CafePress; Analysis of Proposed Consent Orders To Aid Public Comment

CourtFederal Trade Commission
Citation87 FR 16187
Record Number2022-06022
Published date22 March 2022
Federal Register, Volume 87 Issue 55 (Tuesday, March 22, 2022)
[Federal Register Volume 87, Number 55 (Tuesday, March 22, 2022)]
                [Notices]
                [Pages 16187-16189]
                From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
                [FR Doc No: 2022-06022]
                =======================================================================
                -----------------------------------------------------------------------
                FEDERAL TRADE COMMISSION
                [File No. 192 3209]
                CafePress; Analysis of Proposed Consent Orders To Aid Public
                Comment
                AGENCY: Federal Trade Commission.
                ACTION: Proposed consent agreement; request for comment.
                -----------------------------------------------------------------------
                SUMMARY: The consent agreements in this matter settle alleged
                violations of Federal law prohibiting unfair or deceptive acts or
                practices. The attached Analysis of Proposed Consent Orders to Aid
                Public Comment describes both the allegations in the draft complaint
                and the terms of the consent orders--embodied in the consent
                agreements--that would settle these allegations.
                DATES: Comments must be received on or before April 21, 2022.
                ADDRESSES: Interested parties may file comments online or on paper by
                following the instructions in the Request for Comment part of the
                SUPPLEMENTARY INFORMATION section below. Please write ``CafePress; File
                No. 192 3209'' on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based
                form. If you prefer to file your comment on paper, mail your comment to
                the following address: Federal Trade Commission, Office of the
                Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D),
                Washington, DC 20580, or deliver your comment to the following address:
                Federal Trade Commission, Office of the Secretary, Constitution Center,
                400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC
                20024.
                FOR FURTHER INFORMATION CONTACT: Mohammed Aijaz (214-979-9386), Federal
                Trade Commission Southwest Region, 1999 Bryan Street, Suite 2150,
                Dallas, TX 75201-6808.
                [[Page 16188]]
                SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
                Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
                notice is hereby given that the above-captioned consent agreements
                containing consent orders to cease and desist, having been filed with
                and accepted, subject to final approval, by the Commission, have been
                placed on the public record for a period of thirty (30) days. The
                following Analysis to Aid Public Comment describes the terms of the
                consent agreements and the allegations in the complaint. An electronic
                copy of the full text of the consent agreement package can be obtained
                at https://www.ftc.gov/news-events/commission-actions.
                 You can file a comment online or on paper. For the Commission to
                consider your comment, we must receive it on or before April 21, 2022.
                Write ``CafePress; File No. 192 3209'' on your comment. Your comment--
                including your name and your state--will be placed on the public record
                of this proceeding, including, to the extent practicable, on the
                https://www.regulations.gov website.
                 Due to the COVID-19 pandemic and the agency's heightened security
                screening, postal mail addressed to the Commission will be subject to
                delay. We strongly encourage you to submit your comments online through
                the https://www.regulations.gov website.
                 If you prefer to file your comment on paper, write ``CafePress;
                File No. 192 3209'' on your comment and on the envelope, and mail your
                comment to the following address: Federal Trade Commission, Office of
                the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D),
                Washington, DC 20580; or deliver your comment to the following address:
                Federal Trade Commission, Office of the Secretary, Constitution Center,
                400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC
                20024. If possible, submit your paper comment to the Commission by
                courier or overnight service.
                 Because your comment will be placed on the publicly accessible
                website at https://www.regulations.gov, you are solely responsible for
                making sure your comment does not include any sensitive or confidential
                information. In particular, your comment should not include sensitive
                personal information, such as your or anyone else's Social Security
                number; date of birth; driver's license number or other state
                identification number, or foreign country equivalent; passport number;
                financial account number; or credit or debit card number. You are also
                solely responsible for making sure your comment does not include
                sensitive health information, such as medical records or other
                individually identifiable health information. In addition, your comment
                should not include any ``trade secret or any commercial or financial
                information which . . . is privileged or confidential''--as provided by
                Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
                16 CFR 4.10(a)(2)--including in particular competitively sensitive
                information such as costs, sales statistics, inventories, formulas,
                patterns, devices, manufacturing processes, or customer names.
                 Comments containing material for which confidential treatment is
                requested must be filed in paper form, must be clearly labeled
                ``Confidential,'' and must comply with FTC Rule 4.9(c), 16 CFR 4.9(c).
                In particular, the written request for confidential treatment that
                accompanies the comment must include the factual and legal basis for
                the request and must identify the specific portions of the comment to
                be withheld from the public record. See FTC Rule 4.9(c). Your comment
                will be kept confidential only if the General Counsel grants your
                request in accordance with the law and the public interest. Once your
                comment has been posted on the https://www.regulations.gov website--as
                legally required by FTC Rule 4.9(b)--we cannot redact or remove your
                comment from that website, unless you submit a confidentiality request
                that meets the requirements for such treatment under FTC Rule 4.9(c),
                and the General Counsel grants that request.
                 Visit the FTC website at https://www.ftc.gov to read this Notice
                and the news release describing the proposed settlement. The FTC Act
                and other laws that the Commission administers permit the collection of
                public comments to consider and use in this proceeding, as appropriate.
                The Commission will consider all timely and responsive public comments
                that it receives on or before April 21, 2022. For information on the
                Commission's privacy policy, including routine uses permitted by the
                Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
                Analysis of Proposed Consent Order To Aid Public Comment
                 The Federal Trade Commission (``Commission'') has accepted, subject
                to final approval, agreements containing consent orders from Residual
                Pumpkin Entity, LLC (``Residual Pumpkin'') and PlanetArt, LLC
                (``PlanetArt'') (collectively, ``Respondents'').
                 The proposed consent orders (``Proposed Orders'') have been placed
                on the public record for thirty (30) days for receipt of comments by
                interested persons. Comments received during this period will become
                part of the public record. After thirty (30) days, the Commission will
                again review the agreements and the comments received and will decide
                whether it should withdraw from the agreements and take appropriate
                action or make final the Proposed Orders.
                 This matter involves Respondents' data security and privacy
                practices. Respondent Residual Pumpkin owned CafePress until September
                2020, when Residual Pumpkin sold CafePress to Respondent PlanetArt. The
                CafePress website allows users, known as shopkeepers, to earn
                commissions from sales of merchandise offered to consumers. CafePress
                collected information such as names, email addresses, telephone numbers
                and--from shopkeepers--Social Security numbers (``Personal
                Information''). CafePress claimed to keep this information safe, but in
                fact failed to provide reasonable security. For example, CafePress
                failed to: Guard against well-known and reasonably foreseeable threats,
                such as SQL injection and cross-site scripting attacks; encrypt Social
                Security numbers; and implement a process for receiving and addressing
                third-party security vulnerability reports. CafePress also claimed to
                adhere to principles set forth in the EU-U.S. and Swiss U.S. Privacy
                Shield frameworks, specifically that it would honor user requests to
                delete data and user choices about how email addresses would be used.
                Instead, CafePress failed to delete Personal Information when it was
                requested to do so and sent marketing emails to nearly all its
                consumers, even those who had not opted in to receive such messages. As
                a result of CafePress' data security practices, consumers' Personal
                Information was stolen and sold on the dark web. CafePress learned of
                the breach but failed to notify affected consumers. After some
                shopkeepers learned of the breach and closed their accounts, CafePress
                withheld up to $25 in payable commissions from each of those
                shopkeepers.
                 The complaint alleges that Respondents violated Section 5(a) of the
                FTC Act by: (1) Misrepresenting the measures CafePress took to protect
                Personal Information; (2) misrepresenting the steps CafePress took to
                secure consumer accounts following security incidents; (3) failing to
                employ reasonable data security practices; (4) misrepresenting how
                CafePress would use email addresses; (5) misrepresenting CafePress's
                adherence to the Privacy
                [[Page 16189]]
                Shield frameworks; (6) misrepresenting whether CafePress would honor
                deletion requests; and (7) unfairly withholding commissions payable to
                shopkeepers.
                 The Proposed Orders contain provisions designed to prevent
                Respondents from engaging in the same or similar acts or practices in
                the future.
                Summary of Proposed Order With Residual Pumpkin
                 Part I prohibits Residual Pumpkin from misrepresenting: (1) Privacy
                and security measures it takes to prevent unauthorized access to
                Personal Information; (2) the extent to which Residual Pumpkin is a
                member of any privacy or security program sponsored by a government,
                self-regulatory, or standard-setting organization; (3) privacy and
                security measures to honor users' privacy choices; (4) information
                deletion and retention practices; and (5) the extent to which it
                maintains and protects the privacy, security, availability,
                confidentiality, or integrity of Personal Information.
                 Part II requires Residual Pumpkin to establish and implement, and
                thereafter maintain, a comprehensive information security program
                (``Security Program'') that protects the privacy, security,
                confidentiality, and integrity of Personal Information. Part III
                requires Residual Pumpkin to obtain initial and biennial data security
                assessments for 20 years. Part IV requires Residual Pumpkin to disclose
                all material facts to the assessor and prohibits Residual Pumpkin from
                misrepresenting any fact material to the assessment required by Part
                II. Part V requires Residual Pumpkin to submit an annual certification
                from a senior corporate manager (or senior officer responsible for its
                Security Program) that Residual Pumpkin has implemented the
                requirements of the order and is not aware of any material
                noncompliance that has not been corrected or disclosed to the
                Commission. Part VI requires Residual Pumpkin to notify the Commission
                of a ``Covered Incident'' within thirty days of discovering such
                incident.
                 Parts VII and VIII require Residual Pumpkin to pay to the
                Commission $500,000 and describe the procedures and legal rights
                related to that payment. Part IX requires Residual Pumpkin to provide
                customer information to enable the Commission to administer consumer
                redress. Part X requires Residual Pumpkin to submit an acknowledgement
                of receipt of the order, including all officers or directors and
                employees having managerial responsibilities for conduct related to the
                subject matter of the order, and to obtain acknowledgements from each
                individual or entity to which a Residual Pumpkin has delivered a copy
                of the order.
                 Part XI requires Residual Pumpkin to file compliance reports with
                the Commission and to notify the Commission of bankruptcy filings or
                changes in corporate structure that might affect compliance
                obligations. Part XII contains recordkeeping requirements for
                accounting records, personnel records, consumer correspondence,
                advertising and marketing materials, and claim substantiation, as well
                as all records necessary to demonstrate compliance with the order. Part
                XIII contains other requirements related to the Commission's monitoring
                of Respondent's order compliance.
                 Part XIV provides the effective dates of the order, including that,
                with exceptions, the order will terminate in twenty (20) years.
                Summary of Proposed Order With PlanetArt
                 Part I prohibits PlanetArt from misrepresenting: (1) Privacy and
                security measures it takes to prevent unauthorized access to Personal
                Information; (2) the extent to which PlanetArt is a member of any
                privacy or security program sponsored by a government, self-regulatory,
                or standard-setting organization; (3) privacy and security measures to
                honor users' privacy choices; (4) information deletion and retention
                practices; and (5) the extent to which it maintains and protects the
                privacy, security, availability, confidentiality, or integrity of
                Personal Information.
                 Part II requires PlanetArt to establish and implement, and
                thereafter maintain, a comprehensive information security program that
                protects the privacy, security, confidentiality, and integrity of
                Personal Information. Part III requires PlanetArt to obtain initial and
                biennial data security assessments for 20 years. Part IV requires
                PlanetArt to disclose all material facts to the assessor and prohibits
                PlanetArt from misrepresenting any fact material to the assessment
                required by Part II.
                 Part V requires PlanetArt to submit an annual certification from a
                senior corporate manager (or senior officer responsible for its
                Security Program) that PlanetArt has implemented the requirements of
                the order and is not aware of any material noncompliance that has not
                been corrected or disclosed to the Commission. Part VI requires
                PlanetArt to notify the Commission of a ``Covered Incident'' within
                thirty days of discovering such incident. Parts VII requires PlanetArt
                to provide notice to consumers to inform them of the breach and the
                settlement with the FTC.
                 Part VIII requires PlanetArt to submit an acknowledgement of
                receipt of the order, including all officers or directors and employees
                having managerial responsibilities for conduct related to the subject
                matter of the order, and to obtain acknowledgements from each
                individual or entity to which a PlanetArt has delivered a copy of the
                order.
                 Part IX requires PlanetArt to file compliance reports with the
                Commission and to notify the Commission of bankruptcy filings or
                changes in corporate structure that might affect compliance
                obligations. Part X contains recordkeeping requirements for accounting
                records, personnel records, consumer correspondence, advertising and
                marketing materials, and claim substantiation, as well as all records
                necessary to demonstrate compliance with the order. Part XI contains
                other requirements related to the Commission's monitoring of
                PlanetArt's order compliance.
                 Part XII provides the effective dates of the order, including that,
                with exceptions, the order will terminate in 20 years.
                 The purpose of this analysis is to facilitate public comment on the
                Proposed Orders, and it is not intended to constitute an official
                interpretation of the complaint or Proposed Orders, or to modify the
                Proposed Orders' terms in any way.
                 By direction of the Commission.
                April J. Tabor,
                Secretary.
                [FR Doc. 2022-06022 Filed 3-21-22; 8:45 am]
                BILLING CODE 6750-01-P
                

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT