On August 14, the Center for Digital Democracy (CDD) announced that it filed a complaint with the FTC claiming that 30 U.S. companies are compiling, using, and sharing EU consumers’ personal information without their awareness and meaningful consent, in violation of the U.S.-EU Safe Harbor Framework. The U.S.-EU Safe Harbor Framework established a self-certification program that allows a company to collect information from European consumers without strictly following the EU’s more stringent data protection standards, provided the company (i) provides clear notice of its data-collection practices and data uses; and (ii) allows consumers to “opt out” of data collection practices to which they did not previously agree. According to its press release, the CDD wants the FTC to investigate the companies for “relying on exceedingly brief, vague, or obtuse descriptions of their data collection practices, even though [U.S.-EU] Safe Harbor requires meaningful transparency and candor.” The complaint identifies several broad concerns that the CDD claims illustrate the inadequacy of the U.S.-EU Safe Harbor Framework, including: (i) the failure of U.S.-EU Safe Harbor declarations and required privacy policies to provide accurate and meaningful information to EU consumers; (ii) a lack of transparency by companies about their data collection; and (iii) the failure of companies to provide meaningful opt-out mechanisms. The FTC has already taken more than a dozen actions this year to enforce the U.S.-EU Safe Harbor Framework.
On August 19, the FTC approved final orders resolving allegations that two companies (i) misrepresented the level of security of their mobile applications and (ii) failed to secure the transmission of millions of consumers’ sensitive personal information. The FTC alleged that one company’s application assured consumers that their credit card information was stored and transmitted securely even though the company had disabled a higher level of security validation, which allowed that credit card information to be intercepted in transit. In addition, the company allegedly failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties. The FTC alleged that the second company also disabled enhanced security validation despite claiming that it followed industry-leading security precautions, which likewise left consumers’ information vulnerable to interception. The final settlement orders require both companies to establish comprehensive programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit the companies from misrepresenting the level of privacy or security of their products and services.
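The failure mode behind both orders, an app that switches off the validation that would otherwise reject an attacker’s certificate, is shown below as an added example in Python. It is not code from the FTC orders or from either company; it assumes that the “security validation” the orders refer to is TLS certificate and hostname verification, which the summary above does not spell out. The weak context is placed beside the hardened one, and an audit helper returns the findings a reviewer would raise against a client configuration.

```python
"""
Weak vs. hardened TLS client configuration, with an audit helper.

Assumption (not stated in the text above): the disabled "security
validation" is TLS certificate and hostname verification. This is an
added illustration, not the code of the companies involved.
"""
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """The pattern that lets an on-path attacker read the traffic.

    With verify_mode CERT_NONE the client accepts any certificate chain,
    trusted or not, and with check_hostname False it never compares the
    certificate to the host it meant to reach. An attacker who can sit
    between the phone and the server presents a certificate they minted
    themselves and the client completes the handshake with them.
    (ssl._create_unverified_context() produces the same configuration.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept any chain, signed by anyone
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Default-secure context: chain validated against the platform trust
    store, hostname checked, and pre-TLS 1.2 handshakes refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would flag for a client context.

    An empty list means the context validates the peer properly; each
    string describes one way the configuration permits interception.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(
            "verify_mode is CERT_NONE: server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is False: certificate is not matched against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum_version {ctx.minimum_version.name} permits obsolete protocol versions")
    return findings


if __name__ == "__main__":
    for label, builder in (("weak", weak_client_context),
                           ("hardened", hardened_client_context)):
        print(f"{label}: {audit_context(builder()) or ['no findings']}")
```

The audit is the check a practitioner adds to a build or code review: any client context in the app that reports a finding is one an attacker on the same Wi-Fi network can intercept, regardless of what the privacy policy promises. The order of the two assignments in `weak_client_context` matters in the `ssl` module, since setting `CERT_NONE` while `check_hostname` is still `True` raises `ValueError`; that guard is itself a hint that the two settings are meant to be changed together and deliberately.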
On August 1, the FTC released a staff report on the agency’s review of shopping apps—those used for comparison shopping, to collect and redeem deals and discounts, and to complete in-store purchases. The FTC staff examined information available to consumers before they download the software onto their mobile devices—specifically, information describing how apps that enable consumers to make purchases dealt with fraudulent or unauthorized transactions, billing errors, or other payment-related disputes. The staff also assessed information on how the apps handled consumer data. The FTC staff determined that the apps studied “often failed to provide pre-download information on issues that are important to consumers.” For example, according to the report, few of the in-store purchase apps provided any information prior to download explaining consumers’ liability or describing the app’s process for handling payment-related disputes. In addition, according to the FTC, most linked privacy policies “used vague language that reserved broad rights to collect, use, and share consumer data, making it difficult for readers to understand how the apps actually used consumer data or to compare the apps’ data practices.” The FTC staff recommends that companies that provide mobile shopping apps to consumers: (i) disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions; (ii) clearly describe how they collect, use, and share consumer data; and (iii) ensure that their strong data security promises translate into strong data security practices. The report also includes recommended practices for consumers.
On July 23, the CFPB, the FTC, and 15 state authorities coordinated to take action against foreclosure relief companies and associated individuals alleged to have employed deceptive marketing tactics to obtain business from distressed borrowers. The CFPB filed three suits, the FTC filed six, and the state authorities collectively initiated 32 actions. For example, the CFPB claims the defendants (i) collected fees before obtaining a loan modification; (ii) inflated success rates and likelihood of obtaining a modification; (iii) led borrowers to believe they would receive legal representation; and (iv) made false promises about loan modifications to consumers. The CFPB and FTC allege that the defendants violated Regulation O, formerly known as the Mortgage Assistance Relief Services (MARS) Rule, and that some of the defendants also violated the Dodd-Frank Act’s UDAAP provisions and Section 5 of the FTC Act, respectively. The state authorities are pursuing similar claims under state law. For example, New York Attorney General Eric Schneiderman announced that he served a notice of intent to bring litigation against two companies and an individual for operating a fraudulent mortgage rescue and loan modification scheme that induced consumers into paying large upfront fees but failed to help homeowners avoid foreclosure.
On May 27, the FTC released a report that claims—based on a study of nine data brokers—that data brokers generally operate with a “fundamental lack of transparency.” The FTC describes data brokers as companies that collect personal information about consumers from a wide range of sources and then provide that data for purposes of verifying an individual’s identity, marketing products, and detecting fraud or otherwise mitigating risk. The report is based in part on the nine brokers’ responses to FTC orders that required the brokers to provide information about: (i) the nature and sources of the consumer information the data brokers collect; (ii) how they use, maintain, and disseminate the information; and (iii) the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold or shared. The report summarizes the companies’ data acquisition processes, their product development and the types of products they provide, the quality of the data collected and sold, the types of clients to whom the data is sold, and consumer controls over the information. The FTC recommends that Congress consider enacting data broker legislation that would, among other things: (i) require data brokers to give consumers access to their data and the ability to opt out of having it shared for marketing purposes; (ii) require data brokers to clearly disclose that they not only use raw data, but that they also derive certain inferences from the data; (iii) address gaps in FCRA to provide consumers with transparency when a company uses a data broker’s risk mitigation product that limits a consumer’s ability to complete a transaction; and (iv) require brokers who offer people search products to allow consumers to access their own information and opt out of the use of that information, and to disclose the sources of the information and any limitations of the opt out.
On May 1, the White House’s working group on “big data” and privacy published a report on the findings of its 90-day review. In addition to considering privacy issues associated with big data, the group assessed the relationship between big data and discrimination, concluding, among other things, that “there are new worries that big data technologies could be used to ‘digitally redline’ unwanted groups, either as customers, employees, tenants, or recipients of credit” and that “big data could enable new forms of discrimination and predatory practices.” The report adds, “[t]he same algorithmic and data mining technologies that enable discrimination could also help groups enforce their rights by identifying and empirically confirming instances of discrimination and characterizing the harms they caused.” The working group recommends that the DOJ, the CFPB, and the FTC “expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law in such cases,” and adds that the President’s Council of Economic Advisers should assess “the evolving practices of differential pricing both online and offline, assess the implications for efficient operations of markets, and consider whether new practices are needed to ensure fairness.” The working group suggests that federal civil rights offices and the civil rights community should collaborate to “employ the new and powerful tools of big data to ensure that our most vulnerable communities are treated fairly.” With regard to privacy, the report states that the “ubiquitous collection” of personal information and data, combined with the difficulty of keeping data anonymous, require policymakers to “look closely at the notice and consent framework that has been a central pillar of how privacy practices have been organized for more than four decades.” Among its policy recommendations, the working group urges (i) enactment of a Consumer Privacy Bill of Rights, informed by a Department of Commerce public comment process, and (ii) the adoption of a national data breach bill along the lines of the Administration’s May 2011 Cybersecurity legislative proposal. It also calls for data brokers to provide more transparency and consumer control of data.
FTC Settles Suit Against Tribe-Affiliated Lenders; Dispute Over CFPB Investigation Of Tribe-Affiliated Lenders Moves To Federal Court
On April 11, the FTC announced that a tribe-affiliated payday lending operation and its owner agreed to pay nearly $1 million to resolve allegations that they engaged in unfair and deceptive acts or practices and violated the Credit Practices Rule in the collection of payday loans. The FTC alleged that the lenders illegally tried to garnish borrowers’ wages and sought to force borrowers to travel to South Dakota to appear before a tribal court, and that the loan contracts issued by the lenders illegally stated that they are subject solely to the jurisdiction of the Cheyenne River Sioux Tribe. The announced settlement payment includes a $550,000 civil penalty and a court order to disgorge $417,740. The companies and their owner also are prohibited from further unfair and deceptive practices and are barred from suing any consumer in the course of collecting a debt, except for bringing a counter suit to defend against a suit brought by a consumer.
Also on April 11, in a separate matter related to federal authority over tribe-affiliated lending, a group of tribe-affiliated lenders responded in opposition to a recent CFPB petition to enforce civil investigative demands (CIDs) the Bureau issued to the lenders. In September 2013, the CFPB denied the lenders’ joint petition to set aside the CIDs, rejecting the lenders’ primary argument that the CFPB lacks authority over businesses chartered under the sovereign authority of federally recognized Indian Tribes. The lenders subsequently refused to respond to the CIDs, which the CFPB now asks the court to enforce. The CFPB argues that the lenders fall within the CFPB’s investigative authority under the terms of the Consumer Financial Protection Act, which the CFPB argues is a law of general applicability, including with regard to Indian Tribes and their property interests. The lenders continue to assert that they are sovereign entities operating beyond the CFPB’s reach.
On April 17, the FTC announced it is seeking additional public comments on issues explored during a 2013 forum on mobile security. The announcement includes a series of specific questions within the following categories: (i) secure platform design; (ii) secure distribution channels; (iii) secure development practices; and (iv) security lifecycle and updates. The announcement indicates that the FTC is planning a report based on the forum and this subsequent information request. Comments are due by May 30, 2014.
On April 7, the U.S. District Court for the District of New Jersey denied a hotel company’s motion to dismiss the FTC’s claims that the company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by failing to maintain reasonable and appropriate data security for customers’ personal information. FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The company moved to dismiss the FTC’s suit, arguing that the FTC (i) lacks statutory authority to enforce data security standards outside of its explicit data security authority under statutes such as the Gramm-Leach-Bliley Act (GLBA) and FCRA; (ii) violated fair notice principles by failing to first promulgate applicable regulations; and (iii) failed to sufficiently plead certain elements of the unfairness and deception claims. The court rejected each of these arguments. First, the court held that the FTC does not need specific authority beyond Section 5 to enforce data security standards. The court reasoned that the data-security legislation that followed the FTC Act, such as GLBA and FCRA, provides the FTC additional data security tools that complement, rather than preclude, the FTC’s general authority under Section 5. Second, the court held that, to bring a Section 5 data security claim, the FTC is not required to provide notice of reasonable standards by issuing a new regulation, because regulations are not the only means of providing sufficient fair notice. According to the court, industry standards, past FTC enforcement actions, and FTC business guidance provided sufficient notice of what constitutes reasonable security measures. Third, the court held that the FTC properly pled its unfairness and deception claims under the FTC Act.
On March 19, the FTC reported that the U.S. District Court for the District of Nevada held that the FTC Act “grants the FTC authority to regulate arms of Indian tribes, their employees, and their contractors,” including tribe-affiliated businesses sued by the FTC over allegedly unfair and deceptive practices in the origination and collection of payday loans. FTC v. AMG Servs., Inc., No. 12-536, 2014 WL 910302 (D. Nev. Mar. 7, 2014). The court’s order affirmed a report and recommendation issued last July by a magistrate judge, in which the magistrate concluded that under controlling Ninth Circuit precedent the FTC has authority to regulate “Indian Tribes, Arms of Indian Tribes, employees of Arms of Indian Tribes and contractors of Arms of Indian Tribes with regard to” the payday lending activities at issue in the case. The district court rejected the defendants’ objections that the magistrate erred in (i) assigning the defendants the burden of establishing whether they fall within the FTC’s jurisdiction; (ii) determining that the FTC Act is a statute of general applicability; and (iii) failing to apply Indian law canons and Supreme Court opinions the defendants argued are controlling in determining whether a federal statute of general applicability applies to Indian tribes and arms of Indian tribes.
On March 20, the CFPB released its third annual report summarizing its activities in 2013 to implement and enforce the FDCPA. The report describes the CFPB’s and the FTC’s shared FDCPA enforcement authority, incorporates the FTC’s annual FDCPA update, and reiterates the intention of both the FTC and the CFPB to exercise their authority to take action—both independently and in concert—against those in violation of the FDCPA.
The report highlights the debt collection-related complaints the Bureau has received—over 30,000 since the CFPB began accepting and compiling consumer complaints in July 2013, making the third-party debt collection market the largest source of consumer complaints submitted to the CFPB. The report states that the majority of the complaints the CFPB has received involve attempts to collect debts not owed and allegedly illegal communication tactics. The report also identifies several changes within the debt collection industry over the past year that will remain points of emphasis for the CFPB, including the expansion of the debt buying market, the growth of medical debt and student loan debt in collection, and the use of expanded technologies to communicate with debtors.
On March 6, the FTC released a memorandum of understanding (MOU) it signed with the UK’s Information Commissioner’s Office (ICO), which is designed to strengthen the agencies’ privacy enforcement partnership. The FTC stated that over the last several years it has worked with the ICO on numerous investigations and international initiatives to increase global privacy cooperation. The MOU establishes a formal framework for the agencies to provide mutual assistance and exchange information for the purpose of investigating and taking enforcement action against certain privacy violations, and of securing compliance with the laws those violations implicate. The FTC also announced a joint project with the European Union (EU) and Asia-Pacific Economic Cooperation (APEC) economies to map the requirements for APEC Cross Border Privacy Rules against those for EU Binding Corporate Rules; the resulting document is designed to provide a practical reference tool for companies that seek “double certification” under the APEC and EU systems, and shows the substantial overlap between the two.
On March 5, the FTC released a summary of its 2013 debt collection activities, which it submitted to the CFPB on February 21, 2014. The report highlights that one of the FTC’s highest priorities is to continue targeting debt collectors that engage in deceptive, unfair, or abusive conduct. In particular, the FTC is actively pursuing debt collectors that secure payments from consumers by falsely threatening litigation or otherwise falsely implying that they are involved in law enforcement. In 2013, the FTC filed or resolved seven actions alleging deceptive, unfair, or abusive debt collection conduct. The FTC also took action against the continuing rise of so-called “phantom debt collectors.” The report also summarizes the FTC’s amicus program, and education, public outreach, research, and policy activities, including its Life of a Debt Roundtable Event, which examined data integrity in debt collection and the flow of consumer data throughout the debt collection process.
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under Section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend the zero-liability protections currently applicable to credit card transactions to debit card transactions.