The FTC this week has primarily focused on consumer protection, announcing successful efforts against companies who failed to protect consumers from illegal telemarketing calls and hackers. The agency’s efforts build on a series of actions focusing on consumer privacy and security, which are all the more important as, in the agency’s words, “businesses face fresh incentives to hoard data to train AI models.” These stories and more after the jump.

Monday, January 29, 2024

FTC Operations: Horceracing Rule Updates

  • The FTC has proposed a number of rules addressing the agency’s oversight of the Horseracing Integrity and Safety Authority. The rules are designed to “ensure that the Authority remains publicly accountable and operates in a fiscally prudent, safe, and effective manner.” The rules would require the Authority to (1) submit periodic records about its performance and finances; (2) create and maintain a multi-year strategic plan with public input; (3) manage risk, including ensuring data security and privacy; (4) prevent conflicts of interest, waste, fraud, embezzlement, and abuse; and (5) implement other operational requirements in areas such as recordkeeping, compensation, and customer service. The Commission is also issuing a final rule regarding procedures for overseeing the Authority’s budget.  Once published in the Federal Register, a 60-day window for public comments on these rules will open.

Bureau of Consumer Protection: Children’s Online Privacy Protection Act (COPPA)

  • The Commission has once again extended the deadline for it to respond to an application for a proposed method from the Entertainment Software Rating Board (“ESRB”) to obtain verifiable parental consent online using “Privacy-Protective Facial Age Estimation” biometric technology. This technology analyses a user’s face to confirm that they are an adult. The new deadline is March 29, 2024. The agency received over 350 comments in response to this application, and cited the need to review these comments when it previously extended the deadline in September.

Tuesday, January 30, 2024

Bureau of Consumer Protection: Robocalls

  • The FTC issued an update about Project Point of No Entry, which was implemented in April 2023 as an effort to stop illegal overseas robocalls by targeting Voice over Internet Protocol (VoIP) service providers with cease-and-desist letters. The initial efforts targeting 24 providers resulted in a 70% decrease in “tracebacks,” which represent snapshots of telemarketing campaigns. The agency sent out seven more letters in November 2023 to targets involved in 154 illegal robocall campaigns ranging from government impersonation scams to credit card debt relief schemes. The FTC also teamed up with the FCC to cut off one provider’s attempt to evade enforcement. Consumers with robocall-related concerns can report them at or by calling (877) FTC-HELP.

Wednesday, January 31, 2024

Bureau of Consumer Protection: Telemarketing

  • The Commission’s efforts against illegal, unsolicited calls doesn’t end with Project Point of No Entry.  The Commission also obtained an order from the U.S. District Court in the Northern District of Illinois against defendants Day Pacer, LLC and EduTrek, LLC. The FTC’s complaint, filed in 2019, alleged that the two companies made calls to numbers on the federal Do Not Call List to generate leads for for-profit education companies. This conduct allegedly violated the FTC’s Telemarketing Sales Rule, 16 C.F.R. § 310.4(b)(1)(iii)(B). The order holds the defendants jointly liable for a civil penalty of $28,681,863.88. The court previously issued an order in November banning the Day Pacer defendants from participating in telemarketing.

Thursday, February 1, 2024

Bureau of Consumer Protection: Data Privacy and Security

  • The Commission filed an administrative complaint and proposed consent agreement with Blackbaud, Inc. in relation to allegations that the company’s inadequate security allowed a hacker to breach the company’s network in 2020. The complaint alleges that Blackbaud, a South Carolina-based data services and financial, fundraising, and administrative software services company, failed to safeguard the large amounts of personal data it maintains for these services. In relation to the 2020 breach, the complaint further alleges that the hacker remained undetected for three months and stole millions of consumers’ unencrypted personal information, including Social Security numbers and medical information. Furthermore, Blackbaud allegedly failed to promptly notify consumers of the breach, and the initial breach notice misrepresented the scope and severity of the breach. The FTC alleged that this conduct constituted unfair and deceptive acts or practices in violation of Section 5(a) of the FTC Act. The consent order requires Blackbaud to delete all personal data not being retained for purposes of providing products or services. The company must develop a comprehensive information security program and data retention schedule, and must notify the FTC of any future data breaches. Chair Khan and Commissioners Slaughter and Bedoya issued a joint statement summarizing the allegations, reiterating the need to protect consumers’ data security, and praising the efforts of the Division of Privacy and Identity Protection.