In re Gateway Learning Corp.

In re Gateway Learning Corp, 138 F.T.C. 443 File No. 042-3047, was an investigatory action by the Federal Trade Commission (FTC) of the Gateway Learning Corporation, distributor of Hooked on Phonics. In its complaint, the FTC alleged that Gateway had committed both unfair and deceptive trade practices by violating the terms of its own privacy policy and making retroactive changes to its privacy policy without notifying its customers. Gateway reached a settlement with the FTC, entering into a consent decree in July 2004, before formal charges were filed.

The Federal Trade Commission's Statutory Authority
The core regulatory mission of the FTC, is to promote and ensure consumer protection and to prevent anti-competitive business practices. The consumer protection authority the FTC relied on in this action against Gateway Learning Corp was derived from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices. These two specific prohibitions, unfairness and deception, represent two distinct prongs of the FTC's consumer protection authority under Section 5. Historically, the FTC has tended to allege deception in its consumer protection actions. This action against Gateway is notable in that the FTC alleges both deception and unfairness.

Federal Trade Commission allegations against Gateway Learning
Gateway Learning Corp. is better known as the company that markets and sells the popular children's reading product "Hooked on Phonics". Gateway had been selling Hooked on Phonics to teachers and parents on its website, www.hop.com, since as early as 2000. Through the website, Gateway had been collecting personal information from visitors and customers. This information included "the parent’s first and last name, billing address, shipping address, phone number, email address, purchase history, and his or her child’s age and gender".

Gateway's privacy policy at the time, which described, amongst other things, how the company uses the information it collects from customers, had been in place since at least 2000 and remained unchanged until July 2003. In pertinent part, this initial policy made the following representations:

Our Promise of Privacy [...] We at Gateway Learning Corporation are committed to protecting the privacy of our visitors, and we treat any information you share with discretion, care and respect. This notice describes our privacy policy for the Hooked on Phonics Web site [...].

Do we share your personally identifiable information with third parties? We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive a customer’s explicit consent. We do share information with third parties that help us run our operations or provide services to customers (e.g., credit card processing and shipping companies), but only to the extent necessary to provide these services.

What about children’s privacy? The Site does not sell products for purchase by children; we sell children’s products for purchase by adults. Children under 13 years of age may not submit personal information without the consent of their parents. We do not provide any personally identifiable information about children under 13 years of age to any third party for any purpose whatsoever.

Will this policy change? If at some future time there is a material change to our information usage practices that affect your personally identifiable information, we will notify you of the relevant changes on this Site or by e-mail. You will then be able to opt-out of this information usage by sending an e-mail to: [omitted] You should also check this privacy policy for changes.

In short, the privacy policy claimed:
 * Gateway would protect personal information it collected from visitors
 * Gateway would not give away personal information without consent
 * Gateway would notify its visitors if it made significant changes to its privacy policy in the future

Deceptive trade practice allegations
Despite the representations in the privacy policy, however, in April 2003 Gateway begin selling access to the personal information it had collected. The third parties that purchased the information were marketers and direct advertisers seeking to sell products that might be of interest to parents with young children. This act on Gateway's part constituted the first of the violations that the FTC would eventually allege. Gateway had expressly told its customers and website visitors that it would not sell their personal information without first receiving their consent, but in fact the company proceeded to do precisely that. Gateway's failure to abide by its own stated policies in this regard was perhaps the principle trigger for the FTC's deceptive trade practice allegation.

There was at least one other representation in the privacy policy that Gateway failed to honor, and which the FTC considered equally deceptive. Specifically Gateway had claimed that it would notify users if the privacy policy were to undergo significant changes in the future. But, as discussed further below, in July 2003 Gateway did precisely what it had agreed not to do. It introduced significant changes to its privacy policy, and it did so without notifying its customers and site visitors, thus again violating the terms of its privacy policy. The FTC complaint referred to this specific act as "false or misleading". The FTC's use of the word "misleading" indicates that it was prepared to characterize this act as a deceptive practice, as the first element of a deception allegation is that "there must be a representation, omission or practice that is likely to mislead the consumer".

Unfair trade practice allegations
The modification of the privacy policy in July 2003 also provided the foundation for the FTC's unfairness allegation. Presumably after Gateway realized that its practice of selling customer information was in direct conflict with the representation it had made in its privacy policy, the company introduced updates to the privacy policy, which, amongst other things, made more transparent that the company would in fact release users’ personal information without consent. In pertinent part, one specific section of the privacy policy was changed to read as follows: Do we share your personally identifiable information with third parties? From time to time, we may provide your name, address and phone number (not your e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at [omitted] with the word do-not-share in the subject line.

Not only did Gateway fail to give notice about this change, but it also treated the changed policy as applying retroactively to personal information it had collected in the past, under the previous policy terms. That is, Gateway proceeded to use existing customer data, collected under the terms of the former policy, as if that data had been collected under the terms of the new policy.

This act specifically caught the attention of the Federal Trade Commission. Whether or not it considered the mere introduction of the new policy to be deceptive, the FTC clearly found the retroactive application of the new policy to be unfair. In the words of Jessica Rich, an assistant director at the FTC's' Bureau of Consumer Protection, "The unfairness […] was changing the policy and applying the new policy to information that had already been collected. We wanted to make clear that that practice in and of itself is something that is specifically wrong and illegal.  It is separate from the other [deception] violation."

The FTC's complaint itself articulated the unfairness allegation as follows: "Respondent’s retroactive application of its revised privacy policy caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers.  The practice was, and is, an unfair act or practice."

Settlement, Consent Decree, Decision and Order
On July 7, 2004, Gateway settled the complaint with the FTC by entering into a Consent Decree that required Gateway to surrender certain profits to the U.S. Treasury and placed various restrictions upon Gateway that would remain in effect for twenty years. No formal charges were ever filed against Gateway in federal, state, or administrative court. And Gateway was not required to admit any fault as part of the settlement. All five Commissioners of the FTC supported the Consent Decree.

As part of the first order of the Consent Decree, Gateway agreed that it would immediately cease, and refrain from, misrepresenting its practice of renting, selling, and loaning the personal information it had collected from customers and site visitors. As part of this same order, Gateway also agreed not to misrepresent the manner by which it will notify consumers of changes in the privacy policy. Note that this order did not flatly prohibit Gateway from engaging in renting, selling, and loaning personal information. It only prohibited Gateway from misleading its users about those practices, as it had done in its initial privacy policy.

Order II of the Decree prohibited Gateway from selling, renting, trading, or disclosing any personal information it had collected from consumers under its initial privacy policy, unless and until the company obtain express affirmative consent from the individual consumers. Order III forbade retroactive application of new privacy policy terms to data collected under previous policies. Order IV required Gateway to convey $4,608 to the United States Treasury, that is, the profits the companies had received through the alleged unfair and deceptive practices. The Order characterized this conveyance as a disgorgement.

Orders V through VIII established a number of additional administrative and procedural compliance requirements for Gateway. Order V required the company to "make available to the Federal Trade Commission for inspection […] all documents demonstrating [the company's] compliance with the terms and provisions of [the Consent Decree].   Order VI required Gateway to deliver copies of the Decision and Order to all "current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of [the] Order."    Gateway was also required, under Order VII, to notify the FTC of all future changes in the corporation that might in some way affect it compliance with the requirements of the Consent Decree.   And finally, Order VIII required that Gateway would submit ongoing detailed reports to the FTC, at the FTC's request and discretion, demonstrating the manner of the company's compliance with the Consent Decree.

Significance
At a very basic level, the Gateway investigation provided important insights for U.S. companies about the FTC's position on privacy policy violations, particularly violations pertaining to the disclosure of customer information. Had there been any doubt, the Gateway case announced that the FTC viewed consumer privacy protection as part of its mandate. The FTC made clear that companies were, in fact, bound by the terms they expressed in their privacy policies, and that retroactive applications of new privacy policies, without proper notification, would be considered an inherently unfair act.

Jessica Rich, an assistant director at the FTC's Bureau of Consumer Protection, made the following comment on the case, "[i]f you have a privacy policy and people give their information under those promises in your privacy policy, you can't then change the policy and use the information you already collected consistent with the new policy." She continued, "[y]ou have to keep the promises you made when you collected the information. Until now, the FTC certainly hasn't been on record and I don't think anyone else has challenged this practice and made it very clear that it's illegal". In the words of Howard Beales, then Director of the FTC's Bureau of Consumer Protection "It's simple – if you collect information and promise not to share, you can't share unless the consumer agrees [...] You can change the rules but not after the game has been played."

As mentioned above, The Gateway investigation is also notable as the first FTC case in which the agency alleged both deceptive and unfair practices in response to material changes in a privacy policy. The deception claim had been commonplace in prior FTC investigations, but the unfairness claim was something different. Said Rich, "[t]he unfairness [in Gateway] was changing the policy and applying the new policy to information that had already been collected. We wanted to make clear that that practice in and of itself is something that is specifically wrong and illegal.  It is separate from the other violation."

But the FTC has played down, to some extent, the significance of the unfairness allegation. "There are two prongs to our authority in this area and we can use either one. We just have tended to use deception more frequently because that's what happened.  [Citing unfair practices] is not unprecedented," said Rich. "All our cases are an interpretation of what is unfair or deceptive and in violation of the FTC Act [...] Just as in any case law, whenever a case comes out, it enunciates a new interpretation of what the law requires. But alleging unfairness doesn't uniquely establish new policy in a way that deception doesn't."

Some commentators have also expressed skepticism about the seemingly paltry sum of money that Gateway was required to pay as disgorgement for its ill-gained profits. Indeed, the $4,608 payment to Treasury was not regarded by anyone as a hefty fine. To some the small fine is indicative of the FTC's inability to effectively enforce and regulate consumer privacy matters in the marketplace. The other requirements imposed upon Gateway, however, seem to tell a different story. The administrative compliance and reporting requirements alone, articulated above in the discussion about the Consent Decree are decidedly burdensome on Gateway. The fact that some of the orders will be in effect until the year 2024 speaks further to this point. Presumably these aspects of the Consent Decree, not the monetary fine, were the aspects that the FTC intended as a deterrent against similar violations by other companies in the future.