Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
To subscribe to this newsletter, click here.
Regulatory Announcements
FTC Holds July 2023 Open Commission Meeting; Releases Statement Withdrawing Prior PBM Advocacy. On July 20, the FTC held its monthly virtual Open Commission Meeting. During the meeting, the FTC unanimously voted to issue a Statement Withdrawing Prior Pharmacy Benefit Manager (PBM) Advocacy (Withdrawal Statement). The Withdrawal Statement is intended to respond to PBMs’ reliance on FTC advocacy materials published between 2004-2014 that opposed mandatory PBM transparency and disclosure requirements. The Withdrawal Statement explains that the FTC “is currently engaged in a major study of the PBM industry, undertaken in large part due to the Commission’s recognition that substantial changes have taken place over the last two decades.” The statement also cautions that until the current PBM study is completed, “reliance on the Commission’s conclusions in certain prior statements and reports may be misplaced.”
The FTC also heard a presentation from the FTC’s Division of Consumer & Business Education regarding the FTC’s military consumer outreach and network of partnerships with military organizations and other government agencies. The presentation stated that in 2022, military consumers reported that imposter scams were the most common type of scam that they encountered.
CFPB Issues Report on Consumer Risks from Mandatory Employer-Driven Debt. On July 20, the CFPB published a report detailing the risks that employer-driven debt can pose to consumers. The issuance of the report follows a June 2022 CFPB Request for Information (RFI) seeking input regarding debt obligations incurred by consumers in the context of an employee or independent contractor arrangement. The RFI suggests that such debt obligations may take two forms: (1) training repayment agreements, which require workers to pay employers or third-party providers for previously undertaken training if they terminate their employment within a certain time period; and (2) debt owed to an employer or third party for the purchase of equipment and supplies essential to their work or required by their employer.
The report notes that the responses to the CFPB’s RFI highlighted several consumer “risks,” such as “employees may be rushed into signing agreements that hide the details of the debt workers are agreeing to;” “debts are often imposed as a mandatory pre-condition for employment, suggesting employers may impede workers’ ability to consider and negotiate the terms and conditions of employer-driven debt before accepting the job;” and “[w]orkers may experience negative impacts on their overall household financial stability as they face lower earnings, damaged credit scores, and additional debts incurred to meet repayment-related obligations.”
FTC and HHS Send Joint Letter to Hospital Systems and Telehealth Providers Regarding Privacy and Security Risks from Online Tracking Technologies. On July 20, the FTC and the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights sent a joint letter to approximately 130 hospital systems and telehealth providers regarding privacy and security concerns associated with online analytics technologies. According to the joint letter, the technologies “gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users.” The joint letter also asserts that even if one of the letter recipients is not covered by HIPAA, the recipients “have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule.” The joint letter further notes that “[t]his is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes.”
FTC Seeks Comment on COPPA Parental Consent Mechanism That Uses Machine Learning Technology. On July 19, the FTC announced that it is seeking comment on an Application from the Entertainment Software Rating Board, Yoti Ltd. and Yoti (USA) Inc., and SuperAwesome Ltd. (the Applicants) to use “Privacy-Protective Facial Age Estimation” technology to obtain parental consent under the Children’s Online Privacy Protection Act (COPPA) Rule. The COPPA Rule requires website operators to obtain “verifiable parental consent” before collecting, using, or disclosing personal information from children under the age of 13. The COPPA Rule also permits parties to file written requests for FTC “approval of parental consent methods” not listed in the COPPA Rule.
According to the Applicants, the “Privacy-Protective Facial Age Estimation” technology “uses computer vision and machine learning technology to estimate a person's age based on analysis of patterns in an image of their face. The system takes a facial image, converts it into numbers, and compares those numbers to patterns in its training dataset that are associated with known ages.” Among other things, the request for comment asks whether the technology: (a) is covered by existing methods; (b) meets the requirements under the COPPA Rule; or (c) poses a privacy risk to consumers’ personal information, including their biometric information. Comments on the FTC’s request for comment are due August 21.
FTC and DOJ Seek Comment on Draft Merger Guidelines. On July 19, the FTC and the U.S. Department of Justice (DOJ) (collectively, the Agencies) released a draft update of the merger guidelines (Draft Guidelines). If finalized, the Draft Guidelines will inform the Agencies’ review of mergers and acquisitions to determine compliance with the federal antitrust laws, including the Sherman Act, the Clayton Act, and the FTC Act. The Draft Guidelines are broken down as follows: (1) frameworks for assessing the risk that a merger’s effect may be substantially to lessen competition or to tend to create a monopoly; (2) issues that often arise when the Agencies apply those frameworks in several common settings; and (3) a framework for considering mergers and acquisitions that raise competitive concerns not addressed by the other Guidelines. Comments on the Draft Guidelines are due September 18, 2023.
CFPB Director Rohit Chopra Issues Joint Statement with European Justice and Consumer Protection Commissioner Didier Reynders. On July 17, CFPB Director Rohit Chopra and European Justice and Consumer Protection Commissioner Didier Reynders issued a joint statement announcing the beginning of “an informal dialogue between the European Commission and the US CFPB on a range of critical financial consumer protection issues.” The joint statement asserts that “[t]he digitalisation of the financial services sector has significant implications for businesses and households, from pricing and customer service to competition and privacy. Financial institutions have expanded their deployment of automated decision making, including the use of artificial intelligence (AI).” According to the joint statement, the informal dialogue will cover the following issues: (1) AI decisionmaking and processing of data in financial services; (2) new forms of credit, such as Buy Now, Pay Later products; (3) strategies to prevent over-indebtedness and to help over-indebted consumers to repay their debt in a sustainable manner; (4) digital transformation that ensures choice and access to financial services for all consumers; and (5) “[i]mplications for competition, privacy, security and financial stability of Big Tech companies offering financial services, including payment services.” According to the joint statement, the agencies will meet “at least once a year” to discuss these issues.
FTC Chair Lina Khan Testifies Before U.S. House Judiciary Committee. On July 13, FTC Chair Lina Khan testified before the U.S. House Judiciary Committee regarding the FTC’s antitrust and consumer protection activities. In discussing the agency’s consumer protection mission, Chair Khan highlighted a number of issues on which the FTC is working, including privacy and data security, fraud (including fraud related to opioid recovery treatments), protection of military consumers, so-called “junk” fees, artificial intelligence matters, consumer device repair, expanding consumer business and education, franchisor-franchisee enforcement and policy initiatives, and small business credit reporting. Chair Khan also discussed the FTC’s budget constraints, and issues regarding the agency’s statutory authority to obtain equitable monetary relief in federal court under Section 13(b) of the FTC Act in the wake of the AMG Capital Management v. FTC Supreme Court decision in 2021.
FTC Issues Blog Post Warning Consumers About Scams Impersonating FTC Staff. On July 5, the FTC issued a blog post about scammers impersonating FTC staff. The blog post explains a number of key misrepresentations that scammers tell when they are pretending to work for the FTC, such as that the consumer won a prize, but must pay to collect it, or that there is a virus on the consumer’s computer or an issue with a consumer’s account.
Recent Enforcement Actions
CFPB and Ten Attorneys General Sue Online Software Training Program for Allegedly Misrepresenting Student Loan Policies. On July 11, the CFPB, California Department of Financial Protection and Innovation and the attorneys general of Washington, Oregon, Delaware, Minnesota, Illinois, Wisconsin, Massachusetts, North Carolina, South Carolina, and Virginia filed a complaint against Prehired in the U.S. Bankruptcy Court for the District of Delaware. The CFPB and state agencies allege that Prehired misled consumers by failing to disclose that income-share loans needed to be repaid regardless of the consumer’s success in securing a job after the program, and misrepresenting the amount of debt consumers owed. The CFPB and state agencies are requesting injunctive relief, restitution for consumers, civil money penalties, and disgorgement of money collected.
CFPB Settles with National Bank for Allegedly Charging Unnecessary Fees and Withholding Rewards. On July 13, the CFPB filed a consent order and stipulation against Bank of America for allegedly violating the Consumer Financial Protection Act. The CFPB asserts that the company charged consumers multiple times for the same transaction fees, failed to honor promotional credit card bonuses, and enrolled consumers in credit card accounts without their knowledge. The company agreed to injunctive relief and to pay a total of $170 million in monetary penalties and consumer redress.
FTC Settles with Cryptocurrency Platform for Allegedly Deceptive Financial Practices. On July 13, the FTC filed a complaint in the U.S. District Court for the Southern District of New York against now-bankrupt cryptocurrency platform, Celsius Network, and its founders, Alexander Mashinsky, Shlomi Daniel Leon, Hanoch “Nuke” Goldstein, and a stipulated order against the company. The complaint alleges that the defendants’ failure to protect consumer funds and alleged misrepresentations violated the FTC Act and the Gramm-Leach-Bliley Act (GLBA). As we have outlined in further detail, the FTC’s complaint alleges that the defendants failed to maintain liquid assets or minimum reserves, insure consumer deposits, engage in collateralized lending, or allow withdrawals at any time, despite representations to the contrary, and then used these alleged misrepresentations to obtain consumer’s bank account information and cryptocurrency wallet addresses. While the litigation against the three co-founders is ongoing, Celsius has agreed to a $4.72 billion monetary penalty in addition to injunctive relief. Due to Celsius’ simultaneous bankruptcy action, the monetary payment is suspended.
FTC Finalizes Settlement with Online Counseling Service for Alleged Data Privacy Violations. On July 14, the FTC voted 3-0 to finalize the order against BetterHelp after a 30-day notice and comment period. The FTC originally filed its complaint against the company in March 2023 for allegedly disclosing consumer health data to third parties, while representing that such data would be kept private. The finalized order requires BetterHelp to pay $7.8 million in restitution and to implement additional privacy policies, including instructing third parties to delete all consumer data from BetterHelp.
FTC Settles with Supplement Company for Allegedly Deceptive Advertising and Fake Endorsements. On July 18, the FTC filed a complaint and stipulated order in the U.S. District Court for the Central District of California against Rejuvica and its owners, Kyle Armstrong and Kyle Dilger, for alleged violations of the FTC Act and Opioid Addiction Recovery Fraud Prevention Act (OARFPA). The FTC alleges that the defendants misled consumers by making unsubstantiated claims that their product, Sobrenix, reduced alcohol cravings, and then further deceived consumers by creating fake independent review websites and hiring experts to go on local television stations to tout the success of the product. The Defendants have agreed to pay a $3.2 million monetary judgment in addition to injunctive relief.
FTC Files Complaints Against Five Companies Under the “Operation Stop Scam Calls” Federal and State Initiative. On July 18, the FTC announced a nationwide enforcement effort to combat illegal telemarketing calls in conjunction with the attorneys general of all 50 states and the District of Columbia, the U.S. Department of Justice, the Federal Communications Commission (FCC), and other agencies. The initiative, titled “Operation Stop Scam Calls,” involves more than 180 state enforcement actions targeting operations transmitting or routing billions of robocalls. As part of the initiative, the FTC announced five new complaints against Fluent, LLC, Viceroy Media Solutions, LLC, Yodel Technologies, LLC, Solar Xchange LLC, and Hello Hello Miami, LLC. The complaints allege that the companies violated a number of laws and FTC rules, including the FTC Act, the Telemarketing Sales Rule, and CAN-SPAM Act.
CFPB Sues with Lease-to-Own Finance Company for Allegedly Misleading Marketing and Misrepresenting Payment Obligations. On July 19, the CFPB filed a complaint in the United States District Court of Utah against Snap Finance for allegedly violating the Consumer Financial Protection Act, the Electronic Fund Transfer Act, and the Fair Credit Reporting Act. The CFPB alleges that Snap Finance misrepresented the terms and fees of its rental purchase agreements, failed to allow consumers to exit the agreements by surrendering the property they rented, and engaging in unlawful debt collection practices. The CFPB is requesting a permanent injunction in addition to both monetary relief and civil money penalties.
Upcoming Comment Deadlines and Events
FTC Seeking Comment on Revisions to Health Breach Notification Rule. Comments are due August 8 on the FTC’s Notice of Proposed Rulemaking to Amend the Health Breach Notification Rule (HBNR NPRM). Among other proposals, the HBNR NPRM proposes to update the HBNR in regard to the rule’s coverage of mental health apps and other technologies that collect location and browsing history data. The HBNR NPRM also proposes, among other things, that the definition of “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure, and therefore does not limit reportable incidents to “cybersecurity intrusions or nefarious behavior.”
FTC Seeks Comment on Amendments to Premerger Notification Rules and Premerger Notification and Report Form and Instructions. Comments are due August 28 on the FTC’s NPRM proposing to amend the premerger notification rules that implement the Hart-Scott-Rodino Antitrust Improvements Act, and the Premerger Notification and Report Form and Instructions. If adopted, the FTC’s NPRM proposals would substantially expand the amount of information that covered entities must submit to the agency about potential transactions.
FTC to Host Workshop on Proposed Changes to the Funeral Rule. On September 7, the FTC will host a public workshop on the changes to its Funeral Rule proposed in its Advance Notice of Proposed Rulemaking. The workshop will cover a number of topics including, among other things, online or electronic disclosures of price information, the general price list required by the Funeral Rule, and whether funeral providers should be required to give out general price lists in languages other than English. The public can submit comments on the topics to be covered in the workshop until October 10. Instructions for filing comments will be published in the Federal Register.
CFPB, HHS, and Treasury Seek Comment on Medical Payment Products. Comments are due September 11 on the RFI issued by the CFPB, HHS, and U.S. Department of Treasury seeking information about the prevalence of medical credit cards and installment loans that are offered to patients as a way to pay for medical care. The agencies specifically request information about the specialty medical payment market and associated data on interest fees and costs for medical credit products, patient experiences with medical credit cards and installment loans, issues with patient billing and collections, and any incentives that health care providers have to offer medical credit cards and installment loans.
More Analysis from Wiley
Wiley Wins Four Law360 ‘Practice Group of the Year’ Awards for 2022
Podcast: The FTC Safeguards Rule: A Deep Dive into the Revisions Effective June 9, 2023
Webinar: How to Keep Up with the Influx of New State Privacy Laws and Regulations
Podcast: What could AI regulation in the US look like?
The FTC Is Targeting Crypto Too - With a Significant New Enforcement Action
California privacy law changes draw in more businesses
Coming Soon: New Cyber Labeling Program for IoT Devices
U.S. Fulfills Its Commitments to Implement the EU-U.S. Data Privacy Framework
Companies May Begin Submitting EU-U.S. Data Privacy Framework Certifications
European Commission Adopts EU-U.S. Data Privacy Framework Adequacy Decision
California AG Initiates CCPA Investigations, Despite Setback in Court
A New White House Project on Responsible AI Sends a Message to the Private Sector, Including Contractors
Podcast: AI: The Next Big Thing in Government Contracting
FCC Launches Privacy and Data Protection Task Force
Initial Takeaways on the FCC’s New Privacy and Data Protection Task Force
FTC Issues Policy Statement on Biometric Information, Signaling a New Enforcement Priority
FTC Joins the Cloud Security Discussion
5 Takeaways From Recent CFPB, FTC Equal Credit Push
Podcast: AI Risk Management: A Discussion with NIST’s Elham Tabassi on the NIST AI Risk Management Framework
Generative AI Policies: Five Key Considerations for Companies to Weigh Before Using Generative AI Tools
Federal Legislators Are Taking AI Implementation and Oversight Seriously
NIST Announces Generative AI Working Group
Webinar: Staying Ahead of State Privacy Laws: Tips and Best Practices for Building Compliant Strategies for Five Key States
Podcast: State Privacy Laws and Federal Government Contractors
Duane Pozza Named a Cryptocurrency and Fintech ‘Trailblazer’ by The National Law Journal
U.S. State Privacy Law Guide
Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.
[View source.]
