On March 5, the FTC released a summary of its 2013 debt collection activities, which it submitted to the CFPB on February 21, 2014. The report highlights that one of the FTC’s highest priorities is to continue targeting debt collectors that engage in deceptive, unfair, or abusive conduct. In particular, the FTC is actively pursuing debt collectors that secure payments from consumers by falsely threatening litigation or otherwise falsely implying that they are involved in law enforcement. In 2013, the FTC filed or resolved seven actions alleging deceptive, unfair, or abusive debt collection conduct. The FTC also took action against the continuing rise of so-called “phantom debt collectors.” The report also summarizes the FTC’s amicus program, and education, public outreach, research, and policy activities, including its Life of a Debt Roundtable Event, which examined data integrity in debt collection and the flow of consumer data throughout the debt collection process.
On March 6, the FTC released a memorandum of understanding (MOU) it signed with the UK’s Information Commissioner’s Office (ICO), which is designed to strengthen the agencies’ privacy enforcement partnership. The FTC stated that over the last several years it has worked with the ICO on numerous investigations and international initiatives to increase global privacy cooperation. The MOU establishes a formal framework for the agencies to provide mutual assistance and exchange of information for the purpose of investigating, enforcing, and/or securing compliance with certain privacy violations. The FTC also announced a joint project with the European Union (EU) and Asia-Pacific Economic Cooperation (APEC) economies to map together the requirements for APEC Cross Border Privacy Rules and EU Binding Corporate Rules, which is designed to provide a practical reference tool for companies that seek “double certification” under the APEC and EU systems, and shows the substantial overlap between the two.
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limit the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S.
Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
On January 21, the FTC announced agreements with 12 companies to resolve allegations that the companies falsely claimed compliance with an international privacy framework. The FTC complaints explain that the U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data outside of the EU that is consistent with the requirements of the European Union Directive on Data Protection. The Directive sets forth EU requirements for privacy and the protection of personal data and requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the European Commission has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data. To participate in the Framework, a U.S. company must self-certify to the U.S. Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard. The FTC claimed that the companies indicated compliance with the Safe Harbor principles, for example through privacy policies or certification marks, when the companies had allowed their self-certifications to lapse. The FTC alleged that this conduct violated Section 5 of the FTC Act. The companies did not admit the allegations, and the FTC acknowledged that the allegations do not necessarily mean that the companies committed any substantive violations of the privacy principles of the Safe Harbor framework. The proposed settlement agreements would prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
On January 15, the FTC announced that a major mobile technology company agreed to resolve allegations that it violated Section 5 of the FTC Act by failing to inform account holders that entering their password on their mobile device would open a 15-minute window in which children could incur unlimited charges within certain mobile applications with no further action from the account holder (in-app purchases). The settlement is open to public comment through February 14, 2014. Once finalized, the proposed settlement will require the company to refund at least $32.5 million to consumers who allegedly were billed for accidental or unauthorized in-app purchases by minors. The company will manage the remuneration process, including by providing notice to consumers and providing refunds promptly upon consumer request. Any funds remaining after 12 months of the final agreement must be remitted to the FTC. The company also must alter its billing practices to ensure it obtains express, informed consent before charging account holders for in-app purchases.
On December 18, a group of House Democrats sent a letter urging the FTC to focus on the online marketing of products and services by consumer reporting agencies (CRAs). The lawmakers assert that CRAs “often require consumers to jump through hurdles, presumably in an effort to generate additional revenue.” The lawmakers suggest that certain CRAs’ websites mislead and confuse consumers, particularly with regard to the marketing of “free” consumer products and services that are conditioned upon consumers signing up for “costly add-on services such as ongoing credit monitoring.” The letter identifies the following specific practices for FTC scrutiny: (i) marketing “free” products or services that automatically convert to a monthly subscription if the consumer does not cancel within a trial period; (ii) “prominent” advertising of discount packages without disclosing that the initial small dollar enrollment fee converts into a subscription service; and (iii) requiring consumers to set up accounts before being granted access to their credit score or reports, while “barrag[ing]” consumers with add-on product offerings during the account registration process.
On December 2, the FTC announced a series of seminars to be held in 2014 dedicated to the privacy implications of: (i) mobile device tracking—tracking consumers in retail and other businesses using signals from their mobile devices; (ii) alternative scoring products—using predictive scoring to determine consumers’ access to products and offers; and (iii) consumer-generated and controlled health data—information provided by consumers to non-HIPAA covered websites, health applications, and devices. The first two topics will be examined in forums held in Washington, DC on February 19, 2014 and March 19, 2014, respectively. Details for the third event have not been finalized.
On October 30, a bipartisan group of 22 Senators sent a letter to the CFPB raising concerns about CFPB guidance affecting the indirect auto financing market and auto dealers’ ability to negotiate retail margins with consumers. The guidance at issue, contained within CFPB Bulletin 2013-02, advised bank and nonbank indirect auto financial institutions about compliance with federal fair lending requirements in connection with the practice by which auto dealers “mark up” the financial institution’s risk-based buy rate and receive compensation based on the increased interest revenues.
In August, the CFPB responded to a similar inquiry from House members. The Senate letter asserts that the CFPB still has not explained a basis for alleging that discrimination under a “disparate impact” theory of liability exists in the indirect auto financing market. Nor, the letter continues, has the CFPB released the statistical methodology it uses to evaluate disparate impact in an indirect auto lender’s portfolio.
On October 4, the CFPB and the FTC filed an amicus brief in a Fair Credit Reporting Act (FCRA) case pending in the Ninth Circuit. The brief argues that the seven-year period during which a criminal arrest can be reported starts on the date of the arrest and, contrary to the district court’s decision, is not extended by a subsequent dismissal of the charges. The brief notes that FCRA previously provided that the seven-year reporting period ran “from the date of disposition [i.e., dismissal], release, or parole,” but that Congress repealed that specific provision in 1998, replacing it with the general FCRA rule that the reporting period begins when the adverse event occurs. The brief notes that Congress prescribed a different rule for some categories of information—for example, the seven-year period for reporting that a delinquent account was placed with a collection agency begins 180 days after the commencement of the delinquency that immediately preceded the collection activity.
The brief relies heavily on the FTC’s summary of staff interpretations that it issued as part of its staff report, 40 Years of Experience with the Fair Credit Reporting Act (2011), just before the Dodd-Frank Act transferred primary enforcement authority for FCRA from the FTC and gave the CFPB general rulemaking powers under FCRA. The FTC and CFPB argue that the district court erroneously relied on the FTC’s 1990 Commentary on FCRA, which did not reflect the 1998 amendments. The extensive reliance on the 40 Years Report in the brief is significant because it reflects an endorsement of the authoritativeness of that report by the CFPB, at least as to the particular issue raised in this case.
On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.
On September 26, the FTC announced that it had filed an amicus brief in the U.S. Court of Appeals for the Seventh Circuit in a class action suit against a Native American payday lender. In that case, the putative class is challenging a payday lender’s practice of requiring borrowers to submit to arbitration at a Native American reservation in South Dakota. The FTC notes that it is pursuing its own action against the same lender, challenging its jurisdiction over borrowers who do not belong to the tribe and who do not reside on the reservation or in South Dakota. In its Seventh Circuit filing, the FTC argues that Native American tribes and tribal courts have legal authority over their own members and not over non-members, unless non-members conduct activities inside the reservation or enter into a commercial relationship with the tribe or a member of the tribe. The FTC claims that borrowers who take out payday loans from these companies via the Internet do not conduct business on the reservation and should not be subject to arbitration there.
On September 25, the FTC announced the settlement of its first case against a debt collector for using text messaging to attempt to collect debts in an allegedly unlawful manner. The complaint, filed on August 23, alleged that an individual and the two debt collection companies he controlled violated the FDCPA and FTC Act when the companies failed to disclose in English- and Spanish-language text messages and phone calls that the companies were debt collectors and that they falsely portrayed themselves as law firms. The FTC also alleged that the defendants illegally revealed debts to the consumers’ family members, friends, and co-workers. To resolve the FTC’s claims, the companies agreed to pay a $1 million civil penalty, agreed not to send text messages omitting the disclosures required by law and agreed to obtain a consumer’s express consent before contacting them by text message. The defendants are also barred from falsely claiming to be law firms and from falsely threatening to sue or take any action – such as seizure of property or garnishment – that they do not actually intend to take.
On September 4, the FTC’s Bureau of Competition issued an advisory opinion responding to a national money transmitters’ trade association inquiry about its planned information exchange regarding terminated U.S. money transmitter agents. According to the opinion, (i) the database will contain information regarding former U.S. sending and receiving agents whose contractual relationships were terminated due to failure to comply with federal and/or state law, or money transmitter contract terms or policies, (ii) exchange membership will be open to all licensed non-bank money transmitters, and (iii) participation in the information exchange will be voluntary, and each member of the information exchange will retain the right to decide unilaterally whether to appoint an agent that has been terminated by another exchange member. The FTC staff determined that the program (i) appears unlikely to harm competition, (ii) will contain several safeguards to lessen the risk of harm to competition and consumers, such as the appointment of a third-party vendor to maintain and secure the information exchange database, and (iii) is likely to improve the money transmitters’ ability to comply with federal and state laws designed to prevent money laundering, terrorist financing, and other criminal behavior, and enhance consumer welfare by preventing the appointment of fraudulent or criminal money transmitter agents.
On September 4, the FTC announced its first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – what the FTC refers to as the “Internet of Things.” The company, which markets video cameras designed to allow consumers to monitor their homes remotely, agreed to settle the FTC’s allegation that its security practices exposed the private lives of hundreds of consumers to public viewing on the Internet. The FTC claimed that the company marketed its products as “secure” when, according to the FTC, they had faulty software that potentially allowed for online viewing and listening. The company resolved the complaint without paying a penalty, but agreed to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The agreement also requires the company to obtain third-party assessments of its security programs every two years for the next 20 years, and prohibits the company from (i) misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit and (ii) misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit. The FTC is planning an “Internet of Things” workshop for later this year.