Although class actions are a frequently utilized vehicle for individuals seeking to vindicate their privacy rights, companies can also run the risk of an enforcement action brought by the Federal Trade Commission (“FTC”) (pursuant to the FTC’s authority under Section 5 of the FTC Act).  One recent example of the FTC’s exercise of this authority offers a cautionary note to other companies of sales and marketing practices that can run afoul of federal privacy laws.  Read on to learn more.

As many readers of CPW likely already know, MyLife is a company based in California that offers and sells consumer background information about millions of Americans over the internet.  According MyLife, it provides a comprehensive people-search service that helps people “understand and manage what information is available about them [and others] in the public domain.”

Last July, the FTC commenced an enforcement action against MyLife and MyLife’s CEO, alleging claims for (1) deceptive business practices in violation of Section 5(a) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45(a); (2) violation of the Telemarketing Sales Rule (“TSR”), 16 C.F.R. § 310.3(a)(1)-(2); (3) violation of the Restore Online Shoppers’ Confidence Act (“ROSCA”), 15 U.S.C. § 8403; and (4) violation of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681a(d), 1681b.  The FTC moved for summary judgment on all of these claims, a motion that was granted in part by a federal court last week.  United States v. MyLife.Com, Inc., 2021 U.S. Dist. LEXIS 201777 (C.D. Cal. Oct. 19, 2021).

First, let’s take a look at the facts underlying this case.  As alleged in the Complaint filed by the FTC against MyLife:

Since approximately 2009, MyLife has purchased public record data about individuals from data brokers.  MyLife uses that data to create a “public listing” or profile for these individuals, which can be accessed through its website, www.mylife.com.  On its website, MyLife has profiles purporting to cover at least 320 million individuals . . . MyLife also sells paid subscriptions that allow subscribers to access even more detailed profiles and background data about themselves and other individuals.  MyLife claims that these paid subscriptions allow subscribers to edit or remove data from their MyLife profile or even from the “original source.”

(quotations omitted).  However, MyLife cannot remove information about users from the public record and admits that it “does not have the ability to force third party websites to remove certain information.” (emphasis in original).

The Court ruled as follows.

MyLife Engaged in Deceptive Acts in Violation of the FTC Act

The Court found that the FTC established, based on the undisputed facts, that MyLife engaged in deceptive acts in violation of the FTC Act.  Section 5 of the FTC Act prohibits “deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1).  A practice falls under Section 5: “(1) if it is likely to mislead consumers acting reasonably under the circumstances and (2) in a way that is material.”

The Court found that this standard was satisfied because “MyLife’s website displays prominent red banners on over 60 million individuals’ profiles, declaring that the individual ‘DOES’ have ‘arrest or criminal records’ or ‘court, arrest or criminal records.’”  The Court held that “[t]hese banners or ‘flags’ create the deceptive and misleading impression that these individuals have criminal records, even though the flags may not be accurately matched to the profiles on the MyLife website and could refer to anything from a minor non-criminal traffic ticket or other minor infraction to a murder conviction.” (emphasis in original).

Because MyLife was classifying individuals as a “criminal or potential criminal for reasons MyLife will not disclose unless and until the consumer purchases a subscription,” the Court held that “these marketing practices are deceptive and material as a matter of law, and violate Section 5 of the FTC Act.”

MyLife Violated the Telemarketing Sales Rule

The Telemarketing Sales Rule (“TSR”) prohibits a seller or telemarketer from engaging in certain deceptive acts or practices.  Significantly, sellers (including MyLife) must: (1) disclose all material terms and conditions of their refund and cancellation policies and so-called “negative-option features”; (2) may not misrepresent such policies or features; and (3) may not misrepresent material aspects of the services offered for sale.

The Court held that MyLife committed multiple violations of the TSR, ruling that its outbound sales calls, removal calls and retention calls all violated the statute.  This ruling was based, in part, on the sales scripts used by MyLife representatives in calls.  These sales scripts revealed, among other things, that MyLife failed to disclose, before a customer consented to pay for MyLife’s services that MyLife “has a policy of not making refunds.”

MyLife Violated the Restore Online Shoppers’ Confidence Act

The Court also held that MyLife violated the ROSCA.  The ROSCA “prohibits charging consumers for services sold on the internet via a negative-option feature, which is defined as ‘an offer or agreement to sell or provide . . . services, a provision under which the customer’s silence or failure to take an affirmative action to reject . . . services or to cancel the agreement is interpreted by the seller as acceptance of the offer.’”  Moreover, it allows a seller to use a negative-option feature only if certain specifications are met.  This includes requiring that a seller: (1) clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information; (2) obtains the consumer’s express informed consent before making the charge; and (3) provides simple mechanisms to stop recurring charges.

The Court had previously held that My-Life’s automatic renewal policy is a negative-option feature regulated under the ROSCA.  Based on the factual record, the Court found that MyLife failed to provide “simple mechanisms” for stopping recurring charges and therefore violated the ROSCA.

Summary Judgment on FCRA Claim and CEO’s Individual Liability Denied

Without a discussion of the reasons underlying its decision, the Court noted in a single sentence that “there are genuine issues of material fact with respect to the Government’s FCRA claim.”  As such, summary judgment on this claim was denied.

The Court likewise held (again, without further discussion) that “are genuine issues of material fact as to whether Defendant Jeffrey Tinsley is individually liable for consumer redress under the FTC Act.”  As such, summary judgment on this claim was also denied.

Issuance of Statutory Injunction and Consumer Redress

The Court denied the FTC summary judgment on its request for civil penalties.  However, the Court’s Order provided for other relief sought by the FTC.

Unlike the higher bar for litigation brought by private parties, the United States may obtain statutory injunctive relief upon a primary facie showing of a violation in conjunction with “some reasonable likelihood of future violations.”  Based on a prior settlement MyLife entered into with Washington (state) in 2012 and with the County of Los Angeles and the City of Santa Monica in 2015, the Court held that the FTC had “demonstrated that statutory injunctive relief is appropriate.”  However, the Court ordered supplemental briefing on the appropriate scope of such relief.  Moreover, in regards to the consumer redress sought by the FTC under Section 57b of the FTC Act, the Court held that refunds (in the amount of $33,945,698) were an appropriate remedy for MyLife’s TSR and ROSCA violations.

Data privacy and cybersecurity are FTC priorities going forward.  This latest enforcement action (and the stiff consumer redress order combined with the statutory injunction) offer a cautionary note to companies that have business models built off the use of personal information.  For more developments on this area of the law, stay tuned.  CPW will be there to keep you in the loop.