On November 16, the FCC and the FTC executed a Memorandum of Understanding (MOU) on continued cooperative efforts to protect consumers from unfair and deceptive acts and practices involving telecommunications services. In an effort to formalize existing cooperation among the agencies, the MOU outlines the ways in which the two agencies will continue to work together, including: (i) coordinating agency initiatives where one agency’s action will significantly impact the other agency’s authority or programs; (ii) sharing investigative techniques and tools, intelligence, technical and legal expertise, as necessary, in addition to best practices in response to reasonable requests for such assistance; and (iii) collaborating on consumer and industry outreach and education efforts, as appropriate. Moreover, the MOU identifies the scope of each agency’s enforcement authority with respect to common carriers, and confirms that the 2003 MOU regarding Telemarketing Enforcement between the two agencies remains effective, stating that the most recent MOU should not “be construed as altering, amending, or invalidating that MOU.”
On November 18, the FTC announced that it approved, by a 3-1 vote, final amendments to the Telemarketing Sales Rule (TSR) that ban telemarketers from using certain payment methods that are commonly used by scammers. Per the amendments, telemarketers are prohibited from (i) using specific types of checks and “payment orders” that are remotely created by the telemarketer or seller and which permit direct access to consumers’ bank accounts; (ii) receiving payments through traditional “cash-to-cash” money transfers, which allow scammers to easily obtain consumer funds anonymously and without the ability to reverse the transaction; and (iii) accepting as payment “cash reload” mechanisms. The FTC concluded that the aforementioned payment methods constituted abusive practices because they caused or were likely to cause “substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition.” Finally, according to the FTC, “the amendments address changes in the financial marketplace to ensure consumers remain protected by the TSR’s antifraud provisions, but are narrowly tailored to allow for innovations with respect to other payment methods that are used by legitimate companies.”
FTC Signs Memorandum of Agreement to Prevent Fraudulent and Deceptive Practices Against Servicemembers
On November 12, the FTC announced that it signed a Memorandum of Agreement with the Veterans Administration (VA) to provide mutual assistance in preventing fraudulent and deceptive acts by “institutions of higher learning and other establishments that offer training” targeting U.S. servicemembers, veterans, and dependents using military education benefits. In its press release, the FTC warned servicemembers of for-profit schools that may make unrealistic promises and pressure them to enroll in unnecessary courses or take out loans they may not be able to pay off.
On November 12, the FTC announced the topics for its November 18 Debt Collection Dialogue in Atlanta, which will have two panels. The first panel, “State Regulation and Enforcement of Debt Collection,” will include representatives from state law enforcement agencies and industry. The second panel, “Federal Regulation and Enforcement of Debt Collection,” will feature representatives from the FTC, the CFPB, and the OCC. Panelists will discuss enforcement actions, consumer complaints, compliance issues, and industry best practices.
FTC Partners with Federal, State, and Local Law Enforcement Agencies to Announce Nationwide “Crackdown” on Abusive Debt Collection
On November 4, the FTC announced the first coordinated federal, state, and local initiative to combat alleged abusive and deceptive debt collection practices, Operation Collection Protection. This announcement included authorities listing 30 new actions, including five enforcement actions by the FTC. These actions targeted the following practices: (i) extracting payments from consumers by using intimidation and inaccurate representations; (ii) impersonating servers or attorneys and threatening arrest or litigation; and (iii) collecting on debts that never existed or had already been paid. These cases bring the total number of actions taken under the Operation Collection Protection initiative this year to 115 and the total number of participating law enforcement partners to 70.
On November 3, the FTC announced the agenda for its Cross-Device Tracking workshop, which is scheduled to take place on November 16 in Washington, D.C. FTC Chairwoman Edith Ramirez will deliver opening remarks, with FTC Office of Technology, Research and Investigation Policy Director Justin Brookman introducing two panel discussions. The first panel will examine the technology used for cross-device tracking, including how it has evolved, privacy concerns, and how the technology benefits consumers and businesses alike. The second panel will focus on the policy implications of cross-device tracking, such as: (i) the type of data being collected about consumers; (ii) consumer awareness of this type of tracking; (iii) notice to consumers of cross-device tracking and consumers’ ability to give consent; and (iv) industry self-regulation efforts.
On October 30, the FTC hosted a workshop on online lead generation titled “Follow the Lead.” The workshop focused on lead generation in the mortgage and education lending space and consisted of a number of discussion panels composed of industry representatives, consumer advocates, and FTC regulators.
The first panel was primarily an overview of how web-based advertising is executed and how leads are generated using a variety of methods. Also discussed were the data analytics used to validate and assign value to the data collected. It was also noted that large media companies, such as Google and Facebook, have enacted policies restricting advertisements by participants in certain industries.
The second and third panels focused on online lead generation policies and practices in consumer and education lending, respectively. Industry participants and consumer advocates discussed varying policy viewpoints with respect to the practice of buying and selling data of consumers viewing a particular type of website to participants in a different industry. For instance, lead generators may gather data from consumers searching for jobs and then sell that data to providers of educational services. The panelists generally agreed that this practice was not inherently abusive, but could be harmful when implemented with intent to mislead. All generally agreed that guidance from the FTC and other government agencies would be useful to the extent that standards of conduct and transparency could be more clearly prescribed.
On October 25, the FTC and seven members of the Global Privacy Enforcement Network (GPEN) launched GPEN Alert, a new information-sharing system designed to enhance coordinated efforts to protect consumer privacy. The FTC and seven data protection authorities from Australia, Canada, Ireland, the Netherlands, New Zealand, Norway, and the United Kingdom signed an MOU to participate in GPEN Alert. GPEN Alert is based on the FTC’s Consumer Sentinel Network and will allow participating agencies to confidentially share information about privacy investigations and enforcement actions.
On October 19, the FTC announced the agenda for its upcoming workshop entitled “Follow the Lead: An FTC Workshop About Online Lead Generation.” As consumers search the internet for goods and services, they are oftentimes asked to provide sensitive personal and financial information that a lead generator may subsequently transfer to third-party marketing companies. The workshop will examine consumer protection issues raised as a result of the practices of the lead generation industry, and is scheduled to host the following panels in Washington, D.C. on October 30: (i) Introduction to Lead Generation Marketplace and Mechanics; (ii) Case Study on Lead Generation in Lending; (iii) Case Study on Lead Generation in Education; (iv) Overview of Consumer Protection Concerns and the Legal Landscape; and (v) Looking Ahead – Protecting and Educating Consumers.
On October 20, the FTC announced that, following a public comment period, it approved final consent orders against two Las Vegas auto dealers for allegedly engaging in deceptive advertising practices. In June, the FTC filed two administrative complaints against the auto dealers for (i) misrepresenting the purchase price or leasing offers of vehicles; and (ii) failing to disclose key information in their advertisements, including whether a down payment was required at the time of purchase. The final consent orders were unanimously approved in a 5-0 vote by the Commission and prohibit the dealers from (i) engaging in further action that results in violations of the Consumer Leasing Act and the Truth in Lending Act; (ii) misrepresenting the cost of financing or leasing a vehicle; and (iii) stating the down payment amount or percentage without also disclosing repayment terms and the annual percentage rate.
On October 21, the FTC announced a $2.95 million settlement with a telecommunications company for alleged violations of the FCRA. According to the FTC, the company violated the FCRA’s Risk-Based Pricing Rule by failing to provide consumers with a fully compliant risk-based pricing notice when they were placed into a cell phone and data service program with an additional monthly fee because of information from their consumer reports and their credit scores. Specifically, the FTC’s complaint alleges that the company (i) failed to provide consumers in the program with required disclosures in their risk-based pricing notices, such as the key factors that adversely affected their credit scores and language encouraging consumers to verify the accuracy of their consumer reports; and (ii) provided consumers with the disclosures only after they had become contractually obligated. In addition to the $2.95 million civil money penalty, the proposed consent order would require the company to (i) abide by the requirements of the Risk-Based Pricing Rule in the future; (ii) provide consumers with the proper disclosures within five days of signing up for the company’s services, or by a certain date that would allow them to avoid recurring charges; and (iii) send the consumers who originally received incomplete disclosures new, corrected risk-based pricing notices. The proposed order is subject to court approval in the District Court for the District of Kansas.
On October 14, the FTC announced the agenda for its Start with Security conference, scheduled to take place on November 5 in Austin, TX. The conference is intended to provide companies, particularly start-ups and developers, with tips for implementing effective data security. The event will host the following four panels: (i) Starting up Security – Building a Security Culture; (ii) Scaling Security – Adapting Security Testing for DevOps and Hyper-growth; (iii) Third-party AppSec – Dealing with Bugs, Bug Reports, and Third-party Code; and (iv) Beyond Bugs – Embracing Security Features.
On October 13, the FTC, as part of the International Consumer Protection and Enforcement Network (ICPEN), announced an updated version of ICPEN’s econsumer.gov, a website containing cross-border consumer complaints and designed to help law enforcement authorities investigate and take action against international scams. Originally launched in 2001, the website’s update includes (i) additional language availability; (ii) an improved complaint form, providing consumers with complaint trend data and guidance on how to resolve complaints; and (iii) an interface that is reader-friendly on tablets and smartphones. The FTC enters complaints received via the website into its complaint database, Consumer Sentinel, which is available to enforcers and regulators participating in ICPEN.
Special Alert: Cross-Border Data Transfers Significantly Impacted by EU Court Decision Invalidating Adequacy of U.S.-EU Data Protection Safe Harbor Framework
On October 6, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.
The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities retain the power to assess the sufficiency of national data protection regimes outside the EU to which personal data will be transferred.
On September 9, FTC Chairwoman Edith Ramirez delivered remarks at the Start with Security workshop, an FTC initiative intended to provide start-ups and developers with the resources and information necessary to integrate effective data security strategies into their products. In her remarks, Ramirez advised companies to establish a “culture of security” by: (i) embedding privacy and security into the development process of apps and other products; (ii) testing the product to ensure that security defaults work properly and controls are secure; and (iii) establishing a “bug bounty” program or a contact point for when flaws, bugs, and vulnerabilities in software are discovered.