CFPB and FTC Take Aim at Bevy of Data Practices

Cadwalader, Wickersham & Taft LLP

Cadwalader, Wickersham & Taft LLP

In the heat of summer, the nation’s top consumer protection agencies have issued startling and transformative statements and rules regarding data practice. 

  • First up, the Consumer Financial Protection Bureau issued a so-called “interpretive rule” (which means that no one was provided advance notice of the rule nor had the ability to challenge rule provisions) that concluded that digital marketing companies, particularly those that have major search engines on which companies can buy advertising, are “covered persons” for purposes of the Consumer Financial Protection Act (“CFPA”). This rule means that such companies can, and presumably will, be held liable for violations of consumer financial services laws for advertisements that do not carry the proper disclosures or for marketing tactics that are deemed to be unfair, deceptive or abusive by the CFPB. Director Chopra noted in an accompanying speech that the “growing interest from Big Tech companies to find new ways to harvest and monetize our personal financial data” were behind the reason for the rule, referencing in particular a lawsuit HUD brought against Facebook alleging violations of the Fair Housing Act, because Facebook’s systems help advertisers limit the audience for ads and target specific groups of people, to the exclusion of protected classes. 
  • Next, the CFPB issued a circular that reminded the consumer financial services industry about its obligations to protect data and ensure security for sensitive consumer information. The circular is written in a question-and-answer format and includes the CFPB’s conclusion that failures to reasonably protect consumer information can and should constitute an unfair, deceptive or abusive act or practice under the CFPA. Largely referencing precedent from the Federal Trade Commission (“FTC”), the CFPB identified at least the following as basic elements for data protection (none of which are new): multi-factor authentication for customers to access their data; adequate password management internally (i.e., requiring employees to change their passwords regularly and to use strong passwords); and timely software updates to any programs that have access to or that process customer data. 
  • Finally, on August 11, the FTC issued an advance notice of proposed rulemaking (“ANPR”) regarding whether “new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive” are needed. The initial comment period for industry to address 95 separate areas of inquiry is sixty (60) days, and the FTC will hold a public forum on September 8 to discuss the ANPR.       

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cadwalader, Wickersham & Taft LLP | Attorney Advertising

Written by:

Cadwalader, Wickersham & Taft LLP

Cadwalader, Wickersham & Taft LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.