To Disclose or Not To Disclose: The FTC’s Dueling Concurrences over Deceptive Omissions in Lenovo

by Wilson Sonsini Goodrich & Rosati
Contact

On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo, Inc., regarding the company’s practice of pre-loading advertising software on its laptops that compromised consumers’ cybersecurity and privacy.1 In many respects, the case was reasonably straightforward: the facts as alleged were clear, and the terms of the settlement were not unusual. But what makes this case interesting are the dueling concurrences issued by Acting Chairman Ohlhausen and Commissioner McSweeny regarding the FTC’s authority to challenge omissions. These concurrences continue a debate that has been stirring on and off at the FTC for more than 30 years, and they raise important questions about the agency’s future enforcement priorities.

Case Background

Beginning in August 2014, Lenovo included an advertising software solution called VisualDiscovery as part of standard, pre-installed software packages on its laptops. VisualDiscovery delivered pop-up ads from its retail partners when users hovered their cursor over similar items on websites. According to the FTC’s complaint, VisualDiscovery used a “man-in-the-middle” technique to deliver its ads, allowing the software to view all of the data transmitted between the user and a website. The complaint alleges that VisualDiscovery collected a limited amount of information—the websites the user browsed and the consumer’s IP address—but the software had the ability to collect much more information, including credit card information, passwords, and Social Security numbers. The FTC also alleged that the software used an insecure method to replace digital certificates on encrypted websites without adequately verifying the websites’ digital certificates, and the “same, easy-to-crack password on all affected laptops,” leaving users’ laptops subject to attack and undermining the ability of web browsers to warn users of potentially insecure websites.

The FTC alleged that Lenovo did not make any disclosures about VisualDiscovery to consumers prior to purchase. After consumers had purchased their laptops, they were shown a one-time pop-up window the first time they visited a shopping website. This pop-up stated: “Explore shopping with VisualDiscovery: Your browser is enabled with VisualDiscovery which lets you discover visually similar products and best prices while you shop” and contained a small opt-out link that, according to the FTC, was easy for consumers to miss. Even if consumers saw and clicked on the opt-out link, the FTC alleged that the opt-out was ineffective: although clicking on the link would stop VisualDiscovery from displaying pop-up ads, the software still acted as a man-in-the-middle between consumers and all websites with which they communicated. The FTC further alleged that Lenovo did not disclose, in the pop-up ad, its privacy policy, or its terms of use, that VisualDiscovery would act as a man-in-the-middle between consumers and all websites with which they communicated, and would collect consumers’ Internet browsing data.

The FTC’s complaint charged VisualDiscovery with preventing consumers from having the benefit of basic security features provided by their Internet browsers for encrypted HTTPS connections. The complaint includes three counts, all alleging security related violations of Section 5 of the FTC Act:

  • A deceptive failure to disclose that VisualDiscovery was enabled on the laptop and that it would present ads and serve as a proxy “middle man”
  • Unfair pre-installation of VisualDiscovery without adequate notice or informed consent that the software acted as a man-in-the middle
  • Unfair security practices based on Lenovo’s failure to take reasonable measures to address security risks from this software

Dueling Concurrences

Even though Acting Chairman Ohlhausen and Commissioner McSweeny both voted to issue the FTC’s complaint and accept the settlement, they issued conflicting concurring statements about the scope of the FTC’s authority to bring deceptive omission cases. Commissioner McSweeny took the position that Lenovo’s unlawful conduct went beyond the data security allegations in the complaint. Her concurrence focused on Lenovo’s failure to disclose to consumers that the pre-installed software would inject pop-up ads and that such activity would disrupt their web browsing by reducing download and upload speeds. She argued that the failure to disclose this information constituted a deceptive omission of material facts relevant to consumers, asserting that “Lenovo deceptively omitted that VisualDiscovery would alter the very Internet experience for which most consumers buy a computer.”2

Acting Chairman Ohlhausen, on the other hand, cautioned against an overly broad application of the FTC’s deceptive omission authority. Specifically, she took the position that Lenovo’s silence about VisualDiscovery’s ad-placement issues and web-browsing effects, while perhaps irritating to consumers, did not rise to the level of a deceptive omission. Ohlhausen further stated that it is critical for the FTC to maintain a clear distinction between deceptive omissions and unfair omissions and that “[w]hen evaluating the legality of a party’s silence, [the FTC] must be careful not to circumvent unfairness’s higher evidentiary burden by simply restyling an unfair omission as a deceptive omission.”3

Legal Background

Acting Chairman Ohlhausen and Commissioner McSweeny both referenced the FTC’s 1984 opinion in a litigated administrative case, International Harvester Co.,4 which lays out the analytical framework that the commission has relied on in considering how to treat omissions.

The facts in Harvester were reasonably straightforward: International Harvester tractors were subject to dangerous “fuel geysering” when, subject to heat from the tractor’s operation, the fuel began to boil. When the operator opened the fuel cap, the fuel could blast out of the tank up to 20 feet and cause serious injury to the operator. The FTC found that there were about 90 incidents of fuel geysering, including 12 serious injuries and one death. The commission also found that the company was aware of the problem and that there were a number of simple, easy to implement safety features that the company did not take advantage of.

In its analysis of liability, the FTC presented a thorough examination of the legal framework for considering an omission to be deceptive or unfair. The commission identified two circumstances where an omission may be deceptive: (1) when a seller tells a half-truth, but fails to disclose information that qualifies or limits the statement and prevents it from being deceptive;5 and (2) where a seller remains silent under circumstances that create a false impression. According to the FTC, a seller’s silence may violate Section 5, but only where the information at issue relates to “ordinary consumer expectations as to the irreducible minimum performance standards for a particular class of goods.”6 Notably, both the Acting Chairman and Commissioner McSweeny cited this line in their Lenovo concurrences.

The FTC also found that “pure omissions”—where a seller has said nothing and, under the circumstances, there is no particular meaning that can be attributed to the silence— should not be analyzed under the deception framework for two reasons. First, doing so could easily expand the notion of deception to include virtually anything, since different consumers could have mistaken pre-conceived notions about almost anything. Second, a pure omission does not necessarily reflect a deliberate act and there is no basis for thinking that a remedial order will produce any benefits. Pure omissions are analyzed, instead, under the FTC’s unfairness authority, which requires a full cost benefit analysis.

The FTC ultimately found that International Harvester’s failure to warn consumers about fuel geysering was unfair given the modest cost involved in disclosing the issue and the very substantial and real injury that was caused.

Implications

The concurrences in Lenovo seem to center on the Harvester issue of what “ordinary consumer expectations as to the irreducible minimum performance standards for a particular class of goods” really means. Commissioner McSweeny’s statement suggests that the ordinary consumer would expect their laptop to be free of any software that would inject pop-up ads and slow down their browsing speed. Acting Chairman Ohlhausen, on the other hand, admits that these features may be “annoyances” but do not frustrate the “irreducible minimum performance standards” that a consumer would expect.

At their root, the concurrences disagree over where to draw the line on deceptive omissions: when do companies’ practices rise to the level of requiring a disclosure, and when are they merely irritating or unfriendly to consumers? To answer this question, it can be helpful to examine the practice at issue in light of what is common in the industry. For example, new computers and mobile phones often include pre-installed software, including marketing software, that has some impact on device performance. While some consumers may not want all of the software, the existence of pre-installed software on a computer or mobile phone is a common practice that a reasonable consumer should expect, and does not rise to the level of frustrating the very purpose for which the consumer purchased the machine (indeed, the consumer may be hard pressed to find a machine that does not include such software). On the other hand, if, as in Lenovo, the pre-installed software contains unusual security risks that may not be present in similar products, this information should probably be disclosed. A reasonable consumer, even one who is familiar with pre-installed marketing software, would not expect that the software would frustrate the consumer’s ability to securely access encrypted websites.

Acting Chairman Ohlhausen’s statement also signals her commitment to focus more on instances of actual injury over practices that may be undesirable to a consumer but not necessarily injurious. While the FTC grapples with what should constitute actual harm in the privacy and security space, Ohlhausen’s concurrence at least signals one clear message: mandating disclosure in the absence of a practice that causes actual injury to consumers can result in unnecessary over-disclosure. It remains to be seen how this policy position plays out in other areas of the FTC’s enforcement agenda.

1 See our September 2017 WSGR Alert reporting on the settlement.

2 See Statement of Commissioner Terrell McSweeny, In the Matter of Lenovo, Inc. (September 5, 2017), available at https://www.ftc.gov/system/files/documents/public_statements/1250843/1523134lenovotmstatement2.pdf.

3 See Statement of Acting Chairman Maureen K. Ohlhausen, In the Matter of Lenovo, Inc. (September 5, 2017), available at https://www.ftc.gov/system/files/documents/public_statements/1250833/1523134lenovomkostatement.pdf

4 International Harvester Co., 104 FTC 949 (1984).

5 For example, a claim that a company is offering a 30 day money back guarantee, but fails to disclose that there is a 50 percent restocking fee.

6 International Harvester, 104 FTC at 1058.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising

Written by:

Wilson Sonsini Goodrich & Rosati
Contact
more
less

Wilson Sonsini Goodrich & Rosati on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.