Settlement | Low Risk

FTC Settles with CafePress Over Data Security Failures, $370K in Refunds

CafePress | March 1, 2022 | Federal Trade Commission

Penalty Amount

$370,000

Consumers Affected

20,044

Summary

The FTC settled with CafePress for failing to implement reasonable data security measures, leading to multiple breaches that exposed Social Security numbers and other sensitive data. As part of the settlement, over $370,000 in refunds are being distributed to 20,044 consumers who filed valid claims.

Remedy

The FTC is sending payments totaling more than $370,000 to 20,044 consumers who filed a valid claim before the deadline, via checks and PayPal.

Consumer Refunds

Contract Impact

In-house legal teams should review vendor agreements, customer contracts, and any data processing agreements (DPAs) that involve the handling of sensitive personal data (e.g., Social Security numbers). Focus on clauses addressing data security obligations, data retention limits, and breach notification requirements. Specific changes may include: mandating encryption for sensitive data at rest and in transit; implementing clear data minimization and retention schedules; requiring prompt breach notification to affected individuals and regulators (e.g., within 72 hours); and adding provisions for regular security audits and vulnerability assessments. Contracts should also prohibit storing sensitive data in clear, readable text and require reasonable access controls.

Contract Search Terms

reasonable security measures, data encryption standards, data retention schedule, breach notification clause, access controls, security incident response plan, prohibition on clear text storage, consumer notification requirements

Violation Types

Entity Details

Entity

CafePress

Industry

Technology

Official Sources

Source Evidence

Entity Name
"CafePress"
Violation Types
"CafePress failed to implement reasonable security measures to protect the sensitive information stored on its network. In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary. As a result of its shoddy security practices, CafePress’ network was breached multiple times allowing hackers to access sensitive user data including Social Security numbers. The company also failed to adequately inform consumers about these breaches."
Consumers Affected
"20,044 consumers"

Related Enforcement Actions

FTC

CafePress

$500K

The FTC finalized an order against CafePress for failing to secure consumer data and covering up a data breach. The company must implement comprehensive security measures, and its former owner must pay $500,000 in redress to victims.

NJ

CafePress

$2.0M

New Jersey joined a multistate $2 million settlement with online retailer CafePress over a 2019 data breach that exposed personal information of approximately 22 million consumers nationwide, including over 540,000 in New Jersey. The settlement requires CafePress to implement a comprehensive cybersecurity program, incident response plan, and third-party assessments for five years, with payment suspended pending compliance.

FTC

12 Unnamed Nudify Tool Providers

The FTC sent warning letters to 12 companies offering 'nudify' tools that generate nonconsensual intimate images, for failing to comply with the TAKE IT DOWN Act (TIDA) by not providing a mechanism for victims to request removal of such content. The letters urge immediate compliance with TIDA, which requires platforms to remove nonconsensual intimate images within 48 hours of a valid request. Noncompliant companies may face future legal action and civil penalties of up to $53,088 per violation.

FTC

Covered Platforms

The FTC began enforcing the TAKE IT DOWN Act on May 19, 2026, a law requiring covered platforms to establish a process for victims to request removal of nonconsensual intimate images and delete such content within 48 hours of a valid request. The agency launched a consumer complaint portal, issued compliance guidance for businesses and consumers, and sent reminder letters to major platforms including Meta, TikTok, and X about their obligations under the law. No specific penalties or enforcement actions against individual companies were announced in this release.

FTC

Cliq Inc.

$6.5M

A federal court held Cliq Inc. and its executives Andrew Phillips and John Blaugrund in civil contempt for multiple violations of a 2015 FTC order requiring the payment processor to prevent enabling consumer fraud. The court found the defendants facilitated fraud by processing transactions for high-risk merchants, avoiding fraud monitoring, failing to conduct required underwriting, and ignoring chargeback thresholds. The court imposed $6.5 million in civil contempt sanctions against the defendants.

FTC

Chris Terry, Isis Terry, IM Mastery Academy, IYOVIA, iMarketsLive, IM Academy

$795.8M

The FTC and State of Nevada settled charges with lead defendants of the IM Mastery Academy MLM scheme, including Chris and Isis Terry and their affiliated companies, over false earnings claims used to promote financial training programs and a multi-level marketing venture. The stipulated order imposes a $795.8 million judgment, with defendants surrendering nearly $90 million in assets including luxury real estate, vehicles, jewelry, and a yacht, totaling over $100 million with prior judgments from other involved defendants. The order also bans defendants from selling trading-training services, prohibits false earnings claims, and restricts deceptive practices including negative-option misrepresentations and telemarketing violations.