KPMG Regulatory Insights
- Increasing scrutiny of technology adoption and use (e.g., cloud, AI) against effective risk management and consumer protections, including:
- Modern technology risk management, technology resiliency and operational resiliency
- Risk management and governance, data collection and privacy (see 2023 Regulatory Challenges: Technology and Resiliency; Data and Cybersecurity)
The Federal Trade Commission (FTC) announces:
- Orders to social media and video streaming companies seeking information on corporate oversight of commercial advertising and efforts to mitigate potential “deception, fraud, and abuse”.
- A Request for Information (RFI) on business practices of cloud service providers and potential impacts on competition and data security.
These actions are highlighted in detail below:
Digital Advertising Information Collection Orders
In February 2023, the FTC released its annual Data Book Report finding that eleven (11) percent of frauds reported in 2022 noted “social media” as a contact method as well as associated consumer losses of $1.2 billion. (See KPMG Regulatory Alert, here.)
The FTC has now released orders seeking detailed information covering the calendar year 2019 through the information submission date from eight (8) companies regarding their policies, procedures, and practices to detect, prevent, and reduce potential deceptive commercial advertising and online shopping fraud. The FTC intends to use the information to better understand the potential for deceptive advertising on social media and video streaming platforms, associated consumers who “may be harmed”, and the effectiveness of companies’ oversight.
In summary, the information requested in the orders includes:
- Advertising standards and policies related to paid commercial ads (to include potentially misleading, deceptive, or fraudulent paid ads; online shopping fraud; impersonator scams; affiliate marketing; and algorithmic, machine learning, or automated systems, including generative AI systems) and processes for screening and monitoring for compliance with, and the efficacy of, those standards and policies, including through human review and the use of automated systems.
- Policies and procedures to scrutinize and restrict paid commercial advertising that is deceptive or exposes consumers to fraud related to health-care products, financial scams, counterfeit and fake goods, or other frauds.
- Advertising performance metrics, such as ad revenue, impressions/views, and other metrics, including for ads involving categories of products and services “more prone to deception” and consumer groups “most affected by deceptive ads and online shopping fraud”.
- Policies, plans, and directives “for ensuring” consumers are able to distinguish advertising and other commercial messages from other types of content, including disclosure tools for endorsers and influencers.
Compliance Period. Companies subject to the orders are expected to file the requested information and documents within 45 days of the “date of service”.
RFI on Cloud Service Providers
The RFI seeks information on the business practices of cloud service providers and their impact on end users, customers, companies, and other businesses across the economy. The FTC is seeking this information as part of its study on market power, competition, and security risks; it is also seeking information about the impact of cloud computing on specific industries including healthcare, finance, transportation, eCommerce, and defense.
The RFI poses twenty (20) questions for public comment, covering multiple topics, including (as summarized by the FTC):
- “The extent to which particular segments of the economy are reliant on a concentration of cloud service providers.
- The ability of cloud customers to negotiate contracts with cloud providers or [whether they] are experiencing “take-it-or-leave it” standard contracts.
- Incentives providers offer customers to obtain more of their cloud services from a single provider.
- The extent to which cloud providers compete on ability to provide secure storage for customer data.
- Types of products or services cloud providers offer related to artificial intelligence and the extent to which those products or services are proprietary or “provider-agnostic”.
- The extent to which cloud service providers identify and notify customers of security risks related to security design, implementation, or configuration.”
Comment Period. The deadline for public comment on the RFI is May 22, 2023.
Note: The Department of the Treasury recently released a report on the adoption of cloud services in the financial services sector. (See KPMG Regulatory Alert, here.)