IDAC to Ed Tech: Get Your Act Together
Post-COVID-19 learning app boom puts kids at risk, watchdogs say
An Embarrassment of Horrors
As if school-age children didn’t have enough to worry about.
From the headline-grabbing terror of school shootings to the more quotidian – but still harmful – effects of social media (e.g., depression and anxiety), kids are contending with novel pressures that their parents never had to cope with. And that’s on top of all the mundane stressors that have always been a part of growing up.
If, after that cheery lead, you want to read on, our present subject is a recent post by the watchdogs over at the International Digital Accountability Council (IDAC) (you can find them at the appropriately registered digitalwatchdog.org). The post provides a brief tour of the group’s investigations into yet another set of problems kids face – alongside some more recent, dispiriting news.
From Data to Grave
IDAC investigated “nearly 500 global ed tech apps” that were gaining popularity with the advent of COVID-19-inspired school closures. “We found that some apps shared personal user information, such as email addresses, names, cities[] and [G]oogle advertising IDs[,] in the query parameters of the URL,” IDAC states. And while most of the slips weren’t “egregious or intentional misconduct,” IDAC still urged the industry to “review the privacy gaps our team has identified in this report in order to promote user trust as users continue to look for ed tech tools to assist in distance learning during the pandemic.”
The Takeaway
But the “highlights” of the post are two stories referencing data breaches that exposed information about millions of children across the country. The first story, which appeared in The New York Times, describes how Illuminate Education, a provider of student-tracking software, was hacked. The incident spilled not only the personal data of millions of students but also their progress and disciplinary reports, which included information regarding “tardiness rates, migrant status, behavior incidents and descriptions of disabilities.”
Great.
The second, which appeared in the Chicago Sun-Times, outlines how the local school system’s teacher evaluation service was hacked, exposing the personal data of nearly “500,000 CPS students and close to 60,000 employees.”
While expressing hope about recent regulatory attention paid to the ed tech industry’s data problems, IDAC ends its missive with a cri de coeur urging developers to “prioritize data privacy and security in their work.” The government can’t handle the problem on its own, IDAC argues: “Developers must not only ensure that they have the strongest cybersecurity measures that are feasible in place, but they must also limit the amount of user data they collect to what is absolutely necessary for their product to function.”
Journalist Calls Out Nationwide Local Endorsements
Elemy.com has the same three satisfied customers – in 20+ states
Hot Gossip
Janice, Maria and Michael get around.
How do we know? All three avail themselves of the services of Elemy.com, a company that, according to itself, is “changing the landscape of access and care” for pediatric behavioral health, offering services for autism, ADHD, and anxiety and depression.
Their testimonials, which rave about the company, allegedly appeared “tied” to multiple locations across the several states in which Elemy operates. Janice, for instance, said, “The care that the staff shows to my son and me has been amazing.” Depending on what location you were visiting the Elemy site from, she might have been Janice B. from San Francisco. Or Janice B. from Austin. Or Janice B. from Orlando.
Intrepid Forbes healthcare reporter Katie Jennings spotted the issue, noticing how Janice, Maria and Michael seemed to hail from all over the country – more than 20 different cities each, in fact.
When Do We Get 50 over 50?
A brief aside on Elemy’s history. It was co-founded by a Forbes 30 under 30 nominee with an unintelligible signature and great hair.
His childhood “was filled with mental health challenges.” “Growing up, I do not recall a time when I wasn’t wrestling with how my brain worked,” the co-founder writes on the Elemy site. “I was diagnosed with severe ADHD, and the psychologist said that it was some of the worst he had seen.”
Through access to expert practitioners and therapists, he “cultivate[d] coping strategies to guide me through challenging situations,” and later in life took up the mission of helping children who faced similar struggles.
Which is, without a doubt, admirable.
The Takeaway
So how did Elemy respond to Jennings’ reporting?
“You found an unfortunate bug on a recent deployment of our website’s location pages,” Elemy’s chief communications officer responded to her. “The quotes are real, but they were unintentionally propagated across each of the location pages with a city designation.” The CCO claimed to have fixed the problem, but according to Forbes, the fix involved nothing more than removing the names of the various cities attached to the quotes.
As Jennings reports, simply removing a point of origin for the quotes may not be enough – it may, in fact, raise more questions than it quells. The removal of the cities of origin might lead people to believe that the quotes were completely made up in the first place. But even if they did originate from actual people who hailed from particular cities, it might be argued that their enthusiasm was informed by limited experience with local Elemy practitioners. Without the city tags, the endorsements appear to describe services nationwide, which, by definition, they cannot.
What a headache! Take steps to avoid these situations by carefully matching endorsements to specific products and specific individuals. Have backup so that you can prove who said what, about what, and when and where they said it – and thus you’ll be able to eliminate “unfortunate bugs” without stirring up new ones.
Dog Toy Auto-Renewal Bites Barkbox in the Butt
Class action claims the subscription service disclosure was buried in the front yard
Doggie Decadence
We love dogs. We do. And we don’t judge anyone for lavishing their canine companions with all sorts of over-the-top craziness, including a $4,000+ doggie hot tub, dog perfumes or the full dog track suit we once saw on a pup being walked down Manhattan’s 5th Avenue. For real.
Nonetheless, whenever we see gilded collars and “gourmet” foods lavished on dogs, a voice in our head intones: These animals drink out of the toilet and lick their own butts. Isn’t there a better way to spend your money than on a Versace Crete de Fleur print dog coat? (Yes, it exists.)
In the grand scheme of canine opulence, then, Barkbox, a subscription box service that delivers a “totally customized box of themed toys and treats for your pup, every month,” isn’t the worst offender. The boxes are themed more for the pet owner than for the dog itself – Harry Potter boxes, “Bark 2 School” boxes and so on – but fine, to each their own. Owners can sign up for 12-month, 6-month and 1-month subscriptions.
Monthly treats we can understand. But new dog toys every month? Just tie up a couple of old socks and throw them across the room, and watch what happens. How much novelty do dogs need?
Chasing Tails
But as you may have guessed, it is not dog owner extravagance that is the point of this post but merely its inspiration. Barkbox’s subscription service has landed it in the middle of a class action lawsuit.
Plaintiff Amber Farmer claims that after she ordered her first box subscription in 2021, she opted for the 6-month plan, spending more than $25 per box over the course of the subscription. “She believed that she was signing up for a single, non-renewing subscription that would last 6 months[] and that she was purchasing a total of 6 boxes.”
But although the 6-month anniversary of her first order came and went, Farmer alleges that the Barkboxes kept coming, month after month, and that she continued to be charged for each. She claims that she tried to cancel the service but was stymied by technical problems. “Because cancellation was a hassle and her dog was using the boxes,” her complaint reads, “she resigned herself to keep receiving and paying for [the] boxes.”
The Takeaway
At some point, Farmer decided to take action and opened a suit against Barkbox under California’s Automatic Renewal Law (ARL), Unfair Competition Law and Consumer Legal Remedies Act.
Farmer’s complaint claims that the auto renewal notice on Barkbox’s subscription page – it’s there, we checked – is displayed “in pale grey text that blends into the white background (in contrast to the black, bold, colored[] or all capitals text used to convey other information)” and that “[i]t is designed to go unnoticed.”
In addition, the “continue” button that the customer clicks after selecting a subscription plan “does not tell consumers that they are agreeing to anything by clicking.”
The case is still in its infancy, but Farmer does provide a succinct summary of the ARL that’s worth review if you do business in the state: “If a company violates the ARL, all recurring shipments it makes to consumers are deemed ‘unconditional gifts,’” the complaint states. “Consumers have no obligation to return the recurring shipments or cancel, even after they discover that they have been enrolled in an autorenewal plan. This gives the law teeth.”
Fall afoul of the ARL and you may wind up financing your customer’s subscription habit – and having to cancel the plan yourself.
Credit Karma Makes Loan Applicants Feel Like Tools
FTC fines website $3 million for false ‘pre-approval’ of loans
‘Free’ Is Just Another Word for …
Here’s an interesting scam, courtesy of the Federal Trade Commission (FTC) – false “pre-approval” ads allegedly deployed by financial tool website Credit Karma.
According to the commission’s complaint, the company’s website, creditkarma.com, offered “mobile application market credit monitoring and other tools such as financial calculators for approximating the effect of certain credit choices (like obtaining a loan) on a consumer’s score.”
To gain access to the Credit Karma tools, consumers were required to provide a wealth of personal and financial information – in all, more than 2,500 data points, including birth dates and the last four digits of their Social Security numbers.
Based on this data, Credit Karma allegedly sent promotional materials to the same customers, all with a common theme – that the consumer in question had been “pre-approved” for a third-party credit card or other financial product. And the third parties were heavy hitters, e.g., American Express.
Quick, Alert Alanis!
If the consumer clicked through, they’d be asked to enter information to finalize an application.
But the third-party company hadn’t pre-approved the credit card or loan at all; instead, it initiated its normal loan application procedure and approved or disapproved of the application according to the criteria defined by its standard process.
According to the FTC, “almost a third of consumers who received and applied for ‘pre-approved’ offers were subsequently denied based on the financial product companies’ underwriting review.” To make matters worse, the underwriting of the real loan application triggered a “hard inquiry” on the applicant’s credit report, which, in some cases, even damaged their credit ratings.
Ironic, isn’t it?
The Takeaway
The commission sued Credit Karma for false, misleading or unsubstantiated claims under the FTC Act. The resultant consent order fines Credit Karma $3 million, to be awarded to consumers for the “significant” time they wasted in the loan application process as well as the possible damage to their credit scores.
With the possible exception of our cousin’s husband who ran that shady telemarketing company in the mid-’90s, we don’t know anyone foolish enough to take the FTC lightly. But if anyone out there needs convincing, check out the exhibits in this case – the commission got its hands on Credit Karma training materials featuring canned, questionable responses to upset applicants who had their “pre-approved” loans denied.
In a Trump-era flourish, there’s also a comically redacted page summarized in the complaint – just a block of black ink in the final exhibit document – demonstrating that Credit Karma understood that it would boost click rates by promising pre-approval instead of saying that approval was “likely.”
We’ll have to take the FTC’s word for it.
Check Out Our Lastest Blog Posts
Color Us Majorly Surprised – Company Gets the FTC to Change Its Press Release
A few weeks ago, we wrote about an interesting development in what had been a fairly standard Federal Trade Commission (FTC) Made in the USA (MUSA) settlement. In short, the company had some major beef with the FTC’s press release about its case.
Instead of Shining a Light on Dark Patterns, New FTC Report Leaves Many Questions Unanswered
For some time now, dark patterns have been quite the trending topic for both marketers and privacy professionals. Regulators have frequently railed against dark patterns that purport to manipulate user choices, usually through manipulative user interfaces. A bipartisan group of lawmakers introduced legislation called the DETOUR Act that would ban dark patterns.
Coinbase Decision Highlights Importance of Official Rules’ Dispute Provisions
In a rare example of a sweepstakes leading to litigation, Coinbase and its promotion agency, Marden-Kane, were sued over a sweepstakes run by Coinbase and administered by Marden-Kane titled “Trade Doge. Win Doge.” As part of that sweepstakes, Coinbase offered prizes totaling $1.2 million of Dogecoin to individuals who purchased or sold $100 worth of the DOGE cryptocurrency on the Coinbase exchange.
The 14th Public Commission Meeting – Dark Patterns, Imposter Rulemaking and Yet Another Policy Statement
After a surprise three-month hiatus, we are back in business with our Federal Trade Commission public and totally unscripted meetings. Candidly, we were a bit surprised to see the return of these meetings, but not quite as surprised as the realization that Kate Bush had the Song of the Summer in 2022.