Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.

To subscribe to this newsletter, click here.

Regulatory Announcements

FTC Proposes Revisions to Its COPPA Rule. On December 20, the FTC issued a Notice of Proposed Rulemaking (NPRM) proposing changes to its Children’s Online Privacy Protection Rule (COPPA Rule). The COPPA Rule “imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.” If adopted, the NPRM’s proposals would place new restrictions on covered operators’ use and disclosure of the personal information of children, and further limit the ability of covered operators to condition access to services on sharing data with third parties including for advertising purposes. Specifically, the NPRM’s proposals would, among other things, require separate parental consent for sharing children’s data in addition to obtaining consent for collection; allow text messages as a means to obtain parental consent; expand the definition of “personal information” to include biometric information; require covered operators to develop written information security programs as well as retention policies, and follow data minimization practices; and codify schools’ ability to authorize collection of children’s data for limited educational purposes. Comments on the NPRM are due 60 days after publication in the Federal Register.

CFPB Publishes Issue Spotlight on Federal Student Loan Return to Repayment. On January 5, the CFPB published an Issue Spotlight on the CFPB’s oversight of the early months of the resumption of federal student loan repayments following the payment pause due to the COVID-19 pandemic. In the Issue Spotlight, the CFPB concluded that “the return to repayment of federally owned student loans presents significant consumer risks and initiated its supervisory response due to the number of impacted consumers (over 28 million), consumer complaints and other field market intelligence, and the history of compliance issues by student loan servicers.” Moreover, the Issue Spotlight observed that borrowers are facing “extended” call waiting times when trying to reach their federal student loan servicers by phone, “significant processing delays” for income-driven repayment applications, and “inaccurate” billing and disclosure statements. The Issue Spotlight notes that the CFPB’s oversight of the return to repayment for federal student loans is ongoing, and that the agency will “continue examining student loan servicers, monitoring of consumer complaints received about student loan servicers, and collaborating with federal and state partners, and enforcing the law where necessary.”

CFPB Issues Report on Overdraft and Nonsufficient Fund Fees. On December 19, the CFPB issued a report concluding that many consumers are still receiving “unexpected” overdraft and nonsufficient fund fees, despite changes that banks and credit unions have implemented to eliminate such fees. Some of the key findings from the report include: (1) households that frequently incur overdraft and nonsufficient fund fees are more likely to struggle to meet financial obligations; (2) a majority of consumers do not expect overdraft fees, with consumers who do not frequently incur overdraft fees being more surprised by such fees; (3) most households incurring overdraft fees had available credit on a credit card; (4) among households charged a nonsufficient fund fee in the past year, 85% of those households were also charged an overdraft fee; and (5) households making less than $65,000 a year were three times more likely to incur an overdraft or nonsufficient fund fee than households making over $175,000 a year.

CFPB Releases Report on Fees Charged by College-Sponsored Financial Products. On December 19, the CFPB released a report that it submitted to Congress under the Credit Card Accountability and Responsibility and Disclosure Act, which finds that some college-sponsored financial products have higher fees and worse terms and conditions, as compared to typical products available on the market. The report also identified a number of perceived “risks” posed to students by these financial products, including that: (1) colleges’ financial products may charge students overdraft and nonsufficient funds fees that most large banks have moved away from recently; (2) the average fee paid by students for college financial products varies by the student’s college, with students at Historically Black Colleges and Universities, for-profit colleges, and Hispanic-servicing institutions all paying higher-than-average fees; and (3) some financial institutions impose additional fees when a student graduates or reaches a certain age.

FTC Releases Staff Report Recapping AI and Creative Fields Panel Discussion. On December 18, the FTC released a staff report titled Generative Artificial Intelligence and the Creative Economy Staff Report: Perspectives and Takeaways. The staff report detailed key takeaways from the Creative Economy and Generative AI virtual roundtable, which the FTC held on October 4, 2023. According to the staff report, four consistent themes emerged during the generative artificial intelligence (AI) virtual roundtable: (1) “[c]oncerns about how [creators] work was being collected and used to train generative AI models;” (2) “[t]he impact that generative AI outputs are already having on their industry and livelihoods;” (3) “[i]ssues associated with solutions being proposed by AI companies to address creators’ concerns; and” (4) “[a]lternative approaches that creators are pursuing to protect themselves and their industry, including by enshrining their right to choose whether they want to use AI in their work through union contracts.” The staff report also noted how working creative professionals expressed several concerns about generative AI during the virtual roundtable, including concerns about the collection of past work without consent; nondisclosure of the use of past work; competing for work with AI; mimicry of unique styles, brands, voices and likenesses; and the creation of fake endorsements through generative AI.

Recent Enforcement Actions

FTC Settles with Lead Generator Company and President for Alleged Violations of the Telemarketing Sales Rule. On January 2, the FTC filed a complaint and proposed stipulated order in the U.S. District Court for the Central District of California against Response Tree LLC, and its president, Derek Doherty, for alleged violations of the FTC Act and the Telemarketing Sales Rule (TSR). Specifically, the FTC alleges that the defendants misrepresented the terms for consenting to telemarketing calls on its websites and sold consumer personal information and consent to third parties, in violation of the FTC Act. The complaint further alleges that the defendants violated the TSR by providing substantial assistance or support to parties making illegal robocalls. The defendants agreed to cease any operations in connection with telemarketing robocalls in addition to a $7 million judgment, which is suspended based on an inability to pay.

FTC and DOJ Settle with VoIP Service Provider for Allegedly Facilitating Robocalls. On December 28, the U.S. Department of Justice (DOJ) and FTC filed a proposed stipulated order against XCast Labs, a national Voice over Internet Protocol (VoIP) service provider, in the U.S. District Court for the Central District of California, for alleged violations of the FTC Act and the TSR. The DOJ and FTC filed a complaint against XCast in May 2023 alleging that XCast failed to stop the transmission of illegal robocalls to consumers when bad actors used its services to call consumer numbers listed on the National Do Not Call Registry, or facilitated other illegal telemarketing calls. In addition to a $10 million civil penalty, XCast has agreed to screen its partnering firms to confirm that they are complying with telemarketing-related laws and to stop transmitting telemarketing robocalls that violate the TSR.

FTC Sues University for Allegedly Deceptive Marketing and Telemarketing Practices. On December 27, the FTC filed a complaint in the U.S. District Court for the District of Arizona against Grand Canyon Education Inc., Grand Canyon University, and the CEO and president, Brian Mueller, for allegedly violating the FTC Act and the TSR. Specifically, the complaint alleges that the defendants misrepresented the costs of its doctoral program to prospective students and engaged in deceptive telemarketing practices. The complaint also alleges that defendants incorrectly marketed the university as a nonprofit despite the profit and investment structure of the university’s sister company, Grand Canyon Education. The FTC is seeking monetary and injunctive relief.

FTC Settles with Pharmacy for Alleged Misuse of Facial Recognition Technology. On December 19, the Federal Trade Commission (FTC) filed a complaint and proposed stipulated order in the U.S. District Court for the Eastern District of Pennsylvania against Rite Aid, for alleged violations of the FTC Act. The FTC specifically alleges that Rite Aid violated the FTC Act when it failed to implement sufficient safeguards in deploying AI-powered facial recognition technology to identify potential shoplifters. The settlement incudes a five-year ban on its use of facial recognition technology for “security or surveillance purposes” in retail settings. Additionally, Rite Aid has agreed to delete all biometric information possessed by the company and its third-party vendors, develop and implement a detailed automated biometric security or surveillance program, provide written notice to all consumers prior to use of automated biometric security or surveillance and address all consumer complaints related to such surveillance, implement data retention limits for biometric data, expand the information security program required by a 2010 settlement order, and require third-party security assessments.

FTC and Connecticut AG Sue Auto Dealer for Allegedly Charging Unnecessary Fees. On January 4, the FTC and the Connecticut Attorney General filed a complaint in the U.S. District Court for the District of Connecticut against Manchester City Nissan, along with its owner and a number of key employees, for alleged violations of the FTC Act and Connecticut Unfair Trade Practices Act. The complaint specifically alleges that the defendants misled consumers by failing to disclose certain fees associated with certified pre-owned cars, and included certain add-on products without consumer consent. The complaint seeks monetary and injunctive relief.

CFPB and DOJ Sue Land Developer and Lender for Allegedly Misrepresenting Land Loan and Purchase Terms. On December 20, the CFPB and DOJ filed a complaint in the U.S. District Court for the Southern District of Texas against three Colony Ridge affiliate companies, as well as Loan Originator Services, a nonbank mortgage company, for alleged violations of the Equal Credit Opportunity Act (ECOA), Fair Housing Act (FHA), Consumer Financial Protection Act (CFPA), and Interstate Land Sales Full Disclosure Act (ILSA). The CFPB and DOJ allege that the defendants violated ECOA, the FHA, ILSA, and CFPA by, among other things, failing to disclose problems with homes and plots of land that the defendants sold to predominantly Hispanic families. For example, the defendants are alleged to have failed to disclose that the land frequently flooded and misrepresented that the lots had services including water, sewer, and electrical infrastructure. Additionally, the complaint alleges that the defendants offered loans with interest rates that were “significantly higher” than typical prevailing rates, and that the defendants did not include all of the required property documentation in Spanish, in violation of ILSA.

CFPB Settles with National Bank for Allegedly Freezing Consumer Accounts. On December 19, the CFPB filed a consent order against U.S. Bank for allegedly violating the Consumer Financial Protection Act (CFPA) and the Electronic Fund Transfer Act (EFTA). Specifically, the CFPB alleges that the defendant froze the accounts of consumers who needed to access unemployment benefits during the COVID-19 pandemic without providing accurate instructions for unfreezing the account, in violation of the CFPA, and failed to provide timely credits for consumers who reported unauthorized transfers, in violation of the EFTA. U.S. Bank agreed to pay a $15 million fine and refund $5.7 million to affected consumers in addition to instituting new policies to allow consumers better access to unemployment funds and issue credits to consumers without requiring written consent.

Upcoming Comment Deadlines and Events

CFPB Proposes to Define and Supervise Larger Participants in Market for General-Use Digital Consumer Payment Apps. Comments are due January 8 on the CFPB’s Notice of Proposed Rulemaking (NPRM) proposing to define larger participants in the market for “general-use digital consumer payment applications.” The CFPA authorizes the CFPB to define larger participants in markets for consumer financial products or services, and to supervise larger nonbank-covered entities subject to the law to assess compliance with federal consumer financial laws, obtain information about such entities’ activities and compliance systems and procedures, and detect and assess risks to consumers and consumer financial markets.

The NPRM defines the general-use digital consumer payment app market to include “providers of funds transfer and wallet functionalities through digital applications for consumers’ general use in making payments to other persons for personal, family, or household purposes.” The NPRM notes that this definition includes “‘digital wallets,’ ‘payment apps,’ ‘funds transfer apps,’ ‘person-to-person payment apps,’ ‘P2P apps,’ and the like.” Additionally, the NPRM proposes a test to determine whether a nonbank entity is a larger participant in the general-use digital consumer payment app market – (1) the entity must provide general-use digital consumer payment apps with an annual volume of at least 5 million consumer payment transactions; and (2) the entity must not be a small business concern based on the U.S. Small Business Administration’s applicable size standard. If adopted, the proposals in the NPRM would permit entities to dispute whether they qualify as a larger participant in the general-use digital payment app market.

FTC Seeks Voice Cloning Challenge Submissions. Submissions for the FTC’s Voice Cloning Challenge may be submitted to the agency between January 2 and January 14, 2024. The Voice Cloning Challenge is designed to encourage the development of multidisciplinary solutions to protect the public from fraud perpetrated through cloned voices. Each submission must address at least one of three intervention points: (1) prevention or authentication; (2) real-time detection or monitoring; or (3) post-use evaluation. The Announcement specifies that the FTC and a panel of external judges will consider the submissions, and the FTC has set up a website explaining further details of the Challenge.

FTC to Host Virtual Tech Summit Focused on AI. The FTC announced that it will host the virtual FTC Tech Summit focused on AI on January 25, 2024 from 12 PM to 4:30 PM EST. According to the FTC, the event will “bring together a diverse group of stakeholders to discuss key developments in the rapidly evolving field of [AI], looking across the layers of technology related to AI.” Participants will include representatives from academia, industry, civil society organizations, and government who will “discuss the state of technology, emerging market trends, and real-world impacts of AI.” FTC Chair Lina Khan, along with Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, will provide remarks at the event. The tentative agenda is available here.

FTC Requests Comment on Petition for Rulemaking on Consumer Device Repair Filed by PIRG and iFixit. Comments are due February 2, 2024 on a Petition for Rulemaking (Petition) filed by the U.S. Public Interest Research Group Education Fund (PIRG) and iFixit. The Petition requests that the FTC “promulgate rules governing consumers’ right to repair products and devices.” The Petition suggests possible rules including those that would: require manufacturers to include labels on products that score their repairability at the point of sale; bar manufacturers from requiring that independent repair shops buy parts from preapproved exclusive vendors and prohibit them from “using exclusive contracts with their component suppliers;” and require manufacturers to “support repair and provide documentation for a period after purchase.”

FTC Seeks Comment on ‘Junk Fees’ and Proposes Fee Disclosure Requirements. Comments are due February 7, 2024 (extended from January 8, 2024) on the FTC’s Trade Regulation Rule on Unfair or Deceptive Fees NPRM. The NPRM broadly addresses two practices: (1) fee disclosures after a consumer sees an initial base price; and (2) “practices that misrepresent the nature and purpose of fees or charges.” The proposed rule would define both as unfair and deceptive practices, which would enable the FTC to seek civil penalties for violations. Among other things, the NPRM proposes to require businesses to disclose a “Total Price” in any offer, display, or advertisement that contains an amount a consumer must pay and do so more prominently than other pricing information. It also proposes a preemptive disclosure requirement which would require businesses to disclose, clearly and conspicuously and before the consumer consents to pay, the nature and purpose of any amount the consumer may pay that is excluded from the “Total Price,” including shipping charges, government charges, optional fees, voluntary gratuities, and invitations to tip.

FTC Seeks Research Presentations for PrivacyCon 2024. The FTC will hold PrivacyCon 2024 on March 6, 2024. The event will be particularly focused on automated systems and AI, health-related “surveillance,” children’s and teens’ privacy, deepfakes and voice clones, worker “surveillance,” and advertising practices. The agenda for PrivacyCon 2024 will be posted here prior to the event. Members of the public wishing to attend the event may visit the FTC’s website at www.ftc.gov to access the live webcast.

More Analysis from Wiley

Heading into 2024, Federal AI Activity Ramps Up After AI Executive Order

AI Around the Globe: What to Know in 2024

Cybersecurity in 2024: Ten Top Issues to Consider

New AI Executive Order Outlines Sweeping Approach to AI

California Previews Draft Regulations for Automated Decision-Making Technology, Promising More to Come in 2024

Annual Updates to Privacy Policies Reminder and Looking Ahead to 2024

Congress Ramps Up Its Focus on Artificial Intelligence

FCC and FTC Launch Inquiries on AI and Voice Cloning

FCC Expands Privacy and Data Protection Work with States to Increase Investigations

State Regulation of AI Use Should Give Political Campaigns Pause

OMB Proposes Far-Reaching AI Risk Management Guidance Following AI Executive Order

New Executive Order Signals Companies Should Reassess AI Security

AI Use is Promising Yet Risky for Government Subpoenas and CIDs

DOJ Must Help in Fighting Illegal Robocalls, Lawyers Say

CFPB Poised to Significantly Expand the Reach of the Fair Credit Reporting Act

FTC and HHS Caution Hospitals and Telehealth Providers on Tracking Tech

Podcast: The “Wild West” of AI Use in Campaigns

Cracks in the State Privacy Law Foundation: State Privacy Law Challenges See Success in District and State Court

SEC Cyber Reporting Mandates: How to Request a National Security or Public Safety Delay

Coming Soon: New Cyber Labeling Program for IoT Devices

Podcast: What could AI regulation in the U.S. look like?

FTC Issues Policy Statement on Biometric Information, Signaling a New Enforcement Priority

Podcast: AI Risk Management: A Discussion with NIST’s Elham Tabassi on the NIST AI Risk Management Framework

Generative AI Policies: Five Key Considerations for Companies to Weigh Before Using Generative AI Tools

U.S. State Privacy Law Guide

Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.

[View source.]