Statement of Commissioner Orson Swindle Consurring in Part
and Dissenting in Part
I have reason to believe that the defendants engaged in the deception alleged in each of the four counts of the proposed complaint, and I think that Commission action is needed to prevent the defendants from engaging in the same or similar misconduct in the future. I also think that the Commission should strongly encourage other federal and state agencies to take action under their own statutes and regulations with regard to the defendants' conduct (such as a physician's writing Viagra prescriptions for patients without a physical examination) that might harm consumers but not violate the FTC Act. Nevertheless, although law enforcement action by the Commission (and perhaps other agencies) is warranted, I believe that some of the relief in the proposed consent order is not justified.
Count IV of the proposed complaint alleges that the defendants claimed that they would use the personal information of customers only for medical consultations and billing, and this claim was false because the defendants used some of this information to develop a target marketing list. To remedy this false claim, Parts I.B.1 and II.A. of the proposed consent order would prohibit the same or similar misrepresentations in the future. I support these restrictions. Parts III, IV, and V of the proposed consent order, however, also would impose extensive privacy requirements to remedy this false claim.(1) I do not believe that the complaint allegations warrant the imposition of these privacy requirements.
The complaint alleges that the defendants misused the personal information of their customers, but there is no allegation that the defendants ever transferred the information to any third party.(2) In the absence of a transfer to a third party, I do not believe that a false claim as to how personal information will be used is sufficient to justify imposing privacy requirements.(3) Many past Commission cases have involved misrepresentations as to how the personal information of customers will be used, but we have not imposed privacy requirements. For example, we have not imposed privacy requirements on numerous defendants that made egregious misrepresentations to consumers as to how their credit card account numbers would be used. We should not transform every case involving a false claim as to how personal information will be used into a case warranting the imposition of privacy requirements.
Similarly, in the absence of a transfer of personal information to a third party, the receipt of unwanted solicitations as a result of misrepresentations does not justify imposing privacy requirements. The defendants here used a target marketing list derived from personal information to send unsolicited commercial e-mail back to their own customers. Some customers who did not want to be contacted may feel that this contact violated their "privacy," simply because they did not want to receive the e-mail. However, the only difference between the unwanted contact here and the unwanted e-mails, telemarketing calls, direct mail pieces, and in-person solicitations that consumers often receive in the wake of a purchase is that the target marketing list used here is the product of a misrepresentation about how personal information would be used. In my view, the solution is not to impose privacy requirements but simply to prohibit the defendants from making false claims regarding how they will use personal information. This should prevent the defendants from creating and using similar target marketing lists in the future.
In the absence of a transfer of the names of their customers (or their customers' medical history information or billing information) to a third party, I do not think that the defendants violated the privacy of their customers. Without an actual privacy violation, rather than a mere misuse of customer information, I do not think that imposing privacy requirements is justified.(4) Accordingly, I dissent from Parts III, IV, and V of the proposed consent order.(5)
1. The privacy requirements also are intended to some extent to remedy the false claim concerning the defendants' security technology that is challenged by Count II of the proposed complaint, but the prohibition on misrepresentations concerning the defendants' "services or facilities" in Part I.B.2 is sufficient by itself to protect consumers. Indeed, when a defendant makes the false claim that its product is efficacious, the usual remedy is to prohibit the defendant from making the same or similar false efficacy claims, not to mandate that the defendant make its product "reasonably efficacious." See Part IV.A. (requiring that the defendants establish and maintain "reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from consumers").
2. The personal information of customers was transferred from one defendant (Focus Medical, Inc.)
to another defendant (International Outsourcing Group, Inc.), but the proposed complaint also alleges that these
two defendants were operating as part of a "common enterprise." See ¶¶ 13, 22, 23, and 35 of the proposed complaint. Given that ostensibly separate corporations are acting as a "common enterprise" when they are in fact being operated as a single entity, the transfer of information within such an entity is not a transfer to a third party.
3. In certain exceptional circumstances, a misrepresentation as to how personal information will be used internally may warrant limited privacy requirements in an order. See Liberty Financial Cos., Inc., Dkt. No. C-3891 (1999) (misrepresentation that financial information obtained from children would be maintained in an anonymous manner).
4. If a transfer to a third party had occurred, I would have supported privacy requirements like those imposed in GeoCities, Inc., Dkt. No. C-3850 (1999).
5. I also dissent from Part I to the extent that it requires the defendants, in connection with selling prescription drugs on-line, to disclose the states from which purchases can be made and the fact that dispensing a prescription drug without a valid prescription is a violation of federal law. These disclosures are not necessary to prevent deception and are unrelated to the allegation that the defendants made a false claim concerning their facilities.