Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies.
CFPB Releases Outline of Proposals and Alternatives to Implement Section 1033 of the CFPA. On October 27, the CFPB released a Small Business Advisory Review Panel Outline of Proposals and Alternatives Under Consideration (Outline), in anticipation of issuing a proposed consumer data rights rule under Section 1033 of the CFPA. Section 1033 of the Dodd-Frank Act requires consumer financial services providers to make information in the possession of the provider available to consumers when the information concerns the financial product or service that the consumer obtained from the provider. The CFPB originally released an Advance Notice of Proposed Rulemaking in November 2020 concerning consumer data access under Section 1033. Among other things, the Outline indicates that the CFPB is examining which entities count as “covered data providers” under Section 1033. The Outline suggests that the CFPB may use the definitions for “financial institution” under Regulation E and “card issuer” under Regulation Z. This would effectively open both banks and nonbanks that offer a variety of services – from deposit accounts to digital wallets – to Section 1033’s consumer data sharing requirements. Parties may submit comments on the Outline through January 25. Should the agency finalize the outline, it will issue rulemaking proposals in 2023.
CFPB Issues Circular and Compliance Bulletin on Alleged Bank “Junk Fee” Practices. On October 26, the CFPB issued a Consumer Financial Protection Circular (Circular) and a Compliance Bulletin regarding fee practices that the agency characterizes as “likely unfair” under the CFPA. These actions come after President Biden called on federal agencies in September – including the CFPB and the FTC – to examine how to eliminate and reduce certain “junk fees.” The Circular characterizes an overdraft fee is a “surprise” overdraft fee when the customer does not reasonably expect to incur an overdraft fee based on their actions. The Circular further explains that such “surprise” overdraft fees may violate the CFPA, such as when they charge penalties on purchases made with a positive balance.
The Compliance Bulletin explains that bank depositor fees – which are fees charged to a depositor when a check bounces – may also violate the CFPA as an unfair practice. Specifically, the Compliance Bulletin explains that depositor fee policies may constitute unfair practices under the CFPA if the fee is assessed “irrespective of the circumstances of the transaction or patterns of behavior on the account. . . .” For example, the Compliance Bulletin notes that a consumer depositing a check “would normally be unaware of and have little to no control over whether a check originator has funds in their account, will issue a stop payment instruction, or has closed the account.” The Compliance Bulletin notes, however, that financial institutions likely do not violate the CFPA when fees are imposed only on consumers who could “reasonably avoid” injury. For example, the Compliance Bulletin states that if a depository institution only charges consumers a fee if they “repeatedly deposit bad checks from the same originator . . . those fees would likely be reasonably avoidable.”
FTC Holds October Open Commission Meeting and Votes to Approve ANPRs on Junk Fees, Fake Reviews and Endorsements, and the FTC’s Funeral Rule. On October 20, the FTC held a virtual Open Commission Meeting. During the meeting, the agency considered and voted on (1) the Advance Notice of Proposed Rulemaking (ANPR) on Junk Fees; (2) the ANPR on Fake Reviews and Endorsements; and (3) the ANPR and Staff Report on revising the FTC’s Funeral Rule.
The FTC voted 3-1 along party lines to issue the Junk Fees ANPR. The Junk Fees ANPR was issued following the issuance of a Petition for Rulemaking filed by the Institute for Policy Integrity in December 2021. The ANPR asks 21 questions about what the FTC labels as “junk fees” practices such as “drip pricing”; billing consumers for products and services without consent; and whether a “junk fees” rule should require that “businesses to disclose in all advertising one price that encompasses all mandatory component parts. . . .” Chair Khan expressed support for the Junk Fees ANPR, arguing that harm consumers and are prevalent in the market, and Commissioner Wilson dissented, stating, among other things, that the ANPR is “untethered” from the agency’s enforcement history. We summarized the Junk Fees ANPR here.
The FTC voted 3-1 along party lines to issue the ANPR on Fake Reviews and Endorsements. The ANPR asks 17 questions about the presence of fake reviews and endorsements in the marketplace, what regulatory provisions mitigate or deter them, and whether additional rules are needed. Chair Khan issued a statement in support of the ANPR, arguing that the issue of fake reviews and endorsements is “highly salient” in the economy. Commissioner Wilson dissented, stating that the ANPR diverts resources away from agency enforcement actions.
Finally, the FTC voted unanimously to approve the Funeral ANPR and Staff Report. The ANPR seeks comment on updates to the Funeral Rule, including improvements to the public accessibility of funeral home price information. The agency also voted unanimously to approve the Staff Report summarizing the results of their review of almost 200 funeral provider websites.
CFPB Issues Advisory Opinion on Purported “Junk Data” in Credit Reports. On October 20, the CFPB issued an Advisory Opinion to consumer reporting agencies (CRAs) about their obligation under the Fair Credit Reporting Act (FCRA) to monitor and eliminate purportedly false “junk data” from consumer credit reports. Specifically, the Advisory Opinion states that CRAs have a duty under Section 607(b) of the FCRA to use reasonable procedures to “ensure maximum possible accuracy” in consumer credit reports, which requires CRAs to detect and remove both inconsistent account information and information that cannot be accurate. The Advisory Opinion describes inconsistent information as two or more pieces of information that, when taken together, cannot be true, and information that cannot be accurate as information that reflects obvious impossibilities.
FTC Issues Annual Congressional Report on Protecting Older Adults. On October 18, the FTC issued a report to Congress titled, Protecting Older Consumers, 2021-2022, A Report of the Federal Trade Commission, which found that older adults in 2021 reported significantly higher losses to investment scams and business and government impersonation scams than in 2020. Additionally, the report notes that adults 60 years or older were significantly less likely to report losing money to such scams than adults aged 20 to 59. When older adults did report, however, they reported losing substantially more money.
FTC Releases ANPR on Amending the Energy Labeling Rule, Including to Include Repair-Related Information. On October 17, the FTC released an ANPR seeking comment on whether it should propose updates to its Energy Labeling Rule. As described by the FTC, the Energy Labeling Rule requires, for certain products, “the familiar yellow Energy Guide labels stating a product’s estimated annual operating cost and energy consumption, and a range for comparing the highest and lowest energy cost for similar models.” The ANPR seeks feedback on proposing to extend energy labels to a number of new consumer product categories. Additionally, the ANPR seeks comment on whether the FTC should revise the Energy Labeling Rule to require manufacturers to supply consumers with product repair instructions. Comments on the ANPR are due December 27.
Significant Enforcement Actions
CFPB Files Suit Against Event Registration Company for Allegedly Charging Deceptive Membership Fees. On October 18, the CFPB filed a complaint against ACTIVE Network, an online payment system for event registrations, for allegedly violating the CFPA by deceptively causing consumers to sign up for its subscription club service, Active Advantage, which provides its members product and service discounts. The CFPB asserts that consumers did not know they were signing up for the subscription service when they accepted a free trial of the membership upon signing up for an unrelated event. Additionally, the CFPB claims that ACTIVE raised its annual membership fee without providing timely, written notice to its members in violation of the Electronic Fund Transfer Act.
FTC Reaches Settlement With Car Dealership and Its Owner for Alleged Discrimination and Deception in Fees. On October 18, the FTC filed a complaint and proposed order against Passport Automotive Group (Passport) and its chief executive based on allegations that they deceived customers by advertising certain prices, but charging consumers more based on additional fees for inspections, certifications, or reconditioning, in violation of the FTC Act. The complaint further alleges that these fees were unnecessary and that Passport charged higher costs on average to Black and Latino customers in violation of the Equal Credit Opportunity Act and the FTC Act. The complaint marks the FTC’s first allegation of unfair discrimination based on disparate impact brought under the FTC Act, which resulted in separate statements by the majority, Commissioner Wilson (dissenting in part), and then-Commissioner Phillips (voting no). The defendants agreed pay $3.38 million under the FTC's proposed order.
FTC Reaches Settlement With Drizly and Its CEO Following Data Breach. On October 24, the FTC filed a complaint and proposed order against the alcohol delivery service app, Drizly, and it CEO, James Cory Rellas, for allegedly failing to take reasonable measures to guard against certain security vulnerabilities, allowing consumer information to be compromised. The FTC alleges that Drizly's methods for securing data collected from its consumers was unreasonable and was not consistent with statements by the company about how this data was being handled, in violation of the FTC Act. The complaint alleges that Drizly did not appoint a senior executive to monitor its data security practices and failed to develop sufficient security policies to prevent and detect data losses. The FTC's proposed order requires Drizly to destroy unnecessary consumer data, implement a security program, and only collect consumer data that is necessary for providing its services. Commissioner Wilson dissented from the inclusion of the CEO in the complaint and settlement. The FTC will shortly publish a description of the consent agreement package for public comment in the Federal Register, and following a 30-day comment period, the FTC will decide whether to make the proposed order final.
FTC and California Settle with Home Improvement Financier for Alleged Violations of the FTC Act and California's Unfair Competition and False Advertising Laws. On October 28, the FTC and California settled with Ygrene Energy Fund, Inc., a company that provides financing options for energy-related home improvements, for allegedly misrepresenting what type of collateral was used in the financing. In the complaint, the FTC asserts that Ygrene recorded liens against consumers’ property upon providing financing, without informing consumers that this lien might affect their ability to refinance or sell their homes or receiving consent from consumers to use their property as collateral. In the settlement, Ygrene has agreed to stop any deceptive practices, obtain consent from consumers when using property as collateral, and create a $3 million fund to release consumer liens that were placed without their consent.
Upcoming Comment Deadlines and Events
FTC to Hold 2022 Virtual PrivacyCon Event. The FTC’s 2022 PrivacyCon event will take place virtually on November 1. The 2022 edition of PrivacyCon “will bring together a diverse group of stakeholders, including researchers, academics, industry representatives, consumer advocates, and government regulators, to discuss the latest research and trends related to consumer privacy and data security.” Presentations will cover empirical research and presentations on topics including: algorithmic bias; “commercial surveillance” including workplace monitoring and “biometric surveillance”; new remedies and approaches to improve privacy and security practices; and the privacy risks posed by emerging technologies for children and teens.
FTC Requests Comment on ‘Commercial Surveillance’ and Data Security ANPR. Comments are due November 21 (extended from October 21) on the FTC’s Trade Regulation Rule on Commercial Surveillance and Data Security ANPR (which we summarized in greater detail here). The wide-ranging ANPR seeks feedback on dozens of questions regarding consumer privacy, data security, and algorithmic uses, and discusses a number of potential regulatory approaches to what the agency calls “commercial surveillance.” The agency defines “commercial surveillance” as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information,” and “data security” as “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.” The FTC issued the ANPR under its Section 5 FTC Act authority, which requires any eventual rule to be grounded in “unfair or deceptive acts or practices” as specified in the Act.
CFPB Seeks Comment on Methods to Spur New Mortgage Products. Comments are due November 28 on the CFPB’s Request for Information seeking comment on “(1) ways to facilitate mortgage refinances for consumers who would benefit from refinancing, especially consumers with smaller loan balances; and (2) ways to reduce risks for consumers who experience disruptions in their financial situation that could interfere with their ability to remain current on their mortgage payments.” The Request for Information specifically seeks comment on new products and services, such as refinance programs that are targeted and streamlined, refinancing products such as automatic refinancing, and automatic mortgage forbearance and assistance with long-term loss mitigation.
FTC Seeks Comment on Business and Government Impersonation NPRM. Comments are due December 16 on the FTC’s Government and Business Impersonation Fraud Advance Notice of Proposed Rulemaking (NPRM). The NPRM proposes a rule that would allow the FTC to obtain penalties against fraudsters impersonating companies, non-profit organizations, and government agencies.
More Analysis from Wiley
Duane Pozza Named a Cryptocurrency and Fintech ‘Trailblazer’ by The National Law Journal
Updates on the FTC Privacy Rulemaking: Insights from Commissioner Slaughter and Comment Deadline Extension
FTC Pushing Ahead Toward Major Privacy Regulation
FTC Launches Rulemaking on Fee Disclosures and Practices Across Industries
FTC Hosts Event to Examine Children’s Advertising in Digital Media
Crypto and Web3 Under Consumer Protection Scrutiny
How the Supreme Court’s OT 2022 Term (So Far) Might Affect Tech
With 2023 Compliance Deadlines Looming for Several New State Privacy Laws, California and Colorado Release Draft Privacy Rules
California AG Issues First Fine for CCPA Violations
California Age-Appropriate Design Code Act to Impose Significant New Requirements on Businesses Providing Online Services, Products, or Features
An Introduction to the California Age-Appropriate Design Code
NIST Is Taking Critical Steps Towards an AI Risk Management Framework
The Private Sector Should Watch NIST’s Broad Work on Privacy and Cybersecurity Guidance
FTC Seeks Comment on Proposed Rule Prohibiting Impersonation Scams
FTC Highlights Scrutiny of Health and Geolocation Data
West Virginia v. EPA and the Future of Tech Regulation
FTC Uses Enforcement Proceeding to Send Message on Account Security Practices
Executive Order on EU-U.S. Data Sharing Signed
EU Institutions Reach Agreement on Landmark Regulations Targeting Big Tech
U.S. State Privacy Law Guide
Tech and Telecom Stakeholders at #MWC22 Discuss Industry Collaboration Against Rising Financial Fraud
Cybersecurity Top of Mind at #MWC22
Webinar: Transactional Due Diligence Related to Privacy and Cybersecurity
Webinar: FTC’s Revised Safeguards Rule: How to Navigate New Information Security Requirements
Podcast: Why the FTC Matters for Fintech