Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
To subscribe to this newsletter, click here.
Regulatory Announcements
FTC Finalizes CARS Rule Regulating the Sale, Financing, and Leasing of Motor Vehicles. On December 12, the FTC announced that it finalized the Combating Auto Retail Scams (CARS) Rule, which, among other things: “(i) prohibits motor vehicle dealers from making certain misrepresentations in the course of selling, leasing, or arranging financing for motor vehicles, (ii) requires accurate pricing disclosures in dealers’ advertising and sales communications, (iii) requires dealers to obtain consumers’ express, informed consent for charges, (iv) prohibits the sale of any add-on product or service that confers no benefit to the consumer, and (v) requires dealers to keep records of certain advertisements and customer transactions.” The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 authorizes the FTC to promulgate certain rules related to automotive dealers. The finalization of the CARS Rule comes after the FTC issued a Notice of Proposed Rulemaking (NPRM) in June 2022 seeking comment on the proposed trade regulation rule. The CARS Rule is scheduled to take effect on July 30, 2024.
FTC to Hold Informal Hearing on the Ongoing Negative Option Rulemaking. On December 4, the FTC announced that it will hold a virtual informal hearing on January 16, 2024 on its proposed amendments to the agency’s Negative Option Rule. Negative option marketing refers to commercial transactions where sellers interpret a customer’s inaction to either reject or cancel an agreement as an acceptance of a product or service. In March 2023, the FTC released an NPRM that proposes to expand the Negative Option Rule to all forms of negative option marketing, including continuity plans, automatic renewals, and free trials in all media (e.g., telephone, Internet, traditional print media, and in-person transactions). The NPRM also would, among other things, make a number of changes to the existing Negative Option Rule, including requiring negative option plan sellers to provide a one-click opt-out mechanism for current subscription customers and adding opt-in requirements for negative option plan sellers seeking to make new offers to customers.
The virtual informal hearing will include six organizational speakers, with oral statements limited to 10 minutes each, and the six organizations are permitted to submit written documents to advance until Friday, December 22.
Recent Enforcement Actions
FTC Settles with Company for Alleged False Claims About Manufacturing and Ownership. On December 6, the FTC issued an administrative complaint and proposed order against ExotoUSA, LLC (d/b/a Old Southern Brass) and owner Austin Oliver for engaging in allegedly deceptive marketing in violation of the FTC Act. The complaint asserts that the company made purportedly false and unqualified claims that its products are manufactured in the United States and the company itself is a veteran-operated business that donates a percentage of sales to military service charities. The proposed order includes a total monetary judgment of $4,572,137.66, but the defendants agreed to a $150,000 payment due to an inability to pay the full amount. The defendants also agreed to comply with other injunctive relief, as specified in the proposed order.
CFPB Settles with Bank for Alleged Failure to Provide Proper Disclosures. On December 7, the CFPB filed a consent order and stipulation against Atlantic Union Bank for alleged violations of the Electronic Fund Transfer Act (EFTA) and the Consumer Financial Protection Act (CFPA). The CFPB alleges that the bank violated the CFPA and EFTA by enrolling consumers in overdraft coverage programs and charging consumers overdraft fees without first providing the consumers with adequate disclosures describing the terms of the programs. The bank has agreed to refund $5 million in consumer redress for overdraft fees charged and to pay a $1.2 million fine.
FTC Settles with Multiple Companies and Individuals for Alleged Deceptive Earnings Claims. On December 11, the FTC filed two stipulated orders in the U.S. District Court for the Middle District of Tennessee against Christopher Evans and defendants Traffic and Funnels, LLC, WE Capital, LLC (d/b/a the Sales Mentor), Evans and Welch, Inc., Evans and Welch Holdings, LLC, Taylor Welch, Payton Welch and Ashton Shanks (collectively, Defendants) for alleged violations of the FTC Act and Telemarketing Sales Rule (TSR). The FTC alleges in its complaint that Defendants violated the FTC Act and the TSR by making unsubstantiated promises of income potential and other false claims about their telemarketing training program. The complaint also alleges the Defendants engaged in these illegal practices after one of the defendants – the Sales Mentor – received the agency’s Notice of Penalty Offenses Concerning Deceptive or Unfair Conduct Around Endorsements and Testimonials in October 2021, which warned that misleading use of endorsements or testimonials could lead to large financial penalties. The complaint further notes that the Sales Mentor also received the FTC’s Notice of Penalty Offenses Concerning Money-Making Opportunities in October 2021, which warned that the use of false, misleading, or deceptive representations in marketing money-making opportunities could also lead to large financial penalties. The FTC alleges that these warnings provided actual notice of certain unlawful conduct, permitting the agency to bring an enforcement action against the company for engaging in such acts or practices under 15 U.S.C. § 45(m)(1)(B). Defendants agreed to pay $1 million to the FTC, in addition to injunctive relief.
CFPB Settles with Medical Debt Collector for Alleged Attempts to Collect Unverified Debts. On December 15, the CFPB filed a consent order and stipulation against Commonwealth Financial Systems, Inc. (Commonwealth) for alleged violations of the Fair Credit Reporting Act (FRCA), the Fair Debt Collection Practices Act (FDCPA), and the Consumer Financial Protection Act of 2010 (CFPA). The CFPB alleges that the company violated the FCRA by failing to establish procedures sufficient to reasonably investigate debts disputed by consumers or accurately inform consumer reporting agencies (CRAs) of certain disputes. The CFPB further alleges that the company violated the FDCPA by continuing debt collection activities on unverified medical debts associated with disputed accounts. The consent order requires Commonwealth to pay a $95,000 fine, permanently shut down its debt collection and consumer reporting operations, and request CRAs to whom it furnished information to take corrective action.
Upcoming Comment Deadlines and Events
CFPB Releases NPRM to Implement Rules Under Section 1033 of the CFPA. Comments are due December 29 on the CFPB’s Notice of Proposed Rulemaking (NPRM) to implement rules under Section 1033 of the Consumer Financial Protection Act (CFPA). Section 1033 of the CFPA requires consumer financial services providers to make information in the possession of the provider available to consumers when the information concerns the financial product or service that the consumer obtained from the provider. If adopted, the rules proposed in the NPRM would require both depository and non-depository financial institutions to make available to both consumers and authorized third parties certain data related to consumers’ financial transactions and financial accounts; establish privacy obligations for third parties accessing consumers’ data; provide standards for third-party data access; and promote industry standards for such access. The NPRM proposes to use the definitions for “financial institution” under Regulation E and “card issuer” under Regulation Z. This would effectively open both banks and nonbanks that offer a variety of services – from deposit accounts to digital wallets – to Section 1033’s consumer data sharing requirements.
FTC Seeks Comment on ‘Junk Fees’ and Proposes Fee Disclosure Requirements. Comments are due January 8, 2024 on the FTC’s Trade Regulation Rule on Unfair or Deceptive Fees NPRM. The NPRM broadly addresses two practices: (1) fee disclosures after a consumer sees an initial base price; and (2) “practices that misrepresent the nature and purpose of fees or charges.” The proposed rule would define both as unfair and deceptive practices, which would enable the FTC to seek civil penalties for violations. Among other things, the NPRM proposes to require businesses to disclose a “Total Price” in any offer, display, or advertisement that contains an amount a consumer must pay and do so more prominently than other pricing information. It also proposes a preemptive disclosure requirement which would require businesses to disclose, clearly and conspicuously and before the consumer consents to pay, the nature and purpose of any amount the consumer may pay that is excluded from the “Total Price,” including shipping charges, government charges, optional fees, voluntary gratuities, and invitations to tip.
CFPB Proposes to Define and Supervise Larger Participants in Market for General-Use Digital Consumer Payment Apps. Comments are due January 8, 2024 on the CFPB’s Notice of Proposed Rulemaking (NPRM) proposing to define larger participants in the market for “general-use digital consumer payment applications.” The CFPA authorizes the CFPB to define larger participants in markets for consumer financial products or services, and to supervise larger nonbank-covered entities subject to the law to assess compliance with federal consumer financial laws, obtain information about such entities’ activities and compliance systems and procedures, and detect and assess risks to consumers and consumer financial markets.
The NPRM defines the general-use digital consumer payment app market to include “providers of funds transfer and wallet functionalities through digital applications for consumers’ general use in making payments to other persons for personal, family, or household purposes.” The NPRM notes that this definition includes “‘digital wallets,’ ‘payment apps,’ ‘funds transfer apps,’ ‘person-to-person payment apps,’ ‘P2P apps,’ and the like.” Additionally, the NPRM proposes a test to determine whether a nonbank entity is a larger participant in the general-use digital consumer payment app market – (1) the entity must provide general-use digital consumer payment apps with an annual volume of at least 5 million consumer payment transactions; and (2) the entity must not be a small business concern based on the U.S. Small Business Administration’s applicable size standard. If adopted, the proposals in the NPRM would permit entities to dispute whether they qualify as a larger participant in the general-use digital payment app market.
FTC Seeks Voice Cloning Challenge Submissions. Submissions for the FTC’s Voice Cloning Challenge may be submitted to the agency between January 2, 2024 and January 14, 2024. The Voice Cloning Challenge is designed to encourage the development of multidisciplinary solutions to protect the public from fraud perpetrated through cloned voices. Each submission must address at least one of three intervention points: (1) prevention or authentication; (2) real-time detection or monitoring; or (3) post-use evaluation. The Announcement specifies that the FTC and a panel of external judges will consider the submissions, and the FTC has set up a website explaining further details of the Challenge.
FTC Seeks Research Presentations for PrivacyCon 2024. The FTC will hold PrivacyCon 2024 on March 6, 2024. The event will be particularly focused on automated systems and AI, health-related “surveillance,” children’s and teens’ privacy, deepfakes and voice clones, worker “surveillance,” and advertising practices. The agenda for PrivacyCon 2024 will be posted here prior to the event. Members of the public wishing to attend the event may visit the FTC’s website at www.ftc.gov to access the live webcast.
FTC Amends Safeguards Rule to Include Breach Reporting Requirement for Non-Bank Financial Institutions. The FTC’s amendments to its Gramm-Leach-Bliley Act (GLBA) Safeguards Rule will take effect on May 13, 2024. The amendments will require covered “financial institutions” to notify the FTC of certain data breaches involving the information of at least 500 consumers within 30 days of the discovery of the event. The Safeguards Rule applies to certain covered non-bank financial institutions, which include, for example, mortgage brokers, motor vehicle dealers, and many financial technology companies. The Safeguards Rule currently requires these entities to develop, implement, and maintain a comprehensive information security program to safeguard customer information. While the amendments do not require covered companies to issue separate breach notifications to consumers, the FTC has stated that it intends to publish notification reports in a publicly available database.
More Analysis from Wiley
New AI Executive Order Outlines Sweeping Approach to AI
California Previews Draft Regulations for Automated Decision-Making Technology, Promising More to Come in 2024
Annual Updates to Privacy Policies Reminder and Looking Ahead to 2024
Congress Ramps Up Its Focus on Artificial Intelligence
FCC and FTC Launch Inquiries on AI and Voice Cloning
FCC Expands Privacy and Data Protection Work with States to Increase Investigations
State Regulation of AI Use Should Give Political Campaigns Pause
OMB Proposes Far-Reaching AI Risk Management Guidance Following AI Executive Order
New Executive Order Signals Companies Should Reassess AI Security
AI Use is Promising Yet Risky for Government Subpoenas and CIDs
DOJ Must Help in Fighting Illegal Robocalls, Lawyers Say
CFPB Poised to Significantly Expand the Reach of the Fair Credit Reporting Act
FTC and HHS Caution Hospitals and Telehealth Providers on Tracking Tech
Podcast: The “Wild West” of AI Use in Campaigns
Cracks in the State Privacy Law Foundation: State Privacy Law Challenges See Success in District and State Courts
SEC Cyber Reporting Mandates: How to Request a National Security or Public Safety Delay
Podcast: How to Fix the Cyber Incident Reporting Mess – DHS Weighs In
Biden Administration Looks at Harmonizing Cyber Regulations Amidst Flurry of New Activity
Coming Soon: New Cyber Labeling Program for IoT Devices
Podcast: What could AI regulation in the U.S. look like?
FTC Issues Policy Statement on Biometric Information, Signaling a New Enforcement Priority
Podcast: AI Risk Management: A Discussion with NIST’s Elham Tabassi on the NIST AI Risk Management Framework
Generative AI Policies: Five Key Considerations for Companies to Weigh Before Using Generative AI Tools
U.S. State Privacy Law Guide
Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.
[View source.]
