On June 27, the Federal Trade Commission (FTC) announced an enforcement action against Publishers Clearing House (PCH) over the company’s long-standing sweepstakes promotions. While the FTC complaint alleges a number of deceptive and misleading practices by PCH, it is perhaps most notable for its focus on dark patterns, alleging that PCH’s user interfaces served to coerce and mislead of lottery participants to order products even when they were not required to.
The FTC’s emphasis on PCH’s use of dark patterns is the latest manifestation of a recent trend, with the Commission issuing guidance on the topic last year and including the concept in several recent complaints. Companies can expect dark patterns to continue to be an area of focus for FTC enforcement and must ensure that their user experiences are transparent and intuitive enough to pass FTC scrutiny.
Additionally, the Federal Trade Commission is not the only organization that has expressed interest in regulating dark patterns. Indeed, several state comprehensive privacy laws—including laws and regulations now in effect in California, Colorado, and Connecticut—impose restrictions on companies’ use of dark patterns. Thus, companies should expect regulatory interest in dark models at both the federal and state levels.
In this post, we summarize key elements of the FTC’s complaint against PCH, identify salient features of the proposed specified order, and highlight key takeaways for companies to consider as they continue to improve their privacy compliance programs.
The complaint
Publishers Clearing House (PCH) is a direct marketing company that markets a range of products, primarily merchandise and magazine subscriptions. Although the company has historically focused on direct mail advertising efforts, in recent decades it has expanded to include a significant online presence.
PCH is perhaps best known for its long-running sweepstakes promotions. In particular, as the FTC complaint states, PCH “is required to allow consumers to participate in its sweepstakes promotions without purchasing a product.” The gist of the complaint, however, is that PCH used a wide range of deceptive practices — including dark patterns — to coerce or mislead sweepstakes participants into ordering products even though such purchases were not necessary to enter a sweepstakes.
1. Using dark patterns. Chief among the FTC’s charges is that PCH’s user interfaces constitute dark patterns that “mislead[d] consumers to believe that they [had to] order products before them [could] enter a lottery or that the order of products increases[d] their chances of winning a sweepstakes.” The complaint cites several examples of dark patterns present in PCH’s user experience, including: “linking and bundling of ‘ordering’ products and ‘entering’ into the sweepstakes through the use of gimmicky wording and visual intervention; placing disclosures in small and light font and in places where the user is unlikely to see them; bombarding users with emails that pressure them to take immediate action by clicking on the email or allegedly risk losing their chance to enter or win the sweepstakes; and makes it difficult for users to enter the lottery without an order.”
2. Violation of the CAN-SPAM Act. Although most of the allegations in the complaint relate to deceptive acts or practices under Section 5 of the FTC Act, the FTC also includes one count under the Controlling Offensive Pornography and Unsolicited Marketing (CAN-SPAM) Act, a law , which, among other things, prohibits the transmission of commercial e-mail messages with subject headings that “could mislead the recipient, acting reasonably under the circumstances, as to a material fact regarding the content or subject matter of the message.” See 15 USC § 7704(a)(2). For this count, the FTC focused on PCH’s practice of sending emails to consumers with subject headings referring to fictitious documents with names that resemble those of documents used by government agencies such as the IRS (eg, “High Priority Document W-10 Enclosed” or “Document attached. W8 CERTIFIED. OPEN NOW!”).
3. Misrepresentation of privacy policy. The complaint alleges that PCH’s privacy policy contains false statements about the company’s sharing of users’ personal information. Specifically, the complaint notes that until around January 2019, PCH’s privacy policy claimed that the company “did not rent, license or sell” user information to third parties, although PCH did in fact share that information with third parties (including “marketing affiliates, advertisers and publishing companies”) “who have used the information to target third-party advertisements to users on PCH’s websites and other third-party platforms.”
4. Other false or misleading statements. Finally, although less related to the cybersecurity and privacy issues that are the focus of this blog, the complaint also contains numerous allegations that PCH made false or misleading statements to consumers about topics such as the total cost of product purchases and the “risk-free” nature of client orders.
The proposed order
1. Prohibition of dark pattern practices: The proposed order imposes a number of requirements on PCH aimed at preventing the company from engaging in future use of dark patterns. For example, a company is broadly prohibited from representing (whether expressly or impliedly) that a consumer must make a purchase to enter a sweepstakes, or that purchasing a product “will improve a person’s chances of winning a sweepstakes.” Specifically, the order requires PCH to adhere to several conditions designed to rid its user interface of dark patterns, including clearly separating content related to sweepstakes from content related to ordering products; providing clear and visible disclosures to consumers that they do not need to purchase products to participate in sweepstakes; and requiring that the user’s attempt to submit a sweepstakes entry results in actual entry into the sweepstakes (rather than, for example, redirecting the user through other screens related to product purchases).
2. Storage of Dark Pattern Related Records: PCH is required to keep a set of records that the FTC claims (in its press release announcing the enforcement action) are potentially related to the use of dark patterns, including “records of any market, behavioral, or psychological research, or user, customer, or usability testing, including any A/B or multivariate testing, copy testing, surveys, focus groups, interviews, clickstream analysis, eye or mouse tracking studies, or analysis of user impressions of any advertisements, marketing or promotions of sweepstakes or Products.”
3. CAN-SPAM Infringement Prohibition: PCH is prohibited from violating Section 5 of the CAN-SPAM Act, see 15 USC § 7704, including by sending commercial emails with misleading subject lines.
4. Prohibition against misrepresentation when using data: PCH is prohibited from making a range of false statements, including as to the extent to which “[c]collect, use, store or disclose” user personal information or protect the privacy of that information.
5. Destruction of the user’s personal information: PCH is required to destroy personal information it collected from users before January 2019, subject to limited exceptions.
6. Monetary decision: PCH must pay the FTC $18.5 million, which the Commission intends to use to reimburse consumers.
Key findings
1. FTC continues to focus on dark patterns. Following last year’s guidance on dark patterns and several recent enforcement actions targeting companies’ use of dark patterns, PCH’s enforcement action demonstrates the FTC’s continued focus on this issue. Companies that want to avoid FTC scrutiny in this arena must ensure that their customer-facing interfaces cannot be perceived as working to subvert consumer decision-making processes.
2. Provision of legally compliant commercial emails. This enforcement action also illustrates that while commercial and marketing emails may not be as high an enforcement priority for the FTC as, for example, dark patterns, CAN-SPAM remains a legal framework the Commission is willing to enforce. Companies that send commercial emails must ensure that these emails comply with CAN-SPAM requirements, such as the ban on deceptive email headers.
3. Avoid Misrepresentation of Privacy Policy. PCH’s complaint is yet another reminder of the importance of ensuring that your company’s privacy policy disclosures regarding the use of user data are consistent with your actual practices. In that case, the FTC argued that PCH’s claim that it did not “rent, license or sell” users’ personal information was inconsistent with its actual practice of sharing user information with third parties for targeted advertising purposes. Before publishing privacy policies, companies should carefully review the accuracy of their data usage disclosures, as privacy policy misrepresentation has been a mainstay of recent FTC enforcement actions.