On March 19, the FTC reported that the U.S. District Court for the District of Nevada held that the FTC Act “grants the FTC authority to regulate arms of Indian tribes, their employees, and their contractors,” including tribe-affiliated businesses sued by the FTC over allegedly unfair and deceptive practices in the origination and collection of payday loans. FTC v. AMG Servs., Inc., No. 12-536, 2014 WL 910302 (D. Nev. Mar. 7, 2014). The court’s order affirmed a report and recommendation issued last July by a magistrate judge in which the magistrate concluded that under controlling Ninth Circuit precedent, the FTC has authority to regulate “Indian Tribes, Arms of Indian Tribes, employees of Arms of Indian Tribes and contractors of Arms of Indian Tribes with regard to” the payday lending activities at issue in the case. The district court rejected the defendant’s objections that the magistrate erred in (i) assigning the defendants the burden of establishing whether they fall within the FTC’s jurisdiction; (ii) determining that the FTC Act is a statute of general applicability; and (iii) failing to apply Indian law canons and Supreme Court opinions the defendants argued are controlling in determining whether a federal statute of general applicability applies to Indian tribes and arms of Indian tribes.
On April 7, the U.S. District Court for the District of New Jersey denied a hotel company’s motion to dismiss the FTC’s claims that the company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by failing to maintain reasonable and appropriate data security for customers’ personal information. FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The company moved to dismiss the FTC’s suit, arguing that the FTC (i) lacks statutory authority to enforce data security standards outside of its explicit data security authority under statutes such as the Gramm-Leach-Bliley Act (GLBA) and FCRA; (ii) violated fair notice principles by failing to first promulgate applicable regulations; and (iii) failed to sufficiently plead certain elements of the unfairness and deception claims. The court rejected each of these arguments. First, the court held that the FTC does not need specific authority under Section 5 to enforce data security standards. The court reasoned that the data-security legislation that followed the FTC Act, such as GLBA and FCRA, provides the FTC additional data security tools that complement, rather than preclude, the FTC’s general authority under Section 5. Second, the court held that, to bring a Section 5 data security claim, the FTC is not required to provide notice of reasonable standards by issuing a new regulation because regulations are not the only means of providing sufficient fair notice. According to the court, industry standards, past FTC enforcement actions, and FTC business guidance provided sufficient notice of what constitutes reasonable security measures. Third, the court held that the FTC properly pled its unfairness and deception claims under the FTC Act.
On March 20, the CFPB released its third annual report summarizing its activities in 2013 to implement and enforce the FDCPA. The report describes the CFPB’s and the FTC’s shared FDCPA enforcement authority, incorporates the FTC’s annual FDCPA update, and reiterates the intention of both the FTC and the CFPB to exercise their authority to take action—both independently and in concert—against those in violation of the FDCPA.
The report highlights the debt collection-related complaints the Bureau has received—over 30,000 since the CFPB began accepting and compiling consumer complaints in July 2013, making the third-party debt collection market the largest source of consumer complaints submitted to the CFPB. The report states that the majority of the complaints the CFPB has received involve attempts to collect debts not owed and allegedly illegal communication tactics. The report also identifies several changes within the debt collection industry over the past year that will remain points of emphasis for the CFPB, including the expansion of the debt buying market, the growth of medical debt and student loan debt in collection, and the use of expanded technologies to communicate with debtors.
On March 6, the FTC released a memorandum of understanding (MOU) it signed with the UK’s Information Commissioner’s Office (ICO), which is designed to strengthen the agencies’ privacy enforcement partnership. The FTC stated that over the last several years it has worked with the ICO on numerous investigations and international initiatives to increase global privacy cooperation. The MOU establishes a formal framework for the agencies to provide mutual assistance and exchange of information for the purpose of investigating, enforcing, and/or securing compliance with certain privacy violations. The FTC also announced a joint project with the European Union (EU) and Asia-Pacific Economic Cooperation (APEC) economies to map together the requirements for APEC Cross Border Privacy Rules and EU Binding Corporate Rules, which is designed to provide a practical reference tool for companies that seek “double certification” under the APEC and EU systems, and shows the substantial overlap between the two.
On March 5, the FTC released a summary of its 2013 debt collection activities, which it submitted to the CFPB on February 21, 2014. The report highlights that one of the FTC’s highest priorities is to continue targeting debt collectors that engage in deceptive, unfair, or abusive conduct. In particular, the FTC is actively pursuing debt collectors that secure payments from consumers by falsely threatening litigation or otherwise falsely implying that they are involved in law enforcement. In 2013, the FTC filed or resolved seven actions alleging deceptive, unfair, or abusive debt collection conduct. The FTC also took action against the continuing rise of so-called “phantom debt collectors.” The report also summarizes the FTC’s amicus program, and education, public outreach, research, and policy activities, including its Life of a Debt Roundtable Event, which examined data integrity in debt collection and the flow of consumer data throughout the debt collection process.
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under Section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limit the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S.
Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
On January 21, the FTC announced agreements with 12 companies to resolve allegations that the companies falsely claimed compliance with an international privacy framework. The FTC complaints explain that the U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data outside of the EU that is consistent with the requirements of the European Union Directive on Data Protection. The Directive sets forth EU requirements for privacy and the protection of personal data and requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the European Commission has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data. To participate in the Framework, a U.S. company must self-certify to the U.S. Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard. The FTC claimed that the companies indicated compliance with the Safe Harbor principles, for example through privacy policies or certification marks, when the companies had allowed their self-certifications to lapse. The FTC alleged that this conduct violated Section 5 of the FTC Act. The companies did not admit the allegations, and the FTC acknowledged that the allegations do not necessarily mean that the companies committed any substantive violations of the privacy principles of the Safe Harbor framework. The proposed settlement agreements would prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
On January 15, the FTC announced that a major mobile technology company agreed to resolve allegations that it violated Section 5 of the FTC Act by failing to inform account holders that entering their password on their mobile device would open a 15-minute window in which children could incur unlimited charges within certain mobile applications with no further action from the account holder (in-app purchases). The settlement is open to public comment through February 14, 2014. Once finalized, the proposed settlement will require the company to refund at least $32.5 million to consumers who allegedly were billed for accidental or unauthorized in-app purchases by minors. The company will manage the remuneration process, including by providing notice to consumers and providing refunds promptly upon consumer request. Any funds remaining after 12 months of the final agreement must be remitted to the FTC. The company also must alter its billing practices to ensure it obtains express, informed consent before charging accountholders for in-app purchases.
On December 18, a group of House Democrats sent a letter urging the FTC to focus on the online marketing of products and services by consumer reporting agencies (CRAs). The lawmakers assert that CRAs “often require consumers to jump through hurdles, presumably in an effort to generate additional revenue.” The lawmakers suggest that certain CRAs’ websites mislead and confuse consumers, particularly with regard to the marketing of “free” consumer products and services that are conditioned upon consumers signing up for “costly add-on services such as ongoing credit monitoring.” The letter identifies the following specific practices for FTC scrutiny: (i) marketing “free” products or services that automatically convert to a monthly subscription if the consumer does not cancel within a trial period; (ii) “prominent” advertising of discount packages without disclosing that the initial small dollar enrollment fee converts into a subscription service; and (iii) requiring consumers to set up accounts before being granted access to their credit score or reports, while “barrag[ing]” consumers with add-on product offerings during the account registration process.
On December 2, the FTC announced a series of seminars to be held in 2014 dedicated to the privacy implications of: (i) mobile device tracking—tracking consumers in retail and other businesses using signals from their mobile devices; (ii) alternative scoring products—using predictive scoring to determine consumers’ access to products and offers; and (iii) consumer-generated and controlled health data—information provided by consumers to non-HIPAA covered websites, health applications, and devices. The first two topics will be examined in forums held in Washington, DC on February 19, 2014 and March 19, 2014, respectively. Details for the third event have not been finalized.
On October 30, a bipartisan group of 22 Senators sent a letter to the CFPB raising concerns about CFPB guidance affecting the indirect auto financing market and auto dealers’ ability to negotiate retail margins with consumers. The guidance at issue, contained within CFPB Bulletin 2013-02, advised bank and nonbank indirect auto financial institutions about compliance with federal fair lending requirements in connection with the practice by which auto dealers “mark up” the financial institution’s risk-based buy rate and receive compensation based on the increased interest revenues.
In August, the CFPB responded to a similar inquiry from House members. The Senate letter asserts that the CFPB still has not explained a basis for alleging that discrimination under a “disparate impact” theory of liability exists in the indirect auto financing market. Nor, the letter continues, has the CFPB released the statistical methodology it uses to evaluate disparate impact in an indirect auto lender’s portfolio.
On October 4, the CFPB and the FTC filed an amicus brief in a Fair Credit Reporting Act (FCRA) case pending in the Ninth Circuit. The brief argues that the seven-year period during which a criminal arrest can be reported starts on the date of the arrest and, contrary to the district court’s decision, is not extended by a subsequent dismissal of the charges. The brief notes that FCRA previously provided that the seven-year reporting period ran “from the date of disposition [i.e., dismissal], release, or parole,” but that Congress repealed that specific provision in 1998, replacing it with the general FCRA rule that the reporting period begins when the adverse event occurs. The brief notes that Congress prescribed a different rule for some categories of information—for example, the seven-year period for reporting that a delinquent account was placed with a collection agency begins 180 days after the commencement of the delinquency that immediately preceded the collection activity.
The brief relies heavily on the FTC’s summary of staff interpretations that it issued as part of its staff report, 40 Years of Experience with the Fair Credit Reporting Act (2011), just before the Dodd-Frank Act transferred primary enforcement authority for FCRA from the FTC and gave the CFPB general rulemaking powers under FCRA. The FTC and CFPB argue that the district court erroneously relied on the FTC’s 1990 Commentary on FCRA, which did not reflect the 1998 amendments. The extensive reliance on the 40 Years Report in the brief is significant because it reflects an endorsement of the authoritativeness of that report by the CFPB, at least as to the particular issue raised in this case.
On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.
On September 26, the FTC announced that it had filed an amicus brief in the U.S. Court of Appeals for the Seventh Circuit in a class action suit against a Native American payday lender. In that case, the putative class is challenging a payday lender’s practice of requiring borrowers to submit to arbitration at a Native American reservation in South Dakota. The FTC notes that it is pursuing its own action against the same lender, challenging its jurisdiction over borrowers who do not belong to the tribe and who do not reside on the reservation or in South Dakota. In its Seventh Circuit filing, the FTC argues that Native American tribes and tribal courts have legal authority over their own members and not over non-members, unless non-members conduct activities inside the reservation or enter into a commercial relationship with the tribe or a member of the tribe. The FTC claims that borrowers who take out payday loans from these companies via the Internet do not conduct business on the reservation and should not be subject to arbitration there.