InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC’s Safeguards Rule notification requirement under GLBA now in effect
On May 14, the FTC published a business blog post announcing the Safeguards Rule, an amendment to the GLBA, is in effect as of May 13. The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and aims to protect customers' private personal information through data breach reporting requirements.
Additional revisions to the Rule related to data breach reporting were announced in October 2023, with amendments requiring covered companies to notify the FTC within 30 days of a security breach impacting at least 500 consumers. For reporting, businesses must use a new online form provided by the FTC. The Rule complements existing business security measures and does not negate other state and federal legal obligations. Businesses can refer to FTC guidance for further details on the rule and compliance requirements.
FTC finalizes new rule on health data breach notification requirements
On April 26, the FTC released a final rule that will amend its Health Breach Notification Rule to require vendors of health apps and related entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify affected individuals, the FTC, and in some cases, the media of a health data breach. The NPRM was published in May 2023 (covered by InfoBytes here). The final rule will apply to breaches of unsecured personally identifiable health data and, among other things, clarify that a “breach of security” to include “an authorized acquisition of unsecured [personal health record] identifiable health information that occurs as a result of a data security breach or unauthorized disclosure.” Further, the final rule will define a “[personal health record’s] identifiable health information” to cover health diagnoses, medications, health information tracked on applications or websites, or emergent health data to adopt health apps and privacy and data security risks collected by these technologies.
Under the rule, the FTC will require each vendor who discovered it was the target of a security breach of personal health record identifiable health information to notify each U.S. resident whose information was compromised during the security breach, notify the FTC, and, in cases where 500 or more residents are confirmed or reasonably believed to have been affected by the breach, to notify “prominent media outlets” no later than 60 days after the discovery of the breach (with an exception for law enforcement concerns). The rule will go into effect 60 days after the date of publication in the Federal Register.
FTC alleges ROSCA, GLBA and FTC Act violations against bill payment platform
On April 25, the FTC announced an enforcement action against a third-party bill payment platform and two of its co-founders (defendants) for allegedly running misleading advertisements that intercepted consumers attempting to reach their billers, using “dark patterns” to manipulate the consumers into using the platform under the false belief that they have reached the biller’s official payment site, charging “junk fees” in connection with the processing of payments, and in some cases sending untimely payments to billers. According to the FTC’s complaint, the company allegedly violated the FTC Act by making false or misleading representations that it was an official payment channel for the consumers’ billers. The FTC also claimed defendants violated the Restore Online Shoppers’ Confidence Act by charging consumers for goods or services before clearly and conspicuously disclosing to consumers all material terms of the transaction and obtaining the consumers’ informed consent to be charged, and enrolling consumers into a paid subscription service by automatically ticking a box without warning when consumers clicked on a “User Terms of Service” hyperlink. Additionally, the FTC alleged that the company caused consumers to incur late fees and other inconveniences by failing to make timely payment to consumers’ billers, despite having received timely payment from the consumer. The FTC’s complaint also alleged that defendants used fraudulent statements or representations to obtain consumer information such as bank account numbers, routing numbers, credit card numbers, and debit card numbers in violation of the Gramm-Leach-Bliley Act.
The FTC claimed that defendants received tens of thousands of consumer complaints, inquiries from two state attorney’s general offices, and temporarily lost access to a credit card company’s network due to the complaints, among other warnings regarding its practices. The FTC will seek a permanent injunction, monetary relief, and other relief.
FTC bans all non-competes for workers and new non-competes for senior executives
On April 23, the FTC released a final rule titled the “Non-Compete Clause Rule,” in a 570-page release, to “categorically ban” non-compete clauses in employment contracts with all workers after the effective date of the rule pursuant to the FTC’s UDAP authority, by rendering such clauses an unfair method of competition pursuant to Section 5 of the FTC Act. The final rule also renders most existing noncompete clauses unenforceable after the effective date of the final rule, with an exception for existing noncompete clauses for senior executives, which remain enforceable. The FTC explained that it viewed noncomplete clauses as “restrictive and exclusionary” with negative impacts on earnings, innovation, and market competition. The final rule defines “non-compete clause” as “a term or condition of employment that prohibits a worker from, penalizes a worker for, or functions to prevent a worker from (1) seeking or accepting work in the United States with a different person where such work would begin after the conclusion of the employment that includes the term or condition; or (2) operating a business in the United States after the conclusion of the employment that includes the term or condition.”
While the FTC decided against adopting a rescission requirement for non-competes in the final rule, it adopts notice requirements for all workers who are not senior executives requiring “the person who entered into the non-compete” to provide “clear and conspicuous notice to the worker by the effective date that the worker’s non-compete clause is no longer in effect and will not be, and cannot legally be, enforced against the worker.” The Commission noted that employers concerned about protecting confidential business information, may avail themselves of the protections of trade secret law and further noted that there are several states that have already substantially banned non-competes, and that within these states employers have found alternative methods to protect their investments.
The FTC’s final rule will go into effect 120 days after publication of the final rule in the Federal Register.
FTC report to Congress suggests legislative enhancements on consumer protection
On April 10, the FTC issued a report addressed to Congress detailing its efforts to collaborate with state attorneys general (AGs) from across the U.S. on consumer protection law enforcement goals. The report, titled “Working Together to Protect Consumers: A Study and Recommendations on FTC Collaboration with the State Attorneys General,” was issued pursuant to the FTC Collaboration Act of 2021 and included legislative recommendations to enhance the FTC’s consumer protection efforts. The report followed a request for information issued by the FTC in June 2023, seeking public comments on how the FTC might improve collaboration with state AGs to protect consumers from fraud and ensure fairness in the marketplace.
The FTC's report was divided into three main sections:
- The first section outlined the existing collaborative practices between the FTC and state AGs, detailing their shared roles in combating frauds and scams, the respective law enforcement authority of the FTC and the AGs, and the ways federal and state enforcers can share the information they gather, including through networks such as the Consumer Sentinel Network consumer complaint database.
- The second section described best practices to ensure effective collaboration between the FTC and state AGs, including strong information-sharing practices and coordination of enforcement actions. It also suggested ways to expand the sharing of technical resources and expertise between federal and state agencies.
- The third section provided legislative recommendations aimed at improving collaboration efforts by providing the FTC with clearer authority to pursue legal actions. This section emphasized a request for Congress to restore the FTC’s authority to seek monetary refunds for consumers who have been defrauded, following a 2021 U.S. Supreme Court decision holding that such relief was not available to the Commission (covered by InfoBytes here). Additionally, this section suggested giving the FTC independent authority to seek civil penalties and clear authority to take legal action against facilitators of unfair or deceptive practices.
In its report to Congress, the FTC emphasized the importance of a collaborative approach to consumer protection among enforcement agencies and states, continuing to seek ways to strengthen its ties with state AGs to address future challenges.
FTC orders mental health service company to pay for privacy and data violations
On April 15, the FTC released its administrative complaint and joint stipulated order against a mental health service provider, requiring the provider to pay a total of more than $7 million, including $5.1 million for consumer refunds and $2 million in civil penalties. According to the complaint, the defendant collected sensitive personal health information and sold online mental healthcare treatments (i.e., telehealth) through its website to “hundreds of thousands” of patients between 2021 to 2022. The FTC alleged the mental health service provider had engaged in deceptive and unfair practices relating to the marketing of its data security practices, like failing to disclose material items, failing to obtain consumers’ express informed consent, and failing to implement adequate data security measures. In addition, the FTC alleged that the provider misled consumers about its cancellation of services, including failure to provide a mechanism to stop recurring charges. The FTC’s complaint specifically found that the company misrepresented how it would use and disclose patients’ personal information, mishandled and exposed “hundreds of thousands” of personal information, and failed to provide a means to cancel subscriptions. The FTC charged the defendant with violating Section 5 of the FTC Act covering deceptive privacy practices, deceptive data security practices, unfair privacy and data security practices, and deceptive cancellation practices – allegedly violating the Opioid Act, and violating the Restore Online Shoppers’ Confidence Act (ROSCA).
In the joint stipulated order, although the defendant neither admitted nor denied these allegations, the judgment prohibited the defendant from disclosing any covered information to any third party for advertising purposes, disclosing any covered information to an outside party without obtaining a consumer’s affirmative express consent, and misrepresenting its cancellation policies. The order also required the defendant to implement stronger protections of the private information of individuals and initiate regular assessments of its data security practices. The court ordered the defendant to pay $5,087,252 as monetary relief to consumers and a civil money penalty of $10 million, which the FTC agreed to suspend in exchange for a payment of $2 million, based on the defendant’s inability to pay the full civil money penalty.
FTC amends the TSR on recordkeeping and prohibiting misrepresentations
On April 16, the FTC issued a final rule amending the Telemarketing Sales Rule (TSR) to add requirements for telemarketers to maintain transaction records, prohibit misrepresentations, and add a new definition for “previous donor” in the context of robocalls on behalf of charitable organizations. This will be the fifth time the TSR has been amended since its enactment in 1995, with previous amendments creating the National Do Not Call Registry in 2003, prohibiting sellers to use prerecorded messages (i.e., robocalls) in 2008, banning debt relief services from requiring an advance fee in 2010, and most recently, barring certain payment mechanisms used in fraudulent transactions in 2015. The FTC’s new amendments to the TSR will require telemarketers to retain a copy of each prerecorded message, call detail records, records to show an established business relationship, records on charitable donations and the do-not-call registry. On the rule’s efforts to prohibit misrepresentations, marketers will be prohibited from making misrepresentations about the good or service they are selling or false statements to induce a charitable contribution. The final rule also will update the definition of “previous donor” to allow telemarketers to place robocalls on behalf of a charity only to customers who have donated to a charity within the previous two years. The amendment will go into effect on May 16 with mandatory compliance beginning October 16.
CFPB, FTC submit amicus brief in FCRA case
On March 29, the CFPB and the FTC filed an amicus brief in the U.S. Court of Appeals for the Eleventh Circuit, arguing that the FCRA mandated consumer reporting agencies (CRAs) when a consumer challenged the “completeness or accuracy of any item or information” in their file, must perform a “reasonable reinvestigation.”
In the underlying case, a consumer claimed she identified multiple inaccuracies in her credit report held by the defendant CRA, including issues with her name, address, and Social Security number. She allegedly contacted the defendant three times to dispute these errors, but the defendant directed her to resolve the issues with the misinformation sources and did not conduct its own reinvestigation as the consumer believed was required by the FCRA.
The consumer then filed a lawsuit against the defendant CRA for not performing the reinvestigation. The district court acknowledged that the defendant should have completed the reinvestigation under the FCRA but nonetheless concluded that the defendant did not violate the statute because it did not reasonably interpret that the FCRA did not require a reinvestigation.
The case will now be under the appeal process and the CFPB and FTC have submitted a joint amicus brief arguing that the FCRA required a CRA to reinvestigate a consumer’s dispute about personal identifying information, and that the district court correctly determined that a reinvestigation was required. The brief also argued that the district nonetheless erred in concluding that the defendant did not negligently or willfully violate the FCRA because the defendant’s interpretation of the FCRA was not “objectively reasonable.”
FTC to hold an informal hearing on its proposed “junk fee” rules
On March 27, the FTC published a notice in the Federal Register informing the public of its decision to hold an informal hearing on its proposed rule prohibiting “junk fees.” As previously covered by InfoBytes, the FTC released a notice of proposed rulemaking (“NPRM”) titled “Rule on Unfair or Deceptive Fees” and extended the comment period last October. In the NPRM, the FTC presented the opportunity for any party to present their positions orally. The FTC announced that 17 commenters requested to partake in the informal hearing by presenting oral statements and an administrative law judge for the FTC will serve as the presiding officer. The informal hearing will be presented virtually on April 24 at 10:00 a.m. Eastern time. The hearing will be presented live to the public on the FTC’s website, and a recording will be placed in the rulemaking record.
CFPB, federal and state agencies to enhance tech capabilities
On March 26, the CFPB announced as a part of a coordinated statement with other federal and state agencies, the intent to enhance its technological capabilities. As part of this initiative, the CFPB will be hiring more technologists to help enforce laws and find remedies for consumers, workers, small businesses, etc. These technologists will join interdisciplinary teams within the CFPB to monitor and address potential violations of consumer rights within the evolving tech landscape, particularly considering the growing attention to generative artificial intelligence (AI). The CFPB's technologists will be tasked with identifying new technological developments, recognizing potential risks, enforcing laws, and developing effective remedies. CFPB Director Rohit Chopra emphasized the essential role of technology in the Bureau’s efforts to regulate data misuse, AI issues, and big tech involvement in financial services. Chopra and Chief Technologist Erie Meyer remarked that the CFPB has integrated technologists into its core functions, with these experts now actively involved in supervisory examinations, enforcement actions, and other regulatory proceedings. They also note that the CFPB has researched how emerging technologies, such as generative AI and near-field communication, are used in consumer finance. To foster a competitive and “law-abiding” marketplace, Chopra and Meyer also note that the CFPB will continue to issue policy guidance to assist firms with understanding legal obligations.