Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and ground-breaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
Check out Wiley’s Biden Administration Resource Center for insights on the shifting legal and policy landscape under the 46th President.
President Biden Renominates Alvaro Bedoya to FTC. On January 4, President Joe Biden renominated Alvaro Bedoya as FTC Commissioner. President Biden had originally nominated Bedoya on September 13 to fill the FTC Commissioner seat vacated by Former Commissioner Rohit Chopra upon his confirmation to Director of the CFPB on September 30. Bedoya, who is the founding director of the Center on Privacy & Technology at Georgetown Law, previously served as the first Chief Counsel to the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law. A December 1, 2021 vote to send his nomination from the Committee to the entire Senate faced opposition from all Senate Republicans on the Committee.
FTC Warns Companies About Log4j Security Vulnerability. On January 4, the FTC published a blog post warning companies about Log4j, which the agency describes as “a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services.” Specifically, the FTC noted that “a serious vulnerability in the popular Java logging package, Log4j (CVE-2021-44228) was disclosed, posing a severe risk to millions of consumer products to enterprise software and web applications.” The agency notes that companies have a duty under both the FTC Act and the Gramm-Leach-Bliley Act (GLBA) to take reasonable steps to mitigate known software vulnerabilities, particularly once those vulnerabilities have been disclosed and are being exploited. The FTC warns that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” You can check whether your systems potentially use Log4j software by consulting guidance here.
CFPB Report Details Consumer Complaint Response Issues with Big Three Credit Bureaus. On January 5, the CFPB released new analysis detailing how changes in complaint responses provided by the nationwide consumer reporting agencies – Equifax, Experian, and TransUnion – purportedly resulted in fewer responses and less relief for consumers. Specifically, in 2021, the companies reported consumer relief in response to less than two percent of covered complaints. According to the CFPB, this number is down from relief in response to 25% of covered complaints in 2019. The Fair Credit Reporting Act (FCRA) requires Equifax, Experian, TransUnion, and other consumer reporting agencies to conduct a review of complaints where consumers allege inaccurate or incomplete information in their consumer reports. According to the CFPB’s analysis, Experian and TransUnion “stopped providing substantive responses to consumers’ complaints if they suspected that a third-party was involved in submitting a complaint” in 2020.
FTC Issues Biennial National Do Not Call Registry Report to Congress. On January 5, the FTC issued its biennial report to Congress on the National Do Not Call Registry (Registry). The biennial report is required pursuant to the Do Not Call Registry Fee Extension Act of 2007, and it contains a summary of the Registry’s current operations, the effect of new telecommunication technologies on the Registry, and the impact of the established business relationship exception on agency enforcement. The report notes that of the 5 million Registry complaints that the FTC received over FY 2021, nearly 3.5 million were reported as coming from robocalls rather than live telemarketing. The report also notes that while the FTC received approximately 63,000 consumer complaints per month about robocalls in 2009, that number has grown substantially – the agency reported receiving 300,000 complaints per month pertaining to robocalls in the first three quarters of FY 2021.
FTC Releases New Inflation-Adjusted Civil Penalty Amounts for 2022. On January 6, the FTC announced new maximum civil penalty amounts for sixteen (16) FTC Act provisions, as required by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The Act obligates agencies to implement annual inflation adjustments based on a prescribed formula. The new civil penalty amounts will take effect upon publication in the Federal Register.
CFPB Launches Inquiry Into “Buy Now, Pay Later” Services. On December 16, the CFPB issued a series of orders to Affirm, Afterpay, Klarna, PayPal, and Zip, which offer “buy now, pay later” (BNPL) services. The CFPB defines BNPL as “a type of deferred payment option that generally allows the consumer to split a purchase into smaller installments, typically four or less, often with a down payment of 25 percent due at checkout. The application process is quick, involving relatively little information from the consumer, and the product often comes with no interest.” According to the CFPB, the agency issued the orders based on potential concerns regarding accumulating consumer debt, regulatory arbitrage, and data gathering. Among other things, the orders seek information regarding company business models; consumer safeguards that the companies have implemented; and contacts with consumers.
CFPB Releases FAQs Regarding Compliance with the EFTA. On December 13, the CFPB released a set of Frequently Asked Questions (FAQs) pertaining to the Electronic Fund Transfer Act (EFTA) and its implementing Regulation E. The EFTA and Regulation E apply to electronic fund transfers that authorize a financial institution to debit or credit consumer accounts. Among other things, the FAQs explain the applicability of EFTA and Regulation E to person-to-person (P2P) payments, and provide more detail on error resolution obligations.
Significant Enforcement Actions
FTC Requires Lead Generator to Pay $1.5 Million to Settle Alleged FCRA Violations. On January 7, the FTC announced that it reached a settlement with ITMedia Solutions LLC (ITMedia) to resolve a complaint that the company allegedly operated websites that deceptively persuaded consumers to share sensitive financial information, such as Social Security numbers and bank account information, while widely disseminating that information to third parties. Additionally, the FTC alleged that ITMedia violated the FCRA by obtaining consumer reports without a permissible purpose under the FCRA and by failing to comply with FCRA reselling requirements. The FTC’s settlement order prohibits ITMedia from making misleading statements to consumers and from selling consumer personal information in certain circumstances. Moreover, ITMedia is required to pay $1.5 million in civil penalties.
FTC Bans Provider from the Merchant Cash Advance Industry. On January 5, the FTC announced a settlement with RAM Capital Funding, LLC (RAM), to resolve a complaint that RAM allegedly used deceptive and illegal methods in the course of recovering assets from small businesses, non-profits, and religious organizations to which it provided cash advances, in violation of the FTC Act and the GLBA. The settlement requires RAM to pay $675,000 to settle agency allegations and permanently bans RAM from acting as a merchant cash advance company.
FTC Requires Mortgage Analytics Firm to Implement Additional Information Security Safeguards. On December 22, the FTC announced that it entered into a settlement with Ascension Data & Analytics, LLC (Ascension) over allegations that the company failed to maintain a comprehensive information security program as required by the GLBA Safeguards Rule. As we explained in our December 2020 Newsletter, the FTC alleged that Ascension failed to ensure that OpticsML – which Ascension hired to perform text recognition scanning for mortgage documents – was adequately securing consumer data under the Safeguards Rule. The settlement requires Ascension to bolster its data security practices and vendor oversight policies.
FTC Finalizes Settlement Banning Company from Consumer Monitoring Business. On December 21, the FTC announced that it finalized an order banning Support King, LLC d/b/a SpyFone.com (SpyFone) and its CEO from engaging in consumer monitoring business activities. As we explained in our September 13 Newsletter, the FTC alleged that the company secretly collected data on users’ movements, phone usage, and online activities. The agency claimed that SpyFone’s monitoring products and services injured device users by enabling purchasers to stalk users surreptitiously.
CFPB Bans Fintech from Lending Industry for Violating Industry Order. On December 21, the CFPB announced that it reached a settlement with LendUp Loans (LendUp) after the company allegedly violated a 2016 order which prohibits it from misrepresenting borrowing benefits. According to the CFPB, LendUp made claims to consumers that, by repaying loans in a timely fashion and taking courses, the consumers would move up the “LendUp Ladder” and receive lower interest rates on future loans and access to larger loan principals. The CFPB’s proposed stipulated final judgment and order would prohibit LendUp from “(1) making new loans; (2) collecting on outstanding loans to harmed consumers; (3) selling consumer information; and (4) making misrepresentations when providing loans or collecting debt or helping others that are doing so.” The order would also impose a $100,000 civil money penalty.
CFPB Sues Structured Settlement Company and Attorney for Allegedly Misleading Consumers. On December 17, the CFPB announced that it filed a proposed stipulated final judgment and order in the U.S. District Court for the District of Maryland against Access Funding, LLC (Access Funding) for allegedly violating the Consumer Financial Protection Act of 2010 (CFPA). Access Funding offered lump sum payments to consumers with structured settlements. The CFPB alleges that the company violated the CFPA by steering “financially unsophisticated” consumers “in need of the funds” to receive “independent advice” from attorney Charles Smith about Access Funding’s lump sum payment offer. However, Smith was purportedly being paid directly by Access Funding, and informed consumers that the potential transactions with Access Funding would require very little scrutiny. The proposed stipulated final judgment and order requires Access Funding to pay $40,000 in disgorgement and a $10,000 civil penalty.
DOJ and FTC Ban Background Report Provider from Negative Option Marketing. On December 16, the FTC announced that it banned background check provider MyLife.com, Inc. (MyLife) from engaging in negative option marketing and required the company to pay $21 million. Negative option marketing refers to a category of commercial transactions where sellers interpret a customer’s inaction to either reject or cancel an agreement as an agreement to be continuously charged for goods or services. According to the Department of Justice’s (DOJ) complaint filed on behalf of the FTC, MyLife allegedly deceived consumers into auto-renewing premium subscriptions with “teaser background reports” that claimed that background reports on certain individuals contained arrest reports when they did not. The complaint also alleged that MyLife violated the FCRA by, among other things, failing to maintain reasonable procedures to verify how customers would use its products, and that MyLife violated the Telemarketing Sales Rule by misrepresenting its policies for refunds and cancellations.
FTC Settles with Advertising Platform for $2 Million Over Alleged COPPA Rule Violations. On December 15, the FTC announced that OpenX Technologies, Inc. (OpenX), a California-based online advertising platform, would be required to pay $2 million to resolve allegations that the company collected the personal information of children under the age of 13 without obtaining parental consent, a violation of the Children’s Online Privacy Protection Act Rule (COPPA Rule). The COPPA Rule requires websites, apps, and other online services that are directed towards children under the age of 13 or that knowingly collect personal information from children to notify parents and obtain parental consent before collecting information. OpenX operates a bidding platform that allows apps and websites to monetize by selling advertising space. The FTC alleges that OpenX allowed “hundreds” of child-directed websites and apps to participate in its advertising exchange, and allegedly “received millions, if not billions, of ad requests directly or indirectly from child-directed Apps, and transmitted millions, if not billions, of bid requests containing personal information of children to OpenX’s demand-side partners.” The FTC alleges that the data included location information and persistent identifiers used for online behavioral advertising. The FTC also alleged that OpenX violated the FTC Act by falsely claiming that the company did not collect geolocation from users who opted out of such data collection. In addition to the settlement amount, the FTC’s consent order requires OpenX to delete all of its ad request data to the extent that the data includes information capable of identifying a specific individual or individual’s device.
Upcoming Comment Deadlines and Events
FTC Revisions to Safeguards Rule Take Effect on January 10, 2022. The FTC’s revisions to the Safeguards Rule were published in the Federal Register on December 9. The Safeguards Rule requires financial institutions subject to the GLBA to implement information security programs to protect consumer financial information. Covered companies include many online financial technology (fintech) companies, mortgage lenders, and companies otherwise involved in credit transactions, among others. Accordingly, by January 10, 2022 and as we discussed in greater detail here, the revised rule will require financial institutions to, among other things, implement periodic risk assessments and modify their information security programs based in part on those risk assessments. More detailed requirements will go into effect on December 9, 2022.
FTC Seeks Comment on Proposal to Further Amend Safeguards Rule to Include Incident Reporting Requirement for Covered Financial Institutions. Comments are due February 7, 2022 on a supplemental notice of proposed rulemaking to require reporting of certain security incidents to the FTC by covered companies within 30 days of discovery. Specifically, the proposed additional amendment to the Safeguards Rule would require financial institutions to report defined “security events” to the FTC if a determination has been made that consumer information has been misused, or is reasonably likely to be misused, in an event affecting at least 1,000 consumers.
FTC Seeks Comment on Petitions for Rulemaking. Comments are due January 26 on petitions for rulemaking filed by Accountable Tech and the Institute for Policy Integrity. The Accountable Tech petition asks the agency to promulgate rules to prevent what it calls “surveillance advertising,” or the practice of displaying ads to individual consumers based on inferences about their interests, demographics, or other characteristics based on their activities over time. The Institute for Policy Integrity, meanwhile, asks the FTC to regulate “drip pricing,” which it defines as “the practice of advertising only part of a product’s price upfront and revealing additional charges later as consumers go through the buying process.”
FTC Seeks Comment on Business and Government Impersonation Fraud. Comments are due February 22 on an Advance Notice of Proposed Rulemaking (ANPRM) proposing a rule targeting business and government impersonation fraud, which we describe in greater detail here. The ANPRM specifically targets business and government impersonation fraud committed via telephone calls, text messages, and other forms of communication.
More Analysis from Wiley
Podcast: Why the FTC Matters for Fintech
FTC Commences Rulemaking Targeting Business and Government Impersonation Fraud
Privacy in Focus: White House Seeks to Develop AI Bill of Rights and Calls for Feedback on Use of Biometric Data
Privacy in Focus: CISA Publishes Cybersecurity Incident Response and Vulnerability Response Playbooks with Intent of Increasing Expectations for the Private Sector
Podcast: Artificial Intelligence Can Do Really Dumb Things With Personal Information
FTC Releases Detailed Information Security Requirements and Proposes Breach Notification for Financial Institutions
Duane Pozza Discusses FTC’s Updated Safeguards Rule
Privacy in Focus: Data Transfers from the EU – Further Guidance Issued
Duane Pozza Discusses Emerging Regulatory Approach to Crypto and DeFi
Privacy in Focus: Latest Changes at FTC Will Drive Federal Action on Privacy, Data Security, and AI
Privacy in Focus: FTC Policy Statement Signals Increasing Scrutiny on the Protection of Sensitive Personal Health Information
Privacy in Focus: AI Risk Management Framework Is Among Emerging Federal Initiatives on AI
Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.
Disclaimer: Information is current as of January 10, 2022. This document is for informational purposes only and does not intend to be a comprehensive review of all proceedings and deadlines. Deadlines and dates are subject to change.