Advertising and privacy. In 2024, it’s hard to talk about one without the other. Almost like peanut butter and jelly.
A recent case from the Federal Trade Commission is an important reminder about the privacy and advertising connection and that regulators remain concerned and focused on issues involving the use of sensitive data, particularly for advertising purposes. The case is important for its focus on browsing data but also because it raises some questions about how and when the FTC can get money. I have lots of questions about this one.
The case is brought against a trio of companies that we will collectively refer to as Avast. Avast distributed software in the form of browser extensions and antivirus software for many years. In connection with the distribution of some of their software, the companies made a range of privacy representations – such as claiming that their software would block tracking cookies that collect data on your browsing activities or would protect privacy by preventing “web services from tracking your online activity.” What issues could the FTC have with software that was so privacy-centric? Well, the FTC alleges that what was happening differed notably from the representations that were being made. And not surprisingly, this story ends with lots of consumer information – particularly browsing history information – being shared with third parties for marketing and other purposes.
In particular, the FTC details that the companies allegedly made tens of millions of dollars selling user browsing information to third parties, including consulting firms, investment companies, and advertising and marketing companies. And the data shared was sensitive. The FTC – in one paragraph of the complaint – says that the agency looked at 100 entries “out of trillions retained” by the companies and found information about consumer visits to pages focused on breast cancer symptoms, job opportunities, dating websites and, yes, “cosplay erotica,” which I had to separately look up online. I don’t recommend it.
And the browsing information was allegedly combined with persistent identifiers that uniquely identified consumer devices.
The FTC alleges that the companies made deceptive representations about their practices, but the agency goes one step further. One count invokes unfairness as a liability theory and states that it is an unfair practice to collect and share consumers’ granular browsing information with third parties without adequate notice and consent from consumers. This is a novel FTC count that we will likely see pop up in future investigations and cases.
The big mystery of this case is, how did the FTC get $16.5 million? Noticeably absent from the case is any real indication that consumers paid money for the browser extensions or software (though there is one mention of some consumers who purchased a “premium” version that would remove ads). From some online research, it appears that the companies do sell software, but there are also lots of free products available, particularly browser extensions. FTC complaints almost always specify when consumers are purchasing products and how much they paid. There is no such information provided here. The complaint does not indicate that consumers paid millions of dollars to purchase software, and many paragraphs generally describe the companies as “distributing” browser extensions and refer to software that was “pre-installed” with their browser extension.
Sure, the company made money – and seemingly lots of it – from the sale of consumer data, but the FTC generally is focused on getting refunds to users with money out of pocket – those who bought something and didn’t get what they thought they were getting. So, what’s going on here?
This is an administrative complaint and there is no rule violation. Accordingly, Section 19 of the FTC Act controls and allows courts to grant such relief as “necessary to redress injury to consumers,” including refunds and payment of damages. And the conduct at issue must be fraudulent or dishonest. Notably, Section 19 does not allow for disgorgement as a form of monetary remedy. Although the FTC complaint and order are not models of clarity, it doesn’t appear that we have $16 million going back to consumers as refunds for money paid for software purchased. Instead, we appear to have the FTC getting a heck of a lot of money for damages using Section 19 of the FTC Act. The statute allows the agency to do that, but there is very little guidance as to what “damages” means under Section 19 and how that is determined. And the latest case provides zero guidance as to how the agency is viewing damages.
I have been accused – justifiably – of being a bit of an FTC nerd on occasion. But this is sort of a big deal. In almost all FTC cases where the agency gets money that is not a penalty, it is money going back to consumers who bought something through deception – perhaps a weight loss pill that doesn’t work – or who purchased software through some deceptive representation. But it seems that we have something quite different here – damages as the primary theory of recovery, as opposed to refunds. Now, I could be wrong – perhaps consumers paid $16 million or more to buy this software – but the complaint is silent on that point. The FTC has indicated that this money will be going to consumers, so it will be interesting to see what approach the agency takes toward this eventual distribution.
Always something interesting going on at 600 Pennsylvania Ave. NW these days.