Advertising Law - March 2016

by Manatt, Phelps & Phillips, LLP

In This Issue:

  • Tech Company Settles With FTC Over Installation of Apps Without Permission
  • Fake News Sites, False Celebrity Endorsements, Spam E-Mails Cost Marketing Company $10M
  • FTC Hits Hardware Maker With Enforcement Action
  • Processor Receives Ban After Enabling Scammer

Tech Company Settles With FTC Over Installation of Apps Without Permission

A technology company that allegedly replaced a Web browser game with a program that installed apps on mobile devices without permission has settled charges that it violated the Federal Trade Commission Act.

Vulcun purchased Running Fred, a Google Chrome browser extension game used by more than 200,000 consumers. According to the FTC's complaint, the technology company then replaced the game with its own extension, Weekly Android Apps, without notifying consumers. The Vulcun app claimed to offer unbiased recommendations of Android applications, but actually installed apps directly without consumer permission—or as Jessica Rich, the agency's Director of Consumer Protection said in a statement, "commandeer[ed] people's computers and bombard[ed] them with ads."

Google received "a number" of consumer complaints about the Vulcun app, the FTC alleged, not just about the installation of apps without permission, but also that the extension opened multiple tabs and windows on the browser that advertised various other applications and reset users' browser homepages. Consumers also griped that even when they deleted the unwanted apps, Vulcun reinstalled them.

These actions violated the Section 5 prohibition on unfair practices in the FTC Act, the agency alleged in its complaint. "By bypassing the permissions process in the Android operating system, the apps placed on consumers' mobile devices also could have easily accessed users' address books, photos, location, and device identifiers," the agency said. "Indeed, once installed, the apps could have gained further access to even more sensitive data by using their own malicious code."

Vulcun further misled consumers by claiming its extensions provided "independent and impartial" reviews of apps, and it also misrepresented the extent of third-party endorsements and media coverage, the FTC added. The company claimed that its app had 200,000 users and a 4.5 rating—a claim that was true for Running Fred, but not for the Weekly Android Apps, according to the agency.

Under the terms of the settlement, the company and two individual defendants must inform consumers about how the information accessed by a product or service will be used, and must also obtain express affirmative consent for the installation or material change of a product or service. Any built-in permissions notices associated with the product must be displayed prior to consent.

Several types of misrepresentations are banned by the proposed consent order. Vulcun cannot mislead consumers as to how personal information is collected and used or how much control they can exercise over the collection, use, and sharing of their data. It cannot misrepresent that a product has been endorsed by a third party or the efforts Vulcun has made to maintain privacy and security of the information collected from consumers.

To read the complaint and proposed consent order in In the Matter of General Workings, Inc., click here.

Why it matters: The case offers several lessons for advertisers, the FTC noted in a blog post. It reminds marketers to clearly disclose material information before consumers download a product and to obtain express consent prior to download. In addition, even after a product or service is on a consumer device, companies must stay within the confines of the activities that were disclosed to consumers. Finally, the agency emphasized the importance of disclosures to consumers, particularly where a material connection exists between a product and an endorser. The proposed consent order is currently open for public comment.

Fake News Sites, False Celebrity Endorsements, Spam E-Mails Cost Marketing Company $10M

With up to $10 million available as restitution for consumers, a California marketing company agreed to stop using fake news websites featuring false celebrity endorsements and spam e-mails to market weight loss products.

Last May, the Federal Trade Commission filed suit against Sale Slash and individual defendants over the company's marketing techniques. The agency asserted that the defendants, in order to sell weight loss products, used fake news websites peppered with phony endorsements from celebrities such as Oprah Winfrey, and they also made unsupported efficacy claims with headlines such as "Insider Report: Oprah and Other Celebrities Lose 4lbs/Week of Belly Fat With This Secret Our Readers Can Try Now!"

Millions of illegal spam e-mails were sent to promote the defendants' weight loss supplements, including Pure Garcinia Cambogia, Premium White Kidney Bean Extract, and Premium Green Coffee, with messages such as "Breaking news …" or "Hi! Oprah says its excellent" with hyperlinks, the FTC complaint alleged. The e-mails were sent by affiliate marketers using stolen e-mail accounts, so the messages appeared to be from a friend or family member without including information on how to opt out of future messages.

To settle the charges, the defendants agreed to change their conduct and provide roughly $10 million in restitution, a suspended amount from the $43.4 million judgment.

With regard to their actions, the defendants are prohibited from making or assisting others in making weight loss or health-related product claims, absent competent and reliable scientific evidence (specifically including a human clinical test or study as substantiation) as well as making misrepresentations about the "existence, contents, validity, results, conclusions, or interpretations" of any text, study, or research related to the human clinical test or study used to support their advertising claims.

In addition, the defendants are banned from making a host of misrepresentations related to the advertising and marketing of their products and in e-mails they send that are covered by the CAN-SPAM Act (such as sending messages that fail to identify the sender or e-mails that lack a proper opt-out option for recipients). The consent order also includes specific requirements on how the defendants must police the actions of their affiliate marketers.

As for the money, the company and five individual defendants must turn over assets that, when combined with money already secured by a court-appointed receiver, will total almost $10 million. The remainder of the $43.4 million judgment—reflecting the amount of consumer harm caused by the defendants, the FTC said—was suspended.

To read the complaint and stipulated order in FTC v. Sale Slash, click here.

Why it matters: As demonstrated by the enforcement action, affiliate arrangements won't insulate advertisers from liability with the FTC. The action also underscores the FTC's focus on weight loss claims and its efforts to eradicate the use of false endorsements and fake news websites.

FTC Hits Hardware Maker With Enforcement Action

A computer hardware maker reached a deal with the Federal Trade Commission, settling charges that the defendant had security flaws in its router that put thousands of consumers' home networks at risk and that compromised connected storage devices by using insecure cloud services.

The flaws were present in ASUSTeK Computer, Inc., products despite advertisements touting the security features of the routers with claims that they could "protect computers from any unauthorized access, hacking, and virus attacks" and that they would "protect [the] local network against attacks from hackers."

In actuality, the company was aware of design flaws and bugs in the products, the agency alleged, and failed to take reasonable steps to secure its software. In one example, a malware researcher revealed a bug that allowed hackers to reconfigure vulnerable routers and commandeer consumers' Web traffic. ASUS also set the same default login credentials for every router (with "admin" as both username and password) and permitted users to retain the default credentials instead of requiring a change to increase security.

The cloud storage provided by ASUS similarly failed to pass muster. AiCloud and AiDisk services allowed consumers to plug a USB hard drive into the ASUS router to create their own cloud storage that was accessible from any device. But contrary to the company's claim that the services offered a "private personal cloud for selective file sharing" and a way to "safely secure and access your treasured data through your router," a vulnerability in the service permitted hackers to bypass the login screen and gain access to the storage device without any credentials, the FTC alleged.

Contributing to the insecurity, AiDisk did not encrypt files in transit and the default privacy settings for the service allowed public access to the device. These security flaws resulted in hackers gaining unauthorized access to almost 13,000 consumers' connected storage devices in February 2014, the agency said, when ASUS router owners received the following message on their device: "This is an automated message being sent out to everyone affected [sic]. Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection."

Despite knowledge of the security weaknesses, ASUS neglected to fix the problems in a timely manner and failed to notify consumers about the risks or the availability of security updates. For more than one year a software update tool on the router often told consumers their router was up to date when new software—with critical security updates—was actually available.

The Taiwan-based company reached a deal with the FTC requiring ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years. The company must also notify consumers about updates or other means to protect themselves from security flaws and refrain from misleading consumers about the security of its products, including whether a product is using up-to-date software.

To read the complaint and proposed consent order in In the Matter of ASUSTeK Computer, Inc., click here.

Why it matters: "The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," Jessica Rich, Director of the FTC's Bureau of Consumer Protection, said in a statement. "Routers play a key role in securing those home networks, so it's critical that companies like ASUS put reasonable security in place to protect consumers and their personal information." Comments on the proposed consent order in the case—which the agency noted is part of its "ongoing effort to ensure that companies secure the software and devices that they provide to consumers"—will be accepted until March 24.

Processor Receives Ban After Enabling Scammer

Halting an alleged telemarketing scheme, the Federal Trade Commission settled charges that payment processor Capital Payments LLC enabled a scammer to process consumer card payments in violation of the Federal Trade Commission Act and the Telemarketing Sales Rule.

The defendants turned a blind eye to the actions of The Tax Club, an entity that the FTC said was engaged in a telemarketing scam that tricked consumers into launching a home-based business. The Independent Sales Organization (ISO) allowed The Tax Club to use merchant accounts to process credit card payments, despite multiple red flags, including a high rate of chargebacks, alerts from financial institutions, and chargeback requests from consumers stating that the charges were unauthorized or fraudulent.

Only when the FTC (joined by state Attorneys General in Florida and New York) filed suit against The Tax Club in 2013 did Capital terminate its relationship with the company.

For assisting and facilitating the scam, Capital—now known as Bluefin Payment Systems LLC—violated the Telemarketing Sales Rule and engaged in unfair and deceptive conduct in violation of the FTC Act, according to the agency's complaint.

To settle the charges, Capital agreed to cease operating as a payment processor or as an ISO for multiple categories of clients, or from assisting or facilitating any merchant it knows, or should know, is violating the TSR or FTC Act.

Going forward, Capital must screen its prospective clients and monitor their sales activity for potential deceptive conduct and terminate contracts with those who defy the law. A $2.6 million judgment was partially suspended upon payment of $750,000.

To read the complaint and stipulated order in FTC v. Capital Payments LLC, click here.

Why it matters: The stipulated order against Capital set forth very detailed requirements for the company as to what constitutes "reasonable screening" of potential clients. It must gather information, such as the name of all persons with a majority ownership interest in the entity and a list of all business and trade names and Internet websites the prospective client has marketed its goods and services to for the past two years. It must also obtain bank references. Once a client has been accepted, the work doesn't end for Capital, which must monitor existing clients by regularly reviewing their chargeback rates and total return rates and by reviewing the reasons provided for the rates. If the review reveals that the chargebacks and non-credit card return rates exceed a certain percentage of transactions, it must terminate the relationship.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising
