.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.18_venpath",
      "company_name": "VenPath, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3144-venpath-inc-matter",
      "docket_number": "C-4664"
    },
    {
      "provision_number": "II",
      "title": "Requirement to Meet Continuing Obligations Under Privacy Shield",
      "category": "affirmative_obligation",
      "summary": "Respondent must either affirm to the Department of Commerce that it will continue applying Privacy Shield principles (or protect data by another EU/Swiss-authorized means) within 10 days of the Order and annually thereafter, or return or delete the personal information within 10 days.",
      "verbatim_text": "A. affirm to the Department of Commerce, within ten (10) days after the effective date of this Order and on an annual basis thereafter for as long as it retains such information, that it will a. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or b. protect the information by another means authorized under EU (for the EU- U.S. Privacy Shield framework) or Swiss (for the Swiss-U.S. Privacy Shield framework) law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission; or\n\nB. return or delete the information within ten (10) days after the effective date of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "11.18_venpath",
      "company_name": "VenPath, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3144-venpath-inc-matter",
      "docket_number": "C-4664"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit its own acknowledgment of receipt of this Order to the FTC within 10 days, deliver a copy of the Order to relevant personnel for 5 years, and obtain signed acknowledgments from each recipient within 60 days.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For five (5) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents and representatives having managerial responsibilities for conduct related to the subject matter of the Order ; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within sixty (60) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.18_venpath",
      "company_name": "VenPath, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3144-venpath-inc-matter",
      "docket_number": "C-4664"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file a sworn compliance report 60 days after issuance, submit sworn notices within 14 days of changes to contact information or corporate structure, and notify the FTC within 14 days of any bankruptcy filing.",
      "verbatim_text": "A. Sixty (60) days after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The subject line must begin: In re VenPath Inc., FTC File No. 1823144.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.18_venpath",
      "company_name": "VenPath, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3144-venpath-inc-matter",
      "docket_number": "C-4664"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create specified records for 20 years after the Order's issuance date and retain each record for 5 years, including accounting records, personnel records, compliance records, and copies of marketing materials.",
      "verbatim_text": "A. accounting records showing the revenues from all goods or services sold;\n\nB. personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and\n\nD. a copy of each unique advertisement or other marketing material making a representation subject to this Order, and all materials that were relied upon in making the representation.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "11.18_venpath",
      "company_name": "VenPath, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3144-venpath-inc-matter",
      "docket_number": "C-4664"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "Respondent must cooperate with FTC compliance monitoring by submitting additional reports and producing records within 10 days of written request, permitting direct communications and voluntary interviews, and allowing the FTC to use all lawful investigative means.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "11.18_venpath",
      "company_name": "VenPath, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3144-venpath-inc-matter",
      "docket_number": "C-4664"
    },
    {
      "provision_number": "VII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on ftc.gov and terminates on November 15, 2038, or 20 years from the most recent federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on November 15, 2038, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Provision in this Order that terminates in less than twenty (20) years; B. this Order’s application to any respondent that is not named as a defendant in such complaint; and C. this Order if such complaint is filed after the order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "11.18_venpath",
      "company_name": "VenPath, Inc.",
      "date_issued": "2018-11-15",
      "year": 2018,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3144-venpath-inc-matter",
      "docket_number": "C-4664"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Information Practices",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner its information practices in connection with any covered online service, including what personal information is collected, how it is protected, how it is handled upon policy changes, and parental controls for children's information.",
      "verbatim_text": "I. IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of a covered online service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, its information practices, including: A. what personal information is collected from or about consumers; B. the extent to which respondent’s product or service will maintain, protect or enhance the privacy, confidentiality, or security of any personally identifiable information collected from or about consumers; C. the steps respondent will take with respect to personal information it has collected in the event that it changes the terms of the privacy policy in effect at the time the information was collected; D. the extent to which the service allows parents to control what information their children can provide to participating sites or the use of that information by such sites; and E. any other matter regarding the collection, use, or disclosure of personally identifiable information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.02_microsoft_corporation",
      "company_name": "Microsoft Corporation",
      "date_issued": "2002-12-15",
      "year": 2002,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4069"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to its size, complexity, and the sensitivity of the personal information it collects.",
      "verbatim_text": "A. The designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. The identification of material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. Design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. Evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by paragraph C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on its information security program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "12.02_microsoft_corporation",
      "company_name": "Microsoft Corporation",
      "date_issued": "2002-12-15",
      "year": 2002,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4069"
    },
    {
      "provision_number": "III",
      "title": "Biannual Third-Party Security Assessment",
      "category": "assessment",
      "summary": "Respondent must obtain, within one year and biennially thereafter, an independent third-party assessment from a CISSP or FTC-approved professional certifying that the security program meets the requirements of Part II and is operating with sufficient effectiveness.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent obtain within one (1) year, and on a biannual basis thereafter, an assessment and report from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, that certifies: A. that respondent has in place a security program that provides protections that meet or exceed the protections required by Part II of this order; and B. that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of consumer’s personal information has been protected. The report required by this paragraph shall be prepared by a Certified Information System Security Professional (CISSP) or by a person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "12.02_microsoft_corporation",
      "company_name": "Microsoft Corporation",
      "date_issued": "2002-12-15",
      "year": 2002,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4069"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents relating to compliance, including advertising materials, Web pages, plans, reports, audits, and any documents that contradict or qualify its compliance with the order.",
      "verbatim_text": "A. a sample copy of each different print, broadcast, cable, or Internet advertisement, promotion, information collection form, Web page, screen, email message, or other document containing any representation to consumers regarding respondent’s collection, use, and security of personal information from or about consumers. Each Web page copy shall be dated and contain the full URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting the information on the Web. Provided, however, that after creation of any Web page or screen in compliance with this order, respondent shall not be required to retain a print or electronic copy of any amended Web page or screen to the extent that the amendment does not affect respondent’s compliance obligations under this order;\n\nB. all plans, reports, studies, reviews, audits, audit trails, policies, and training materials, whether prepared by or on behalf of respondent, relating to respondent’s compliance with this order; and\n\nC. any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.02_microsoft_corporation",
      "company_name": "Microsoft Corporation",
      "date_issued": "2002-12-15",
      "year": 2002,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4069"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment and Delivery",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with managerial responsibilities related to the order's subject matter — within 30 days for current personnel and 30 days of assuming a position for future personnel.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after the date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.02_microsoft_corporation",
      "company_name": "Microsoft Corporation",
      "date_issued": "2002-12-15",
      "year": 2002,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4069"
    },
    {
      "provision_number": "VI",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change (dissolution, merger, sale, bankruptcy filing, name/address change, or creation/dissolution of a subsidiary or affiliate) that may affect compliance obligations under this order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Microsoft Corporation, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.02_microsoft_corporation",
      "company_name": "Microsoft Corporation",
      "date_issued": "2002-12-15",
      "year": 2002,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4069"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within 60 days of service of the order, and at such other times as the FTC may require, detailing the manner and form in which it has complied.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Microsoft Corporation, and its successors and assigns, shall within sixty (60) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.02_microsoft_corporation",
      "company_name": "Microsoft Corporation",
      "date_issued": "2002-12-15",
      "year": 2002,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4069"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order terminates on December 20, 2022, or twenty years from the most recent date the FTC or United States files a complaint in federal court alleging a violation, whichever is later, with specific exceptions for parts with shorter terms, non-defendant respondents, and complaints filed after termination.",
      "verbatim_text": "This order will terminate on December 20, 2022, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order's application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.02_microsoft_corporation",
      "company_name": "Microsoft Corporation",
      "date_issued": "2002-12-15",
      "year": 2002,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v",
      "docket_number": "C-4069"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Personal Information Practices",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner how it handles personal information, including representations about selling or renting data to third parties, sharing children's data, notifying consumers of policy changes, or collecting and disclosing personal information.",
      "verbatim_text": "IT IS ORDERED that Respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the collection of personal information from or about an individual, shall not misrepresent in any manner, expressly or by implication: A. That Respondent will not sell, rent, or loan to third parties such personal information;\n\nB. That Respondent will not provide to any third party personal information about children under the age of thirteen;\n\nC. The manner by which Respondent will notify consumers of changes to its privacy policy; or\n\nD. The manner in which Respondent will collect, use, or disclose personal information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.04_gateway_learning",
      "company_name": "Gateway Learning Corporation",
      "date_issued": "2004-12-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter",
      "docket_number": "C-4120"
    },
    {
      "provision_number": "II",
      "title": "Prohibition on Disclosure of Pre-Policy-Change Personal Information Without Opt-In Consent",
      "category": "prohibition",
      "summary": "Respondent must not disclose to any third party personal information collected on www.hop.com before June 20, 2003 (when the revised privacy policy permitting third-party sharing was posted), unless the affected consumers provide express affirmative opt-in consent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, directly or through any corporation, subsidiary, division, or other device, shall not disclose to any third party any personal information collected on the www.hop.com Web site prior to the date Gateway posted its revised privacy policy permitting third-party sharing (June 20, 2003), unless Respondent obtains the express affirmative (“opt-in”) consent of the consumers to whom such personal information relates.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.04_gateway_learning",
      "company_name": "Gateway Learning Corporation",
      "date_issued": "2004-12-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter",
      "docket_number": "C-4120"
    },
    {
      "provision_number": "III",
      "title": "Prohibition on Retroactive Application of Material Privacy Policy Changes Without Opt-In Consent",
      "category": "prohibition",
      "summary": "Respondent must not apply material changes to its privacy policy to information previously collected from consumers without first obtaining those consumers' express affirmative opt-in consent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, in connection with the posting of any privacy policy that contains a material change from the previous version of the policy, shall not apply such changes to information collected from or about consumers before the date of the posting, unless Respondent obtains the express affirmative (“opt-in”) consent of the consumers to whom such personal information relates.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.04_gateway_learning",
      "company_name": "Gateway Learning Corporation",
      "date_issued": "2004-12-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter",
      "docket_number": "C-4120"
    },
    {
      "provision_number": "IV",
      "title": "Disgorgement Payment to U.S. Treasury",
      "category": "affirmative_obligation",
      "summary": "Respondent must pay $4,608 to the United States Treasury as disgorgement within five days of service of this Order, by cashier's or certified check, with interest accruing on any unpaid balance after a ten-day default period.",
      "verbatim_text": "IT IS FURTHER ORDERED that within five (5) days of the date of service of this Order, Respondent, its successors and assigns, shall pay $4,608 to the United States Treasury as disgorgement. Such payment shall be by cashier’s check or certified check made payable to the Treasurer of the United States. In the event of any default in payment, which default continues for more than ten (10) days beyond the due date of payment, Respondent shall also pay interest as computed under 28 U.S.C. § 1961, which shall accrue on the unpaid balance from the date of default until the date the balance is fully paid.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "12.04_gateway_learning",
      "company_name": "Gateway Learning Corporation",
      "date_issued": "2004-12-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter",
      "docket_number": "C-4120"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC for five years all documents demonstrating compliance with this Order, including copies of privacy statements, opt-in consent records, and records of disclosures to third parties.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Gateway Learning Corporation and its successors and assigns shall, for a period of five (5) years after the date of issuance of this Order, maintain and upon request make available to the Federal Trade Commission for inspection and copying a print or electronic copy of all documents demonstrating their compliance with the terms and provisions of this Order, including, but not limited to: A. a sample copy of each different privacy statement or communication relating to the collection of personally identifiable information containing representations about how personally identifiable information will be used or disclosed. Each Web page copy shall be dated and contain the full URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting the information on the Web; provided, however, that after creation of any Web page or screen in compliance with this Order, Respondent shall not be required to retain a print or electronic copy of any amended Web page or screen to the extent that the amendment does not affect Respondent’s compliance obligations under this Order;\n\nB. a sample copy of each different document relating to any attempt by Respondent to obtain the express affirmative (“opt-in”) consent of consumers and copies of any documents demonstrating such consent provided by consumers, as required by Parts II and III of this Order; and\n\nC. all invoices, communications, and records relating to the disclosure of personally identifiable information to third parties.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.04_gateway_learning",
      "company_name": "Gateway Learning Corporation",
      "date_issued": "2004-12-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter",
      "docket_number": "C-4120"
    },
    {
      "provision_number": "VI",
      "title": "Acknowledgment and Delivery of Order",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this Order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities — current personnel within 30 days of service, future personnel within 30 days of assuming their role.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Gateway Learning Corporation and its successors and assigns shall deliver a copy of this Order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of this Order. Respondent shall deliver this Order to such current personnel within thirty (30) days after the date of service of this Order, and to such future personnel within thirty (30) days after the person\n\ndate of service of this Order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.04_gateway_learning",
      "company_name": "Gateway Learning Corporation",
      "date_issued": "2004-12-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter",
      "docket_number": "C-4120"
    },
    {
      "provision_number": "VII",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this Order, such as dissolution, merger, sale, bankruptcy filing, or name/address change, by certified mail to the FTC's Division of Enforcement.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Gateway Learning Corporation and its successors and assigns shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this Order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which a respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nbankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which a respondent learns less than thirty (30) days prior to the date such action is to take place, the respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.04_gateway_learning",
      "company_name": "Gateway Learning Corporation",
      "date_issued": "2004-12-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter",
      "docket_number": "C-4120"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file a written compliance report with the FTC within 60 days of service of this Order, and at such other times as the FTC may require, detailing the manner and form in which it has complied with the Order.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent Gateway Learning Corporation and its successors and assigns shall, within sixty (60) days after service of this Order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.04_gateway_learning",
      "company_name": "Gateway Learning Corporation",
      "date_issued": "2004-12-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter",
      "docket_number": "C-4120"
    },
    {
      "provision_number": "IX",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "This Order terminates on September 10, 2024, or twenty years from the most recent date the FTC files a complaint alleging any violation of the Order in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "This Order will terminate on September 10, 2024, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this Order that terminates in less than twenty (20) years; B. This Order’s application to any respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that a respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Part as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.04_gateway_learning",
      "company_name": "Gateway Learning Corporation",
      "date_issued": "2004-12-15",
      "year": 2004,
      "administration": "G.W. Bush",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter",
      "docket_number": "C-4120"
    },
    {
      "provision_number": "I",
      "title": "Ban on Sale of Customer Phone Records",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained from obtaining, marketing, or selling customer phone records and consumer personal information derived from customer phone records, except as authorized by law.",
      "verbatim_text": "I. IT IS THEREFORE ORDERED that Defendants, their assigns, agents, servants, employees and those persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, are hereby restrained and enjoined from obtaining, causing others to obtain, marketing, or selling customer phone records and consumer personal information that is derived from customer phone records, provided. however. that Defendants shall not be prohibited from obtaining customer phone records or consumer personal information that is derived from customer phone records pursuant to any law, regulation, or lawful court order. Nothing in this Order shall be read as an exception to this Section 1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "II",
      "title": "Prohibited Business Activities",
      "category": "prohibition",
      "summary": "Defendants are permanently restrained from making false or deceptive statements to obtain consumer personal information, or knowingly requesting others to do so, in connection with the obtaining, marketing, or sale of consumer personal information.",
      "verbatim_text": "II. IT IS FUR1HER ORDERED that Defendants, their assigns, agents, servants, employees and those persons in active concert or participation with them who receive actual notice ofthis Order by personal service or otherwise, in connection with the obtaining, marketing or sale ofany consumer personal information, unless otherwise authorized pursuant to any law, regulation, or lawful court order, are hereby restrained and enjoined from: A. Making false or deceptive statements or representations, including but not limited to impersonating any person or entity, directly or by implication, to any person or entity in order to obtain consumer personal information;\n\nB. Requesting any person or entity to obtain consumer personal information relating to any third person, if the person making such a request knows or should know that the person or entity to Page4of 14 whom such a request is made will obtain or attempt to obtain such information in violation of Subsection A of this Section Il.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "III",
      "title": "Monetary Relief",
      "category": "affirmative_obligation",
      "summary": "Judgment of $222,381.00 is entered against Defendants jointly and severally, suspended upon payment of $25,000.00 within five days of notice of entry of this Order; funds are administered by the FTC for equitable relief.",
      "verbatim_text": "A. Judgment is hereby entered against Defendants, jointly and severally, in the amount of TWO HUNDRED TWENTY TWO THOUSAND THREE HUNDRED AND EIGHTY ONE DOLLARS ($222,381.00); provided, however, that this judgment shall be suspended (1) upon payment to the FTC within five (5) days after Defendants receive notice of entry of this Order, of TWENTY FIVE THOUSAND DOLLARS ($25,000.00) in the form ofa cashiers check payable to the FTC; and (2) as long as the Court makes no finding, as provided in Section N ofthis Order, that any defendant materially misrepresented or omitted the nature, existence, or value of any asset.\n\nF. Defendants are hereby required, in accordance with 31 U.S.c. § 7701, to furnish to the FTC their tax identification numbers, which shall be used for purposes of collecting and reporting on any delinquent amount arising out ofthis Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "IV",
      "title": "Right to Reopen",
      "category": "monitoring",
      "summary": "If the Court finds that any Defendant materially misrepresented or omitted financial information, the suspended judgment becomes immediately due and payable; Defendants waive the right to contest Complaint allegations for purposes of this section.",
      "verbatim_text": "IV. IT IS FURTHER ORDERED that the FTC's agreement to this Order is expressly premised on the truthfulness, accuracy and completeness of the financial statements previously submitted by Defendants to the FTC. If, upon motion by the FTC, the Court finds that the financial statement ofany Defendant contains any material misrepresentation or omission, the suspended judgment entered in Section III of this Order shall become immediately due and payable as to that Defendant (less any amounts turned over to the FTC pursuant to Section Ill.A ofthis Order); provided, however, that in all other respects this Order shall remain in full force and effect unless otherwise ordered by the Court; and, provided further, that proceedings instituted under this provision would be in addition to, and not in lieu of. any other civil or criminal remedies as may be provided by law, including any other proceedings that the FTC may initiate to enforce this Order. For purposes ofthis Section N, Defendants waive any right to contest any of the allegations in the Complaint.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "V",
      "title": "Cooperation with FTC",
      "category": "affirmative_obligation",
      "summary": "Defendant Scott Joseph must cooperate in good faith with the FTC, appear for interviews and other proceedings, and provide truthful testimony when requested in writing, without requiring a subpoena.",
      "verbatim_text": "V. IT IS FURTHER ORDERED that Defendant Scott Joseph shall, in connection with this action or any subsequent investigations related to or associated with the transactions or the occurrences that are the subject of the FTC's Complaint, cooperate in good faith with the FTC and appear at such places and times as the FTC shall reasonably request, after written notice, for interviews, conferences, pretrial discovery, review ofdocuments, and for such other matters as may be reasonably requested by the FTC.\n\nIf requested in writing by the FTC. Defendant Scott Joseph shall appear and provide truthful testimony in any trial, deposition, or other proceeding related to or associated with the transactions or the occurrences that are the subject of the Complaint, without the service of a subpoena.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "VI",
      "title": "Distribution of Order",
      "category": "acknowledgment",
      "summary": "For five years from entry, Defendants must deliver copies of the Order to principals, officers, employees, and agents, and obtain signed acknowledgments of receipt within thirty days of delivery.",
      "verbatim_text": "A. Defendant CEO Group, Inc. must deliver a copy ofthis Order to all of its principals, officers, directors, and managers. Defendant CEO Group, Inc. also must deliver copies of this Order to all of its employees, agents, and representatives who engage in conduct related to the subject matter of the Order. For current personnel, delivery shall be within (5) days of service of this Order upon Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities.\n\nB. For any business related to the subject matter of this Order that Defendant Scott Joseph controls, directly or indirectly, or in which he has a majority ownership interest, he must deliver a copy of this Order to all principals, officers, directors, and managers ofthat business. Defendant Scott Joseph must also deliver copies of this Order to all employees, agents, and representatives of that business who Page 7 of 14 engage in conduct related to the subject matter of the Order. For current personnel, delivery shall be within (5) days of service ofthis Order upon Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities.\n\nC. For any business where Defendant Scott Joseph is not a controlling person ofa business, but otherwise engages in conduct related to thesubject matter ofthis Order, he must deliver a copy of this Order to all principals and managers ofsuch business before engaging in such conduct.\n\nD. Defendants must secure a signed and dated statement acknowledging receipt ofthe Order, withinthirtydays ofdelivery,from allpersonsreceivinga copy ofthe Orderpursuant to this SectionVI.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "VII",
      "title": "Record-Keeping Provisions",
      "category": "recordkeeping",
      "summary": "For five years from entry, Defendants must create and retain specified business records including accounting, personnel, customer, complaint, marketing materials, third-party, and order acknowledgment records.",
      "verbatim_text": "A. Accounting records that reflect the cost ofgoods or services sold, revenues generated, and the disbursement ofsuch revenues;\n\nB. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person's Page 8 of 14 job title or position; the date upon which the person commenced work; and the date and reason for the person's termination, ifapplicable;\n\nC. Customer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of goods or services purchased, and description ofgoods or services purchased, to the extent such information is obtained in the ordinary course of business;\n\nD. Complaints and refund requests (whether received directly, indirectly or through any third party) and any responses to those complaints or requests;\n\nE. Copies of all sales scripts, training materials, advertisements, or other marketing materials, and records that accurately reflect the time periods during which such materials were used and the persons and business entities that used such materials;\n\nF. To the extent consumer personal information is obtained through the use of any third party, records that accurately reflect the name, address and telephone number ofsuch third party, including, but not limited to, copies of all contracts and correspondence between any Defendant and such third party; and\n\nG. Copies ofeach acknowledgement ofreceiptofOrderrequiredto be obtainedpursuantto Section VI ofthis Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "For five years from entry, Defendants must notify the FTC of changesin residence, employment, business ownership, corporate structure, and name, and must file a sworn compliance report 180 days after entry of the Order.",
      "verbatim_text": "a. Any changes in his residence, mailing addresses. and telephone numbers, within ten (l0) days of the date ofsuch change;\n\nb. Any changes in his employment status (including self-employment), and any change in his ownership in any business entity, within ten (10) days of the date ofsuch change. Such notice shall include the name and address ofeach business that he is affiliated with, employed by, creates or forms, or performs services for; a statement ofthe nature of the business; and a statement of his duties and responsibilities in connection with the business or employment; and\n\nc. Any changes in his name or use ofany aliases or fictitious names; and\n\n2. Defendants shall notify the FTC ofany changes in corporate structure of CEO Group, Inc. or any business entity that Scott Joseph directly or indirectly control(s), or has an ownership interest in, that may affect compliance obligations arising under this Order, including but not limited to a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor entity; the creation or dissolution ofa subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; the filing of a bankruptcy petition; or a change in the corporate name or address, at least thirty (30) days prior to such change, provided that, with respect to any proposed change in the corporation about which a Defendant learns less than thirty (30) days prior to the date such action is to take place, such Defendant shall notify the FTC as soon as is practicable after obtaining such knowledge.\n\nB. One hundred eighty (180) days after the date of entry ofthis Order, Defendants each shall provide a written report to the FTC, sworn to under penalty of perjury, setting forth in detail the manner and form in which they have complied and are complying with this Order. This report shall include, but not be limited to: to of 14 1. 
For each individual Defendant: a. The then-current residence address, mailing addresses, and telephone numbers of the individual Defendant; b. The then-current employment and business addresses and telephone numbers of the individual Defendant, a description of the business activities ofeach such employer or business, and the title and responsibilities ofthe individual Defendant, for each such employer or business; and c. Any other changes required to be reported under subparagraph A of this Section VITI. 2. For all Defendants: a. A copy ofeach acknowledgment of receipt of this Order, obtained pursuant to Section VI; and b. Any other changes required to be reported under subparagraph A of this Section vrn.\n\nC. For the purposes of this Order, Defendants shall, unless otherwise directed by the FTC's authorized representatives, mail all written notifications to the FTC to: Associate Director ofEnforcement Federal Trade Commission 600 Pennsylvania Avenue, N.W. Room NJ-2122 Washington, DC 20580 Re: FTC v. CEO Group, Inc.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "IX",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC is authorized to monitor compliance through written requests for reports, document production, depositions, facility access, discovery, posing as consumers or suppliers, and interviewing Defendants' personnel.",
      "verbatim_text": "A. Within fourteen (14) days ofreceipt ofwritten notice from a representative of the FTC, Defendants each shall submit additional written reports, sworn to under penalty ofperjury; produce documents for inspection and copying; appear for deposition; and/or provide entry during normal business hours to any business location in such Defendant's possession or direct or indirect control to inspect the business operation;\n\nB. In addition, the FTC is authorized to monitor compliance with this Order by all other lawful means, including but not limited to the following: 1. Obtaining discovery from any person, without further leave ofcourt, using the procedures prescribed by Fed. R. Civ. P. 30, 31, 33, 34, 36, and 45; 2. Posing asconsumers and suppliers to: Defendants, Defendants' employees, or any other entity managed or controlled in whole or in part by any Defendant, without the necessity of identification or prior notice; and\n\nC. Defendants shall permit representatives of the FTC to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "X",
      "title": "Acknowledgment of Receipt of Order",
      "category": "acknowledgment",
      "summary": "Each Defendant must submit a truthful sworn statement to the FTC acknowledging receipt of the Order within five business days of receiving it.",
      "verbatim_text": "x. IT IS FURTHER ORDERED that within five (5) business days after receipt of this Order, as entered by the Court, each Defendant shall submit to the FTC a truthful sworn statement acknowledging receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "XI",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of the Order.",
      "verbatim_text": "XI. IT IS FURTHER ORDERED that this Court shall retain jurisdiction of this matter, for +h6/{j h +~( LierK purposes ofconstruction, modification and enforcement of this Order)",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph",
      "company_name": "CEO GROUP, INC.",
      "date_issued": "2007-12-15",
      "year": 2007,
      "administration": "G.W. Bush",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph",
      "docket_number": "06-60602-CIV"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Data Collection and User Control",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which user data is collected, used, disclosed, or shared, or the extent to which users can control such collection and use.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees and all other persons in active concert or participation with any of them, who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any entity, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the extent to which data from or about a particular user or the user’s online activities is collected, used, disclosed, or shared; or (B) the extent to which users may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.11_scanscout",
      "company_name": "ScanScout, Inc.",
      "date_issued": "2011-12-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter",
      "docket_number": "C-4344"
    },
    {
      "provision_number": "II",
      "title": "Notice and Opt-Out Mechanism for Online Behavioral Advertising",
      "category": "affirmative_obligation",
      "summary": "While engaging in online behavioral advertising, respondent must provide clear notice on its homepage, a one-click opt-out mechanism, and hyperlinks in display and video ads directing users to the opt-out mechanism.",
      "verbatim_text": "A. Within thirty (30) days after the date of service of this order, place a clear and prominent notice, including a hyperlink, on the homepage(s) of its website(s), which states, “We collect information about your activities on certain websites to Page 3 of 7 send you targeted ads. To opt out of our targeted advertisements click here.” When selected, the hyperlink shall take consumers directly to the mechanism required by Part II.B of the order;\n\nB. Within thirty (30) days after the date of service of this order, provide a clearly and prominently disclosed mechanism that enables users to prevent respondent: from collecting data that can be associated with a particular user, or that contains any unique identifier, including user ID or Internet Protocol (IP) address; from redirecting users’ browsers to third parties that collect data, absent a click or other affirmative action by such user; and from associating any previously collected data with the user. Provided, however, respondent may collect data that can be associated with a particular user, or that contains a unique identifier: (1) to implement the user’s choice to prevent respondent from collecting such data; and (2) for permissible uses;\n\nC. The mechanism set forth in Part II.B shall require no more than one action by the user (e.g., one click or one change to a browser setting) after the user is directed to such mechanism. The user’s choice shall remain in effect for a minimum time period of five (5) years, unless the user disables the mechanism. 
Within close proximity to the mechanism, respondent shall clearly and prominently disclose: (1) that respondent collects information about users’ activities on certain websites in order to deliver advertising targeted to users’ interests; (2) that if the user implements the mechanism, respondent will not collect this information for the purpose of delivering advertising targeted to the user’s interests; (3) the current status of the user’s choice (e.g., “not opted out” or “opted out”); and (4) any circumstances that, if initiated by the user, would disable the mechanism or require the user to implement the mechanism again in order to maintain the user’s choice (e.g., use of a different browser, use of a different device, or deletion of cookies);\n\nD. Within ninety (90) days after the date of service of the order, within or immediately adjacent to any display advertisement that respondent serves as part of online behavioral advertising, include a hyperlink that takes consumers directly to the mechanism required by Part II.B of this order. The hyperlink text shall clearly and prominently disclose to consumers that selecting the hyperlink will give them choices about receiving advertising targeted to their interests.\n\nE. Undertake reasonable efforts to develop and implement, within or immediately adjacent to any video advertisement that respondent serves as part of online behavioral advertising, a clear and prominent hyperlink that directs consumers to the mechanism required by Part II.B of this order, and discloses to consumers that they can opt out of receiving advertising targeted to their interests, and report on such efforts as set forth in Part VI of this order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.11_scanscout",
      "company_name": "ScanScout, Inc.",
      "date_issued": "2011-12-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter",
      "docket_number": "C-4344"
    },
    {
      "provision_number": "III",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC records including consumer complaints, compliance documents, and publicly disseminated privacy-related materials for specified periods.",
      "verbatim_text": "A. For a period of five (5) years from the entry of this order or from the date of preparation, whichever is later: 1. Consumer complaints or inquiries directed to respondent or forwarded to respondent by a third party concerning: (a) any collection of data by respondent; (b) the use, disclosure, or sharing of such data by respondent; or (c) opt-out practices or any other mechanism to limit or prevent such collection of data or the use, disclosure, or sharing of data collected by respondent, as well as any responses to such complaints or inquiries;\n\n2. Documents that are sufficient to demonstrate compliance with each provision of this order, including, but not limited to, relevant policies and procedures, documents demonstrating respondent’s efforts to develop and implement a clear and prominent hyperlink for video advertisements pursuant to Part II.E, and all reports submitted to the Commission pursuant to this order;\n\n3. Documents that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. For a period of five (5) years after the last public dissemination thereof by respondent, respondent’s terms of use, form end-user license agreements, frequently asked questions, privacy policies, and other documents publicly disseminated by respondent relating to: (a) collection of data by respondent; (b) the use, disclosure or sharing of such data by respondent; or (c) opt-out practices and other mechanisms to limit or prevent such collection of data or the use, disclosure, or sharing of data collected by respondent.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.11_scanscout",
      "company_name": "ScanScout, Inc.",
      "date_issued": "2011-12-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter",
      "docket_number": "C-4344"
    },
    {
      "provision_number": "IV",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of this order to all principals, officers, directors, managers, and employees with supervisory responsibilities over the subject matter, within 30 days for current personnel and 30 days of assumption of role for future personnel.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all principals, officers, directors, and managers, and to all employees, agents, and representatives having supervisory responsibilities with respect to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after the date of service of the order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.11_scanscout",
      "company_name": "ScanScout, Inc.",
      "date_issued": "2011-12-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter",
      "docket_number": "C-4344"
    },
    {
      "provision_number": "V",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, sale, merger, bankruptcy filing, or change of name or address.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission in writing, all notices required by this order shall be sent by hand delivery or overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, with the subject line In the Matter of ScanScout, Inc. FTC File No. 1023185. Provided, however, that, in lieu of hand delivery or overnight courier, a notice may be sent by first-class mail, but only if an electronic version of such notice is contemporaneously sent to the Commission by e-mail to DEbrief@ftc.gov.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.11_scanscout",
      "company_name": "ScanScout, Inc.",
      "date_issued": "2011-12-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter",
      "docket_number": "C-4344"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial compliance report within 90 days of service, then semi-annual reports until full implementation of the video ad hyperlink (Part II.E), and additional reports upon FTC request within 10 business days.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within ninety (90) days after service of the order, file with the Commission a true and accurate report, in writing, setting forth the manner and form in which respondent has complied with this order, including but not limited to compliance with the requirements of Part II.E of this order. Every six (6) months thereafter,\n\nto compliance with the requirements of Part II.E of this order. Every six (6) months thereafter, and continuing until respondent reports it has implemented the hyperlink set forth in Part II.E of this order for every different format of video advertisement that respondent serves as part of online behavioral advertising, respondent shall submit an additional true and accurate report, in writing, setting forth the manner and form in which respondent has complied with the requirements of Part II.E of this order. Within ten (10) business days of receipt of written notice\n\nrequirements of Part II.E of this order. Within ten (10) business days of receipt of written notice from a representative of the Federal Trade Commission at such other times as the Federal Trade Commission may require, respondent shall submit additional true and accurate written reports.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.11_scanscout",
      "company_name": "ScanScout, Inc.",
      "date_issued": "2011-12-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter",
      "docket_number": "C-4344"
    },
    {
      "provision_number": "VII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "The order terminates on December 14, 2031, or 20 years from the most recent date the FTC files a complaint alleging a violation of the order in federal court, whichever is later.",
      "verbatim_text": "This order will terminate on December 14, 2031, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part of this order that terminates in less than twenty (20) years; and Page 6 of 7 B. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that this order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.11_scanscout",
      "company_name": "ScanScout, Inc.",
      "date_issued": "2011-12-15",
      "year": 2011,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter",
      "docket_number": "C-4344"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Privacy and Security",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent the extent to which it maintains and protects privacy, security, or confidentiality of covered information, including claims about message deletion, screenshot detection, data collection categories, or security measures.",
      "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or indirectly, shall not misrepresent in any manner, expressly or by implication, in or affecting commerce, the extent to which respondent or its products or services maintain and protect the privacy, security, or confidentiality of any covered information, including but not limited to: (1) the extent to which a message is deleted after being viewed by the recipient; (2) the extent to which respondent or its products or services are capable of detecting or notifying the sender when a recipient has captured a screenshot of, or otherwise saved, a message; (3) the categories of covered information collected; or (4) the steps taken to protect against misuse or unauthorized disclosure of covered information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.14_snapchat",
      "company_name": "Snapchat, Inc.",
      "date_issued": "2014-12-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter",
      "docket_number": "C-4501"
    },
    {
      "provision_number": "II",
      "title": "Comprehensive Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and maintain a comprehensive written privacy program designed to address privacy risks and protect covered information, including designation of privacy coordinators, risk assessments, privacy controls, vendor management, and program evaluation.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information, whether collected by respondent or input into, stored on, captured with, or accessed through a computer using respondent’s products or services. Such program, the content and implementation of which must be fully documented in writing, shall contain privacy controls and procedures appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the privacy program;\n\nB. the identification of reasonably foreseeable, material risks, both internal and external, that could result in the respondent’s unauthorized collection, use, or disclosure of covered information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including training on the requirements of this order; and (2) product design, development and research;\n\nC. the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of the privacy controls and procedures;\n\nD. 
the development and use of reasonable steps to select and retain service providers capable of maintaining security practices consistent with this order, and requiring service providers by contract to implement and maintain appropriate safeguards;\n\nE. the evaluation and adjustment of respondent’s privacy program in light of the results of the testing and monitoring required by subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows, or has reason to know, may have a material impact on the effectiveness of its privacy program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "12.14_snapchat",
      "company_name": "Snapchat, Inc.",
      "date_issued": "2014-12-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter",
      "docket_number": "C-4501"
    },
    {
      "provision_number": "III",
      "title": "Third-Party Privacy Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial privacy assessments from qualified, independent third-party professionals for 20 years, covering privacy controls and their effectiveness in protecting covered information.",
      "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from 3 a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. A person qualified to prepare such Assessments shall have a minimum of three (3) years of experience in the field of privacy and data protection. All persons selected to conduct such assessments and prepare such reports shall be approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred eighty (180) days after service of the order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific privacy controls that respondent has implemented and maintained during the reporting period;\n\nB. explain how such privacy controls are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by Part II of this order; and\n\nD. certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial\n\nreporting period to which the Assessment applies. 
Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of\n\nprepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, the initial Assessment, and any subsequent Assessments requested, shall be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580 with the subject line In the Matter of Snapchat, Inc., FTC File No. 1323078.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "12.14_snapchat",
      "company_name": "Snapchat, Inc.",
      "date_issued": "2014-12-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter",
      "docket_number": "C-4501"
    },
    {
      "provision_number": "IV",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must maintain and make available to the FTC upon request records including privacy-related statements, consumer complaints, documents questioning compliance, and assessment materials for specified periods of five years.",
      "verbatim_text": "A. for a period of five (5) years from the date of preparation or dissemination, whichever is later, statements disseminated to consumers that describe the extent to which 4 respondent maintains and protects the privacy, security and confidentiality of any covered information, including, but not limited to, any statement related to a change in any website or service controlled by respondent that relates to the privacy, security, and confidentiality of covered information, with all materials relied upon in making or disseminating such statements;\n\nB. for a period of five (5) years from the date received, all consumer complaints directed at respondent, or forwarded to respondent by a third party, that relate to the conduct prohibited by this order and any responses to such complaints;\n\nC. for a period of five (5) years from the date received, any documents, whether prepared by or on behalf of respondent that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nD. for a period of five (5) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.14_snapchat",
      "company_name": "Snapchat, Inc.",
      "date_issued": "2014-12-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter",
      "docket_number": "C-4501"
    },
    {
      "provision_number": "V",
      "title": "Order Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must deliver a copy of the order to current and future subsidiaries, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, and obtain signed acknowledgments of receipt.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or\n\nsubsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part\n\nresponsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days\n\nsecure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.14_snapchat",
      "company_name": "Snapchat, Inc.",
      "date_issued": "2014-12-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter",
      "docket_number": "C-4501"
    },
    {
      "provision_number": "VI",
      "title": "Notification of Corporate Changes",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the Commission at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, sale, subsidiary changes, bankruptcy, or name and address changes.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nProvided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission, all notices required by this Part 5 shall be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580 with the subject line In the Matter of Snapchat, Inc., FTC File No. 1323078.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.14_snapchat",
      "company_name": "Snapchat, Inc.",
      "date_issued": "2014-12-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter",
      "docket_number": "C-4501"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file an initial compliance report with the Commission within 90 days after service of the order detailing manner and form of compliance, and submit additional reports within 10 days upon written notice from the Commission.",
      "verbatim_text": "IT IS FURTHER ORDERED that respondent within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of\n\nforth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.14_snapchat",
      "company_name": "Snapchat, Inc.",
      "date_issued": "2014-12-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter",
      "docket_number": "C-4501"
    },
    {
      "provision_number": "VIII",
      "title": "Order Duration and Termination",
      "category": "duration",
      "summary": "The order will terminate on December 23, 2034, or 20 years from the most recent date the U.S. or Commission files a complaint in federal court alleging violation of the order, whichever comes later, with exceptions for dismissals or rulings in respondent's favor.",
      "verbatim_text": "This order will terminate on December 23, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.14_snapchat",
      "company_name": "Snapchat, Inc.",
      "date_issued": "2014-12-15",
      "year": 2014,
      "administration": "Obama",
      "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter",
      "docket_number": "C-4501"
    },
    {
      "provision_number": "I",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Hotels and Resorts must establish, implement, and maintain a comprehensive information security program for 20 years, designed to protect the security, confidentiality, and integrity of Cardholder Data, including specific administrative, technical, and physical safeguards.",
      "verbatim_text": "IT IS ORDERED that Hotels and Resorts shall, no later than the date of entry of this Order, establish and implement, and thereafter maintain, for twenty (20) years after entry of this Order, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Cardholder Data that it collects or receives in the United States from or about consumers. Such program, the content and implementation of which must 4 Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 5 of 18 PageiD: 5024 be fully documented in writing, shall consist of the following administrative, technical, and physical safeguards appropriate to Hotels and Resorts' size and complexity, the nature and scope of Hotels and Resorts' activities, and the sensitivity of the Cardholder Data at issue:\n\nA the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of Cardholder Data that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to, (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, (3) risks emanating from the Wyndham-branded Hotels, and (4 ) prevention, detection, and response to attacks, intrusions, or other systems failure;\n\nC. 
the design and implementation of reasonable safeguards to control the risks identified through risk assessment (including any risks emanating from the Wyndham-branded Hotels), and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding Cardholder Data they receive from Hotels 5 Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 6 of 18 PageiD: 5025 and Resorts and requiring such service providers by contract to implement and maintain appropriate safeguards for such information; and\n\nE. the evaluation and adjustment of Hotels and Resorts' information security program described herein in light of the results of the testing and monitoring required by Part I.C or any other circumstances (including any material changes to Hotels and Resorts' operations or business arrangements) that Hotels and Resorts knows or has reason to know may have a material impact on the effectiveness of such information security program.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "12.15_wyndham_worldwide_corporation",
      "company_name": "Wyndham Worldwide Corporation",
      "date_issued": "2015-12-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), enforced through Section 13(b) of the FTC Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation",
      "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)"
    },
    {
      "provision_number": "II",
      "title": "Cardholder Data Assessments",
      "category": "assessment",
      "summary": "Hotels and Resorts must annually obtain a written assessment of compliance with the Approved Standard, obtain additional certifications if noncompliant, and obtain a forensic investigator report following any large Breach, for up to 20 years after entry of the Order.",
      "verbatim_text": "A. Annually obtain a written assessment of the extent of Hotels and Resorts' compliance with the Approved Standard (each such annual assessment, together with any certification relative to such assessment that may be obtained pursuant to Part ll.B, being defined as an \"Assessment\"). Each annual Assessment shall be completed by December 31. For each annual Assessment, the assessor conducting the Assessment must certify as to the extent ofHotels and Resorts' compliance with the Approved Standard. In addition, the assessor must: 1. certify individually, as to each Wyndham-branded Hotel, whether Hotels and Resorts treats as an untrusted network any Wyndham-branded Hotel's network that has a Cardholder Data Environment, and if any such network 6 Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 7 of 18 PageiD: 5026 is not treated as untrusted, certify that such network either is included in the Assessment or has during the 12 months preceding the Assessment separately been validated to be fully compliant with the Approved Standard; 2. certify as to the extent of Hotels and Resorts' compliance with each element of a risk management protocol at least as thorough as Version 2.0 of the PCI DSS Risk Assessment Guidelines, attached hereto as Appendix B; and 3. certify that the Assessment was conducted by a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession, adheres to professional and business ethics, performs all duties objectively, and is free from any conflicts of interest that might compromise the assessor's independent judgment in performing Assessments. 
Professionals qualified to prepare Assessments shall be: a person qualified as a Certified Information Systems Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; a Qualified Security Assessor under PCI DSS (QSA); or, at the election of Hotels and Resorts, a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nB. If the assessor that conducts an Assessment descnbed in Part ll.A does not certify that Hotels and Resorts is fully compliant with the Approved Standard on which the Assessment in question is based and with the risk protocol referenced in Part ll.A.2 (a ''Noncompliant Assessment\"), Hotels and Resorts shall, within sixty (60) days from the completion of the Noncompliant Assessment in question, obtain a certification from an assessor qualified under Part ll.A.3 attesting as to the extent of Hotels and Resorts' compliance with any requirements under the Approved Standard and/or the risk protocol in question that were not certified as being in place by the assessor that conducted the Assessment.\n\nC. Within one hundred and eighty (180) days following discovery of a Breach involving more than 10,000 unique payment card numbers, Hotels and Resorts shall obtain an assessment that meets the requirements, established by the PCI Security Standards Council, of a PCI Forensic Investigator Final Incident Report (or the equivalent of such a report under then-current standards established by the PCI Security Standards Council, any successor entity to said council, or the major card brands), or, at the election of Hotels and Resorts, a standard of comparable scope and thoroughness approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nD. 
If Hotels and Resorts obtains (i) an Assessment certifying that Hotels and Resorts is fully compliant with the Approved Standard and (ii) such Assessment includes or is accompanied by the certifications called for by Part ll.A.l-ll.A3, Hotels and Resorts shall be deemed in compliance with Part I of this Order for one year from 8 Case 2:13-cv-01887-ES-JAD Document 283 Filed 12111115 Page 9 of 18 PageiD: 5028 the date of that Assessment or until the next December 31 Assessment deadline, whichever is earlier. Provided, however: 1. A Practice by Hotels and Resorts shall not be deemed in compliance with Part I of this Order based upon a Part ll.A Assessment ifH otels and Resorts made a representation, express or implied, regarding the Practice that either misrepresented or omitted a material fact and such misrepresentation or omission would likely affect a reasonable Assessor's decision about whether the Practice complied with the Approved Standard. Further, in the event that such a misrepresentation or omission was made for the purpose of deceiving the assessor, Hotels and Resorts shall not be deemed compliant with any portion of Part I or Part ll.A of this Order based on that Assessment. 2. 
Hotels and Resorts shall not be deemed in compliance with Part I of this Order based upon a Part ll.A Assessment as to any Practice that is a significant change from any Practice in place at the time of the Assessment in question, unless, at the time of the significant change, an assessor qualified under Part ll.A.3 certifies that the significant change does not cause Hotels and Resorts to fall out of compliance with the Approved Standard on which the Assessment in question was based.\n\nand Resorts shall provide each Assessment required by this Part II, including any Part II.B certification or Part II.C report, to the Associate Director for Enforcement, Bureau of Consumer 9 Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 10 of 18 PageiD: 5029 Protection, Federal Trade Commission, within ten (10) days after the Assessment, certification, or report is delivered to Hotels and Resorts by the assessor or investigator in question. Unless otherwise directed by a representative of the Commission in writing, Hotels and Resorts shall email these materials to Debrief@ftc.gov or send them by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin: FTC v. Wyndham Worldwide Corp., et. al., FTC File No. X120032.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "12.15_wyndham_worldwide_corporation",
      "company_name": "Wyndham Worldwide Corporation",
      "date_issued": "2015-12-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), enforced through Section 13(b) of the FTC Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation",
      "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)"
    },
    {
      "provision_number": "III",
      "title": "Order Acknowledgements",
      "category": "acknowledgment",
      "summary": "Wyndham Worldwide Corporation, Wyndham Hotel Group LLC, and Hotels and Resorts must submit acknowledgements of receipt of this Order and deliver copies to subsidiaries, officers, employees, and other relevant personnel.",
      "verbatim_text": "A. Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts, within seven (7) days of entry of this Order, must submit to the Commission an acknowledgement of receipt of this Order.\n\nB. Hotels and Resorts shall deliver a copy of this Order: (1) to all its current subsidiaries within thirty (30) days after entry of this Order; and (2) for ten (10) years after entry of this Order, to any future subsidiary within thirty (30) days after its acquisition by Hotels and Resorts.\n\nC. For ten (10) years after entry of this Order, Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts must deliver a copy of this Order to (1) all controlling principals, board of directors members, and LLC managers and members; (2) all officers, employees, agents, and representatives having responsibilities relating to the subject matter of this Order; and (3) any business entity resulting from any change in structure as set forth in the Part titled 10 Case 2:13-cv-01887 -ES-JAD Document 283 Filed 12/11115 Page 11 of 18 PageiD: 5030 Compliance Reporting. Delivery must occur within fourteen (14) days of entry of this Order for current personnel. For all other personnel, delivery must occur before they assume their responsibilities.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.15_wyndham_worldwide_corporation",
      "company_name": "Wyndham Worldwide Corporation",
      "date_issued": "2015-12-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), enforced through Section 13(b) of the FTC Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation",
      "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Wyndham Worldwide Corporation, Wyndham Hotel Group LLC, and Hotels and Resorts must each submit an initial compliance report one year after entry and ongoing compliance notices within 14 days of any relevant structural or contact changes for 10 years.",
      "verbatim_text": "A. One year after entry of this Order, Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts each must submit a compliance report certified as truthful by a senior corporate officer with the requisite corporate and organizational authority that (a) identifies the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with that Defendant; (b) identifies all of that Defendant's United States businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describes the activities of that Defendant's business and the involvement of any other Defendant; (d) describes in detail (either directly or by incorporating by reference a Part ll.A. Assessment) whether and how that Defendant is in compliance with each Part of this Order; and (e) provides a copy of each Order Acknowledgement obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For ten (I 0) years after entry of this Order, each of Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts must submit a compliance notice within fourteen (14) days of any change in the following: 11 Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 12 of 18 PageiD: 5031 (a) any designated point of contact; or (b) the structure of that Defendant or any entity that that Defendant bas any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, assignment, sale, merger, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any act or practice subject to this Order.\n\nC. 
Unless otherwise directed by a representative of the Commission in writing, all submissions to the Commission pursuant to this Order shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin; FTC v. Wyndham Worldwide Corp., et al., Fl'C File No. X120032.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.15_wyndham_worldwide_corporation",
      "company_name": "Wyndham Worldwide Corporation",
      "date_issued": "2015-12-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), enforced through Section 13(b) of the FTC Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation",
      "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Wyndham Worldwide Corporation, Wyndham Hotel Group LLC, and Hotels and Resorts must maintain all materials relied upon to prepare each Assessment for three years after preparation of that Assessment and make them available to the Commission upon request.",
      "verbatim_text": "IT IS FURTHER ORDERED that Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts shall maintain and upon request make available to the Commission for inspection and copying, a print or electronic copy of: A. For a period of three (3) years after the date of preparation of each Assessment required under Part n of this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Hotels and Resorts, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relied upon to prepare the Assessment.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.15_wyndham_worldwide_corporation",
      "company_name": "Wyndham Worldwide Corporation",
      "date_issued": "2015-12-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), enforced through Section 13(b) of the FTC Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation",
      "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to seek civil discovery using Federal Rules of Civil Procedure to monitor compliance, and may use compulsory process under the FTC Act; this Part applies as long as Defendants have obligations under Parts I or II, plus three years thereafter.",
      "verbatim_text": "A. The Commission is authorized to seek discovery, without further leave of Court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69. Defendants may assert any and all objections, defenses, rights, or privileges in the Federal Rules of Civil Procedure, the Federal Rules of Evidence, or any other applicable law, as to any such discovery request.\n\nB. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-l. Defendants may assert any and all objections, defenses, rights, or privileges available to them, as to any such process.\n\nC. This Part shall apply so long as Defendants are subject to any obligation in Part I or II of this Order, and for three years thereafter.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.15_wyndham_worldwide_corporation",
      "company_name": "Wyndham Worldwide Corporation",
      "date_issued": "2015-12-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), enforced through Section 13(b) of the FTC Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation",
      "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)"
    },
    {
      "provision_number": "VII",
      "title": "Wyndham Worldwide Corporation and Wyndham Hotel Group, LLC Parent Obligations",
      "category": "affirmative_obligation",
      "summary": "Wyndham Worldwide Corporation and Wyndham Hotel Group LLC must ensure Hotels and Resorts complies with this Order for as long as they hold Hotels and Resorts as a subsidiary, but no longer than 20 years; their obligations cease immediately if Hotels and Resorts is no longer their subsidiary.",
      "verbatim_text": "IT IS FURTHER ORDERED that, so long as Wyndham Worldwide Corporation or Wyndham Hotel Group, LLC directly or indirectly holds Hotels and Resorts as a subsidiary, but in any event no longer than 20 years after entry of this Order, it shall ensure that Hotels and Resorts complies with this Order. In the event Wyndham Worldwide Corporation or Wyndham Hotel Group, LLC no longer directly or indirectly holds Hotels and Resorts as a subsidiary, but in any event no later than 20 years after entry of this Order, the obligations of Wyndham 13 Case 2:13-cv-01887 -ES-JAD Document 283 Filed 12/11115 Page 14 of 18 PageiD: 5033 Worldwide Corporation and Wyndham Hotel Group, LLC under this Order shall cease immediately.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.15_wyndham_worldwide_corporation",
      "company_name": "Wyndham Worldwide Corporation",
      "date_issued": "2015-12-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), enforced through Section 13(b) of the FTC Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation",
      "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)"
    },
    {
      "provision_number": "VIII",
      "title": "Retention of Jurisdiction",
      "category": "duration",
      "summary": "The Court retains and has exclusive jurisdiction over this matter for purposes of modification and enforcement of this Order.",
      "verbatim_text": "IT IS Fl.JRTHER ORDERED that this Court shall and does retain jurisdiction of this matter for purposes of, and shall have exclusive jurisdiction over, any matter or proceeding involving or relating to the modification and/or enforcement of this Order.",
      "violation_type": "both",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.15_wyndham_worldwide_corporation",
      "company_name": "Wyndham Worldwide Corporation",
      "date_issued": "2015-12-15",
      "year": 2015,
      "administration": "Obama",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), enforced through Section 13(b) of the FTC Act, 15 U.S.C. § 53(b)",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation",
      "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)"
    },
    {
      "provision_number": "I",
      "title": "Prohibition against Misrepresentations about Covered Information",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, expressly or by implication, the extent to which he protects the privacy and confidentiality of Covered Information, including how it is collected, used, shared, or sold, and the purposes for doing so.",
      "verbatim_text": "IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service must not misrepresent in any manner, expressly or by implication, the extent to which they protect the privacy and confidentiality of any Covered Information, including: A. The extent to which they collect, use, share, or sell any Covered Information; and\n\nB. The purposes for which they collect, use, share, or sell any Covered Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.19_aleksandr_kogan_and_alexander_nix",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "C-4693, C-4694"
    },
    {
      "provision_number": "II",
      "title": "Required Deletion of Data",
      "category": "affirmative_obligation",
      "summary": "Respondent must provide a sworn written statement identifying all persons with whom GSRApp Covered Information was shared, delete or destroy all such Covered Information and derived work products, and confirm the deletion in a sworn statement to the Commission.",
      "verbatim_text": "A. Provide, within ten (10) days from the effective date of this Order, the Commission with a written statement, sworn under penalty of perjury, providing the name, address, and phone number for each person with whom Respondent shared any Covered Information collected from consumers through GSRApp, and any information that originated, in whole or in part, from this Covered Information;\n\nB. Delete or destroy all Covered Information collected from consumers though GSRApp, and any information or work product, including any algorithms or equations, that originated, in whole or in part, from this Covered Information. Such deletion or destruction must occur within ten (10) days of the effective date of this Order, or if such information is in the possession of a government regulatory or law enforcement agency, including the United Kingdom’s Information Commissioner’s Office, as of the effective date of this Order, within ten (10) days after the Covered Information is returned to Respondent. Provided, however, that such Covered Information, or any information that originated in whole or in part from such Covered Information, need not be deleted or destroyed for so long as requested by a government agency or otherwise required by regulation, court order or other legal obligation; and\n\nC. Provide a written statement to the Commission, sworn under penalty of perjury, confirming the foregoing. This statement must be provided: (1) within thirty (30) days after the effective date of the Order; or, if applicable, (2) within thirty (30) days after the Covered Information is returned to Respondent from a government regulatory or law enforcement agency, or within thirty (30) days after any legal obligation to preserve the Covered Information has ended.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "12.19_aleksandr_kogan_and_alexander_nix",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "C-4693, C-4694"
    },
    {
      "provision_number": "III",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt of the Order to the Commission, deliver copies to relevant personnel and business entities, and collect signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For five (5) years after the issuance date of this Order, Respondent for any business that he, individually or collectively with any other Respondents, is the majority owner or controls directly or indirectly, must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, he must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.19_aleksandr_kogan_and_alexander_nix",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "C-4693, C-4694"
    },
    {
      "provision_number": "IV",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must submit a sworn annual compliance report one year after issuance, provide sworn notices of any material changes within 14 days, and report any bankruptcy filing within 14 days; all submissions must meet specified format and delivery requirements.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Respondent must: (a) identify all his telephone numbers and all his physical, postal, email and Internet addresses, including all residences; (b) identify all his business activities, including any business for which he performs services, whether as an employee or otherwise, and any entity in which he has any ownership interest; (c) describe in detail his involvement in each such business activity, including title, role, responsibilities, participation, authority, control, and any ownership; (d) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (e) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (f) describe the activities of each business, including the goods and services offered, and the means of advertising, marketing, and sales, and the involvement of any other Respondent (which Respondent must describe if he knows or should know due to his own involvement); (g) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (h) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For five (5) years after the issuance date of this Order, Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: 1. Respondent must submit notice of any change in: (a) name, including alias or fictitious name, or residence address; (b) title or role in any business activity, including (i) any business for which he performs services whether as an employee or otherwise and (ii) any entity in which he has any ownership interest. For each such business activity, also identify its name, physical address, and any Internet address; (c) any designated point of contact; or (d) the structure of any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Cambridge Analytica, LLC, et al., Docket No. [XXXX].",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.19_aleksandr_kogan_and_alexander_nix",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "C-4693, C-4694"
    },
    {
      "provision_number": "V",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specified business records for five years, including accounting records, personnel records, consumer complaints, marketing materials, privacy-related representations, law enforcement communications, and all compliance records.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each unique advertisement, other marketing material, or widely disseminated statement making a representation subject to this Order;\n\nE. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent collects, uses, shares, or sells Covered Information, or the purpose for which Respondent collects, uses, shares, or sells any Covered Information;\n\nF. For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondent’s compliance with this Order; and\n\nG. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.19_aleksandr_kogan_and_alexander_nix",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "C-4693, C-4694"
    },
    {
      "provision_number": "VI",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission may monitor Respondent's compliance by requiring additional reports and records within 10 days of request, communicating directly with and interviewing affiliated persons, and using lawful investigative means including undercover methods.",
      "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.19_aleksandr_kogan_and_alexander_nix",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "C-4693, C-4694"
    },
    {
      "provision_number": "VII",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order becomes final upon publication on the FTC website and terminates twenty years from issuance, or twenty years from the most recent date the Commission files a federal court complaint alleging a violation, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate twenty (20) years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order’s application to Individual Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.19_aleksandr_kogan_and_alexander_nix",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5 of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "C-4693, C-4694"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Covered Information",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, the extent to which it protects the privacy and confidentiality of Covered Information, including misrepresentations about how it collects, uses, shares, or sells such information, or the purposes for doing so.",
      "verbatim_text": "IT IS ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service must not misrepresent in any manner, expressly or by implication, the extent to which they protect the privacy and confidentiality of any Covered Information, including:\n\nA. The extent to which they collect, use, share, or sell any Covered Information; and\n\nB. The purposes for which they collect, use, share, or sell any Covered Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.19_cambridge_analytica",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "D09383"
    },
    {
      "provision_number": "II",
      "title": "Prohibition Against Misrepresentations About Privacy or Security Program Participation",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent, in any manner, whether it is a member of, adheres to, is certified by, or otherwise participates in any government or self-regulatory privacy or security program, including EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, and APEC Cross-Border Privacy Rules.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service must not misrepresent in any manner, expressly or by implication, the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework, the Swiss-U.S. Privacy Shield framework, and the APEC Cross-Border Privacy Rules.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.19_cambridge_analytica",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "D09383"
    },
    {
      "provision_number": "III",
      "title": "Requirement to Meet Continuing Obligations Under Privacy Shield",
      "category": "affirmative_obligation",
      "summary": "Respondent must not retain personal information from EU residents obtained while participating in the EU-U.S. Privacy Shield framework unless it either affirms continued adherence to Privacy Shield principles (or an authorized alternative) with the Department of Commerce within 10 days, or returns or deletes the information within 10 days.",
      "verbatim_text": "A. Affirms to the Department of Commerce, within ten (10) days after the effective date of this Order and on an annual basis thereafter for as long as it retains such information, that it will: 1. Continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or 2. Protect the information by another means authorized under EU (for the EU-U.S. Privacy Shield framework) or Swiss (for the Swiss-U.S. Privacy Shield framework) law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission. For purposes of this subprovision, Respondent does not possess or control personal information in the possession of a government regulatory or law enforcement agency, including the United Kingdom’s Information Commissioner’s Office; or\n\nB. Returns or deletes the information within ten (10) days after the effective date of this Order; or if, as of the effective date of this Order, the information is in the possession of a government regulatory or law enforcement agency, including the United Kingdom’s Information Commissioner’s Office, returns or deletes the information within ten (10) days after the information is returned to Respondent.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.19_cambridge_analytica",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "D09383"
    },
    {
      "provision_number": "IV",
      "title": "Required Deletion of Data",
      "category": "affirmative_obligation",
      "summary": "Respondent must identify all parties with whom GSRApp-collected Covered Information was shared, delete all such Covered Information and derived work product including algorithms, and provide sworn written confirmation of compliance to the Commission.",
      "verbatim_text": "A. Provide, within ten (10) days from the effective date of this Order, the Commission with a written statement, sworn under penalty of perjury, providing the name, address, and phone number for each person with whom Respondent shared any Covered Information collected from consumers through GSRApp, and any information that originated, in whole or in part, from this Covered Information;\n\nB. Delete or destroy all Covered Information collected from consumers through GSRApp, and any information or work product, including any algorithms or equations, that originated, in whole or in part, from this Covered Information. Such deletion or destruction must occur within ten (10) days of the effective date of this Order, or if such information is in the possession of a government regulatory or law enforcement agency, including the United Kingdom’s Information Commissioner’s Office, as of the effective date of this Order, within ten (10) days after the Covered Information is returned to Respondent. Provided, however, that such Covered Information, or any information that originated in whole or in part from such Covered Information, need not be deleted or destroyed for so long as requested by a government agency or otherwise required by regulation, court order or other legal obligation; and\n\nC. Provide a written statement to the Commission, sworn under penalty of perjury, confirming the foregoing. This statement must be provided: (1) within thirty (30) days after the effective date of the Order; or, if applicable, (2) within thirty (30) days after the Covered Information is returned to Respondent from a government regulatory or law enforcement agency, or within thirty (30) days after any legal obligation to preserve the Covered Information has ended.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion",
        "Algorithmic Destruction"
      ],
      "case_id": "12.19_cambridge_analytica",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "D09383"
    },
    {
      "provision_number": "V",
      "title": "Duty to Protect Covered Information",
      "category": "prohibition",
      "summary": "Respondent is permanently restrained and enjoined from disclosing, using, selling, or receiving any benefit from Covered Information or any information derived from Covered Information.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are permanently restrained and enjoined from disclosing, using, selling, or receiving any benefit from Covered Information or any information that originated, in whole or in part, from this Covered Information.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.19_cambridge_analytica",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "D09383"
    },
    {
      "provision_number": "VI",
      "title": "Access to Corporate Documents and Data",
      "category": "monitoring",
      "summary": "Respondent must make all correspondence, financial data, documents, computer equipment, and electronically stored information available to the Commission for inventory and copying, must provide access credentials for any computer equipment or electronic data, and must notify the Commission before abandoning any corporate books or records.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent shall make available to the Commission, for inventory and copying, all correspondence, email, financial data including tax returns, and any other documents, computer equipment, and electronically stored information, in Respondent’s possession, custody, or control, that contain information about Respondent’s role and assets at the Commission’s expense. The Commission shall return each item produced for inventory or copying to Respondent within ten (10) business days from the date and time of Respondent’s delivery of each such item.\n\nIT IS FURTHER ORDERED that Respondent, to the extent it has possession, custody, or control of computer equipment or electronically stored information described above, shall provide the Commission with any necessary means of access to the computer equipment or electronically stored information, including, but not limited to, computer access codes and passwords.\n\nIT IS FURTHER ORDERED that Respondent shall provide notice to the Commission of the proposed abandonment of any corporate books or records of Respondent.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.19_cambridge_analytica",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "D09383"
    },
    {
      "provision_number": "VII",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order becomes final and effective 60 days after service and terminates on November 25, 2039, or 20 years from the most recent date the Commission files a complaint alleging a violation of the Order in federal court, whichever is later, subject to specified exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that the final and effective date of this Order is the 60th day after this Order is served. This Order will terminate on November 25, 2039, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.19_cambridge_analytica",
      "company_name": "Cambridge Analytica, LLC",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter",
      "docket_number": "D09383"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations About Covered Information and Consumer Emails",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent in any manner how it accesses, collects, uses, stores, or shares Covered Information or Consumer Emails in connection with any Covered Product.",
      "verbatim_text": "IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any Covered Product must not misrepresent in any manner, expressly or by implication, the extent to which it accesses, collects, uses, stores, or shares Covered Information or Consumer Emails.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.19_unrollme",
      "company_name": "Unrollme Inc.",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter",
      "docket_number": "C-4692"
    },
    {
      "provision_number": "II",
      "title": "Required Notification About Consumer Email Access",
      "category": "affirmative_obligation",
      "summary": "Respondent must directly notify all active Covered Consumers whose email purchase receipts are accessed for market research, by sending a specific email within 10 days of the Order's entry.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must directly notify all Covered Consumers, who are not Inactive Users, and from whom Respondent or its parent access or collect email purchase receipts for use in market research products of the fact that Respondent or its parent access or collect email purchase receipts for use in market research products that are sold to third parties. Notification must be made by an email, consisting solely of the information contained in Exhibit A, sent within ten (10) days of the entry of this Order, with the subject line “Update: How We Use and Share Your Information” and without any other materials accompanying the email.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "12.19_unrollme",
      "company_name": "Unrollme Inc.",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter",
      "docket_number": "C-4692"
    },
    {
      "provision_number": "III",
      "title": "Required Deletion of Data",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete all stored email purchase receipts and associated Covered Information collected from Covered Consumers who enrolled prior to June 1, 2017, within 10 days of the Order's entry, unless the consumer provides affirmative express consent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, and its officers, agents, and employees who receive actual notice of this Order must, within ten (10) days from the date of entry of this Order, delete from Respondent and Respondent’s parent’s commercial production systems all stored email purchase receipts, and Covered Information or other content obtained from these receipts, that was collected from Covered Consumers who enrolled in a Covered Product prior to June 1, 2017, unless such consumer provides affirmative, express consent to such storage.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "12.19_unrollme",
      "company_name": "Unrollme Inc.",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter",
      "docket_number": "C-4692"
    },
    {
      "provision_number": "IV",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit a sworn acknowledgment of receipt of this Order to the Commission and deliver copies of the Order to relevant personnel, then collect signed acknowledgments from each recipient.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 10 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order, and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.19_unrollme",
      "company_name": "Unrollme Inc.",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter",
      "docket_number": "C-4692"
    },
    {
      "provision_number": "V",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file a sworn compliance report one year after the Order's issuance, submit timely notices of any material changes in contact information or corporate structure, and notify the Commission of any bankruptcy filings.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (2) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services offered; (4) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. 
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Unrollme Inc., 1723139.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.19_unrollme",
      "company_name": "Unrollme Inc.",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter",
      "docket_number": "C-4692"
    },
    {
      "provision_number": "VI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain specific business, personnel, consumer complaint, user-interface, and compliance records for prescribed periods of up to 10 years.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for 10 years after the issuance date of the Order, and retain each such record for 5 years, unless otherwise specified below. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. copies or records of all consumer complaints, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each unique screenshot, screencast or equivalent record of the (1) online and mobile user interface for the enrollment process of a Covered Product; and of (2) each part of Respondent’s website that makes a representation subject to this Order, including screenshots, screencasts or equivalent records that show how the user navigated to access the statement or representation (e.g., a screenshot showing the link to the statement, and a screenshot of the statement itself);\n\nE. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.19_unrollme",
      "company_name": "Unrollme Inc.",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter",
      "docket_number": "C-4692"
    },
    {
      "provision_number": "VII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, interviewing affiliated personnel, and using undercover methods, including posing as consumers or suppliers.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.19_unrollme",
      "company_name": "Unrollme Inc.",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter",
      "docket_number": "C-4692"
    },
    {
      "provision_number": "VIII",
      "title": "Order Effective Dates and Duration",
      "category": "duration",
      "summary": "The Order becomes final upon publication on the FTC's website and terminates 20 years from its issuance date, or 20 years from the most recent date a federal court complaint alleging a violation is filed, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.19_unrollme",
      "company_name": "Unrollme Inc.",
      "date_issued": "2019-12-15",
      "year": 2019,
      "administration": "Trump (1st)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter",
      "docket_number": "C-4692"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondents must not misrepresent how they review data suppliers' consent frameworks, how they collect or handle Covered Information, or the extent to which their Location Data is deidentified.",
      "verbatim_text": "IT IS ORDERED that Respondents and Respondents’ officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, promotion, offering for sale, sale, or distribution of any product or service, must not misrepresent, in any manner, expressly or by implication: A. The extent to which Respondents review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt in controls;\n\nB. The extent to which Respondents collect, use, maintain, disclose, or delete any Covered Information; and\n\nC. The extent to which the Location Data that Respondents collect, use, maintain, or disclose is Deidentified.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "II",
      "title": "Prohibitions on the Use, Sale, or Disclosure of Sensitive Location Data",
      "category": "prohibition",
      "summary": "Respondents must not sell, license, transfer, share, disclose, or use in any products or services Sensitive Location Data associated with identified Sensitive Locations, subject to limited exceptions.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, and employees, whether acting directly or indirectly, must not sell, license, transfer, share, disclose, or otherwise use in any products or services Sensitive Location Data associated with the Sensitive Locations that Respondents have identified within 90 days of the effective date of this Order as part of the Sensitive Locations Data Program established and maintained pursuant to Provision III below. Provided, however, that the prohibitions in this Provision II do not apply if Respondents: (i) use Sensitive Location Data to convert such data into data that (a) is not Sensitive Location Data or (b) is not Location Data; or (ii) have a direct relationship with the consumer related to the Sensitive Location Data, the consumer has provided Affirmative Express Consent, and the Sensitive Location Data is used to provide a service directly requested by the consumer.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "III",
      "title": "Sensitive Location Data Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish and maintain a Sensitive Location Data Program within 90 days that develops a comprehensive list of Sensitive Locations and prevents the use, sale, or disclosure of Sensitive Location Data.",
      "verbatim_text": "A. Document in writing the components of the Sensitive Location Data Program as well as the plan for implementing and maintaining the Sensitive Location Data Program;\n\nB. Identify a senior officer, such as a Chief Privacy Officer or Chief Compliance Officer, to be responsible for the Sensitive Location Data Program. The senior officer will be approved by and report directly to the board of directors or a committee thereof or, if no such board or equivalent body exists, to the principal executive officer of Respondents;\n\nC. Provide the written program and any evaluations thereof or updates thereto to Respondents’ board of directors or governing body or, if no such board or equivalent body exists, to the principal executive officer of Respondents at least every twelve months;\n\nD. Develop and implement procedures to identify Sensitive Locations to be used by Respondents in preventing the sale, license, transfer, use, or other sharing or disclosure of Sensitive Location Data as provided in Provision II above. If a building or place is identified as including both a Sensitive Location and a non-Sensitive Location, Respondents may associate Location Data with the non-Sensitive Location only;\n\nE. Assess, update, and document, at least once every three months, the accuracy and completeness of Respondents’ list of Sensitive Locations. Respondents’ assessments must include: 1. Verifying that Respondents’ list includes Sensitive Locations known to Respondents; 2. Identifying and assessing methods, sources, products, and services developed by Respondents or offered by third parties that identify Sensitive Locations; 3. Updating its list of Sensitive Locations by selecting and using the methods, sources, products, or services developed by Respondents or offered by third parties that are accurate and comprehensive in identifying Sensitive Locations; 4. 
Considering new categories of Sensitive Locations, not enumerated in the definition of Sensitive Locations, such as those based on an announcement by a self-regulatory association. Respondents must determine whether to add the newly identified categories to Respondents’ list of Sensitive Locations and, as applicable, complete these additions within the time frames specified in Section III.G; and 5. Documenting each step of this assessment, including the reasons Respondents selected the methods, sources, products, or services used in updating Respondents’ list of Sensitive Locations.\n\nF. Implement policies, procedures, and technical measures designed to prevent Respondents from using, selling, licensing, transferring, or otherwise sharing or disclosing Sensitive Location Data as provided in Provision II above, and monitor and test the effectiveness of these policies, procedures, and technical measures at least once every three months. Such testing must be designed to verify that Respondents are not using, selling, licensing, transferring, or otherwise sharing or disclosing Sensitive Location Data;\n\nG. Initiate the process of deleting or rendering non-sensitive Sensitive Location Data associated with locations included in the list developed pursuant to Subparts D and E, within 2 days of adding the location to the list of Sensitive Locations, and complete the process within 30 days of initiation, except where retention is needed to fulfill an allowed purpose as provided in Provision II above. The time period to complete this process may be extended by additional 30 days periods (not to exceed 90 total days) when reasonably necessary, provided the Respondents document at each interval, the reasons for the extension and the progress made, and Respondents must not use, provide access to, or disclose Sensitive Location Data during the process of deleting or rendering non-sensitive, for any other purpose; and\n\nH. 
Evaluate and adjust the Sensitive Location Data Program in light of any changes to Respondents’ operations or business arrangements, or any other circumstance that Respondents know or have reason to know may have an impact on the Sensitive Location Data Program’s effectiveness. At a minimum, Respondents must evaluate the Sensitive Location Data Program every twelve months and implement modifications based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Surveillance"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "IV",
      "title": "Other Location Data Obligations",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish policies and technical measures within 90 days to prevent association of Location Data with LGBTQ+ service locations, political demonstration locations, or use to identify individual home addresses, and must impose equivalent contractual restrictions on recipients.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, within 90 days of the effective date of this Order, must establish and implement and thereafter maintain policies, procedures, and technical measures designed to prevent Respondents or recipients of Respondents’ Location Data, for any such Location Data received after the effective date of this Order, from (i) associating such data with (a) locations held out to the public as predominantly providing services to LGBTQ+ individuals such as service organizations, bars, and nightlife, or (b) locations of public gatherings of individuals during political or social demonstrations, marches, and protests; or (ii) using such Location Data to determine the identity or the location of an individual’s home, i.e., the location of any individual’s private residences (e.g., single family homes, apartments, condominiums, townhomes) (together, “Prohibited Uses”). Respondents must identify a senior officer, such as a Chief Privacy Officer or Chief Compliance Officer, to be responsible for these policies, procedures, and technical measures. With respect to recipients of Respondents’ Location Data, such policies, procedures, and technical measures shall include:\n\n1. 
Contractual prohibitions against recipients of Respondents’ Location Data from using Respondents’ Location Data in whole or in part to associate a specific individual with the locations identified above, and contractual obligations on recipients of Respondents’ Location Data requiring such recipients to impose equivalent prohibitions on any third parties to whom the recipient resells, transfers, or discloses Respondent’s Location Data in its Raw Format; Provided, however, reselling does not include a recipient receiving Location Data on behalf of a designated end user, for which end user Respondents have implemented policies, procedures, and technical measures required by this Provision IV, and the end user has (a) contractually agreed to the prohibitions against reselling; and (b) contractually agreed not to engage in Prohibited Uses;\n\n2. Marking techniques, such as seeding or salting, designed to detect recipients’ non-compliance with any contractual prohibitions against resale or re-license of Respondents’ Location Data;\n\n3. Assessing and documenting recipients’ compliance at least once every twelve months for as long as the recipient retains a copy of Respondents’ Location Data; and\n\n4. Terminating relationships with recipients for non-compliance.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "V",
      "title": "Third-Party Incident Reports",
      "category": "compliance_reporting",
      "summary": "Respondents must submit a report to the FTC within 30 days of determining that a Third-Party Incident has occurred, including details about the incident's nature, scope, affected consumers, and remediation steps.",
      "verbatim_text": "IT IS FURTHER ORDERED that within 30 days of any Respondent’s determination that a Third-Party Incident has occurred, Respondents must submit a report to the Commission. The report must include, to the extent possible: A. The estimated date range when the Third-Party Incident occurred; B. A description of the facts relating to the Third-Party Incident, including the causes of the Third-Party Incident, if known, and participants; C. A description of each type of information that was affected by the Third-Party Incident; D. The numbers of consumers whose information was affected by the Third-Party Incident; E. The acts Respondents has taken to date to remediate the Third-Party Incident and protect Covered Information from further exposure or access; and F. Unless otherwise directed by a Commission representative in writing, Respondents must submit all Third-Party Incident reports to the Commission under penalty of perjury as specified in the Section of this Order titled “Compliance Report and Notices.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "VI",
      "title": "Limitations on Collection, Use, Maintenance, and Disclosure of Location Data",
      "category": "prohibition",
      "summary": "Respondents must not collect, use, maintain, or disclose Location Data from consumers who have opted out of tracking via mobile OS privacy settings, and within 90 days must not collect or use any Location Data without a documented record of consumer consent.",
      "verbatim_text": "A. Collect, use, maintain, or disclose Location Data from devices where a consumer has enabled the mobile operating system privacy settings to opt out of, limit, or otherwise decline targeted advertising or tracking, without a record satisfying the requirements in Provision VII.B, documenting the consumer’s consent.\n\nB. Within 90 days of the effective date of this Order, collect, use, maintain, or disclose an individual's Location Data without a record satisfying the requirements in Provision VII.B, documenting the consumer’s consent obtained prior to Respondents' collection or use of Location Data.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy",
        "Surveillance"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "VII",
      "title": "Supplier Assessment Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must implement a Supplier Assessment Program within 90 days to ensure consumers have consented to the collection and use of their precise location data, including documented assessments of all data suppliers and cessation of use of non-consented data.",
      "verbatim_text": "A. Document in writing the content, implementation, and maintenance of the Supplier Assessment Program;\n\nB. Conduct an initial assessment either within 30 days of a third party entering into data sharing agreements with Respondents (or, for parties with existing data-sharing agreements, within 30 days of the effective date of this Order) or within 30 days of the initial date of data collection from such a third party, and thereafter annually, designed to confirm that consumers provide Affirmative Express Consent if feasible or to confirm that consumers specifically consent to the collection, use, and disclosure of all data that may reveal a mobile device or a consumer’s precise location;\n\nC. Create and maintain records of the suppliers’ responses obtained by Respondents under the Supplier Assessment Program; and\n\nD. Cease from using, selling, licensing, transferring, or otherwise sharing or disclosing all data that may reveal a mobile device or consumer’s precise location for which consumers have not provided consent, as provided in Provision VII.B above.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "VIII",
      "title": "Disclosures to Consumers",
      "category": "affirmative_obligation",
      "summary": "Respondents must provide consumers with a clear and conspicuous means to request the identity of entities to whom their Location Data was sold or disclosed, or alternatively provide a mechanism for consumers to request deletion of their Location Data from all recipients' databases.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must provide a Clear and 9 Conspicuous means for consumers to request the identity of any entity, business, or individual as to which Respondents have knowledge that consumers’ Location Data was sold, transferred, licensed, or otherwise disclosed. Respondents may require consumers to provide Respondents with information reasonably necessary to complete such requests and to verify their identity, but must not use, provide access to, or disclose any information collected for such a request for any other purpose.\n\nProvided however, that the Disclosure requirements in this Provision VIII do not apply if Respondents provide consumers with a Clear and Conspicuous method to submit a request to delete their Location Data from the commercial databases of all recipients of such Location Data, expressly instruct (or contractually require) such recipients to honor such requests sent or made available to them by Respondents, expressly request (or contractually demand) written confirmation of deletion of the identified Location Data, and provide consumers with written confirmation of such deletion requests or instructions sent to recipients and written confirmation of deletion from recipients (where confirmed), no later than 90 days after the receipt of consumers’ requests. Respondents may require consumers to provide Respondents with information reasonably necessary to complete such requests and to verify their identity, but must not use, provide access to, or disclose any information collected for such a request for any other purpose.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "IX",
      "title": "Withdrawing Consent",
      "category": "affirmative_obligation",
      "summary": "Respondents must provide consumers with a simple, easily-located means to withdraw consent to Respondents' use or disclosure of their Location Data.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, employees, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, must provide a simple, easily- located means for consumers to withdraw consent to Respondents’ use or disclosure of their device’s Location Data. Such means may include a Clear and Conspicuous notice or link to an applicable operating system or device setting. Respondents may require consumers to provide Respondents with information necessary to complete such requests, but Respondents must not use, provide access to, or disclose any information collected for such a request for any other purpose.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "X",
      "title": "Obligations When Consent is Withdrawn",
      "category": "affirmative_obligation",
      "summary": "Respondents must cease using and disclosing all Location Data associated with a specific device within 15 days after receiving notice that a consumer has withdrawn their consent.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents, and Respondents’ officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must cease using and disclosing all Location Data associated with a specific device within 15 days after Respondents receive notice that the consumer has withdrawn their consent through the means required by Provision IX.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "XI",
      "title": "Location Data Deletion Requests",
      "category": "affirmative_obligation",
      "summary": "Respondents must implement a simple, clear means for consumers to request deletion of their Location Data and must complete such deletions within 30 days of receiving a request.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must implement and maintain a simple and Clear and Conspicuous means for consumers to request that Respondents delete 10 Location Data that Respondents previously collected about their mobile device, and delete such Location Data within 30 days of receipt of such request unless a shorter period for deletion is required by law. Respondents shall create and maintain a process by which a deletion request provided to one Respondent is treated as notice to both Respondents. Respondents may require consumers to provide Respondents with information necessary to complete such requests, but must not use, provide access to, or disclose any information collected for a deletion request for any other purpose.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "XII",
      "title": "Data Retention Limits",
      "category": "affirmative_obligation",
      "summary": "Respondents must document, publish, and adhere to a publicly available retention schedule for Covered Information within 60 days, submit it to the Commission, and update the schedule before collecting new types of consumer information.",
      "verbatim_text": "A. Within 60 days of the effective date of this Order, document, adhere to, and make publicly available through a link on the home page of their website(s), in a manner that is Clear and Conspicuous, a retention schedule for Covered Information, setting forth: (1) the purpose or purposes for which each type of Covered Information is collected or used; (2) the specific business needs for retaining each type of Covered Information; and (3) an established timeframe for deletion of each type of Covered Information limited to the time reasonably necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information;\n\nB. Within 60 days of the effective date of this Order, Respondents shall provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, describing the retention schedule for Covered Information made publicly available on its website(s); and\n\nC. Prior to collecting or using any new type of information related to consumers that was not being collected as of the issuance date of this Order, and is not described in retention schedules published in accordance with sub-Provision A of this Provision entitled Data Retention Limits, Respondents must update its retention schedule setting forth: (1) the purpose or purposes for which the new information is collected; (2) the specific business needs for retaining the new information; and (3) a set timeframe for deletion of the new information that precludes indefinite retention.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "XIII",
      "title": "Deletion",
      "category": "affirmative_obligation",
      "summary": "Respondents must delete all Historic Location Data within 60 days and all Data Products within 90 days, notify customers who received Historic Location Data, and submit confirmations to the Commission, unless they can document valid consumer consent or deidentify the data.",
      "verbatim_text": "A. Within 60 days after the effective date of this Order, delete or destroy all Historic Location Data, and provide a written statement to the Commission, pursuant to Provision XVI.D, confirming that all such information has been deleted or destroyed;\n\nB. Within 90 days after the effective date of this Order, (i) inform Respondents’ customers that received Historic Location Data within 3 years prior to the issuance date of this Order, of the FTC's requirement in Provision XIII.A that the FTC requires such data to be deleted, Deidentified, or rendered non-sensitive, and (ii) Respondents shall promptly submit, within 10 days of sending to its customers, all such notices to the Commission under penalty of perjury as specified in the Provision of this Order titled “Compliance Report and Notices”; and\n\nC. Within 90 days after the effective date of this Order, delete or destroy all Data Products, and provide a written statement to the Commission, pursuant to Provision XVI.D, confirming such deletion or destruction.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "XIV",
      "title": "Mandated Privacy Program",
      "category": "affirmative_obligation",
      "summary": "Respondents must establish and maintain a comprehensive privacy program within 60 days that includes written documentation, board-level reporting, designated employee responsibility, annual risk assessments, safeguards implementation, employee training, and ongoing testing and adjustment.",
      "verbatim_text": "A. Document in writing the content, implementation, and maintenance of the Program;\n\nB. Provide the written program, and any evaluations thereof or updates thereto to Respondents’ board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondents responsible for the Program at least once every 12 months;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Program;\n\nD. Assess and document, at least once every 12 months, internal and external risks to the privacy of Covered Information that could result in the unauthorized collection, maintenance, use, disclosure of, or provision of access to Covered Information.\n\nE. Design, implement, maintain, and document safeguards that control for the material internal and external risks Respondents identify to the privacy of Covered Information identified in response to Provision XIV.D. Each safeguard must be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk 12 could be realized and result in the unauthorized collection, maintenance, use, disclosure of, or provision of access to Covered Information.\n\nF. On at least an annual basis, provide privacy training programs for all employees and independent contractors responsible for handling or who have access to Covered Information, updated to address any identified material internal or external risks and safeguards implemented pursuant to this Order;\n\nG. Test and monitor the effectiveness of the safeguards at least once every 12 months, and modify the Program based on the results; and\n\nH. 
Evaluate and adjust the Program in light of any changes to Respondents’ operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in Provision XIV.D of this Order, or any other circumstances that Respondents know or have reason to believe may have an impact on the effectiveness of the Program or any of their individual safeguards. At a minimum, Respondents must evaluate the Program at least once every 12 months and modify the Program based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "XV",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondents must submit sworn acknowledgments of receipt of the Order to the FTC within 10 days, deliver copies to all principals, relevant employees, and agents within 10 days (and to new personnel before they assume responsibilities), and obtain signed acknowledgments within 30 days of delivery.",
      "verbatim_text": "A. Respondents, within 10 days after the effective date of this Order, must submit to the Commission acknowledgments of receipt of this Order sworn under penalty of perjury.\n\nB. For 5 years after the issuance date of this Order, Respondents must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of this Order, and all agents and representatives having managerial responsibilities for the conduct related to the subject matter of this Order; and (3) any business entity resulting from any change in structure as set forth in Provision XVI titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondents delivered a copy of this Order, Respondents must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "XVI",
      "title": "Compliance Report and Notices",
      "category": "compliance_reporting",
      "summary": "Respondents must submit a sworn compliance report one year after issuance, notify the Commission within 14 days of changes to contact information or corporate structure, notify the Commission within 14 days of any bankruptcy filing, and submit all required filings electronically to the FTC.",
      "verbatim_text": "A. One year after the issuance date of this Order, each of the Respondents must submit a compliance report, sworn under penalty of perjury, in which the Respondents must: 13 (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondents; (2) identify all of the Respondents’ businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (4) describe in detail whether and how the Respondents are in compliance with each Provision of this Order, including a discussion of all of the changes the Respondents made to comply with the Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. The Respondents must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of the Respondents or any entity that Respondents have any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. The Respondents must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against either Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. 
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Gravy Analytics, Inc. & Venntel, Inc., FTC File No. 212-3035.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "XVII",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondents must create and retain for 5 years specified records including accounting records, personnel records, consumer complaints, law enforcement communications, representations about data practices, and records documenting compliance with key Order provisions.",
      "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies of all consumer complaints that relate to the collection, use, maintenance, or disclosure of Covered Information, whether received directly or indirectly, such as through a third party, and any response;\n\nD. For 5 years from the date received, copies of communications from law enforcement, if such communications request information or documents relating to Respondents’ compliance with this Order;\n\nE. A copy of each widely disseminated representation by either of the Respondents that describes the extent to which Respondents (i) review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt-in controls; (ii) the extent to which Respondents collect, use, maintain, disclose, or delete any Covered Information; and (iii) the extent to which the Location Data that Respondents collect, use, maintain, or disclose is Deidentified;\n\nF. Records showing that Respondents have met the consent requirements set forth in Provision XIII for retaining Historic Location Data;\n\nG. Records showing the Respondents’ implementation of Supplier Assessment Program required by Provision VII;\n\nH. Records showing Respondents’ implementation of the Sensitive Location Data Program required by Provision III;\n\nI. Records showing Respondents’ processing of consumer deletion requests as provided in Provision VIII; and\n\nJ. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "XVIII",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission is authorized to monitor Respondents' compliance by requiring additional reports and records within 14 days of request, conducting direct communications and interviews with Respondents' personnel, and using all other lawful means including undercover investigations.",
      "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission, the Respondents must submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondents. Respondents must permit representatives of the Commission to interview anyone affiliated with Respondents who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of 15 identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "XIX",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is effective upon publication on the FTC's website as a final order and terminates 20 years from issuance, or 20 years from the most recent date the Commission files a complaint in federal court alleging any violation of the Order, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondents that are not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondents did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Privacy"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.24_gravy_analytics",
      "company_name": "Gravy Analytics, Inc.",
      "date_issued": "2024-12-15",
      "year": 2024,
      "administration": "Biden",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter",
      "docket_number": "C-4810"
    },
    {
      "provision_number": "I",
      "title": "Prohibition on Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent must not misrepresent its privacy or cybersecurity protections for student information, or misrepresent the timeframe in which it will notify impacted individuals and school districts of a data breach.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "II",
      "title": "Deletion of Unnecessary Personal Information",
      "category": "affirmative_obligation",
      "summary": "Respondent must delete Covered Information that is no longer necessary to provide the contracted services or upon customer request.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Data Deletion"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "III",
      "title": "Data Retention Schedule",
      "category": "affirmative_obligation",
      "summary": "Respondent must publish and comply with a documented data retention schedule explaining the purposes for collecting personal information, the specific business needs for retaining it, and a timeframe for deletion.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "IV",
      "title": "Comprehensive Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish and implement a comprehensive written information security program that addresses the security, availability, confidentiality, and integrity of Covered Information, including strict access controls, multi-factor authentication, periodic access reviews, data inventory and classification, and periodic briefings to the Board.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "V",
      "title": "Independent Third-Party Security Assessments",
      "category": "assessment",
      "summary": "Respondent must obtain an initial independent third-party information security assessment and then biennial assessments throughout the 10-year order period.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "VI",
      "title": "Truthful Disclosure to Assessors",
      "category": "affirmative_obligation",
      "summary": "Respondent must not misrepresent or conceal material facts from independent third-party assessors conducting security assessments required by the Order.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Consumer Notification"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "VII",
      "title": "Annual CISO Certifications",
      "category": "compliance_reporting",
      "summary": "Respondent's Chief Information Security Officer must submit annual written certifications to the FTC confirming that the information security program has been implemented and that there is no uncorrected material noncompliance.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "VIII",
      "title": "Covered Incident Notification to FTC",
      "category": "compliance_reporting",
      "summary": "Respondent must notify the FTC whenever it notifies any U.S. federal, state, or local government entity of a data breach or unauthorized exposure of consumers' personal information.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "IX",
      "title": "Order Distribution and Acknowledgment",
      "category": "acknowledgment",
      "summary": "Respondent must distribute copies of the Order to officers, directors, and employees with relevant responsibilities and obtain signed acknowledgments of receipt.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "X",
      "title": "Compliance Reporting",
      "category": "compliance_reporting",
      "summary": "Respondent must file written compliance reports with the FTC within specified timeframes after the Order becomes final and upon request.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "XI",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain documents necessary to demonstrate compliance with the Order for a specified retention period.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "XII",
      "title": "FTC Compliance Monitoring",
      "category": "monitoring",
      "summary": "The FTC retains the right to access Respondent's facilities, records, and personnel to monitor compliance with the Order.",
      "verbatim_text": "",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "XIII",
      "title": "Order Duration",
      "category": "duration",
      "summary": "The Order terminates ten years from the date of its issuance, subject to extension if a compliance violation complaint is filed.",
      "verbatim_text": "Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "unfair",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.25_illuminate_education",
      "company_name": "Illuminate Education, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter",
      "docket_number": "222-3105"
    },
    {
      "provision_number": "I",
      "title": "Prohibition Against Misrepresentations",
      "category": "prohibition",
      "summary": "Respondent and all persons acting with it must not misrepresent, expressly or by implication, their secure software development practices or the protection of consumers' financial assets.",
      "verbatim_text": "IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service must not misrepresent in any manner, expressly or by implication: A. the extent to which they implement secure software development practices; or B. the extent to which they protect the security of consumers’ financial assets.\n\nA. the extent to which they implement secure software development practices; or B. the extent to which they protect the security of consumers’ financial assets.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Prohibition"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "II",
      "title": "Mandated Information Security Program",
      "category": "affirmative_obligation",
      "summary": "Respondent must establish, implement, and maintain a comprehensive information security program designed to protect consumers' financial assets against loss from theft or unauthorized access, satisfying numerous specific sub-requirements.",
      "verbatim_text": "IT IS FURTHER ORDERED that Respondent, in connection with operating a Cross Chain Application must, within thirty (30) days of issuance of this order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that is designed to protect consumers’ financial assets against loss from theft or other unauthorized access. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written program and any evaluations thereof or updates thereto to its board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer responsible for its Information Security Program at least once every twelve (12) months;\n\nC. Designate an employee to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, at least once every twelve (12) months, internal and external risks to the security of consumers’ assets that could result in the misuse, loss, theft, or other compromise of consumers’ assets;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks to the security of consumers’ assets identified in response to sub- Provision II.D. Each safeguard must be based on the volume of the assets that are at risk, and the likelihood that the risk could be realized and result in the misuse, loss, theft, or other compromise of such assets. Such safeguards must also include: 1. The implementation of secure software development and testing practices; 2. 
Regular security training programs, on at least an annual basis, that are updated, as applicable, to address internal or external risks identified by Respondent under Provision II.D of this Order, and that include, at a minimum, security awareness training for all employees on Respondent’s security policies and procedures; 3. Technical measures to monitor all of Respondent’s services related to the security of consumers’ assets that are designed to identify anomalous activity and/or security events; and 4. For any systems that allow irrevocable actions such as the unrecoverable transfer of funds, a way to quickly pause or limit the functioning of the system if it exhibits unexpected behavior, such as the exploitation of a security vulnerability, until a remedy for the behavior can be deployed, unless technically infeasible, in which case the executive responsible for implementing Respondent’s Mandated Information Security Program must provide a written statement to the Commission within ninety (90) days of entry of this order, sworn under penalty of perjury, certifying that such measures are technically infeasible and providing a detailed explanation for that determination. The written statement must be based on the personal knowledge of the executive or subject matter experts upon whom the executive reasonably relies in making the statement.\n\nF. 
Assess, at least once every twelve (12) months, the sufficiency of any safeguards in place to address the internal and external risks to the security of consumers’ assets, and modify the Information Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months, and modify the Information Security Program based on the results;\n\nH. Select and retain service providers capable of safeguarding financial assets they interact with on behalf of Respondent and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security of consumers’ assets; and\n\nI. Evaluate and adjust the Information Security Program in light of any changes to Respondent’s operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in Provision II.D of this Order, or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Comprehensive Security Program"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "III",
      "title": "Information Security Assessments by a Third Party",
      "category": "assessment",
      "summary": "Respondent must obtain initial and biennial independent third-party assessments of its Information Security Program, following specific requirements for assessor qualifications, reporting periods, assessment content, and submission to the Commission.",
      "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third- party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; (3) retains all documents relevant to each Assessment for five (5) years after completion of such Assessment, and (4) will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director has the authority to approve in her or his sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 365 days after the issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for ten (10) years after issuance of the Order for the biennial Assessments.\n\nD. 
Each Assessment must, for the entire assessment period: (1) determine whether Respondent has implemented and maintained the Information Security Program required by Provision II of this Order, titled Mandated Information Security Program; (2) assess the effectiveness of Respondent’s implementation and maintenance of Provisions II.A-I; (3) identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; (4) address the status of gaps or weaknesses in, or instances of material non- compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and (5) identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment may rely primarily on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondent’s management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Respondent revises, updates, or adds one or more safeguards required under Provision II of this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.\n\nE. 
Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Nomad, FTC File No. 2323016.” All subsequent biennial Assessments must be retained by Respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "IV",
      "title": "Cooperation with Third Party Information Security Assessor",
      "category": "affirmative_obligation",
      "summary": "Respondent must fully cooperate with the third-party Assessor by providing all relevant information, network and IT asset access, and disclosing all material facts without misrepresentation.",
      "verbatim_text": "A. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.\n\nB. Provide or otherwise make available to the Assessor information about Respondent’s network(s) and all of Respondent’s IT assets, code, and code repositories related to the security of consumers’ assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s) and IT assets, code and code repositories deemed in scope; and\n\nC. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether that Respondent has implemented and maintained the Information Security Program required by Provision II of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of Provisions II.A-I; or (3) identification of Page 8 of 13 any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Third-Party Assessment"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "V",
      "title": "Annual Certification",
      "category": "compliance_reporting",
      "summary": "Respondent's CEO must annually certify to the Commission that Respondent has established, implemented, and maintained the Order's requirements and is not aware of any uncorrected or undisclosed material noncompliance.",
      "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from Respondent’s Chief Executive Officer that: (1) that Respondent has established, implemented, and maintained the requirements of this Order; and (2) that Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Nomad, FTC File No. 2323016.”",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "VI",
      "title": "Return of Recovered Assets to Users",
      "category": "affirmative_obligation",
      "summary": "Respondent must make available approximately $37.5 million in recovered assets to consumers via bounty, recovery bridge, or court-ordered process; provide website notice for 11 months; complete return of remaining assets within one year; and report on the refund program under penalty of perjury.",
      "verbatim_text": "A. To the extent not already distributed through the process described in Provision VI.A(1) and (2) prior to the entry of the order, make available the assets it recovered after the Breach for the benefit of consumers—approximately $37,500,000 in nominal value as of the date of the Breach—or the liquidated value of such assets or asset equivalents, as follows: (1) Pursuant to the “bridge hack bounty” process that Respondent established to incentivize the return of assets; (2) Through the “recovery bridge” process that Respondent established on or about December 20, 2022, with any necessary adjustments to the process designed to facilitate the return of remaining assets to consumers; or (3) Pursuant to any procedure set forth by court order.\n\nB. For a period of eleven months after the effective date of this order, provide notice to consumers of the refund required by Provision VI.A. of this order. Such notice shall be clearly and prominently displayed on Respondent’s website https://nomad.xyz.\n\nC. Within one year after the effective date of this Order, or 30 days after the end of any litigation involving or relating to the Breach, whichever is later in time, Respondent must, where technically feasible, return any remaining assets recovered from the Breach as required by Provision VI.A. In the event Respondent determines that the return of certain assets is not technically feasible, Respondent much include a detailed explanation for that determination in the report required by Provision VI.D.\n\n1. Respondent must submit a report at the conclusion of the program summarizing its compliance, including the total number of transactions and value of assets returned.\n\n2. If a representative of the Commission requests any information regarding the program, including any of the underlying customer data, Respondent must submit it within ten business days of the request. 
Upon request by Respondent, this ten-business-day period may be extended for a reasonable number of days by the Commission’s requesting representative, and such extension shall not be unreasonably withheld.\n\n3. Failure to provide required refunds or any requested information will be treated as a continuing failure to obey this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Monetary Penalty"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "VII",
      "title": "Acknowledgments of the Order",
      "category": "acknowledgment",
      "summary": "Respondent must submit its own acknowledgment of receipt of the Order, deliver copies to principals, officers, relevant employees and agents, and future personnel, and obtain signed acknowledgments within 30 days.",
      "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "VIII",
      "title": "Compliance Reports and Notices",
      "category": "compliance_reporting",
      "summary": "Respondent must file a sworn compliance report one year after issuance, notify the Commission within 14 days of changes to contact points or organizational structure, and notify the Commission within 14 days of any bankruptcy filing.",
      "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: 1. Identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; Page 10 of 13 2. Identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; 3. Describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; 4. Describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and 5. Provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: 1. any designated point of contact; or 2. the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. 
Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re Nomad, 2323016.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "IX",
      "title": "Recordkeeping",
      "category": "recordkeeping",
      "summary": "Respondent must create and retain for 5 years specified records including accounting records, personnel records, consumer complaints, representations about security practices, Assessment materials, law enforcement communications, and all records necessary to demonstrate full compliance.",
      "verbatim_text": "A. accounting records showing all revenues, the costs incurred in generating those revenues, and resulting net profit or loss;\n\nB. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. copies or records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. a copy of each widely disseminated and materially different representation by Respondent that describes the extent to which Respondent implements secure software development practices or protects consumers’ financial assets, including any representation concerning a change in any website or other service controlled by Respondent that relates to the security of consumers’ financial assets;\n\nE. for 5 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nF. for 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such communication relate to Respondent’s compliance with this Order; and\n\nG. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Recordkeeping"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "X",
      "title": "Compliance Monitoring",
      "category": "monitoring",
      "summary": "The Commission may monitor Respondent's compliance by requiring additional reports or records within 10 days of written request, interviewing Respondent's personnel, and using all other lawful means including undercover methods.",
      "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Compliance Monitoring"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    },
    {
      "provision_number": "XI",
      "title": "Order Effective Dates",
      "category": "duration",
      "summary": "The Order is final and effective upon publication on the FTC's website and will terminate 10 years from issuance, or 10 years from the most recent date the Commission files a complaint alleging any violation of the Order in federal court, whichever is later.",
      "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 10\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 10 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 10 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any provision in this Order that terminates in less than 10 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.",
      "violation_type": "deceptive",
      "statutory_topics": [
        "Section 5 Only"
      ],
      "practice_areas": [
        "Data Security"
      ],
      "remedy_types": [
        "Order Administration"
      ],
      "case_id": "12.25_illusory_systemsnomad",
      "company_name": "Illusory Systems, Inc.",
      "date_issued": "2025-12-15",
      "year": 2025,
      "administration": "Trump (2nd)",
      "legal_authority": "Section 5(a) of the Federal Trade Commission Act",
      "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad",
      "docket_number": "C-2323016"
    }
  ]
}