In the Maryland matter, the state alleged multiple violations of the Consumer Protection Act (CPA) for deceptive and unfair trade practices regarding fees and pricing, including the use of “junk fees,” against car dealership DARCARS Honda and related parties. In addition to the general CPA allegations Maryland asserts in the complaint, the state also describes its interpretation of how the Maryland Transportation Article, and its corresponding regulations, regulate vehicle dealers in Maryland, “including through consumer protections that prohibit dealers from misleading consumers about vehicle pricing and that prohibit dealers from charging surprise junk fees (i.e., fees from which a consumer gets no added value and that simply add to the cost of a transaction that are, in essence, price increases under a guise).” Specifically, the Transportation Article prohibits dealers from, among other things, stating the purchase price in an ad “unless the price is the full delivered purchase price of the vehicle, excluding only taxes, title fees, and any freight or dealer processing charge” and requires the full price be printed “in the largest font used in the advertisement to provide any information related to the price of the vehicle.”

In the complaint, the Maryland AG claims Respondents charged consumers an optional fee of 2% of a vehicle’s sale price termed a “Sales Commission,” when in reality, it was an “Overhead Fee” to offset Respondents’ existing obligations. Per the complaint, neither consumers nor Respondents’ employees received added benefit when consumers paid the fee. The complaint further states consumers were not adequately informed about the ‘optional’ fee and that the fee “cannot be considered truly ‘optional’ when the onus is entirely on the consumer to notice the charge, figure it out, deduce that it can be removed while still completing the purchase of the car, and then demand that the fee be removed.”

The Rhode Island action also makes similar fee and pricing claims, including claiming Defendant UPP Global, LLC used “junk fees” in its operation of multiple parking facilities in violation of the Rhode Island Deceptive Trade Practices Act (DTPA). For example, the state alleges Defendants charged consumers a fee identified as a tax and then kept the proceeds instead of paying it to the government. At times, Defendants also charged a 10% service fee the state termed as “junk,” saying this fee was not in fact for additional services and instead was used for some other undisclosed purposes. In addition, the state alleged Defendants charged fees to consumers who stayed past their prepaid parking time under the guise of a “citation.”

Whatever industry you are in, be aware state AGs are carefully reviewing fee charges. Here are a few things to consider:

• What is the fee for and what value does the consumer get from paying the fee? Is this accurately described to the consumer?
• Is the fee mandatory or optional?
• What is disclosed to consumers regarding the fee, and when and by what method is that disclosure made?
• Are there industry- or state-specific laws or regulations defining and/or outlawing “hidden fees”?

We will continue our roundtable discussion on investigations and enforcement actions led by state attorneys general (AGs) and the broad authority the states have to perform pre-litigation discovery through investigative subpoenas, often called civil investigative demands or CIDs. In Part l, we discussed common issues that may trigger a state – or multi-state – investigation, other pre-suit investigatory authority, and the basics of a CID. Join us for Part ll, as we discuss:

• Types of objections to CIDs businesses may make

• Background and caselaw on AG CID authority

• Strategies for avoiding an AG inquiry

Register Here.

Arkansas brought the action pursuant to the Arkansas Deceptive Trade Practices Act (ADTPA), which prohibits deceptive and unconscionable business practices, and the Arkansas Personal Information Protection Act (PIPA), which requires businesses protect data concerning Arkansas residents with reasonable security practices. Numerous allegations by the state against Temu regarding app user personal information include that it is:

• Using the inducement of low-cost Chinese-made goods to lure users into unknowingly providing near-limitless access to their PII,
• Misleading users regarding how it uses their data,
• Not allowing users to avoid being tracked on the internet,
• Collecting virtually limitless amounts of data, and in addition to Bluetooth and Wi-Fi access, gaining full access to user contacts, calendars, and photo albums, plus all social media accounts, chats, and texts,
• Gaining permission from user devices upon app installation to subsequently install any further program it wishes without user knowledge or control,
• Obtaining personal information in a way that is purposely secretive and intentionally designed to avoid detection,
• Providing or selling user data to unauthorized third parties or using user data in a way that users did not authorize,
• Potentially harvesting data of non-users who have communicated with users, and
• Subjecting user data to misappropriation by Chinese authorities.

The state cites reports and third-party research throughout its complaint to support its claims against Temu. Temu, in response, said the company was “surprised and disappointed” by General Griffin filing the lawsuit without what the company called “any independent fact finding.”

In addition to the allegations regarding privacy harms of the app, the state claims defendants make deceptive representations about the quality of the goods sold, which it says are frequently counterfeit, and that users experience undelivered packages and poor customer service. The state further claims Temu uses “false-reference pricing,” in which a retailer represents to a prospective customer that a product is on sale at a steep discount when the “discounted price” is the product’s regular market price. The state’s allegations against Temu also include the use of fake and deceptive reviews, a concern to many AGs, and the claim that Temu failed to take adequate measures to protect minors, among others.

The state requests the court preliminarily and permanently enjoin defendants from treating Arkansas consumers unlawfully, unconscionably, and deceptively as described in the complaint, plus requests civil penalties and other monetary and equitable relief. Temu said, “We categorically deny the allegations and will vigorously defend ourselves.”

Arkansas is not the only state concerned about Temu’s practices. In 2023, Montana banned the download of the Temu app (and a handful of other apps) on devices issued by the state or connected to the state network based on its affiliation with foreign adversaries. The state also banned third-party firms conducting business for or on behalf of the state of Montana from using Temu and the other apps in question.

This action demonstrates the breadth of authority provided to state AGs, especially related to consumer protection. AGs routinely use UDAP laws to bring expansive matters, which can evolve from looking at one issue into many. Here, while there is much attention to the allegations related to Temu’s data collection and security practices, the other general UDAP violations on the quality of products and fake reviews show how multiple areas of misconduct claims will be addressed by AGs. All of these areas continue to be a hot topic for state AGs, as are companies with foreign affiliations thought of as problematic. As we have discussed many times before, the AGs often work together in their missions to protect consumers; only time will tell if more AGs follow with complaints against the popular shopping app.

While AGs have generally used state consumer protection laws in these enforcement actions, which are inherently broad in scope, there is also an increased legislative focus on hidden fees. For instance, California has passed a first-in-the nation law effective July 1, 2024, specifically requiring disclosures of all mandatory fees within a total price, including in the lodging industry. (The California AG’s Office has released FAQs related to the law.) Stay tuned for more on hidden fee legislation in an upcoming post.

What major actions have AGs taken to date?

The FTC first sounded the alarm in 2012 with a warning letter accusing hotels of unlawful “drip pricing” by not including resort fees in advertised daily room rates. Then, in 2016, a coalition of AGs launched a multistate investigation into whether disclosures of hotel fees violated state consumer protection laws. In 2019, Nebraska sued Hilton and Washington DC sued Marriott, beginning the resort fee enforcement actions by the states. Since that time, multiple lawsuits and settlements have been filed regarding hidden resort fees.

For instance, Choice Hotels International has settlements with Colorado, Nebraska, Oregon, Texas, and Pennsylvania. Also regarding Choice Hotels, Maryland successfully sued to enforce a subpoena served on the company and recently, the state filed a petition for constructive civil contempt for alleged failure to comply with the court order; the matter is ongoing. Another major hotel company, Omni Hotels, has settlements with Colorado, Nebraska, Pennsylvania and Texas.

Meanwhile, litigation against Marriott International continues in Washington DC, while Colorado, Nebraska, Pennsylvania, and Texas have settled with the chain. Regarding Hilton, Texas sued with litigation ongoing, while Nebraska settled its suit. In separate lawsuits, Texas also sued Hyatt Hotels Corporation and Booking Holdings Inc., which includes online travel companies such as Booking.com, Priceline, Agoda, Rentalcars.com, KAYAK, and Opentable, with litigation ongoing in each matter.

AGs are watching for so-called hidden fees, and AG staff often have first-hand knowledge as they stay in hotels just like other consumers. After Pennsylvania settled with Marriott International, the hotel chain added a new sustainability fee at some of its locations. The AG claimed the hotel had failed to comply with their agreement, which led to a court order and new settlement requiring payment of $225,000 for the alleged previous compliance shortcomings.

What acts did the States find problematic?

In general, the AGs alleged that hotels advertised low base rates to attract consumers away from competitors. Then the hotels later disclosed resort fees, amenity fees, and destination fees when travelers had already begun the booking process. These could range from $9 to $95 per room, per day. States argued failing to disclose all fees up front made it difficult for consumers to compare prices and make informed choices as they booked their stays.

AGs also questioned the purpose of some fees, alleging that hotels made confusing or contradictory claims about what fees actually covered. This included amenities fees for generally complimentary services (like internet access, local and toll-free calls, and access to a fitness center) or resort fees charged by hotels that may not provide resort-like services. States also questioned the practice of including these fees in a general “Taxes and Fees” section, which they alleged could mislead consumers into believing the fees were imposed by the government, not the hotel.

What do these settlement agreements require?

The AG settlements followed common themes requiring:

• The total price is afforded “most prominent display.” This means that all mandatory fees are clearly and conspicuously disclosed and that full price, including those add-ons, gets premium billing on booking websites.
• When a consumer sorts by price (e.g. lowest to highest), the “sorting” price includes all mandatory fees. This prohibits hotels from suggesting that a room is less expensive than others if that is not actually the case at check-out.
• Distinguish taxes from fees. The agreements require hotels draw a clear line separating their own fees from government (or quasi government) tax charges.
• The goods and services included in an “amenity” fee are clearly disclosed, before booking.

Businesses can look to these requirements to gain insight on how broadly states may interpret their current consumer protection laws as well as their expectations of businesses in industries beyond lodging. For our next installment on new legislation in this area, be sure to subscribe to the AdLaw Access blog.

The rule changes will go into effect on a rolling basis over 12 months after publication in the Federal Register. As of the date of this post, publication has not yet occurred, so affected businesses will have all of 2024 to review their current practices and update them as appropriate to comply with the new requirements.

1:1 Consent and the “Lead Generator Loophole”: Among the most significant changes adopted, the Order institutes a new requirement that, to send an autodialed telemarketing text or phone call, the texter/caller must first obtain a consumer’s prior express written consent specific to the company that will place such a text or call to the consumer’s cell phone – in other words, a 1:1 consent. In adopting this requirement, the FCC explicitly stated its intent to “close the lead generator loophole by prohibiting lead generators, texters, and callers from using a single consumer consent to inundate consumers with unwanted texts and calls when consumers visit comparison shopping websites.” Of particular importance for this consent:

• A texter/caller cannot rely on a bundled consent applicable to multiple sellers. According to the Order, “[c]omparison shopping websites can provide additional information about sellers or a list of sellers that a consumer can affirmatively select in order to be contacted,” and it does not “prescribe” the number of sellers such websites can list. However, the FCC expressly rejected a “hyperlink” list approach to identifying sellers on such websites, and was clear that “if the web page seeks to obtain prior express written consent from multiple sellers, the webpage must obtain express consent separately for each seller.”

• For consent to be considered valid, the disclosure seeking consent must be “clear and conspicuous” so the notice is apparent to a reasonable consumer, and it must comply with the ESign Act if collected online. In addition, the scope of interest in certain products or services for the consent “must be logically and topically related to that website.” The Order does not define what “logically and topically” means, but explains that “when in doubt, [companies] will err on the side of limiting that consent to what consumers would clearly expect.”

• Key Takeaway: The FCC’s new TCPA restrictions described above apply only to autodialed and prerecorded calls to wireless phone numbers. But even if a company is comfortable that it is not using an autodialer, it should still evaluate other legal and business case reasons for implementing the 1:1 consent rule, including confirming compliance with do-not-call requirements under a separate TCPA provision (in addition to the Telemarketing Sales Rule and state telemarketing laws), as well as possible contractual obligations with partners in its business flows. Further, while compliance may not be required for another twelve months, it would be prudent to start A/B testing now on the most effective (and still compliant) ways to obtain 1:1 consent for each seller in scenarios where one company is capturing consent for multiple parties, and consider what new contractual provisions may be worth instituting in agreements.

It is worth noting that although the item was generally favored by all FCC Commissioners, Commissioner Nathan Simington dissented specifically to the 1:1 consent requirement, citing concerns about its impact on small businesses. In a Second Further Notice of Proposed Rulemaking (NPRM) that was included in the item, the FCC is seeking public comment on the “potential economic impact on small businesses” of the 1:1 consent rule, and whether the Commission could “clarify or refine this requirement to further minimize any compliance costs.” Initial comments on these questions, as well as other proposals in the NPRM (discussed below) will be due 30 days after the item is published in the Federal Register, and reply comments will be due 45 days after publication.

Texting and Do-Not-Call: The Order also confirmed that Do-Not-Call list protections apply to text messages, and “[t]exters must have the consumer’s prior express invitation or permission before sending a marketing text to a wireless number in the DNC Registry.” This action is the latest iteration of the FCC’s longstanding policy that texts are equivalent to calls for TCPA purposes, and consequently means that if a consumer revokes his or her consent to receive texts, a company would be required to add that number to its internal do not call list. The FCC further suggested that a single opt-out text from a consumer should be viewed as a revocation of consent for all marketing messages from a particular company, stating in the Order that the Commission disagrees “with the contention that if a consumer revokes consent for autodialed text messages from a seller on one text messaging chain, the seller can continue to send that consumer texts or calls through a different program or chain…The Commission has never bifurcated consent in such a manner and does not endorse it here.”

• Key Takeaway: As a default posture, an opt out of a telemarketing text should be treated as a request to be placed on a company’s internal do not call list. While the Order did not expressly address this question, it would be consistent with consumer expectations and consumer protection law to maintain the discretion to offer a consumer a menu of opt out options so long as there is an option to stop receiving all telemarketing calls and texts from the company.

Text Blocking: The new rules require “terminating” mobile wireless providers “to block all texts from a particular number or numbers when notified by the Enforcement Bureau of illegal texts from that number or numbers.” The Order makes clear that this mandate is intended to supplement “voluntary blocking measures by providers” and that “providers can [and are expected to] continue to block and improve their blocking going forward.”

• Key Takeaway: Companies should recognize that carriers and texting platforms may bolster efforts to block text campaigns that are viewed as spam or which are triggering high opt out rates. To avoid being blacklisted, it will be increasingly important to ensure your company has a thoughtful approach to its marketing outreach efforts to ensure that recipients are receiving communications they both want and expect. A solid consent strategy is a durable way to prepare for and manage this risk.

Additional Proposals and Requests for Public Comment. In addition to adopting the rule changes outlined above, the NPRM portion of the item also lays the groundwork for the FCC to expand on some of these rule changes, as well as consider others. Among its proposals are a possible expansion of text blocking by “originating” service providers, whether the FCC should require or incentivize providers to block texts based on reasonable analytics,” and whether it should adopt “additional protections against erroneous text blocking” such as a notification requirement if texts are blocked based on reasonable analytics.

The NPRM also seeks to update the record on text message authentication and spoofing, including the extent to which number and/or identity spoofing is currently an issue for text messages, technical standards and tools that are in use or being developed to address authentication in text messaging, and whether the FCC should require the industry to provide regular updates to the Commission on text authentication.

Additionally, the NPRM proposes to require service providers to make email-to-text service an opt-in, rather than simply encouraging an opt-in framework (as it chose to do in the Second Report and Order). It seeks comment on several questions related to the proposal.

Initial comments on the NPRM will be due 30 days after the item is published in the Federal Register, and reply comments will be due 45 days after publication.

If you have any questions about how these changes may affect your business, or are interested in filing comments, please reach out to Alysa Hutnik or Jenny Wainwright. For more telemarketing updates, please subscribe to our blog.

Background of the Office

The New Hampshire Attorney General (AG) is appointed by the governor and confirmed by the executive council. The AG oversees the Consumer Protection & Antitrust Bureau (the Bureau) which falls under the state’s Department of Justice.

Similar to what we’ve heard from other states, AG Formella explained that the Bureau sets its priorities based on “the needs of the state and what the state is experiencing.” The Bureau learns about these needs from a variety of sources including consumer complaints.

Additionally, New Hampshire has participated in many multistate investigations. AG Formella described multistate investigations as an “opportunity to pool resources to pursue an issue that is important not only to New Hampshire, but to the country.”

Though the Bureau does not offer a formal resolution process, the Bureau reviews the complaints and sends them to the business in order to elicit a response and a potential resolution. Garod added that if a business response does not fully address the complaint, then sometimes the Bureau will use the complaint as an opportunity to push back on a business and drill down on any potential UDAP (unfair and deceptive acts and practices) violations. Garod highlighted that the Bureau has been able to recover money for consumers and achieve results through this informal resolution process.

The Consumer Protection Act

The Bureau primarily relies on the Regulation of Business Practices for Consumer Protection (“Consumer Protection Act”). The Act provides several per se violations like “advertising goods with intent not to sell them as advertised” or using “deceptive representations of geographic origin in connection with goods or services.” According to Garod, the Bureau has both criminal and civil authority, which are both used frequently.

Under New Hampshire statues, the AG and the Bureau are authorized to conduct pre-suit investigations and can conduct depositions and request documents. While the AG and the Bureau cannot issue interrogatories, they can compel the appearance of a person to the office, put them under oath, and ask questions (similar to a deposition). Garod discussed that the Consumer Protection Act itself does not provide a statute of limitations; however, there is a statute of limitations of three years for all civil actions brought by the state.

The Consumer Protection Act can carry a hefty civil penalty of up to $10,000 per violation. Though the AG does not have the authority to obtain disgorgement, they can and often recover restitution as well as the costs of bringing the lawsuit. Garod noted that the office prioritizes obtaining restitution for its consumers as well as injunctive relief.

The Bureau can enter into an Assurance of Discontinuance (AOD) to settle claims; however, any violation of this AOD can be prima facie evidence of a UDAP violation.

Outside of the Consumer Protection Act, New Hampshire does not have specific laws to address price gouging, auto-renewals, or privacy rights (yet). Garod stated that many actions that would fall under those specific types of laws could be an unfair or deceptive act or practice under the Consumer Protection Act.

Prioritizing Seniors

AG Formella stressed that the state is prioritizing protecting seniors and combatting financial exploitation. He noted that New Hampshire is an “aging state” with the population of its citizens over 65 increasing – a common trend with other states.

The AG and the Bureau focus on seniors through the following three methods:

• Education and outreach: Garod stated that the best way to combat illegal activity is to empower people to protect themselves through education. The Bureau has made efforts of educating financial institutions, medical providers, and other stakeholders in order to impact a diverse body of stakeholders throughout the state.
• Investigations and Prosecution: The Bureau has revitalized its Elder Abuse and Exploitation Unit with more resources and staff.
• Legislative Tools: RSA 631:9 criminalizes the financial exploitation of an elderly adult. The statute also empowers financial institutions to combat elder fraud and provides an extended term of imprisonment for intentionally taking advantage of a victim’s age or physical/mental disability.

The Bureau has already seen success with its education efforts, investigations, and enforcement of criminal laws against targeting seniors. Garod mentioned that the Bureau has won multiple jury trials prosecuting bad actors targeting vulnerable senior citizens.

Takeaways: States like New Hampshire are closely paying attention to consumer complaints, state trends, and nationwide concerns in determining their enforcement priorities. AG Formella’s focus on seniors is a reminder that states have special statutes and enhanced penalties that may apply where the victims are from vulnerable populations. It is crucial to have a deep understanding of each state’s laws and priorities when choosing where and how to operate your business to ensure robust compliance.

***

Be sure to join us on December 14 for a Conversation with NAAG and AGA Executive Directors. To register for the webinar, click here. To catch up and read the coverage of all our previous state AG webinars, click here.

December 14 | 2:00 p.m. – 3:00 p.m. ET

Join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Special Counsel Abby Stempson, and Senior Associate Beth Chun and the executive directors of The National Association of Attorneys General (NAAG) and the Attorney General Alliance (AGA) for a discussion on the significance of these organizations and state attorneys general to the business community. Guest speakers Brian Kane, Executive Director of NAAG and Karen White, Executive Director of AGA will highlight:

• The importance of businesses understanding AG priorities which include hot topics such as:
  • Data privacy, artificial intelligence, consumer protection, organized retail crime, and cannabis
• Each organization’s history, membership, and leadership
• How businesses can use NAAG and AGA as a resource
• State AG elections and other items of interest in the new year

Register Here

Background and Priorities of the Office

Illinois’ primary consumer protection statute is the Consumer Fraud and Deceptive Business Practices Act (CFA). The state also has a Uniform Deceptive Trade and Practices Act but it is bootstrapped into the CFA. The CFA is primarily a civil law with some criminal penalties, and is enforced by the AG and county state attorneys. There is also a private right of action.

The CFA authorizes the AG’s office to conduct pre-suit investigations which could include a civil investigative demand (CID) or subpoena depending on whether they want to ask interrogatories (a CID allows the state to ask for more information while a subpoena requires the business to appear in court or hand over specified documents). Although the CFA does not state whether the party can object or set aside a CID, under Illinois’ Rules of Procedure, the party could file a motion to quash if needed. The office does not need to provide any pre-suit notice to the proposed defendant.

According to Ellis, the office can enforce compliance with a CID through a variety of ways – such as filing an enforcement action and asking for a “broad swath of relief” from the court. This may include restraining a business from certain conduct until they respond, suspending their authority to do business in the state, etc. There is no statute of limitations for the AG to bring a violation under the CFA in contrast to the three-year limit for private right of actions.

The CFA allows the office to receive up to $50,000 total as a civil penalty with some potential enhanced penalties if the allegations include vulnerable populations. However, the civil penalty can increase to $50,000 per violation if the office can demonstrate intent.

Ellis also noted that the office receives around 20,000 consumer complaints annually and has designated staff that handle informal resolutions for those complaints. These consumer complaints are attainable by a public records request though they are redacted to remove name and contact information.

Organized Retail Crime

Since the pandemic, AG Raoul explained that organized retail crime (ORC) has continued to increase resulting in losses up to billions of dollars annually. He noted that bad actors tend to target big box stores, pharmacies, hardware stores, auto dealerships, and other retailers, and resell stolen goods below market value on online marketplaces. General Raoul said that some of the profits from ORC are frequently connected to human, gun, and drug trafficking and other crimes. As such, AG Raoul emphasized, “we cannot dismiss these thefts as isolated, brazen, retail theft because oftentimes there is an organized retail ring behind these acts.”

Due to these problems, states such as Illinois have expanded their criminal and civil authority to combat ORC. In 2021, AG Raoul created the Organized Retail Crime Taskforce. The Illinois taskforce fosters cooperation among retailers, online marketplaces, law enforcement agencies, and state’s attorneys. AG Raoul analogized the collaboration as if the platforms were “invited in the restaurant to help us cook a meal and solve the problem of ORC within the state. . . however, if they were not willing to come to the table, then they would be on the menu.”

To assist with investigations, Evans emphasized the importance of retailers working with state enforcers to help track down stolen goods and disrupt their flow into the online marketplace.

INFORM Consumers Act & States

Illinois’s enacted its version of the INFORM Consumers Act (Illinois Act) in May 2022, effective in January 2023, about six months before its federal counterpart. Ellis said that the Illinois Act provided an “interesting intersection” of criminal and civil issues as consumers are unknowingly purchasing stolen goods. Ellis also noted that the Act requires important information be provided to consumers about who they are purchasing products from, as well as a tool to report suspected activity. Evans stressed that the Illinois Act is a “start” and will be very good at resolving issues with ORC. The reporting requirements will provide better insight into how law enforcement can stop ORC.

General Raoul said that they have already seen early success with funding the Illinois Act. Evans added that the law has provided enhanced criminal penalties and enforcement provisions which have been instrumental in targeting ORC specifically.

Other than small changes, both the federal and Illinois INFORM Consumers Act are relatively similar:

• Both cover “high volume” third party sellers. For collection of information, this means 200 or more discrete sales plus $5,000 or more in aggregate gross revenues in 12-month period. For disclosure of information, this means the aforementioned requirements plus $20,000 or more in annual gross revenues.
• Both create collection requirements. An online marketplace must collect certain information within 10 days of seller qualifying as high volume and verify the information.
• Both require disclosures. An online marketplace must disclose identity information to consumers.
• Both require reporting mechanisms. The marketplace must clearly and conspicuously disclose on the product listing a reporting mechanism that allows for electronic and telephonic reporting of suspicious marketplace activity to the marketplace.
• Both require suspension. The marketplace must suspend future sales activity of high-volume seller if, after providing notice and an opportunity for compliance, the seller does not comply with these provisions. The suspension is in effect until the seller complies.
• Enforcement by Attorney General.
  • Federal Law: A state Attorney General may bring a civil action. The AG can obtain injunctive relief, civil penalties ($50,120/violation), or other remedies permitted under state law, and damages, restitution, etc.
  • Illinois State Law: The Illinois Attorney General may bring a civil action. A court can order an injunction, the revocation of authority to do business in the state, and restitution. The Illinois AG can also issue a pre-suit subpoena.

Ellis said that “it will depend” on whether the state will enforce the federal or state INFORM Act. She said that it is certainly “not a local problem” and is a “cross-jurisdictional issue” and states will need to work together to tackle the problem. AG Raoul emphasized that partnering with federal, state, and local law enforcement is “critical.”

In addition, the omnibus bill that created the Illinois INFORM Consumers Act also created enhanced criminal penalties for persons engaging in ORC. If a person is accused of committing organized retail theft (stealing merchandise worth $300 or more when acting together with one or more people), under the Act, they can be charged with a Class 3 felony, which is typically punishable by up to five years in prison. If the alleged offender stole from multiple stores, the act is punishable by up to seven years in prison.

Takeaways: As ORC presents a substantial disruption on a federal and state level, we continue seeing more collaboration between federal and state law enforcement, and also among states. Ellis concluded that there is an obligation on platforms to not turn a blind eye to criminal activity on their platforms. The AG can enforce this obligation through the INFORM Act, the CFA, or UDAP authority. Illinois’s authority is broad and covers both deceptive and unfair conduct. It’s important to understand one’s obligations, especially under the INFORM Act, to ensure that you won’t get hit with both federal and state litigation.

***

Be sure to join us this Thursday, October 19^th as we meet with New Hampshire Attorney General John Formella and his Consumer Protection office at 2:00 pm ET. To register for the webinar, click here. To catch up and read the coverage of all our previous state AG webinars, click here.

As part of its business model, Tempoe leased a variety of goods to consumers like furniture and appliances, but also goods and services that one might not normally think of in a lease – such as car parts and repairs as well as toys. The company offered their lease options after a consumer applied and was rejected for conventional financing through the retailer, and as a result the states alleged consumers were misled that they were entering into installment contracts or credit sales. States also alleged Tempoe’s leasing agreements had a complicated structure. Consumers made periodic payments for an initial term of five months. If the consumer did not affirmatively tell the company they wanted to purchase or return the product, Tempoe would auto-debit the consumers for the full month-to-month term of the contract which was typically 18 to 36 months. Confused consumers ultimately ended up having to pay double or triple the typical purchase price of the product or service, State AGs claimed.

Tempoe’s leasing agreements also allegedly lacked disclosures required by Regulation M, which implements the Consumer Leasing Act. The company did not provide some consumers with a copy of their lease agreement until after the transaction. Consequently, some consumers had to rely on oral descriptions from employees. Tempoe also trained its employees to avoid calling the product a “lease.”

States also claimed the company had complex return requirements. If a consumer wanted to cancel their lease agreement after the first 30 days, but within the initial five-month term, the consumer had to return the product to Tempoe. However, the company did not accept the returns of many items, including products that were less than $300. Instead of going through the hassle of returning, consumers would exercise the “purchase option” on the lease even though they ended up paying more than the original price due to the high leasing fees.

Tempoe entered into over 1.8 million financial agreements and generated approximately $192 million in revenue from about 325,000 consumers between 2015 and 2022. In addition to the provisions below, Tempoe must pay an additional $1 million to the states participating in the settlement, and another $1 million to the CFPB.

The settlement also includes injunctive provisions that:

• Permanently bans Tempoe from engaging in future consumer leasing activities as well as cancelling all existing leases.
• Permits consumers to keep any leased merchandise regardless of the status of their account with Tempoe, and without having to make any further payments (an in-kind financial relief estimating $33 million nationwide).
• Prohibits the company from providing any negative information regarding consumers to any consumer reporting agency.

Biggest Takeaways: State AGs and the CFPB continue to collaborate on multistates with restitution provisions uniquely tailored to the alleged consumer injuries. This collaboration leads to varied allegations as the CFPB can enforce different laws than states such as the Consumer Lending Law.

Additionally, it’s important to note what consumers are expecting –the more a product or service is out of the ordinary, the more disclosures are needed. In Tempoe’s case, their simple disclosures were not enough to cure the expectations of consumers who are unlikely to expect that some of the types of goods they were “purchasing” were actually only leased. We’re seeing this expectation all throughout regulator enforcements, particularly in the AI space where State AGs have emphasized the importance of businesses being clear and transparent about the complexities of how they are using AI in consumer products and services.

To learn more about enforcement priorities throughout the state attorneys general landscape, join us for our upcoming webinar with the New Hampshire Attorney General on October 19.

The CPA went into effect on July 1, 2023, and last week Colorado Attorney General Phil Weiser was prompt in his reminder to businesses that his office will begin enforcement.

In a statement issued on July 12, Weiser noted that the CPA is a critical tool to protect consumers’ data and privacy but that his office’s enforcement approach “will not seek to make life challenging for organizations that are complying with the law, but rather will seek to support such efforts.” Weiser said, “if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”

Among other things, the CPA provides Colorado residents with the right to opt out of targeted advertising and the sale of their personal data. Key obligations under the CPA include requirements to:

• Provide consumers with clear, understandable, and transparent information about how and why they collect, store, use, share, and sell personal data
• Respond to consumer requests to access, delete, correct, and get a portable copy of their personal data
• Allow consumers to opt out of the sale of personal data as well as targeted advertising and certain kinds of profiling
• Obtain consent before collecting or using sensitive data
• Only collect the minimum amount of personal data necessary from consumers

Beginning on July 1, 2024, controllers will need to honor user-selected universal opt-outs for targeted advertising and sales.

The Colorado Attorney General and local district attorneys have exclusive authority to enforce the CPA and can seek significant monetary penalties for non-compliance. In addition, several other states have joined the list of those that have enacted comprehensive privacy laws and may soon provide indications of their enforcement priorities.

For specific questions about what this means for you and your business, please contact Alysa Hutnik at [email protected].

In addition, please join us on July 24 for a webinar featuring special guest speakers Colorado Attorney General Phil Weiser and Nathan Blake, Deputy Attorney General for Consumer Protection, as they join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Special Counsel Abby Stempson, and Senior Associate Beth Chun for a discussion on a variety of important consumer protection topics. You may register here.

Office in Transition

The Nebraska Attorney General is an elected position. The last election was held in November 2022, thus AG Hilgers has been serving in this role for a little over six months and provided some of his thoughts on transitioning to that office.

When AG Hilgers took office, his perspective was not to come in and do things differently with entirely different people. Instead, he met with each member of the team and ensured that his team understood his core principles. But not only was AG Hilgers building relationships internally, he also believed in building relationships externally. For example, AG Hilgers highlighted that one task of a new AG is developing good communications with federal agencies in order to facilitate collaboration. AG Hilgers said he approaches the job fairly and thoughtfully, while intentionally making a few tweaks here and there to fulfill the vision he has for the office.

Consumer Protection Priorities

Though the Nebraska AG office is smaller compared to other states, AG Hilgers emphasized that the AG’s office “punches well above its weight if you look at just headcount.” Along those lines, Mr. Carlson noted that the Consumer Protection Division employs a smaller number of attorneys and staff yet houses a number of responsibilities in Nebraska, including antitrust enforcement, charities enforcement, and Nebraska’s Tobacco Unit. The Division learns about issues through multiple channels, such as communicating with other AGs, or through the news and radio. AG Hilgers highlighted that as the only state with a unicameral legislature, consumers tend to know their state legislator well and will often go to their state legislator for consumer complaints first. The AG’s office is aware of this, and will work with the state legislature to learn about the different problems facing consumers. However, before getting involved, AG Hilgers emphasized that the Office will consider whether they can play a constructive role in resolving an issue, rather than just trying to grab a headline. The overarching goal, according to AG Hilgers, is to do the most amount of good for Nebraskans with the resources available to the Office.

Mr. Carlson noted that the Consumer Protection Division includes a Consumer Affairs Response Team (CART) that takes complaints and handles dispute resolution. If a business receives a letter from CART, Mr. Carlson said they should not ignore it but rather contact the office to try to reach a voluntary resolution. When determining appropriate resolution, the Division will take the business’s cooperation into account. They recommend that businesses be proactive and thoughtful, because if there is an issue, the Office is likely going to find it. The Office seeks good, working relationships with companies and is not in the business of simply being punitive to be punitive. AG Hilgers noted that the Office is proportional in its exercise of punitive powers, noting “if it’s a five-yard penalty, then you need to call a five-yard penalty and not throw someone out of the game.”

The Consumer Protection Division addresses local problems, but AG Hilgers discussed that Nebraska also tackles national problems where they can add impact as a leader, like in the tech space. Every state has a limit on their resources, so the Office will often work with other states to combine resources and more powerfully address the issues. The Office also works with federal agencies such as the FBI and DEA.

Nebraska Consumer Protection Laws

Nebraska has two main consumer protection laws: the Consumer Protection Act (“CPA”) and the Uniform Deceptive Trade Practices Act (“UDTPA”). Both acts provide for civil enforcement and UDTPA provides for criminal enforcement – a first time violation can result in a class 2 misdemeanor and a violation of a consent order or a voluntary agreement can result in a class 4 felony. The acts have enumerated provisions unique to Nebraska, such as a provision against the mislabeling of honey, but the AG can also address issues such as price-gouging and auto-renewal issues under its general unfair acts statutes where they lack a specific law. Nebraska has a data breach notification law but does not have its own data privacy law. However, the Office can use its UDTPA and CPA authority to address privacy issues such as those found in the recent Google multistate.

Additionally, under both UDTPA and the CPA, Nebraska can use its pre-suit investigative/CID authority to request documents, take statements, and send out interrogatories. Businesses have 20 days to object to these inquiries. The responses businesses share are generally confidential, but can be shared with other law enforcement agencies. The language around Nebraska’s statute of limitations is vague and depends on the action, but generally is 4 years. Depending on the statute violated, a business may also be able to enter into an agreement of voluntary compliance (AVC) or an assurance of discontinuance (AOD). The civil penalty authority is $2,000 per violation and another $2,000 for a violation of an AVC or a consent order. However, the Office may forego monetary penalties if they can reach an agreement containing strong restitution provisions or injunctive relief.

So again from Nebraska, we have heard commonalities that competing resources and AG priorities may drive multistate enforcement, and states continue to use their broader UDAP statutes where they lack more specific authority in specific areas.

Goodbye Phil!

Since our webinar, Phil Carlson announced that he is leaving the Nebraska AG’s office. Nebraskans have certainly benefitted from his consumer protection work, but so have consumers nationwide from his multistate leadership. We all thank him for his service!

* * *

Be sure to join us for our next State AG webinar with Colorado Attorney General Phil Weiser and Nathan Blake, Deputy Attorney General for Consumer Protection, scheduled for July 24, 2023 with details to follow.

Consumer Protection Priorities

As for setting consumer protection priorities, the Connecticut AG relies on its robust and expansive UDAP law (the Connecticut Unfair Trade Practices Act (“CUTPA”)). In fact, according to AG Tong, Connecticut has used its act to address issues beyond traditional state consumer protection actions. There is no statute of limitations in Connecticut. He relies on both hard powers, that is, those delegated by statute or common law, and soft powers, such as using enforcement resources to push an actor to do the right thing. Thus, priorities are set any number of ways – and AG Tong provided a wide range of interests and enforcement efforts. Consumer actions may track major policy initiatives like climate change or may address something that “comes through the door” like the recent issue of Kia and Hyundai cars being stolen at a higher rate. AG Tong also referenced a concern with potential fraud in the solar industry. In addition, AG Tong highlighted issues that affect Connecticut youth such as the dangers of social media or harms from vaping. The Office also receives complaints from consumers through its intake team, which helps inform enforcement priorities.

Investigations and Settlements

Like most other states, the Connecticut AG can conduct a confidential pre-suit investigation with CIDs and related requests, and can also engage in pre-suit resolution discussions. But it is not the AG’s general practice to ask for anything and everything they can think of. Rather, the Office tries to keep the requests tailored to what they are investigating. There is no specific time frame for businesses to object to the CID and the Office is happy to engage in informal discussions about time to respond. Businesses should not ignore the CID however, because the Office can file an action to compel compliance.

Injunctive relief is a main component of a pre-suit negotiation as well as a building block to any settlement or Agreement of Voluntary Compliance. The AG may also include a monetary component to any settlement, such as disgorgement or restitution. Connecticut’s penalty authority is $5,000 penalty imposed per willful violation. The AG noted that there is not a statutory definition of “willful violation,” which means the Office could determine that it could be per day, per action, etc. Companies that settle may be subject to ongoing reporting requirements and if there are further violations, the company could be subject to the higher penalty of $25,000 per willful violation.

Some takeaways from CT that we have heard from many AGs and staff: AGs across the country and across the aisle are looking to use their UDAP laws creatively, but they strive to be reasonable in exercising their powers.

* * *

Be sure to join us for our next State AG webinar. Click here for more information. And be on the lookout for our Nebraska Attorney General’s Office blogpost which is just around the bend.

The 2015 environmental lawsuit named foreign defendants German automobile manufacturer, Volkswagen Aktiengesellschaft (Volkswagen), and its majority-owned subsidiary, Audi Aktiengesellschaft (Audi). The Texas AG alleged that the companies designed, created, and implemented software function to detect, evade, and defeat U.S. emissions standards. The software could detect when an emissions test was occurring, which would in turn cause the car to operate in a manner that would produce less emissions and make the testing equipment think that the car met a better pollution standard that it actually did. Volkswagen argued that the state lacked personal jurisdiction over the manufacturers in Texas courts. The manufacturers argued that, at most, they directed the conduct at issue toward the United States as a whole, not to Texas specifically. The manufacturers lost on this issue at the trial level, but won on appeal before the court of appeals. The state then appealed to the Texas Supreme Court, which rendered its decision late last month.

The Texas Supreme Court disagreed with the court of appeals and found that the manufacturers were in fact amenable to specific personal jurisdiction in Texas. The Supreme Court found that the car manufacturers “effectively (and knowingly) dropped the tampering software down a chute that guaranteed it would land in Texas.” The Supreme Court distinguished this against the more common type of personal-jurisdiction disputes in which a nonresident manufacturer has merely placed a product in a stream of commerce that then carried its product to the forum state. Instead, here, the car manufacturers “called all the shots” having developed the product and controlled the stream that brought the product to Texas. Importantly, the Supreme Court noted that personal jurisdiction is a forum-specific inquiry, and that a defendant’s contacts with another state “do not negate purposeful availment of this jurisdiction regardless of whether out-of-state contacts or more, less, or exactly the same.”

This decision marks a notable reminder of the power of attorneys general, given that the Texas AG was able to successfully exert personal jurisdiction over a foreign entity. National and international companies engaging in commerce across the United States should be mindful that directing products into the stream of commerce to purposefully reach a certain state may be enough for personal jurisdiction.

When a Chairman opens an appropriation hearing with these words, an agency seeking funds has a tough task ahead. Undaunted, FTC Chair Lina Khan turned on the charm and often mollified her critics. Appropriators pressed her about the FTC’s proposals to ban non-compete clauses and regulate auto dealers. They complained about reports of scams and fraud on the rise while the FTC pursued subjective notions of competition. In the end, she fared better than all the Commissioners did a week earlier in oversight hearings, but she did not hear an endorsement of her budget request.

Here is our rundown of the biggest issues on this Committee’s radar and the Chair’s responses:

Consumer Protection versus Competition Promotion

The FTC has requested a budget of $590 million for fiscal year 2024, a $160 million increase that would add 300 staffers to the agency. This request comes just as the House passed a bill on Wednesday, April 26, slashing trillions of dollars in government spending.

Leading the questions was Womack, Chairman of the Fiscal Services and General Government Subcommittee of the House Appropriations Committee, and he asked Khan to explain why FTC wanted larger increases for competition than consumer protection. She explained that a competition case can require two or three times as many lawyers and ten times as much money for expert witnesses. Merger activity has been “off the charts,” she said, with a 70% annual increase (although she noted a recent decline from the peak).

The FTC’s merger challenges then drew fire. Members like Joyce (R-OH) and Bishop (D-GA) criticized recent cases involving nascent competitors, and Moolenaar (R-MI) questioned FTC’s coordinating with U.K. authorities to prevent deals among American companies. Khan credited the agency’s international office to a former Republican Chair and dodged questions about individual cases, but the Members returned to concerns about dubious competition policy and declining consumer protection. They implored Khan not to lose sight of scams affecting the elderly and military families. When Ciscomani (R-AZ) relayed the concerns of his constituents about robocalls, Khan touted FTC attacks on the platforms and networks that scammers use. She reported that complaints overall had declined, but he was skeptical, responding that his constituents had not noticed the drop.

Khan reassured the Members that the Commission still addresses fraud and consumer protection along with the increased competition activity. A cut in government spending, she warned, would be devastating to consumers. FTC would have to freeze or even reduce the resources that battle fraud if funding is not maintained.

FTC Morale & Transparency

Womack, Moolenaar, and Cloud (R-TX) raised the annual Federal Employee Viewpoint Survey, which reported that the percent of employees at the FTC who strongly agreed that the senior leaders “maintain high standards of honesty and integrity” dropped from 57.6% in 2020 to 22.5% in 2022. The Members wanted to know what Khan was doing to improve morale. She admitted that mistakes were made early in her tenure and said that she had streamlined decision making and increased transparency by holding meetings with senior staff members.

Moolenaar asked if the FTC will comply with an outstanding subpoena from the House Judiciary Committee. Khan responded that FTC staff is working with the Committee staff and has offered confidential briefings as well as documents.

This was not enough for Amodei (R-NV), who inquired as to what exactly Khan means when she says she is “happy to engage with the staff and see what she can share” as she did to Rep. Duncan during last week’s Energy & Commerce committee meeting. Amodei had spoken with Rep. Duncan, who said that FTC had not yet engaged. Khan conveyed her impression that the FTC’s Office of Congressional Relations had done so. Amodei planned to check.

Motor Vehicle Trade Rule

The FTC’s proposed regulation of motor-vehicle retailing took Congressional heat for the second consecutive week. Hinson (R-IA), Carl (R-AL), and Joyce criticized the proposal for adding confusing paperwork to every transaction and other measures that had not been adequately tested or assessed. They wanted to know why the FTC had declined to extend the comment period on a rule that could add over a billion dollars to automobile prices. Comment periods in other rulemakings had been extended. These Members criticized the lack of clarity in the proposed rule and the lack of consideration for independent car dealerships.

Khan defended the proposal and refusal to grant an extension. FTC economists, she reported, had done a cost-benefit analysis indicating that consumers would save money by avoiding bait-and-switch practices and hidden fees. But doesn’t the FTC Act already reach those practices? Yes, she said, but the rule would “codify illegal practices” providing better notice about what is unlawful. Hinson delivered a stern admonition that it is Congress’s job, not the FTC’s, to decide what should be codified.

The Rule Notice received over 10,000 comments, said Khan, which the FTC is working through. Finally, she defended the comment period by citing the authority of the Dodd-Frank Act, which authorized the FTC to regulate dealers, and to follow APA procedures (rather than Magnuson-Moss). Hinson also asked whether the FTC would reverse course if the enacted rule turned out to be a damaging one, to which Khan explained that if the data showed it wasn’t working then the FTC would revisit it.

Non-Compete Rulemaking

Cloud told Khan that small businesses are concerned about the Proposed Rule eliminating non-competes and that employee contracts should be left to the marketplace to regulate. Amodei objected to a one-size-fits-all approach. Different states had long adopted different approaches. Khan did not yield any ground, noting that small and new businesses also have a hard time obtaining talent. She reported that the FTC had received 26,000 comments on the proposal, which the staff is just starting to assess. She did not say and Members did not ask how much the rulemaking would cost the Commission to complete.

Other Topics

Data Privacy. While data privacy remains a hot topic nationally, it was not as popular for this hearing as it has been in past hearings (as we reported here, here, and here). Nevertheless, both Pocan (D-WI) and Torres (D-CA) questioned Khan about the FTC’s actions regarding companies who sell sensitive data. Khan touted the GoodRx and BetterHelp settlements, as well as the ongoing litigation against Kochava, a data broker that allegedly sold sensitive geolocation data. Khan explained FTC enforcement is particularly focused on business models structured to vacuum up “endless amounts” of data, which came up in discussions of TikTok and some Ed-Tech companies.

Right to Repair. Joyce expressed concern over the increase in price of auto parts. Khan agreed that this is an important issue. She further highlighted that when congress legislates, in this case regarding the Right to Repair, it offers clarity and boosts the FTC’s enforcement authority.

Franchises. Carl asked Khan whether she had evidence of the “unfair and despicable practices” that the Request for Information regarding franchises is based on. She explained that the FTC repeatedly heard in their public meetings about practices involving franchises that were harmful enough to request information to determine if they are anecdotal stories or if it is a problem worth addressing. Carl questioned whether people at meetings could provide anything more than anecdotes in a country with many thousands of franchises.

Independent Consultants. In response to the Inspector General report that raised concerns that the FTC may have overused non-government consultants, Khan explained that the report helped the agency put in place guidance and guard rails that ensures consultants’ are not doing work that should be done by federal employees.

* * *

That’s our summary for now. Stay tuned as we continue to track updates from the FTC.

ABBY STEMPSON (Special Counsel in the Ad Law and State AG practices) will be speaking on a panel entitled Fundamentals – Consumer Protection. The session will include a fact pattern to help set the scene for the audience and will discuss potential violations of federal and state law, as well as BBB self-regulatory standards. Panelists will examine enforcement, corporate compliance, and emerging issues, with Abby focusing in particular on state consumer protection laws, AG enforcement, and business compliance strategies. This session takes place on Wednesday from 9:00-10:15.

DONNELLY MCDOWELL (Partner in the Ad Law Practice) is moderating the panel Navigating the “Green” Minefield of ESG Claims, which will offer perspectives from the FTC, in-house counsel, and plaintiff’s counsel on issues related to green marketing and environmental, social and governance (ESG) initiatives. As we’ve discussed at length on Ad Law Access in a series of posts, green marketing claims continue to generate attention and scrutiny from the FTC, NAD, and plaintiff’s attorneys and are more prevalent than ever. In addition, the FTC has solicited comment on potential revisions to the Green Guides, as we discussed here. This session will address all of these developments and more, and takes place on Wednesday from 1:45-3:15 pm.

LAURA RIPOSO VANDRUFF (Partner and Chair of the Ad Law Practice) is the Session Chair and Moderator of the panel Is AMG the Tip of the Iceberg? Two years after the Supreme Court stripped the FTC of its authority to use Section 13(b) to obtain monetary remedies in FTC v. AMG, the FTC is facing new challenges on other fronts. Laura’s panel includes a former Chairman of the FTC; an attorney representing the Petitioner in Axon v. FTC; the FTC Bureau of Consumer Protection’s Chief Litigation Counsel; and a prominent member of the FTC defense bar. Among other things, the panel will assess whether Chair Khan’s ambitious rulemaking priorities are vulnerable to constitutional challenges, including under the major questions doctrine. This panel is on Thursday from 8:30-10:00 am.

PAUL SINGER (Ad Law Partner and co-chair of the State AG practice) is the Session Chair and Moderator of this year’s Consumer Protection Year in Review panel. This panel will feature representatives from the FTC, DOJ, NAD Division of BBB National Programs, Florida AG’s Office, and the private bar. This annual panel takes a look back at the major consumer protection developments of the past year, and will include a robust discussion of many of the hot topics that emerged through enforcement efforts, including dark patterns, privacy and data security, testimonials, endorsements and reviews, green claims, and health claims. The panel will also discuss the increased collaboration among enforcers – both between federal agencies (FTC/DOJ) and state-federal partnerships (FTC/State AGs). This panel will take place on Thursday from 1:30-3:00 pm.

Please join us at any or all of these interesting and timely panels.

DDC, one of the world’s largest private DNA testing companies, suffered the breach in November 2021. The breach involved databases that were not used for any active business purpose, but had been acquired by DDC as a part of a 2012 acquisition of Orchid Cellmark. These databases contained the personal information of over 2 million individuals who received DNA testing services between 2004 and 2012, including names, payment information, and social security numbers. DDC claims it was unaware that this data was transferred as a part of its acquisition of Orchid.

DDC allegedly received indications of suspicious activity in the database from a security vendor as early as May 2021, but did not activate its incident response plan until August 2021 after the vendor identified signs of malware. The malware was loaded onto DDC’s network by threat actors that ultimately facilitated the extraction of patient data, which was subsequently used to extort a payment from DDC in exchange for its promised deletion. In its internal investigation of the incident, DDC found that an unauthorized third party had logged in via VPN on May 24 using a DDC account, having harvested credentials from a domain controller that provided password information for each account in the network. The Assurance of Voluntary Compliance (“AOC”) noted that at the time the hacker accessed the VPN, DDC had recently migrated to a different VPN, meaning no one should have been using the VPN that the hackers used. Furthermore, the AOD notes that the threat actor used a decommissioned server to exfiltrate the data.

Prior to the breach, DDC conducted an inventory assessment and penetration test on its systems, however, the legacy databases that stored sensitive personal information in plain text were not identified, as the assessments singularly focused on active customer data.

The Ohio and Pennsylvania Attorneys General alleged that DDC engaged in deceptive or unfair business practices by making material misrepresentations in its customer-facing privacy policy concerning its safeguarding of its customers’ personal information. The policy represented that the company implemented “reasonable measures to detect and prevent unauthorized access to [DDC’s] computer network.”

The settlement requires DDC to develop, implement, and maintain a comprehensive information security program that is reasonably designed to safeguard the security, integrity, and confidentiality of the company’s collected, stored, transmitted, and/or maintained personal information. Additionally, DDC’s information security program must include documented methods and criteria for handling information security risks to such personal information. On an annual basis, the company must also conduct comprehensive risk assessments, provide security awareness training to appropriate personnel, and evaluate the overall effectiveness of its information security program.

The settlement specifically requires DDC to implement the following safeguards:

• The assessment of risks associated with acquired technical assets (e.g., systems applications, or devices) containing personal information and the subsequent removal of such information serving no legitimate business purpose or utility to consumers;
• Personal information must be transmitted and stored so that it is only accessible to people and systems that need such information for a legitimate business purpose;
• The maintenance of an updated data/asset inventory of DDC’s entire network and the disabling and/or removal of any unnecessary assets;
• The implementation of an incident response plan that mandates DDC employees to respond to any alerts generated from the company’s security monitoring systems, along with the documentation of actions to such alerts;
• The detection, investigation, containment, response to, eradication, and recovery from security incidents within reasonable time periods;
• Authentication protocols to ensure that people and systems utilizing credentials are who they purport to be, including through multi-factor authentication, one-time passcodes, and location specific requirements;
• The implementation and maintenance of logging and log monitoring policies and procedures designed to collect, manage, and analyze security logs and monitor where the company stores personal information (to identify, understand, or recover from an attack);
• The maintenance and support of up-to-date software on DDC’s network; and
• Technical measures for the detection and response to suspicious network activity within DDC’s network, which may include log correlation and alerting, file integrity monitoring, data integrity monitoring, SIEM systems, intrusion detection and prevention systems, and threat management systems.

Takeaways

With this settlement, we get insight into the corrective actions that two different Attorneys General believe are appropriate to prevent future incidents from occurring. Data breaches are often caused by a string of security failures as is alleged to have happened here, including: ignored security alerts, failure to monitor network activity, such as the VPN used by the threat actor that should have no longer been in use, failure to adequately data map thoroughly enough to know that the Orchid systems needed to be in scope for penetration testing, and the failure to properly decommission a server that allowed the hackers to exfiltrate data. However, with such specific injunctive terms, this settlement provides businesses with a good example of how Attorneys General interpret the requirement that they implement “reasonable” safeguards for personal information. It’s also a reminder that companies should review their privacy policies and other public-facing representations regarding their security statements, and ensure they aren’t making promises that they aren’t living up to.

General Office Information

North Carolina elects its attorney general (AG) during the same cycle as the US presidential election. The AG oversees the Consumer Protection Division which also handles antitrust and charities matters. The division has approximately 20 attorneys, plus other staff members. The NC AGO promotes a “two-way dialogue” which takes place between the attorneys in the division and the front office to determine the office’s consumer protection priorities. The AG will set an agenda based on constituent needs. In parallel, the division continually works to spot new consumer protection issues to bring to the AG’s attention.

The NC AGO receives consumer complaints about a range of unfair or deceptive acts conducted within the state. Consumers can file complaints with the office, which in turn, sends the complaints to the businesses at issue, asking for their voluntary response, with the ultimate goal of resolving disputes. Complaint specialists handle these complaints, assisting consumers and businesses with the process, and logging complaints into a database so that the office can keep an eye on trends and issues that need investigating. Last year, the office received over 20,000 written consumer complaints—a large increase compared to ten years ago.

In regard to consumer protection investigations, like most states, the NC AGO works with other states, which is often termed a multistate investigation. This allows the NC AGO to leverage its limited resources to investigate large entities and complex matters. However, the NC AGO is also willing to forego the multistate route, undertake investigations, file lawsuits, and settle matters on its own. Determining whether to pursue a matter on a single state or multistate basis depends on the circumstances. For example, the NC AGO settled a lawsuit with JUUL on its own, even though a related multistate investigation was ongoing regarding the vaping product.

UDAP Law

North Carolina’s “UDAP” (unfair and deceptive acts and practices) law is known as the North Carolina Unfair and Deceptive Trade Practices Act (NC UDTPA). Similar to other states, the law grants the AG authority to conduct pre-suit investigations that includes the ability to serve civil investigative demands (CIDs) to request documents and take statements. Important to note, North Carolina’s CIDs are not confidential, even where some of the responsive materials may be.

The NC UDTPA does not include a provision that details how a party can object to a CID nor is there a provision that expressly prohibits parties from objecting to a CID; however, the AG can go to court to enforce compliance with the CID (though this is an unusual posture that is not common in North Carolina).

Under the NC UDTPA, the AG may enter into consent judgments with the court that is filed with the court. The AG may also enter into settlement agreements that do not require that a complaint be filed. In regard to litigation, no pre-suit notice is required, but the NC AGO may provide it as a matter of courtesy.

As for remedies, the AG may seek civil penalties of up to $5,000 per “violation,” an undefined term that may be defined differently depending on the matter. The AG may also seek restitution and disgorgement. In some cases, the office will prioritize restitution over penalties, particularly if the financial condition of the company limits the amount of money that the office can recover. Settlement agreements typically include language that allows the AG to pursue a case against the party in court if there are signs of noncompliance. Important to note is that there is no statute of limitations for allegations brought under the NC UDTPA.

Other Laws

The NC UDTPA grants the AG authority to enforce price gouging laws. Price gouging laws are triggered when the governor declares a state of emergency or there is an “abnormal market disruption.” If either occur, the law prohibits the charging of prices that are “unreasonably excessive.” Violations of price gouging fall under the NC UDTPA, which as previously stated, includes penalties of up to $5,000 per violation.

North Carolina also enforces an auto renewal statute under the NC UDTPA, but does not have a statewide privacy law.

Consumer Protection and Public Health Issues

The NC AGO is very active in the public health space, using traditional consumer protection laws to protect people’s health and safety. The NC AGO commented that opioids continue to be a priority for enforcement. Additionally, as we discussed above, North Carolina filed suit against JUUL, alleging that the company’s marketing was deceptively targeting children among other claims. The case settled and the company is required to pay $40 million in addition to terms of injunctive relief.

Notably, North Carolina was the first state to settle with JUUL and included a most favored nation clause (“MFN clause”) in its settlement agreement. A MFN clause is a provision that says if there are subsequent settlements that would be more favorable to the state than the previous settlement, then the state can petition the court to obtain that type of relief. North Carolina included this provision to ensure they get the benefit of any subsequent settlements with more favorable terms.

On trend with other states, the NC AGO is prioritizing children’s emotional and mental health as it relates to social media and has used its “power of the pen” to write letters to industry players and Congress, advocating for the protection of children. The NC AGO recently also filed an amicus brief in the Supreme Court case, Gonzalez v. Google LLC, urging the Court to interpret Section 230 of the federal Communications Decency Act (1996) narrowly to ensure technology companies remain accountable to state consumer protection laws.

Be sure to join us for our next State AG webinar on March 23 where we will learn from the Ohio Attorney General’s Office. Click here for more information.

For our first State AG webinar of the year, we dove into consumer protection in the Tennessee attorney general office with our guests, Chief Deputy Lacey Mase and Executive Counsel Jeff Hill. If you missed it, we’ve recapped what we learned.

Background of the Office

Unlike other states, Tennessee is the only state where the AG is appointed by the state Supreme Court, with the AG serving for an eight year term. Qualified attorneys submit applications to the Supreme Court and are interviewed publicly before being selected to serve as AG.

Within the AG’s office, the Consumer Protection Division handles both consumer protection and antitrust work. The AG’s consumer protection priorities are constantly shifting in order to respond to consumer needs. The office evaluates whether resources should be allocated to large scale litigation needs such as multistate actions or whether there are smaller consumer concerns that need to be addressed within the state.

The Consumer Protection Division now houses the Division of Consumer Affairs which serves as the point of contact for consumer complaints about unfair or deceptive acts conducted within the state (until a few years ago, the Division was a separate agency). Tennessee does provide complaint mediation for consumers, where the office will routinely ask businesses for a response.

UDAP Law

Tennessee’s “UDAP” (unfair and deceptive acts and practices) law is the Tennessee Consumer Protection Act. Like most UDAP statutes, its law grants the AG’s office the authority to conduct pre-suit investigations, including what is commonly known as civil investigative demands “CIDs” where they may request documents and interrogatories, and also obtain statements and sample products to obtain information about parties under review. Under the law, responses provided to the AG’s office are confidential; however, it is unclear whether the CID itself also can be treated as confidential.

Parties may object to a request within ten days or the return date, whichever is shorter. If a party refuses to comply with the office’s request, the AG may file a motion to compel. If there is still no response, then the court may issue a penalty of $1,000 in addition to injunctive relief that prohibits the business from operating.

There is no statute of limitations for the Tennessee AG’s actions under its UDAP statute; however, there is a statute of limitation for a private right of action of one year.

The office is required to provide a pre-suit notice to the respondent 10-days before filing suit unless the AG determines in writing that the purpose of the lawsuit would be substantially impaired by delay in the legal proceeding. This may be waived if the purpose would be obstructed if the office gave notice. During this period, both parties may try to reach a resolution.

Remedies

The AG may enter into two types of settlements with investigated parties: (1) filing a complaint and judgment simultaneously; or (2) filing an assurance of voluntary compliance “AVC” which must be filed in the court of the capital county of Tennessee.

The AG may issue a civil penalty of $1,000 per violation. A violation may be defined in many ways to capture different types of conduct. The AG may also obtain restitution, disgorgement, and injunctive relief. If parties do not comply with the terms of the settlement, then the office may pursue a new case against the party and use non-compliance as evidence for the lawsuit.

Other Laws

The AG may enforce several price gouging laws. Important to note that its primary price gouging act is no longer triggered by a state of emergency, but rather a more specific declaration from the governor of an “abnormal economic action” meaning a disruption or anticipated disruption to usual business conditions caused by a natural or man-made disaster or emergency resulting from a terrorist attack, war, strike, civil disturbance, tornado, earthquake, fire, flood, or any other natural disaster or man-made disaster. Price gouging laws extend to consumer food items, repair and construction services, medical supplies, among other items and services. Businesses are prohibited from charging “grossly different” prices from the prices prior to the governor’s declaration for at least fifteen days. These price gouging laws carry the same penalties as the Tennessee UDAP. Similar to other states, Tennessee also has a new, specific auto-renewal law effective in 2023, but does not have a statewide privacy law.

Consumer Protection Priorities

The Tennessee AG office has noted that social media and its impact on children will continue to be a high priority, along with big tech issues generally. The AG has also started looking into novel consumer matters such as ESGs and cryptocurrency.

Additionally, the office continues to use its “power of the pen,” collaborating with other states in bipartisan letters to parties such as the federal government and specific industries, urging for action in consumer-related matters. Though some priorities may be more partisan, the office plans to continue bipartisan collaboration where appropriate to protect consumers.

But the Tennessee staff also noted that priorities can change based upon the issues facing consumers. Nothing demonstrated this more than in November of last year, when Taylor Swift fans faced numerous issues with Ticketmaster, resulting in Tennessee leading a multistate investigation into Ticketmaster. Adapting to the changing issues of their constituents is critical to a state AG’s success, and we expect these priorities to continue to evolve in 2023.

In the wake of the Supreme Court's unanimous decision in AMG, which held the FTC could not obtain monetary redress under Section 13(b) of the FTC Act, the agency has since been exploring new ways to expand its civil penalty and restitution authority. Efforts in Congress to amend the law have so far failed. Given the cumbersome process to proceed administratively, the panel touched on the FTC’s issued rulemakings mostly brought under its Mag-Moss authority, including proposed changes to endorsement guides and an ANPR on junk fees, impersonation fraud, and earning claims. The panel also noted that it remains to be seen whether, as the FTC had previously committed, we will see more state partnerships with the FTC in combined enforcement efforts.

With emergencies ebbing and flowing this year, price gouging continued to be a focus for the states this year. New York announced a rulemaking on price gouging. Some constituents fear that New York will broaden the definition of “excessive” price, while others have noted appreciation for further clarification of the undefined standard. Like most price gouging laws, New York’s law was originally designed to address life or death emergency situations creating an irregular marketplace. Two cases will be interesting to watch as they unfold because they will give greater clarity on outer bounds of state price gouging laws. Texas v. Cal-Maine Foods Inc. and NY v Quality King were brought early in the pandemic against non-consumer-facing companies. Allegations involved pandemic-related price gouging that was trickling down to consumers. Both cases were initially thrown out on a motion to dismiss. But, over the summer, both cases went up on appeal and were overturned and remanded back to the trial court.

Similarly, states have increasingly turned their attention to automatic renewal legislation. Panelists noted that Washington announced study results on recurring charges and signaled their interest in enforcement efforts in that area. Panelists partly attributed this shift to how subscription services are playing a more prevalent role in this different economy, and others noted the similarities between these issues and so-called dark patterns.

While states realize the need to legislate for consumer protection, there is also a need to create a regulatory clarity for businesses that want to operate in this space. We will continue to provide updates as these conversations continue among State AGs.

Well, the FTC just did. On October 18, it announced a settlement with Passport Automotive Group resolving allegations (among other charges) that Passport engaged in an unfair practice when it imposed higher costs on Black and Latino customers than on similarly situated non-Latino White customers. The vote was 4-1, with Commissioner Phillips dissenting and Commissioner Wilson concurring in part and dissenting in part.

Complaint and Order

The FTC’s complaint alleges that the defendants (nine dealerships and two individuals) advertised cars at specific prices but then added fees (per the press release, “junk fees”) to the purchase price, falsely claiming that the fees were required. It also alleges that, for years, Passport discriminated against Black and Latino consumers, in violation of the Equal Credit Opportunity Act and Section 5, by charging them hundreds of dollars in extra costs and fees.

According to the complaint, Passport was alerted to the problem by a finance company, but failed to take action. Passport also had policies in place that could have detected the issue, but didn’t follow them. Finally, the complaint alleges that the individual defendants (Passport’s president and vice president) both knew about these practices but failed to stop them.

Under the order, the company must establish a fair lending program requiring, among other things, that each dealership either charge no financing markup or charge the same markup to all consumers. The order also prohibits misrepresentations about costs and fees, and requires defendants to obtain consumers’ express consent before adding any charges to the price of their cars. Additionally, defendants must pay $3.38 million in refunds to affected consumers.

The allegations here are compelling on their face, and include (besides unfairness) misrepresentations about prices and charges; evidence of a significant price difference based on race; and violations of the ECOA, under which the FTC has clearly authority to challenge racial discrimination. The defendants also chose to settle the case, rather than fight the allegations in court, where the FTC’s legal theories might have been tested. Given these circumstances, the FTC majority likely viewed this case as an ideal opportunity to allege, as it had promised to do, that the racial discrimination here (the conduct that violated the ECOA) was also unfair under Section 5.

Commissioners’ Statements

Commissioner Phillips, in a dissent released on his last day at the FTC, says that he would have voted for a complaint if it were limited to the deception and ECOA allegations. However, he argues vigorously against the unfairness allegation, stating that it is “gratuitous” (i.e., adds nothing beyond what is already addressed by the ECOA); exceeds the authority of the FTC (especially given the existence of numerous anti-discrimination laws); vague as to context or protected class; and a “gap filler” that usurps the role of Congress in determining public policy.

Using his characteristic flair, he concludes that “[o]ne obvious takeaway from all of this is that Section 5 is not an antidiscrimination statute. No beak, no feathers, no walk, no quack – Section 5 is a terrific consumer protection tool, but it is no duck.” (He also explains why he believes that the FTC’s disparate impact theory is an “odd duck.”) Phillips also agrees with Commissioner Wilson that the individuals should not have been named.

In her statement, Commissioner Wilson agrees with Phillips on the merits but frames her vote as a partial concurrence/partial dissent. Most of Wilson’s statement focuses on individual liability, arguing that there is insufficient evidence to support it.

Chair Khan and Commissioners Slaughter and Bedoya, in a joint statement, explain why they believe the unfairness count and individual liability are justified. They also stress the need for the FTC to use all available tools to protect consumers. Of note, they state that the unfairness allegation is a “straightforward application” of Section 5 (which might seem a bit flippant to some, given the complexities and nuances surrounding both the unfairness test and existing anti-discrimination laws and policies).

Lessons for Companies

The FTC, the CFPB, and some States have made clear that they plan to use one of their broadest legal tools – the prohibition against “unfair practices” – to tackle discrimination across multiple industries, not just in areas already covered by existing fair lending and civil rights laws. Regardless of how one views this legal theory, the agencies are moving forward – and, certainly, discrimination is a harmful practice to be avoided, regardless of the law.

Therefore, if you don’t already have a program in place (i.e., policies and procedures) to help prevent and detect discrimination in your business, you should seriously consider implementing one now. As the FTC’s case makes clear, the program shouldn’t just consist of written policies that you put in a drawer, but should include steps to ensure that the policies are followed – for example, employee training, ongoing monitoring and oversight, consequences for non-compliance, and regular reviews of business records and practices to ensure that discrimination isn’t occurring. While reasonable questions remain as to the scope of “unfair discrimination” (as we’ll call it), companies can certainly take action now to avoid obvious problems, like charging different prices or providing a different level of service based on race, color, religion, or sex. Companies can also look to existing anti-discrimination and civil rights laws for guidance as to the types of practices that may be viewed as discriminatory in analogous contexts.

* * *

We will continue to monitor federal and state developments regarding unfairness and discrimination and provide updates here. In related news, the FTC recently launched a rulemaking to regulate “junk fees” of the sort challenged here, which will be the topic of a later blogpost.