On June 27, the Federal Trade Commission (FTC) announced an enforcement action against Publishers Clearing House (PCH) in connection with the company’s long-running sweepstakes promotions. Though the FTC’s complaint alleges a range of deceptive and misleading behavior from PCH, it is perhaps most notable for its focus on dark patterns, asserting that PCH’s consumer-facing interfaces served to pressure and deceive sweepstakes participants into ordering products even when they were not required to.
The FTC’s emphasis on PCH’s use of dark patterns is the latest manifestation of a recent trend, with the Commission having issued guidance on the topic last year, and having incorporated the concept into several recent complaints. Companies can expect dark patterns to continue to be an area of focus for FTC enforcement and should ensure that their customer experiences are sufficiently transparent and intuitive to pass FTC muster.
Moreover, the FTC is not the only entity that has expressed an interest in regulating dark patterns. Indeed, several state comprehensive privacy laws — including statutes and regulations now in effect in California, Colorado, and Connecticut — impose restrictions on companies’ use of dark patterns. Thus, companies should expect regulatory interest in dark patterns at both the federal and state levels.
In this post, we summarize key elements of the FTC’s complaint against PCH, identify notable features of the proposed stipulated order, and highlight key takeaways for companies to consider as they continue to refine their privacy compliance programs.
Publishers Clearing House (PCH) is a direct marketing company that markets a range of products, most notably merchandise and magazine subscriptions. Though the company historically focused on direct mail advertising efforts, it has, in recent decades, broadened its operations to include a substantial online presence.
PCH is perhaps best-known for its long-running sweepstakes promotions. Notably, as the FTC complaint points out, PCH “is required to allow consumers to participate in its sweepstakes promotions without purchasing a product.” The thrust of the complaint, however, is that PCH used a wide range of deceptive practices — including dark patterns — to coerce or mislead sweepstakes participants into ordering products, even though such purchases were not necessary for sweepstakes entry.
1. Use of Dark Patterns. Chief among the FTC’s allegations is that PCH’s user interfaces constituted dark patterns that “deceive[d] consumers into believing that they [had to] order products before they [could] enter a sweepstakes or that ordering products increase[d] their odds of winning a sweepstakes.” The complaint points to several examples of dark patterns present in PCH’s consumer experience, including: “linking and conflating ‘ordering’ products and ‘entering’ the sweepstakes through the use of trick wording and visual interference; placing disclosures in small and light font and in places where a consumer is unlikely to see them; bombarding consumers with emails that pressure them to take immediate action by clicking on the email or purportedly risk losing the opportunity to enter or win the sweepstakes; and making it difficult for consumers to enter the sweepstakes without an order.”
2. Violation of CAN-SPAM Act. Though most of the complaint’s counts allege deceptive acts or practices under Section 5 of the FTC Act, the FTC also includes one count under the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, a statute that, among other things, prohibits the transmission of commercial email messages with subject headings that “would be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.” See 15 U.S.C. § 7704(a)(2). For this count, the FTC focused on PCH’s practice of sending emails to consumers with subject headings referencing fictitious documents with names that resembled those of documents used by government entities such as the IRS (e.g., “High Priority Doc. W-10 Enclosed” or “Enclosed Doc. W8 CERTIFIED. OPEN NOW!”).
3. Privacy Policy Misrepresentation. The complaint alleges that PCH’s privacy policy contained misrepresentations about the company’s sharing of consumers’ personal information. Specifically, the complaint notes that PCH’s privacy policy, until around January 2019, asserted that the company “did ‘not rent, license, or sell’ consumers’ information to third parties” even though PCH did, in fact, share that information with third parties (including “marketing cooperatives, advertisers, and publishing companies”) “who used the information to target consumers with third-party advertising on PCH’s websites and other third-party platforms.”
4. Other False or Misleading Statements. Finally, though less relevant to the cybersecurity and privacy issues that are the focus of this blog, the complaint also contains numerous allegations that PCH made false or misleading statements to consumers on topics such as the total cost of product purchases and the “risk-free” nature of customer orders.
The Proposed Order
1. Prohibition of Dark Pattern Practices: The proposed order imposes a number of requirements on PCH aimed at preventing the company from engaging in future use of dark patterns. For example, the company is broadly prohibited from representing (whether explicitly or implicitly) that a consumer must make a purchase to enter a sweepstakes, or that purchasing a product “will improve an individual’s chances of winning a Sweepstakes.” More specifically, the order requires PCH to adhere to several conditions intended to rid its user interface of dark patterns, including clearly separating sweepstakes-related content from product ordering-related content; presenting clear and conspicuous disclosures to consumers that they do not have to purchase products to participate in sweepstakes; and requiring that a consumer’s attempt to submit a sweepstakes entry result in them actually entering the sweepstakes (rather than, for example, routing the consumer through other screens related to product purchases).
2. Preservation of Dark Pattern-Relevant Records: PCH is required to retain a range of records that the FTC asserts (in its press release announcing the enforcement action) are potentially relevant to the use of dark patterns, including “records of any market, behavioral, or psychological research, or user, customer, or usability testing, including any A/B or multivariate testing, copy testing, surveys, focus groups, interviews, clickstream analysis, eye or mouse tracking studies, or analyses regarding consumers’ impressions of any advertisements, marketing, or promotions of Sweepstakes or Products.”
3. Prohibition Against Violating CAN-SPAM: PCH is prohibited from violating Section 5 of the CAN-SPAM Act, see 15 U.S.C. § 7704, including by sending commercial emails with misleading subject headings.
4. Prohibition Against Data Use Misrepresentations: PCH is prohibited from making a range of misrepresentations, including regarding the extent to which it “[c]ollects, uses, stores, or discloses” consumer personal information or protects the privacy of that information.
5. Destruction of Consumer Personal Information: PCH is required to destroy personal information that it collected from consumers prior to January 2019, subject to limited exceptions.
6. Monetary Judgment: PCH must pay the FTC $18.5 million, which the Commission intends to use for consumer refunds.
Key Takeaways
1. Continued FTC Enforcement Focus on Dark Patterns. Coming on the heels of last year’s dark pattern guidance and several recent enforcement actions addressing companies’ use of dark patterns, the PCH enforcement action demonstrates the FTC’s continued focus on this issue. Companies looking to avoid FTC scrutiny in this arena should ensure that their customer-facing interfaces could not be perceived as working to subvert consumers’ decision-making processes.
2. Ensuring Legally Compliant Commercial Emails. This enforcement action also illustrates that, while commercial and marketing emails may not be as prominent an FTC enforcement priority as, for example, dark patterns, CAN-SPAM remains a legal framework that the Commission is ready to enforce. Companies that send commercial emails should ensure that those emails are compliant with CAN-SPAM’s requirements, such as its prohibition on deceptive email subject headings.
3. Avoiding Privacy Policy Misrepresentations. The PCH complaint stands as yet another reminder of the importance of ensuring that your company’s privacy policy disclosures regarding the use of consumer data are consistent with your actual practices. In this case, the FTC alleged that PCH’s assertion that it did not “rent, license, or sell” consumer personal information was inconsistent with its actual practice of sharing consumer information with third parties for targeted advertising purposes. Before publishing privacy policies, companies should carefully vet the accuracy of their data use disclosures, as privacy policy misrepresentations have been a mainstay of recent FTC enforcement actions.