On April 4, 2022, the U.S. Department of Justice (DOJ) Civil Division's Consumer Protection Branch (CPB) released its first-ever annual "recent highlights" report. The report describes the CPB's accomplishments from October 2020 through December 2021 and gives some insight into the enforcement trends companies can expect in the future as CPB's enforcement activities continue to ramp up.

The CPB has both civil and criminal authority that its nearly 100 attorneys exercise through criminal prosecutions and civil enforcement actions across several subject areas, including violations of consumer health, safety, economic activity, and identity integrity laws and regulations.

The full text of the report is available here. We provide some of the high-level takeaways below:

• Summary of 2021: In the slightly more than a year covered by the report, the CPB resolved cases resulting in $6.38 billion in payments to the U.S. and victims. CPB attorneys filed actions against 200 defendants, handled 55 defensive cases, and entered into more than 50 corporate resolutions. In their efforts, CPB attorneys utilized new legal tools at their disposal, including criminal provisions of the Consumer Product Safety Act, civil sections of the Controlled Substances Act, and numerous statutes and rules administered by the Federal Trade Commission (FTC).
• Consumer Health and Safety: A large portion of the CPB's resources are devoted to enforcement work aimed at protecting consumer health and safety.
  • During the period covered, the CPB reported criminally charging 53 individuals and corporations and bringing civil enforcement actions against 30 individuals and corporations, together leading to 38 individual convictions and 28 corporate resolutions relating to consumer health and safety.
  • The report also highlighted the CPB's role enforcing the Federal Food, Drug, and Cosmetics Act (FDCA). Unsurprisingly, from October 2020 to December 2021, the CPB used that enforcement authority to crack down on drugs and devices marketed as treatments or cures for COVID-19 without the backing of reliable scientific support.
  • In March 2021, an Indian drug manufacturer was ordered to pay $50 million following a guilty plea in connection with allegations that it destroyed records prior to a U.S. Food and Drug Administration inspection.
  • In July 2021, a U.S. manufacturer agreed to pay $22 million to resolve a matter involving allegations that it mislabeled surgical gowns to indicate that those gowns offered a higher degree of protection from virus penetration than they actually did.
• Consumer Fraud and Privacy: The CPB handles litigation under statutes administered by the FTC related to protecting consumers from unfair and deceptive conduct and consumer privacy.
  • The report counts 43 individuals and corporations criminally charged, 82 individuals and corporations sued in civil enforcement actions, 21 individuals convicted, and 23 corporate resolutions relating to consumer fraud.
  • In December 2020, Dish Network LLC agreed to pay $210 million for violations of the Telemarketing Sales Rule (TSR) and the Federal Trade Commission Act, the largest penalty ever paid to resolve telemarketing violations. In fact, the penalty exceeded the total penalties paid to the U.S. by all prior violators of the TSR.
  • In January 2021, a U.S. data management company entered into an agreement with the CPB and the U.S. Attorney's Office for the District of Colorado admitting that certain employees knowingly sold information associated with more than 30 million Americans to clients engaged in fraudulent mass mailing schemes. The company agreed to pay $150 million and adopt substantial compliance and reporting measures.
  • In May 2021, a U.S. home security company was ordered to pay $15 million in civil penalties and $5 million in consumer redress for violations of the Fair Credit Reporting Act (FCRA). The company had failed to implement an Identity Theft Prevention Program, which allowed some sales representatives to obtain credit reports without consumer consent. The civil penalty awarded was the most ever for alleged FCRA violations.
  • In December 2021, an ad exchange was ordered to pay $2 million for, among other things, allegedly collecting and maintaining location data and other personal information from children under 13 without parental notice or consent in violation of the Children's Online Privacy Protection Act and facilitating the use of that data for targeted advertising on hundreds of child-directed apps.

Conclusion

The CPB has more than tripled in size over the last several years, and this report reinforces CPB's ongoing desire to aggressively use its enforcement mechanisms. As the report demonstrates, it is an active partner in filing cases based on investigations conducted by the FTC and other agencies. Where, for example, the FTC seeks to resolve investigations involving civil penalty matters, companies may need to engage in negotiations with both the FTC and the DOJ as civil penalty matters must be referred to the DOJ before they can be filed. Companies operating in areas subject to the CPB's enforcement authority should take steps to become familiar with its powers, processes, and procedures.

For advice and assistance about these matters, contact Chris Olsen, Lydia Parnes, Maneesha Mithal, or another member of Wilson Sonsini's privacy and cybersecurity practice.