InfoBytes Blog
California’s CPPA issues advisory on “dark patterns”
On September 4, the California Privacy Protection Agency (“CPPA”) issued an enforcement advisory warning businesses against using “dark patterns” in their user interfaces. “Dark patterns” are choices a company makes in its user interface design that, the CPPA argued, can impair consumer autonomy and decision-making. The advisory emphasized that the effect of these interfaces, not the intent behind them, is what may violate the CCPA. The advisory gives examples of non-compliant interfaces, such as a process for opting out of a data sale that is more cumbersome than opting in, or a cookie prompt that offers only “yes” or “ask me later” options, and contrasts them with compliant interfaces, such as a banner offering clear “Accept All” and “Decline All” options. The agency reminded businesses to review their practices to ensure that their user interfaces offer symmetrical choices and use clear and understandable language, particularly when obtaining consumer consent.
FTC files amicus brief in defense of COPPA
On August 19, the FTC filed an amicus brief supporting a class of plaintiffs representing their minor children in a case alleging that an educational technology company unlawfully collected, used and sold the children’s data in violation of COPPA. In the class action litigation, the educational technology company moved to compel arbitration based on its agreement with school districts, arguing that, under COPPA, a school district acts as an agent for the parents and thus the district’s agreement is binding on the parents.
The FTC’s amicus brief disputed the company’s conclusion, arguing instead that COPPA does not address whether parents and children were bound by arbitration agreements when school districts agree to terms of service for classroom software. The FTC emphasized that COPPA’s provisions are limited to parental notice and consent requirements and do not extend to contractual obligations.
The FTC clarified in its brief that its guidance on schools’ roles under COPPA is limited to the notice and consent process and made clear that the commission’s commentary relied on by the company does not create an agency relationship between parents and school districts beyond the context of that notice and consent. The FTC argued that the educational technology company’s reliance on COPPA (to justify binding parents and children to arbitration agreements) finds no support in the rule implementing COPPA or in FTC commentary on the rule. Through its submission, the FTC, as the agency primarily tasked with enforcing COPPA, aimed to provide the court with its interpretation of COPPA, emphasizing that the statute and its implementing rule do not support compelling arbitration of the parents’ claims in this case. The agency’s involvement also aims to underscore its commitment to protecting children’s online privacy and ensuring that companies adhere to COPPA’s requirements.
District Court grants preliminary approval of $1.5M class action settlement for insurance company data breach
On August 27, the U.S. District Court for the Eastern District of North Carolina granted a plaintiff’s unopposed motion for preliminary approval of a class action settlement related to an insurance company’s data breach that occurred in December 2022. The court certified a plaintiff class, including all individuals in the U.S. whose private information was compromised in the breach.
The court found the proposed $1.5 million settlement to be “fair, reasonable, and adequate.” The settlement includes both monetary and non-monetary benefits and, according to the court, the parties reached it through “good faith, arm’s-length negotiations.” The court also approved the proposed notice program, which informs class members of their rights and of the process for submitting claims, objecting to the settlement, or opting out. Class members wishing to exclude themselves must submit a written request by the specified opt-out date, while those wishing to object must file a written notice by the objection deadline. Participating class members can claim a period of free credit monitoring and request up to $10,000.
Review finds a large percentage of companies use dark patterns
Recently, the FTC, along with the International Consumer Protection and Enforcement Network and the Global Privacy Enforcement Network, shared the data and results of a review of selected websites, finding that “a large percentage” of websites and mobile applications may use dark patterns designed to manipulate consumers into purchasing products or giving up their privacy. Specifically, the report found that of the 642 websites and apps examined, 75 percent used at least one dark pattern, and 66 percent used multiple dark patterns.
The review listed the types of dark patterns it found:
- Sneaking, which happens when companies create an information asymmetry during a consumer’s purchase decision, for example by making it difficult to turn off auto-renewal subscriptions
- Interface interference, which occurs when companies frame information in a way that steers consumers toward a decision that favors the business rather than the consumer
- “Confirmshaming,” which occurs when companies use language intended to evoke a particular emotion in order to manipulate consumers
- Obstruction, which occurs when companies dissuade a consumer from acting, such as when cancellation is more complex than enrollment
- Social proof, when companies nudge consumers to decide based on the supposed behavior of other consumers.
The review also discussed additional dark patterns like forced action, urgency, and nagging.
CPPA releases NPRM for data broker registration
On July 5, the California Privacy Protection Agency (CPPA) issued an NPRM for adopting new regulations for data broker registration to implement and enforce SB 362, known as the Delete Act (covered by InfoBytes here).
The proposed regulations aim to clarify issues that data brokers faced after the CPPA administered the data broker registration process for the first time this past January by (i) specifying the registration fee details, (ii) defining terms in the Delete Act such as “minor” and “direct relationship” to clarify what businesses are data brokers, (iii) detailing the registration requirements for data brokers’ employees or agents, and (iv) clarifying that each data broker business is required to register, regardless of status as a parent company or subsidiary, among other things.
Public comments on the proposed regulations must be received by August 20. Additionally, a virtual public hearing will be held on the same date.
FTC and international networks reveal use of dark patterns in consumer apps and websites
On July 10, the FTC and two international consumer protection networks announced the results of their review of websites and apps that may use dark patterns to obtain privacy consent from consumers. The review covered 642 websites and mobile apps, revealing that a significant portion may use “dark patterns,” commercial techniques designed to manipulate consumers.
Conducted by the International Consumer Protection and Enforcement Network (ICPEN) and the Global Privacy Enforcement Network, the review found that nearly 76 percent of sites and apps employed at least one dark pattern, with 67 percent employing multiple. Common dark patterns included hiding information and interface interference. For example, a sneaking practice would be hiding or delaying important disclosure information, often related to costs, to influence consumer decisions. Examples include adding non-optional charges at the last minute (drip pricing) and automatically renewing subscriptions after a free trial without consent (subscription traps). The most common sneaking practice found was preventing consumers from turning off auto-renewal during purchase, observed in 81 percent of traders offering auto-renewal subscriptions. Other prevalent issues were the lack of cancellation steps (70 percent) and not providing a cancellation deadline (67 percent). Forced action practices require consumers to perform an action or provide information to access certain functionality; the investigation found that at least 66 percent of the cases reviewed required forced action.
While it was not determined if these practices violated laws, the findings highlighted potential impacts on consumer decisions and privacy. The announcement coincided with the FTC assuming the 2024-2025 ICPEN presidency.
FINRA issues regulatory guidance on members using generative AI tools
Recently, FINRA reminded member firms that existing rules and guidance apply to the use of artificial intelligence (AI), including generative AI tools, just as they apply to any other technology or tool. FINRA noted that while generative AI can offer potential benefits, it can also pose risks related to privacy, bias, and misuse. FINRA emphasized that firms must ensure their use of generative AI complies with existing regulations, for example those governing member supervisory systems for the review of electronic communications and public communications made using a technology tool. Which rules apply will depend on how each firm uses the technology. For example, FINRA noted that if a member firm uses generative AI tools as part of its supervisory system, “its policies and procedures should address technology governance, including model risk management, data privacy and integrity, reliability and accuracy of the AI model.” FINRA noted it welcomes feedback on how it could update its rules to address the use of generative AI while maintaining investor protection and market integrity.
California issues NPRM on its Delete Act to clarify terms
On July 5, the California Privacy Protection Agency (CPPA) issued its NPRM to amend sections of the Delete Act. As covered by InfoBytes here, the Delete Act was signed into law in 2023 as SB 362 and transferred the administration and enforcement of the state’s Data Broker Registry from the Office of the Attorney General to the CPPA at the start of 2024. The proposed amendments to the Delete Act include details on registration fees, defined terms, and clarified registration requirements and website disclosures. The CPPA stated that the anticipated benefits of the proposed regulations are to provide transparency about the data collection industry and to grant consumers more rights over how their data will be used.
On registration fees, the CPPA proposed a $400 fee plus any processing fees for electronic payments. Defined terms will include “minor,” “register,” “registration period,” and “reproductive health care data.” On requirements, the CPPA will clarify that each data broker business will be required to register uniquely. The CPPA will hold a virtual public hearing to facilitate oral or written statements on August 20. Oral statements will be presented at the hearing, while written comments must be submitted between now and the end of the public hearing.
FINRA publishes alert on critical software vulnerability
Recently, FINRA issued a cybersecurity alert bulletin to all member firms regarding a critical vulnerability in a software company’s file transfer software, specifically affecting its Secure File Transfer Protocol module. The vulnerability could potentially allow an authentication bypass, FINRA warned. The software developer has released a security bulletin advising firms to upgrade to the latest version of the software to address the issue.
Additionally, a new risk has been identified in a third-party component of the company’s transfer software, which increases the risk of authentication bypass if not resolved. Firms are instructed to take precautionary measures, including blocking public inbound Remote Desktop Protocol access to the servers running the software and limiting outbound access from those servers to trusted endpoints only. The third party will release a fix, which the software company will make available. The alert follows a similar incident in June 2023, for which FINRA also issued an advisory to member firms.
FINRA also reminds firms to reference Regulatory Notice 22-29 from December 2022, which provides guidance on ransomware risks and offers considerations for evaluating cybersecurity programs in response to ongoing threats.
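The two precautionary measures in the alert (no public inbound RDP to the transfer server, outbound traffic restricted to trusted endpoints) map directly onto host firewall policy. The following PowerShell is an added example for illustration; it is not part of the FINRA alert or the vendor’s bulletin. It assumes the transfer server is a Windows host where RDP listens on TCP 3389, that administrators connect from an internal management range (10.0.0.0/8 here, a constructed value), and that the vendor’s update and partner endpoints are the placeholder addresses shown, which must be replaced with the real ones before use.

```powershell
# Added example, not from the FINRA alert or the vendor bulletin.
# Implements the alert's two precautions as Windows Defender Firewall policy.
# Assumptions (not stated on the page): Windows host, RDP on TCP 3389,
# admin workstations in 10.0.0.0/8 (constructed), trusted outbound endpoints
# are placeholders to be replaced with the vendor's published addresses.

$MgmtNetwork     = '10.0.0.0/8'                          # constructed admin range
$TrustedOutbound = @('203.0.113.10', '203.0.113.11')     # PLACEHOLDER endpoints
$InternalDns     = @('10.0.0.53')                        # constructed DNS resolver

# 1. Inbound: default-deny on every profile, then allow RDP only from the
#    management range. Windows evaluates Block rules before Allow rules, so the
#    built-in "Remote Desktop" allow group (open to any source) is disabled
#    rather than overridden by a blanket block.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

New-NetFirewallRule -DisplayName 'RDP - management network only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtNetwork -Action Allow -Profile Any -Enabled True

# 2. Outbound: default-deny, then allow only what the server needs.
#    Test on a staging host first; outbound default-deny breaks any dependency
#    that is not listed here (patching, AD, monitoring agents).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

New-NetFirewallRule -DisplayName 'Outbound HTTPS to trusted endpoints' `
    -Direction Outbound -Protocol TCP -RemotePort 443 `
    -RemoteAddress $TrustedOutbound -Action Allow -Profile Any -Enabled True

New-NetFirewallRule -DisplayName 'Outbound DNS to internal resolver' `
    -Direction Outbound -Protocol UDP -RemotePort 53 `
    -RemoteAddress $InternalDns -Action Allow -Profile Any -Enabled True

# 3. Verify: the RDP allow rule should carry exactly the management range as
#    its remote address, and no enabled rule should allow 3389 from Any.
Get-NetFirewallRule -DisplayName 'RDP - management network only' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 } |
    Select-Object DisplayName, Profile
```

The verification step at the end is the part worth keeping in a change ticket: after the rules are applied, the second query should return only the management-scoped rule, and a return of the built-in “Remote Desktop” rules means the disable step did not take effect.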
Pennsylvania amends the Breach of Personal Information Notification Act
On June 28, Pennsylvania enacted SB 824 (the “Act”), amending a previous bill from 2005 entitled the Breach of Personal Information Notification Act, which addresses the security of computerized data, mandates notification for consumers if their personal information may have been exposed due to a security breach, and imposes penalties. The Act enhances requirements for notifying individuals of security breaches, outlines obligations for notifying consumer reporting agencies, and provides for credit reporting and monitoring services in the event of data breaches.
The Act specifically requires an entity to provide notice to the attorney general (AG), in addition to the affected individuals, if a security breach affects more than 500 individuals in the state. The notification to the AG must include, when known, the name and location of the organization, the date of the security breach, a summary of the incident, and an estimate of the total number of individuals affected by the breach, both within the state and overall. However, entities that are already subject to the requirements of 40 Pa.C.S. Ch. 45, which pertains to insurance data security, are exempt from these notification obligations.
Further, under the Act, entities are required to notify affected individuals of a data breach and are responsible for covering costs related to providing credit reporting and monitoring services to those individuals. Specifically, the entity must provide access to an independent credit report from a consumer reporting agency free of charge, unless the individual is already entitled to receive a free credit report under federal law. Additionally, the entity must provide free access to credit monitoring services for 12 months following the notification of the breach.
The Act also specifies that an entity must satisfy these requirements if it determines that a security breach has occurred and there is a reasonable belief that personal information, including an individual's name, in combination with their Social Security number, bank account number, or driver's license/state ID number, has been accessed.