Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
FTC Seeks Comment on Rulemaking Petition Proposing Revisions to Commissioner Disqualification and Recusal Rules. On September 26, the FTC published a petition for rulemaking filed by the U.S. Chamber of Commerce that requests that the agency commence a rulemaking to amend its current Commissioner disqualification rules to (1) “formalize legal consultation with ethics experts in the FTC’s Office of General Counsel,” and (2) “enhance transparency and improve actual and perceived integrity of agency adjudications by requiring Commissioners, including the Commissioner whose disqualification is sought, to provide the public with a written statement outlining the reasons for declining any recusal decisions.” The petition also requests that the Commissioner’s written statement regarding the recusal petition be entered into the record for the FTC’s final order resolving the recusal petition. Further, the petition recommends timing obligations regarding the Commissioner’s written statement (within 14 days of receiving a disqualification petition) and regarding the FTC’s determination on the disqualification petition (within 14 days following receipt of a non-recusing Commissioner’s written determination). Comments on the petition for rulemaking are due October 26.
CFPB Commences Rulemaking Proposing Significant Changes to the FCRA. On September 21, the CFPB announced that it is commencing a rulemaking process to consider, among other significant changes, a proposal to regulate certain data brokers as consumer reporting agencies (CRAs) under the Fair Credit Reporting Act (FCRA) and its implementing regulations. Specifically, the CFPB’s Outline of Proposals and Alternatives Under Consideration (Outline) provides, among other things, that “consumer information provided to a user who uses it for a permissible purpose is a ‘consumer report’ regardless of whether the data broker knew or should have known the user would use it for that purpose ... [and] data brokers that sell certain types of consumer data ... are selling consumer reports ... .”
The Outline also proposes substantive changes to the scope of the FCRA, including defining the terms “assembling” and “evaluating” under the FCRA, and specifying that credit header data and aggregated or anonymized data can constitute a consumer report in certain circumstances. Further significant proposals in the Outline include a proposal that the failure to protect consumer reports from a data breach or other unauthorized access may constitute a violation of the FCRA’s requirement that consumer reports only be used for certain permissible purposes, and expansions to CRA and furnisher dispute obligations under the FCRA. If finalized, the Outline would also remove medical bills from consumer credit reports, prohibit creditors from relying on medical debts to make underwriting decisions, and restrict certain collections practices based on past medical debts.
The Outline is being issued under the CFPB’s Small Business Regulatory Enforcement Fairness Act process, which requires the agency to consult with small entities that are likely to be subject to the regulation before issuing proposed rules. Stakeholders may generally provide written feedback on the Outline by October 30, 2023.
CFPB and FTC File Amicus Brief in Second Circuit Challenging a District Court Decision on FCRA Data Deletion Obligations. On September 28, the CFPB and FTC announced that they filed an amicus brief in Suluki v. Credit One Bank, NA, urging that the U.S. Court of Appeals for the Second Circuit reverse a U.S. District Court for the Southern District of New York decision regarding whether a furnisher is obligated under the FCRA to delete disputed information that cannot be verified. The Suluki case involves a consumer who disputed with CRAs information on her credit reports that allegedly resulted from credit cards that the consumer’s mother opened in her name without her permission or knowledge. The CRAs sent the dispute to the credit card companies – the furnishers – for investigation. After one of the companies refused to remove the information after an investigation, the consumer sued the furnisher for violations of the FCRA.
The amicus brief filed by the CFPB and FTC argues that “[w]hen a furnisher is unable to verify the disputed information, the appropriate response will be to delete the unverifiable information from the data that the furnisher reports to consumer reporting agencies.” Moreover, the amicus brief further argues that “[a]ny interpretation of a furnisher’s obligations ... that allows the furnisher to continue reporting unverifiable information would effectively rewrite that section to state only that a furnisher must delete, modify, or cease reporting information that is inaccurate or incomplete.” Additionally, the amicus brief cites that this position is consistent with the FTC’s FCRA guidance in 40 years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations, which specifies that “[u]nless the furnisher is able to confirm the disputed item of information, it must cease reporting it.”
FTC Extends Deadline to Consider COPPA Parental Consent Mechanism That Uses Machine Learning Technology. On September 25, the FTC announced that it extended by 120 days the October 2, 2023 deadline to consider whether to approve a June 2, 2023 Application from the Entertainment Software Rating Board, Yoti Ltd. and Yoti (USA) Inc., and SuperAwesome Ltd. (the Applicants) to use “Privacy-Protective Facial Age Estimation” technology to obtain parental consent under the Children’s Online Privacy Protection Act (COPPA) Rule. Public comments on the Application were due August 21. The COPPA Rule requires website operators to obtain “verifiable parental consent” before collecting, using, or disclosing personal information from children under the age of 13. The COPPA Rule also permits parties to file written requests for FTC “approval of parental consent methods” not listed in the COPPA Rule.
According to the Applicants, the “Privacy-Protective Facial Age Estimation” technology “uses computer vision and machine learning technology to estimate a person’s age based on analysis of patterns in an image of their face. The system takes a facial image, converts it into numbers, and compares those numbers to patterns in its training dataset that are associated with known ages.” Among other things, the request for comment asks whether the technology: (a) is covered by existing methods; (b) meets the requirements under the COPPA Rule; or (c) poses a privacy risk to consumers’ personal information, including their biometric information.
FTC Signs a Cross-Border Consumer Protection MMOU with Chile, Colombia, Mexico and Peru. On September 29, the FTC announced that it signed a multilateral memorandum of understanding (MMOU) with its consumer protection counterparts in Chile, Colombia, Mexico and Peru in an effort to combat fraud schemes both inside and outside of the U.S. The MMOU specifically permits the signatories to share consumer complaints; provide investigative assistance; coordinate enforcement actions against international violations of law; provide other practical case assistance; participate in econsumer.gov; and cooperate on non-investigatory measures, including “exchanging approaches to consumer protection policy issues and participating in staff exchanges, joint training programs and workshops.” The MMOU also includes a mechanism that allows other consumer protection authorities to join the agreement in the future.
CFPB Issues Consumer Advisory on Canceling Credit Repair Services. On September 22, the CFPB issued a Consumer Advisory notifying consumers that they have the right to see the results of credit repair services before paying pursuant to the Telemarketing Sales Rule and the Consumer Financial Protection Act. According to the Consumer Advisory, companies are also required to provide consumers a consumer report showing the results, and the report must be generated more than six months after the results were claimed to have been achieved.
CFPB Issues Consumer Financial Protection Circular on the Use of AI for Adverse Actions in Credit Decisioning. On September 19, the CFPB issued a Consumer Financial Protection Circular on legal requirements that lenders must abide by under the Equal Credit Opportunity Act (ECOA) and Regulation B when using artificial intelligence (AI) or complex credit models. ECOA, which is implemented by Regulation B, prohibits creditors from discriminating in credit transactions on the basis of race, color, religion, national origin, sex, marital status, and other specified factors. The Circular concludes that when using AI or complex credit models for credit decisioning, “creditors may not rely on the checklist of reasons provided in the sample forms (currently codified in Regulation B) to satisfy their obligations under ECOA if those reasons do not specifically and accurately indicate the principal reason(s) for the adverse action.” The Circular further concludes that, as a general matter, creditors may not rely on overly broad or vague reasons for taking an adverse action against an applicant, “to the extent that they obscure the specific and accurate reasons relied upon.”
FTC Holds September 2023 Open Commission Meeting. On September 14, the FTC held its monthly virtual Open Commission Meeting. During the meeting, the FTC voted to issue: 1) a Policy Statement Concerning Brand Drug Manufacturers’ Improper Listing of Patents in the Orange Book (Policy Statement); and (2) a Staff Perspective on Protecting Kids from Stealth Advertising in Digital Media (Staff Perspective). The Policy Statement concerns the purportedly improper listing of patents in the Food and Drug Administration’s publication of Approved Drug Products With Therapeutic Equivalence Evaluations, commonly known as the “Orange Book.” The Policy Statement also discusses whether improper listing of patents in the Orange Book may increase the cost of and reduce access to essential prescription drugs, and analyzes whether the listing of patents in the Orange Book that do not comport with listing requirements may constitute an unfair method of competition.
The Staff Perspective provides recommendations on the blurring of advertising and content on digital media and how it affects kids, including teens. It builds on an October 19, 2022 event that staff hosted to survey existing research, understand the potential harms to kids from blurred advertising, and discuss possible solutions. The Staff Perspective makes the following five recommendations for online advertisers: (1) do not blur advertising – there should be clear separation between kids’ entertainment content and advertising; (2) provide prominent just-in-time disclosures verbally and in writing; (3) create easy-to-understand and easy-to-see icons to signal advertising; (4) look for ways to educate kids, parents, and teachers about how digital advertising works; and (5) consider policies, tools, and controls to address blurred advertising.
FTC Joins FCC in Renewing Cross-Border MOU to Combat Illegal Telemarketing and Calling Scams. On September 21, the FTC joined the Federal Communications Commission (FCC) in renewing a memorandum of understanding (MOU) between public authorities who are members of the Unsolicited Communications Enforcement Network (UCENet) The purpose of UCENet is to “promote international spam enforcement cooperation and address spam related problems, such as online fraud and deception, phishing, and dissemination of viruses.” The MOU is specifically aimed at promoting cross-border collaboration to combat unsolicited communications, including calling, email, and texting scams, and illegal telemarketing. The MOU was originally signed by the FTC, FCC, and other UCENet partners in 2016.
Recent Enforcement Actions
FTC Settles with Online Shoe Retailer for Allegedly Suppressing Negative Reviews. On September 1, the FTC filed a complaint and stipulated order in the U.S. District Court for the District of Nevada against Hey Dude, Inc. for allegedly violating the FTC Act and the Commission’s Mail, Internet, or Telephone Order Merchandise Rule. The FTC alleges that Hey Dude used a third-party to sort through all its reviews and only post five-star reviews to its website in violation of the FTC Act. Additionally, the FTC alleges that Hey Dude violated the FTC Mail Order Rule when it failed to provide adequate notice and remedies to consumers when the retailer experienced shipping delays or failed to send the purchased product to the consumer. Hey Dude has agreed to pay $1.95 million in monetary relief in addition to injunctive relief.
CFPB Settles with Consumer Finance Company for Alleged Deceptive Leasing Practices. On September 11, the CFPB filed a consent order and stipulation against Tempoe, LLC, for alleged violations of the Consumer Financial Protection Act. The CFPB alleges Tempoe used deceptive acts and practices when issuing leasing purchase agreements to consumers. Specifically, the CFPB alleges that Tempoe failed to provide consumers with the full lease terms, forced consumers to exercise the purchase option of their lease purchase agreement by not accepting product returns, and did not provide consumers required disclosures to those paying month-to-month for more than six months. Tempoe has agreed to pay a $2 million civil money penalty, release all consumers from existing lease agreements, and cease engaging in any leasing activities.
FTC Settles with Online Career Coaching Business and Executives for Deceptive Advertising. On September 27, the FTC filed a complaint in the U.S. District Court for the District of Maryland against Lurn, an online business coaching program, and its CEO, Anik Singal, and spokespeople, Tyrone Cohen and David Kettner. The FTC alleges that misled consumers by promising lofty financial returns for consumers who purchased Lurn’s business programs or individual coaching services and followed the business advice and plans outlined, but in most cases consumers did not make any profit. The defendants all agreed to settle with the FTC. Lurn and Singal will pay a $14 million monetary judgment, which will be used in part to refund consumers, and all defendants have also agreed to injunctive relief.
Upcoming Comment Deadlines and Events
FTC to Host Virtual Roundtable on AI and Content Creation. The FTC will hold a virtual roundtable “to better understand the impact of the use of generative artificial intelligence on music, filmmaking, and other creative fields” on October 4 at 3 p.m. ET. Specifically, FTC staff seek to better understand how the growing development and deployment of generative AI tools may impact competition or enable unfair business practices. FTC Chair Lina Khan will provide opening remarks before hearing from representatives from a variety of creative fields. The agenda for the event can be found here and the webcast will be available at the FTC.gov webpage.
DOJ and FTC Announce Additional Workshops on Draft Merger Guidelines. The U.S. Department of Justice (DOJ) (collectively, the Agencies) will hold workshops on the Agencies’ draft update of the merger guidelines (Draft Guidelines) on October 5 at the Harvard Kennedy School and on November 3 at the University of Chicago Law School. The tentative event page for the October 5 workshop can be found here, and participants can register for the workshop here.
FTC Issues Supplemental Proposed Amendments to Testing Methods Under the Amplifier Rule. Comments are due October 20 on the FTC’s Supplemental Notice of Proposed Rulemaking (SNPRM) proposing amendments to the agency’s Amplifier Rule. The Amplifier Rule, formally known as the Rule Relating to Power Output Claims for Amplifiers Utilized in Home Entertainment Products, regulates power output claims for home entertainment amplifiers. The SNPRM proposes to amend the Amplifier Rule to, among other things, set standard test conditions for measuring amplifier power output; clarify which power output disclosures comply with the Amplifier Rule and which do not; and to revise language in the rule related to these proposed modifications.
FTC Seeks Research Presentations for PrivacyCon 2024. Research presentations for the FTC’s annual PrivacyCon event are due December 6 and may be submitted here. The FTC announced that PrivacyCon 2024 will be particularly focused on: automated systems and AI; health-related “surveillance;” children’s and teen’s privacy; deepfakes and voice clones; worker “surveillance;” and advertising practices. PrivacyCon 2024 will take place virtually on March 6, 2024, and the agenda will be posted here prior to the event. Members of the public wishing to attend the event may visit the FTC’s website at www.ftc.gov to access the live webcast.
More Analysis from Wiley
CFPB Poised to Significantly Expand the Reach of the Fair Credit Reporting Act
FTC and HHS Caution Hospitals and Telehealth Providers on Tracking Tech
DHS Calls for Critical Harmonization of Cyber Incident Reporting
Biden Administration Looks at Harmonizing Cyber Regulations Amidst Flurry of New Activity
CTIA Highlights Wireless Cybersecurity at MWC
Coming Soon: New Cyber Labeling Program for IoT Devices
Podcast: The FTC Safeguards Rule: A Deep Dive into the Revisions Effective June 9, 2023
Webinar: How to Keep Up with the Influx of New State Privacy Laws and Regulations
Podcast: What could AI regulation in the US look like?
The FTC Is Targeting Crypto Too - With a Significant New Enforcement Action
California Eyes New Privacy, Cyber, and AI Obligations
California privacy law changes draw in more businesses
U.S. Fulfills Its Commitments to Implement the EU-U.S. Data Privacy Framework
Companies May Begin Submitting EU-U.S. Data Privacy Framework Certifications
European Commission Adopts EU-U.S. Data Privacy Framework Adequacy Decision
California AG Initiates CCPA Investigations, Despite Setback in Court
DOD Devotes Resources to Responsible Adoption of Generative AI
A New White House Project on Responsible AI Sends a Message to the Private Sector, Including Contractors
Podcast: AI: The Next Big Thing in Government Contracting
FCC Launches Privacy and Data Protection Task Force
Initial Takeaways on the FCC’s New Privacy and Data Protection Task Force
FTC Issues Policy Statement on Biometric Information, Signaling a New Enforcement Priority
FTC Joins the Cloud Security Discussion
5 Takeaways From Recent CFPB, FTC Equal Credit Push
Podcast: AI Risk Management: A Discussion with NIST’s Elham Tabassi on the NIST AI Risk Management Framework
Generative AI Policies: Five Key Considerations for Companies to Weigh Before Using Generative AI Tools
Federal Legislators Are Taking AI Implementation and Oversight Seriously
NIST Announces Generative AI Working Group
Webinar: Staying Ahead of State Privacy Laws: Tips and Best Practices for Building Compliant Strategies for Five Key States
U.S. State Privacy Law Guide
Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.