Dechert Cyber Bits - Issue 40

Dechert LLP

Articles in this issue

  • FTC Settles with Experian for Alleged Customer Spamming
  • UK ICO Publishes Draft Guidance for Organizations Using Biometric Recognition Systems
  • CFPB Takes Aim at Allegedly Harmful Data Broker Practices
  • UK to Host First Global AI Safety Summit at Bletchley Park

FTC Settles with Experian for Alleged Customer Spamming

On August 14, 2023, the Federal Trade Commission (“FTC”) announced a proposed settlement involving Experian Consumer Services (“Experian”). A federal court entered an Order approving the settlement on August 21, 2023. The government’s complaint alleged that Experian violated the FTC Act and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM Act”) by impermissibly sending consumers marketing emails without providing an appropriate opt-out mechanism.

According to the complaint, when consumers created an Experian account in connection with placing or removing security freezes on their credit reports, they could opt to sign up for a “Free Membership.” The complaint alleges that Experian sent “Free Membership” users commercial (i.e., marketing) emails “masquerading as messages that provide account updates.” Rather than being limited to transactional content necessary to the user’s account, the emails focused on up-selling Experian’s services including automobile insurance, Experian Boost (a product designed to “boost your FICO score”), and dark web scans. In addition, the government alleged that Experian violated the CAN-SPAM Act by not giving these recipients the ability to opt-out of the marketing emails, as the CAN-SPAM Act requires.

The Court’s Order includes requirements that Experian refrain from violating the CAN-SPAM Act and requires Experian to pay a $650,000 monetary judgment as a civil penalty. The Order would also require Experian to submit to ongoing FTC compliance reporting, monitoring and recordkeeping requirements for 10 years.

Takeaway: After years of relatively light enforcement of the CAN-SPAM Act, this is the FTC’s second CAN-SPAM Act case this year. It underscores the FTC’s willingness to bring cases that include monetary penalties, as each email sent in violation of the CAN-SPAM Act is subject to penalties of up to $50,120. Companies will want to make sure they are appropriately distinguishing transactional messages from those that would be considered marketing communications, and that they are providing consumers opt-out mechanisms (and complying with the other CAN-SPAM Act requirements) as appropriate.

UK ICO Publishes Draft Guidance for Organizations Using Biometric Recognition Systems

The UK Information Commissioner’s Office (“ICO”) has published draft guidance for organizations that use or are considering using biometric recognition systems, and for vendors of those systems (the “Guidance”). The Guidance confirms that biometric data is personal data that relates to someone’s behavior, appearance or observable characteristics that has been subject to specific technical processing and can uniquely identify them. For example, in the case of a voice recognition security system which recognizes and grants access to a specific person by analyzing an audio recording of an individual talking to detect tone, pitch, accents and inflections, the voice data analyzed is biometric data.

The Guidance also provides that any use of a biometric recognition system involves the use of special category biometric data (as the purpose of biometric recognition is to uniquely identify someone), triggering additional special category data protections under the UK GDPR.

The second phase of the Guidance will include a call for evidence in early 2024.

Takeaway: There are five key takeaways for organizations to consider, briefly summarized below:

  1. Adopt a “data protection by design” approach and review data protection and privacy issues upfront and throughout the lifecycle of the system.
  2. Conduct a Data Protection Impact Assessment to consider the likelihood and potential impact of specific risks, and resulting harm, that might occur in the system.
  3. Get explicit consent from the relevant data subjects to the use of a biometric recognition system, but take care to ensure this consent is freely given, especially in an employer/employee context.
  4. Introduce safeguards, such as the ability for a human to review any decision, as automated decision-making carries heightened risk from a data protection perspective.
  5. Consider the risks of a biometric recognition system, including risks of accuracy, discrimination and security and, where possible, put measures in place to mitigate these risks.

CFPB Takes Aim at Allegedly Harmful Data Broker Practices

At a White House roundtable on data broker practices held on August 15, 2023, Rohit Chopra, the Director of the Consumer Financial Protection Bureau (the “CFPB”), previewed that the CFPB will be developing rules to modify the scope of the Fair Credit Reporting Act (“FCRA”), bringing certain data brokers within scope of the FCRA.

The initiative’s focus will be on the challenges associated with increased use of artificial intelligence and other technologies that can influence decision-making affecting consumers’ interests. The Director noted that the CFPB is “pleased to be part of an all-of-government effort to tackle the risks associated with AI,” and that although “there are many efforts to expand personal data protections at the federal and state level, particularly when it comes to AI, we also have to make sure we’re using our existing laws on the books.”

Chopra noted that the CFPB had conducted an inquiry into data brokers in the digital surveillance industry, and that, following the inquiry, his agency is considering new rules to modernize the FCRA. First, Director Chopra stated that the CFPB rules under consideration would treat a data broker that sells certain types of consumer data (including consumer payment history, income, and criminal records) as a “consumer reporting agency.” Such a designation would require data brokers to ensure the accuracy of their data and resolve disputes regarding inaccurate information. Director Chopra further noted that rules under consideration also would clarify that “credit header data” (which can include key identifiers like consumers’ names, dates of birth, and social security numbers) is also a consumer report. He remarked that the “current data broker market runs on” information taken from traditional credit reports and explained that clarification would reduce the ability of credit reporting companies to disclose consumers’ sensitive contact information. Director Chopra noted that the CFPB’s initiative would “complement” the FTC’s initiatives on privacy and security in this space and “ensure that modern-day digital data brokers are not misusing or abusing […] sensitive data.”

The CFPB will publish an outline of proposals and alternatives under consideration in September 2023, and plans to propose the rule for public comment in 2024.

Takeaway: The CFPB’s proposals are a further demonstration of the current administration’s interest in understanding and, if necessary, further regulating the business of data brokers. The CFPB’s future proposals that Director Chopra discussed would significantly expand the scope of the FCRA. Data brokers affected by these proposals will want to follow these developments with interest.

UK to Host First Global AI Safety Summit at Bletchley Park

When an Artificial Intelligence (“AI”) Safety Summit (the “Summit”) was first announced by British Prime Minister Rishi Sunak earlier this summer, the event stirred global interest. It has now been confirmed that the Summit will take place on November 1 and 2, 2023 at Bletchley Park, the home of WWII Enigma codebreaking. Details of the guestlist are yet to be announced but two leading experts have been appointed to lead the preparations and rally leading AI nations, companies and experts. The UK government has stated that the Summit will consider the risks of AI and how those risks can be mitigated.

It remains to be seen whether China will be on the invite list, with the UK reportedly keen to issue an invite given China’s status as a leading AI power, while others hold differing views.

Takeaway: It is expected that this initiative will help to provide a stage for countries and industry representatives, among others, to discuss and potentially agree to a framework for the safe management of the opportunities offered by AI and the risks associated with it.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
