CafePress; Analysis of Proposed Consent Orders To Aid Public Comment, 16187-16189 [2022-06022]



[Federal Register Volume 87, Number 55 (Tuesday, March 22, 2022)]
[Notices]
[Pages 16187-16189]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-06022]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 192 3209]


CafePress; Analysis of Proposed Consent Orders To Aid Public 
Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreements in this matter settle alleged 
violations of Federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis of Proposed Consent Orders to Aid 
Public Comment describes both the allegations in the draft complaint 
and the terms of the consent orders--embodied in the consent 
agreements--that would settle these allegations.

DATES: Comments must be received on or before April 21, 2022.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``CafePress; File 
No. 192 3209'' on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based 
form. If you prefer to file your comment on paper, mail your comment to 
the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024.

FOR FURTHER INFORMATION CONTACT: Mohammed Aijaz (214-979-9386), Federal 
Trade Commission Southwest Region, 1999 Bryan Street, Suite 2150, 
Dallas, TX 75201-6808.

[[Page 16188]]


SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreements 
containing consent orders to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, have been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreements and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
at https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before April 21, 2022. 
Write ``CafePress; File No. 192 3209'' on your comment. Your comment--
including your name and your state--will be placed on the public record 
of this proceeding, including, to the extent practicable, on the 
https://www.regulations.gov website.
    Due to the COVID-19 pandemic and the agency's heightened security 
screening, postal mail addressed to the Commission will be subject to 
delay. We strongly encourage you to submit your comments online through 
the https://www.regulations.gov website.
    If you prefer to file your comment on paper, write ``CafePress; 
File No. 192 3209'' on your comment and on the envelope, and mail your 
comment to the following address: Federal Trade Commission, Office of 
the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), 
Washington, DC 20580; or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024. If possible, submit your paper comment to the Commission by 
courier or overnight service.
    Because your comment will be placed on the publicly accessible 
website at https://www.regulations.gov, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include sensitive 
personal information, such as your or anyone else's Social Security 
number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c), 16 CFR 4.9(c). 
In particular, the written request for confidential treatment that 
accompanies the comment must include the factual and legal basis for 
the request and must identify the specific portions of the comment to 
be withheld from the public record. See FTC Rule 4.9(c). Your comment 
will be kept confidential only if the General Counsel grants your 
request in accordance with the law and the public interest. Once your 
comment has been posted on the https://www.regulations.gov website--as 
legally required by FTC Rule 4.9(b)--we cannot redact or remove your 
comment from that website, unless you submit a confidentiality request 
that meets the requirements for such treatment under FTC Rule 4.9(c), 
and the General Counsel grants that request.
    Visit the FTC website at https://www.ftc.gov to read this Notice 
and the news release describing the proposed settlement. The FTC Act 
and other laws that the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
that it receives on or before April 21, 2022. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (``Commission'') has accepted, subject 
to final approval, agreements containing consent orders from Residual 
Pumpkin Entity, LLC (``Residual Pumpkin'') and PlanetArt, LLC 
(``PlanetArt'') (collectively, ``Respondents'').
    The proposed consent orders (``Proposed Orders'') have been placed 
on the public record for thirty (30) days for receipt of comments by 
interested persons. Comments received during this period will become 
part of the public record. After thirty (30) days, the Commission will 
again review the agreements and the comments received and will decide 
whether it should withdraw from the agreements and take appropriate 
action or make final the Proposed Orders.
    This matter involves Respondents' data security and privacy 
practices. Respondent Residual Pumpkin owned CafePress until September 
2020, when Residual Pumpkin sold CafePress to Respondent PlanetArt. The 
CafePress website allows users, known as shopkeepers, to earn 
commissions from sales of merchandise offered to consumers. CafePress 
collected information such as names, email addresses, telephone numbers 
and--from shopkeepers--Social Security numbers (``Personal 
Information''). CafePress claimed to keep this information safe, but in 
fact failed to provide reasonable security. For example, CafePress 
failed to: Guard against well-known and reasonably foreseeable threats, 
such as SQL injection and cross-site scripting attacks; encrypt Social 
Security numbers; and implement a process for receiving and addressing 
third-party security vulnerability reports. CafePress also claimed to 
adhere to principles set forth in the EU-U.S. and Swiss-U.S. Privacy 
Shield frameworks, specifically that it would honor user requests to 
delete data and user choices about how email addresses would be used. 
Instead, CafePress failed to delete Personal Information when it was 
requested to do so and sent marketing emails to nearly all its 
consumers, even those who had not opted in to receive such messages. As 
a result of CafePress' data security practices, consumers' Personal 
Information was stolen and sold on the dark web. CafePress learned of 
the breach but failed to notify affected consumers. After some 
shopkeepers learned of the breach and closed their accounts, CafePress 
withheld up to $25 in payable commissions from each of those 
shopkeepers.
    The complaint alleges that Respondents violated Section 5(a) of the 
FTC Act by: (1) Misrepresenting the measures CafePress took to protect 
Personal Information; (2) misrepresenting the steps CafePress took to 
secure consumer accounts following security incidents; (3) failing to 
employ reasonable data security practices; (4) misrepresenting how 
CafePress would use email addresses; (5) misrepresenting CafePress's 
adherence to the Privacy

[[Page 16189]]

Shield frameworks; (6) misrepresenting whether CafePress would honor 
deletion requests; and (7) unfairly withholding commissions payable to 
shopkeepers.
    The Proposed Orders contain provisions designed to prevent 
Respondents from engaging in the same or similar acts or practices in 
the future.

Summary of Proposed Order With Residual Pumpkin

    Part I prohibits Residual Pumpkin from misrepresenting: (1) Privacy 
and security measures it takes to prevent unauthorized access to 
Personal Information; (2) the extent to which Residual Pumpkin is a 
member of any privacy or security program sponsored by a government, 
self-regulatory, or standard-setting organization; (3) privacy and 
security measures to honor users' privacy choices; (4) information 
deletion and retention practices; and (5) the extent to which it 
maintains and protects the privacy, security, availability, 
confidentiality, or integrity of Personal Information.
    Part II requires Residual Pumpkin to establish and implement, and 
thereafter maintain, a comprehensive information security program 
("Security Program") that protects the privacy, security, 
confidentiality, and integrity of Personal Information. Part III 
requires Residual Pumpkin to obtain initial and biennial data security 
assessments for 20 years. Part IV requires Residual Pumpkin to disclose 
all material facts to the assessor and prohibits Residual Pumpkin from 
misrepresenting any fact material to the assessment required by Part 
II. Part V requires Residual Pumpkin to submit an annual certification 
from a senior corporate manager (or senior officer responsible for its 
Security Program) that Residual Pumpkin has implemented the 
requirements of the order and is not aware of any material 
noncompliance that has not been corrected or disclosed to the 
Commission. Part VI requires Residual Pumpkin to notify the Commission 
of a "Covered Incident" within thirty days of discovering such 
incident.
    Parts VII and VIII require Residual Pumpkin to pay to the 
Commission $500,000 and describe the procedures and legal rights 
related to that payment. Part IX requires Residual Pumpkin to provide 
customer information to enable the Commission to administer consumer 
redress. Part X requires Residual Pumpkin to submit an acknowledgement 
of receipt of the order, including all officers or directors and 
employees having managerial responsibilities for conduct related to the 
subject matter of the order, and to obtain acknowledgements from each 
individual or entity to which Residual Pumpkin has delivered a copy 
of the order.
    Part XI requires Residual Pumpkin to file compliance reports with 
the Commission and to notify the Commission of bankruptcy filings or 
changes in corporate structure that might affect compliance 
obligations. Part XII contains recordkeeping requirements for 
accounting records, personnel records, consumer correspondence, 
advertising and marketing materials, and claim substantiation, as well 
as all records necessary to demonstrate compliance with the order. Part 
XIII contains other requirements related to the Commission's monitoring 
of Respondent's order compliance.
    Part XIV provides the effective dates of the order, including that, 
with exceptions, the order will terminate in twenty (20) years.

Summary of Proposed Order With PlanetArt

    Part I prohibits PlanetArt from misrepresenting: (1) Privacy and 
security measures it takes to prevent unauthorized access to Personal 
Information; (2) the extent to which PlanetArt is a member of any 
privacy or security program sponsored by a government, self-regulatory, 
or standard-setting organization; (3) privacy and security measures to 
honor users' privacy choices; (4) information deletion and retention 
practices; and (5) the extent to which it maintains and protects the 
privacy, security, availability, confidentiality, or integrity of 
Personal Information.
    Part II requires PlanetArt to establish and implement, and 
thereafter maintain, a comprehensive information security program that 
protects the privacy, security, confidentiality, and integrity of 
Personal Information. Part III requires PlanetArt to obtain initial and 
biennial data security assessments for 20 years. Part IV requires 
PlanetArt to disclose all material facts to the assessor and prohibits 
PlanetArt from misrepresenting any fact material to the assessment 
required by Part II.
    Part V requires PlanetArt to submit an annual certification from a 
senior corporate manager (or senior officer responsible for its 
Security Program) that PlanetArt has implemented the requirements of 
the order and is not aware of any material noncompliance that has not 
been corrected or disclosed to the Commission. Part VI requires 
PlanetArt to notify the Commission of a "Covered Incident" within 
thirty days of discovering such incident. Part VII requires PlanetArt 
to provide notice to consumers to inform them of the breach and the 
settlement with the FTC.
    Part VIII requires PlanetArt to submit an acknowledgement of 
receipt of the order, including all officers or directors and employees 
having managerial responsibilities for conduct related to the subject 
matter of the order, and to obtain acknowledgements from each 
individual or entity to which PlanetArt has delivered a copy of the 
order.
    Part IX requires PlanetArt to file compliance reports with the 
Commission and to notify the Commission of bankruptcy filings or 
changes in corporate structure that might affect compliance 
obligations. Part X contains recordkeeping requirements for accounting 
records, personnel records, consumer correspondence, advertising and 
marketing materials, and claim substantiation, as well as all records 
necessary to demonstrate compliance with the order. Part XI contains 
other requirements related to the Commission's monitoring of 
PlanetArt's order compliance.
    Part XII provides the effective dates of the order, including that, 
with exceptions, the order will terminate in 20 years.
    The purpose of this analysis is to facilitate public comment on the 
Proposed Orders, and it is not intended to constitute an official 
interpretation of the complaint or Proposed Orders, or to modify the 
Proposed Orders' terms in any way.

    By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2022-06022 Filed 3-21-22; 8:45 am]
BILLING CODE 6750-01-P