chevron-down Created with Sketch Beta.

The Business Lawyer

Winter 2023/2024 | Volume 79, Issue 1

Developments in Advertising and Consumer Protection

Richik Sarkar and Brian Edward Schultz


  • This article summarizes federal consumer protection actions; including:
    • AI, data collection, "dark patterns"
    • FTC endorsements
    • TCPA, FCC regulations, & state-level "mini-TCPAs" and privacy laws 
Developments in Advertising and Consumer Protection

Jump to:

I. Introduction

This survey summarizes notable federal consumer protection regulatory actions, including decisions related to artificial intelligence and data collection, so-called “dark patterns” and “negative options,” and the Federal Trade Commission’s (“FTC’s”) new guidance on testimonials and endorsements (Part II). For the Telephone Consumer Privacy Act (“TCPA”), the focus turns to recent regulatory activity by the Federal Communications Commission (“FCC”) and litigation about the definition of Automatic Telephone Dialing System post-Facebook and Article III standing (Part III). The survey concludes with a brief study of state-law developments, specifically regarding so-called mini-TCPAs and privacy legislation utilized to protect consumers (Part IV).

II. Unfair and Deceptive Trade Practices

A. Continued Focus on AI and “Big Data”

Companies’ use of AI and data collection practices have remained a significant concern in UDAP enforcement. In September 2022, the FTC issued an Advanced Notice of Proposed Rulemaking, titled Trade Regulation Rule on Commercial Surveillance and Data Security. While only a proposed rule at this time, this is one of the first ANPRs advanced under the FTC’s new “streamlined” Mag-Moss Rulemaking procedures. This suggests that the FTC is preparing a more aggressive, wide-reaching strategy in the areas of AI, data collection, and privacy. Indeed, this sweeping proposal would likely affect anyone doing business on the Internet. Areas of particular focus for rulemaking include: “lax data security” practices that threaten “physical security, economic injury, psychological harm, reputation injury, and unwanted intrusion” and the potential for automated decision-making systems to err and prejudicially affect consumers—especially concerning protected categories and “algorithmic discrimination.”

While AI and data collection are FTC priorities, a particular focus has been (and continues to be) their possible discriminatory effect and the potential disclosure of sensitive personal information. In April 2023, the FTC and the CFPB joined the DOJ and EEOC in the Joint Statement on Enforcement Efforts Against Discrimination and Bias in Automated Systems. Per the Joint Statement, the agencies are focusing their existing enforcement powers on potentially harmful applications of AI arising in their respective jurisdictions. For the CFPB, this means monitoring the potentially discriminatory effects of AI in consumer finance—namely, a company’s use of AI in making credit decisions. For the FTC, this means protecting consumers from AI tools with potential discriminatory impact and monitoring the data used to “train” these AI systems to ensure it was properly obtained from consumers.

Recent litigation embodies these priorities. FTC v. Kochava, Inc. involved allegations against a “location data broker that provides . . . massive amounts of geolocation data collected from consumers’ mobile devices.” The FTC asserts Kochava makes this data public without “technical controls,” so buyers of this data can “track consumers to sensitive locations, including places of religious worship, places that may be used to infer LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters.”

In light of the Supreme Court’s recent decision in Dobbs, the FTC was concerned about tracking individuals to abortion clinics or identifying medical professionals involved in those services. And the FTC described Kochava’s data brokerage practices as “an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury to consumers.” In May 2023, this case was dismissed without prejudice for failure to state a claim, allowing the FTC to amend its complaint against Kochava.

Both the FTC and the BBB recently reaffirmed that children’s privacy remains a top priority, and legislators encouraged the FTC to reexamine COPPA and enact more robust protections for kids. The FTC has resolved to address privacy in “ed tech,” putting companies on notice that “[c]hildren should not have to needlessly hand over their data and forfeit their privacy to do their schoolwork or participate in remote learning.”

The FTC made good on its warning in United States v. Edmodo, LLC, where the Edmodo “virtual classroom” platform delegated COPPA compliance to those using the platform—i.e., the duty to disclose information practices to parents and obtain parental consent. Per the FTC, this was illegal. First, Edmodo never fully revealed the extent of its data collection—including name, location, school, photo, and other personal identifiers—to anyone. Second, while a company can sometimes rely on schools or teachers to assist in COPPA compliance duties, this reliance is only in the educational context. Because Edmodo was also advertising to students, it could not pass these responsibilities onto others—Edmodo must provide notice and get parental consent.

B. “Dark Patterns”

So-called “dark patterns” have also taken center stage in consumer protection enforcement. Defined as “design practices that trick or manipulate users into making choices they would not have otherwise made and that may cause harm,” a “dark pattern” can constitute, for example, arduous processes to cancel recurring subscriptions, online retailers hiding the total cost of products, and other deceptive practices “to get consumers to part with their money or data.”

The FTC and the CFPB made “dark patterns” an enforcement priority. For example, the FTC recently assessed a permanent injunction and civil penalties against Epic Games, the developer of the video game Fortnite, for making it difficult to obtain refunds. Epic Games allegedly concealed the “undo” function for accidental or unwanted in-game transactions, requiring consumers “to find and navigate a difficult and lengthy path to request a refund.” Similarly, the FTC recently alleged that Amazon utilized dark patterns to force consumers “to proceed through multiple screens to cancel their subscription” to its Prime service.

C. Negative Option Marketing Practices

Similarly, “negative option marketing practices” convert a consumer’s failure to affirmatively reject an offer as acceptance. As with “dark patterns,” consumer protection has increased. In April of 2023, the FTC issued a notice of proposed rulemaking curtailing their use by mandating, among other things, easy cancellation methods and the consumer’s express consent to the “negative option.” Similarly, the CFPB released Circular 2023-01, clarifying what it considers unfair or deceptive “negative options.” Both agencies emphasized the ease of cancellation and the consumer’s express consent to the negative option.

Policing “negative option marketing practices,” FTC v. AH Media Group, LLC, involved a cosmetics and supplements marketer who enticed customers with a “free trial” that was nearly impossible to cancel. The court permanently enjoined this practice and ordered certain company officers and subsidiaries to disgorge $74,500,000—some of which the FTC returned to defrauded consumers in June of 2022. In United States v., Inc., the FTC has also alleged that Experian’s subscription services contain numerous “negative option” violations that do not give consumers any reasonable opportunity to opt-out.

D. Endorsements and Testimonials

The FTC has scrutinized online customer reviews over several years and pursued companies that deliberately suppressed negative reviews or used bogus positive reviews. Moreover, issues with celebrity endorsements remain a target. The FTC recently obtained consent orders against Google and iHeartMedia, Inc. for orchestrating 29,000 scripted endorsements for the Google Pixel 4 smartphone by radio personalities who had never used the device. And in June 2023, the FTC finalized revisions to its Guides Concerning the Use of Endorsements and Testimonials in Advertising.

The updated Guides expand the definition of endorser to explicitly include writers of fake reviews, as well as expressly calling out actions “that have the effect of distorting or otherwise misrepresenting what consumers think of their products”—including “boosting” or “suppressing” reviews. They clarify that a “connection” between the endorser and advertiser is unnecessary for liability to issue; for example, “retweeting” a favorable review makes it an endorsement for which the advertiser can be liable. This can expand advertiser liability exponentially.

With the updated guide came a Notice of Proposed Rulemaking. The proposed rules drill down into the FTC’s current positions on consumer reviews, hoping to codify them as Formal Rules (as opposed to the Guides, which are guidance). But many of the proposed measures overlap with the provisions of the updated Guides, as discussed above: prohibiting the purchase and sale of “fake reviews,” forbidding the suppression of negative reviews, and other conduct tending to misrepresent public perception.

III. TCPA and Telemarketing Developments

A. FCC: Targeting and Eliminating Unlawful Text Messages

On March 16, 2023, the Federal Communications Commission finalized proposed rules targeting “robotexts.” Like the FCC’s rules on blocking “robocalls,” the Report and Order takes action on “text messages that are highly likely to be illegal.” As with voice calls, text messages “that purport to originate from invalid, unallocated, or unused numbers” fall into this “highly likely to be illegal” category. It also includes texts that purport to originate from a number that the subscriber has requested be blocked—substantially similar to the FCC’s “robocall” rules on “Do Not Originate” (DNO) lists.

However, unlike the prior “robocall” rules, blocking illegal robotexts is mandatory for wireless providers. Per the Report and Order, wireless providers must adopt a “reasonable DNO list” and block texts from those numbers. A provider’s “reasonable DNO list” need not be identical to a “robocall” DNO list but must include “invalid, unallocated, or unused numbers” and numbers to be blocked at the subscriber’s request. This could begin the process of making these voluntary standards mandatory.

The FCC also included a Further Notice of Proposed Rulemaking, requesting comment on additional proposed rules about robotexts. Saliently, the FCC proposes eliminating the Lead Generator Loophole, or “the practice of obtaining a single consumer consent as grounds for delivering calls and text messages from multiple marketers on subjects beyond the scope of the original consent.” The FCC also proposes requiring wireless providers to investigate and potentially block certain senders upon notice from the Agency and clarifying that Do-Not-Call (DNC) protections apply to texting.

B. FCC: Prior Express Consent Under the TCPA

In 2019, Congress passed the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act). The TRACED Act required the FCC to promulgate regulations clarifying its exemptions from the “prior express consent” requirements under the TCPA. The TCPA generally makes it illegal “to initiate any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party”—in other words, a prohibition on “robocalls.” However, the FCC may also exempt certain kinds of calls from the “prior express consent standard,” which it has done for non-commercial calls, commercial calls that do not constitute telemarketing, and calls from tax-exempt nonprofits.

Under the TRACED Act, in 2020, the FCC adopted rules to clarify a “numerical limit” for these exempted robocalls: three in any consecutive thirty-day period, after which prior express consent would be required. These new rules did not make everyone happy, and many parties petitioned the FCC for reconsideration, including allegations that the FCC “inadvertently” enacted an express written consent requirement, though longstanding FCC precedent allowed oral TCPA consent. The FCC ultimately agreed and released a December 2022 Declaratory Ruling formally authorizing verbal consent. However, the FCC denied most other requests for reconsideration and expressly upheld its numerical limits on exempted robocalls.

Moreover, on June 8, 2023, the FCC issued a Notice of Proposed Rulemaking modifying consumer consent under the TCPA. First, it is proposed that consumers who provided consent can revoke it “in any reasonable way,” meaning that any reasonable expression of the desire to revoke must be honored—callers may not designate “an exclusive means to revoke the consent that precludes the use of any other reasonable method.” Second, the proposed rules would mandate a “timeframe for honoring Do-Not-Call or revocation requests.” Callers would have to comply with company-specific requests within twenty-four hours of receipt. Third, the FCC proposes codifying prior guidance that permits the caller to confirm a consumer’s request with a one-time text message. Fourth, the new rules would remove the blanket exemption that wireless carriers enjoy when calling their customers. If these rules became effective, there would be significant limitations on wireless carrier robocalls placed without prior express consent.

C. Post-Facebook ATDS

The Supreme Court’s 2021 decision in Facebook, Inc. v. Duguid significantly narrowed the definition of an Automatic Telephone Dialing System (“ATDS”). One remaining issue is whether the system must use a “random or sequential number generator” (“ROSNG”) to produce the telephone numbers or if the system has to use the ROSNG to store the phone numbers. The TCPA defines an ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” Courts still disagree on what “using a[n ROSNG]” means.

Borden v. eFinancial, LLC answered this question for the Ninth Circuit: “We hold that an ‘automatic telephone dialing system’ must generate and dial random or sequential telephone numbers under the TCPA’s plain text.” According to the Borden court, the “number” in “random or sequential number generator” clearly means “telephone number.” Therefore, an ATDS must be able to generate (or produce) telephone numbers—it is not enough that the equipment uses random or sequential numbers in ordering or storing pre-produced telephone numbers. Since the Borden decision, the Ninth Circuit has confirmed its position and empowered district courts to bounce TCPA claims on summary judgment.

A new liability question concerns whether the caller used an ATDS rather than whether an ATDS exists. In Panzarella v. Navient Solutions, Inc., the caller (a student loan servicer) used a system comprised of two distinct components—a telephone dialing software, which could dial calls but could not generate random or sequential telephone numbers, and a database server, which stored the phone numbers of account holders and relayed these phone numbers to the dialing software (which made the calls). The database server could generate random and sequential telephone numbers, but the caller did not use this function and instead pulled the account holders’ numbers from a separately maintained database.

The caller argued that because the dialing software could not generate numbers, no ATDS existed in this case. The district court agreed, but the Third Circuit reversed, holding that the term “equipment” in the TCPA is broad enough to encompass multi-component systems that, taken together, can generate, store, and dial phone numbers. Therefore, the dialing software and database server were “equipment” qualifying as an ATDS when taken together. In other words, the caller unquestionably possessed an ATDS in this case.

But can a plaintiff sustain a claim by merely establishing the existence of an ATDS? According to the Third Circuit, no. TCPA section 227(b)(1) does not prohibit possessing an ATDS but “using” one. And to “use” an ATDS, the court held that the caller must make use of the “functionalities” that make the device an ATDS in the first place: “Despite the text’s lack of clarity, Section 227(b)(1)(A)’s context and legislative history establish that Congress drafted this statute to prohibit making calls that use an ATDS’s autodialing functionalities.” Because the caller used “specific, curated borrower lists” rather than generating numbers randomly, though an ATDS existed it was not used. The Third Circuit upheld summary judgment on alternative grounds.

D. Standing

Several notable cases have made it easier for plaintiffs to establish standing. In Dickson v. Direct Energy, LP, the Sixth Circuit held that the receipt of a single “ringless voicemail” (“RVM”) is sufficient to confer standing. While TCPA violations involve statutory rights, the court held that receiving one RVM established a sufficiently real injury (and not merely a “procedural violation”) in conformity with Spokeo and TransUnion. The court decided the receipt of the RVM resembled the common-law tort of intrusion upon seclusion (and potentially other “invasion of privacy” torts). Because of this “close common-law analogue in kind, not degree,” and because the plaintiff was “within the ambit of what Congress deemed to be an actionable harm when it enacted the TCPA,” he had sufficiently alleged an injury despite the heightened requirements for statutory causes of action. Moreover, while the court did not address this issue, the decision came after a recent FCC ruling that classifies RVMs as “calls” under section 227(b)(1)(A) of the TCPA. These rulings may increase class action activity, requiring additional judicial guidance.

Similarly, the Eleventh Circuit recently exhibited a sea change in its position on the TCPA. In Drazen v. Pinto, the court did a complete 180 on its prior position and held that a single unwanted text message now causes a concrete injury sufficient to confer standing. As in Dickson, the court considered the tort of intrusion upon seclusion a “common-law analogue in kind, not degree.” Moreover, both Dickson and Drazen included class allegations, albeit at differing stages of the litigation process. This suggests that the TCPA allows some class actions alleging statutory harms even after Spokeo and TransUnion.

E. “Mini-TCPA” Developments

In addition to the federal TCPA, several states have opted to pass their own “mini” TCPA laws, often in a way that sustains stricter pre-Facebook interpretations of the “big” TCPA. Arizona, Florida, Maryland, Mississippi, Oklahoma, Tennessee, and Washington now have mini-TCPAs on the books, and a similar bill is progressing in Georgia. Michigan also introduced a mini-TCPA bill in 2022. However, these efforts have not come without controversy, as the Florida law has survived challenges on constitutional and preemption grounds, and litigation has ensued in the class action context. Perhaps because of the growing conflicts, the State recently trimmed the statute to abate some (but not all) of its most controversial measures. As the “big” TCPA continues to evolve, we can expect similar developments in “mini-TCPA” states.

IV. State Privacy Laws

The states continue to run ahead of the federal government regarding comprehensive privacy legislation. Since the beginning of 2023, six states have passed comprehensive privacy legislation: Indiana, Iowa, Montana, Oregon, Tennessee, and Texas. Five of the six used Virginia’s privacy statute as a model for their own, which has a reputation for being more “consumer-friendly.”

The “Virginia model” requires that consumers expressly consent when a person or entity plans to process “sensitive data,” meaning data pertaining to membership in a protected category, genetic or biometric data used for specific purposes, data related to children, or precise geolocation data. This effectively places the burden on the collector or processor of the data to obtain permission from the consumer.

In contrast, Iowa chose the more “business-friendly” Utah model and employs a “notice-and-consent” approach to sensitive data—as long as the consumer has notice and a reasonable opportunity to opt out of the data collection practices, a data collector or processor has complied with the law. This essentially requires a consumer to “opt-out” of data collection versus the “opt-in” approach of the “Virginia model.”

This brings the total number of comprehensive privacy laws to eleven, with one more (Delaware) awaiting the governor’s signature.

V. Conclusion

The survey period was marked by significant developments in cyber consumer protection law, including increased enforcement of rules regarding “dark patterns” and “negative option marketing” and updated FTC guidance on endorsements and testimonials in advertising. The FCC has finalized proposed rules targeting unlawful text messages. In addition to FTC action, the courts have further refined TCPA liability, and certain states have utilized data privacy law as an alternative method to protect consumer information. Businesses should take note of these developments and ensure that their marketing and sales practices comply with the law.