InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
New York Governor proclaims January 21-27 as Data Privacy Awareness Week
On January 26, New York Governor, Kathy Hochul, issued a proclamation establishing January 21-27, 2024, as Data Privacy Awareness Week in partnership with several state agencies, including NYDFS. Generally celebrated as a Data Privacy Day, this will be the first time that the event expands to an entire week. This proclamation addresses ways that citizens can protect their personal information against bad actors. The week is designed to help “educate the public” and heighten the importance of data privacy. The press release highlights how consumers can keep their personal information private and protect themselves, including: keeping applications up to date; using unique and complex passwords for every account; enabling multi-factor authentication on devices; exercising caution when opening unsolicited links in emails or messages; limiting the amount of personal data collected by websites; considering what personal information is shared on social media; setting up a virtual private network, or VPN; and being careful when using public wi-fi networks.
California Attorney General investigates streaming services for CCPA violations
On January 26, California State Attorney General Rob Bonta announced an investigative initiative by issuing letters to businesses operating streaming apps and devices, accusing them of non-compliance with the California Consumer Privacy Act (CCPA). The focus of the investigation is the evaluation of streaming services’ adherence to the CCPA's opt-out requirements, in particular those businesses that sell or share consumer personal information. The investigation targets businesses failing to provide a direct mechanism for consumers wishing to prevent the sale of their data.
AG Bonta urged consumers to know about and exercise their rights under the CCPA, emphasizing the right to instruct businesses not to sell their personal information. The CCPA grants California consumers enhanced rights regarding the collection, sharing, and disclosure of their personal information by businesses, and compliance responsibilities include responding to consumer requests and providing necessary notices about privacy practices. AG Bonta noted that the right to opt-out under the CCPA mandates that businesses selling or sharing personal data for targeted advertising must facilitate an easy and minimal-step process for consumers to exercise their right. For example, users should be able to easily navigate their streaming service’s mobile application settings to enable the “Do Not Sell My Personal Information” option. The expectation is that this choice remains effective across various devices if users are logged into their accounts when electing to opt-out. Finally, Bonta added that consumers should be given easy access to a streaming service’s privacy policy outlining their CCPA rights.
FTC hosts tech summit on artificial intelligence; CFPB weighs in
On January 25, the FTC hosted a virtual tech summit focused on artificial intelligence (AI). The summit featured speakers from the FTC––including all three commissioners––software engineers, lawyers, technologists, entrepreneurs, journalists, and researchers, among others. First, Commissioner Slaughter spoke on how there are three main acts that led to where we are today in creating guardrails for AI use: first, the emergence of social media; second, industry groups and whistleblowers rang the alarm on data privacy and forced regulators to play catch-up; third, regulators must now urgently grapple with difficult social externalities such as impacts on society and political elections.
The first panel discussed the various business models at play in the AI space. One journalist spoke on the recent Hollywood writers’ strike, opining that copyright law is a poor legal framework by which to regulate AI, and suggested labor and employment law as a better model. An analyst at a venture capital firm discussed how her firm finds investment opportunities by reviewing which companies use a language-learning model, as opposed to the transformer model, which is more attractive to that firm.
Before the second panel, Commissioner Bedoya discussed the need for fair and safe AI, and said that in order for the FTC to be successful, it must execute policy with two topics in mind: first, people need to be in control of technology and decision making, not the other way around; and second, competition must be safeguarded so that the most popular technology is the one that works the best, not just the one created by the largest companies.
During the second panel, a lawyer from the CFPB spoke on how the CFPB is doing “a lot” with regards to AI, and that the CFPB gives AI technology no exceptions in the laws it oversees. The CFPB recently issued releases on how the “black box” model in credit decision making needs to be fair and free from bias. When discussing future AI enforcement actions, the CFPB lawyer said in a “high-level” way that AI enforcement is currently “capacity building”; they are building out their resources to be more intellectually diverse, including having recently created their technologist program.
States endorse the CFPB’s rule to regulate fintechs
Recently, 19 state attorneys general submitted a comment letter supporting the CFPB’s proposed rule that would expand the CFPB’s supervisory authority to regulate nonbank fintech firms that offer digital payment services. They emphasized the importance of regulating nonbank financial institutions, including popular digital payment applications. The proposed rule aims to protect consumers from fraud, unregulated investment risks, and data privacy concerns. It addresses issues such as the lack of FDIC insurance for funds stored in digital payment applications, customer service problems, and potential risks associated with investment activities. The state attorneys general commend the CFPB for exercising its authority to improve the regulation of consumer financial products and urge prompt publication and implementation of the final rule.
CFTC’s subcommittee report on decentralized finance highlights its findings and recommendations
On January 8, the CFTC issued a report on decentralized finance ahead of the CFTC’s event on artificial intelligence, cybersecurity, and decentralized finance. Authored by the CFTC’s Subcommittee on Digital Assets and Blockchain Technology, which is a group of fintech experts selected by the CFTC, the report urged government and industries to work together and advance the developments of decentralized finance in a responsible and compliant way.
The report lists many key findings and recommendations for policymakers to implement. For example, the report highlights how policymakers should keep in mind customer and investor protections, promotion of market integrity and financial stability, and efforts to combat illicit finance when creating regulations, among others. Recommendations for policymakers include increasing their technical understanding of this space, surveying the existing regulatory “perimeter,” identifying and cataloging risks, identifying the range of regulatory strategies, and applying regulatory framework on digital identity, KYC and AML regimes, and calibration on privacy in decentralized finance.
For further learning on decentralized finance, IOSCO released a publication on its nine recommendations, which was previously covered by InfoBytes here.
FTC alleges data broker company mishandled consumer location data
On January 9, the FTC released a proposed order and complaint against a data broker that sells consumer location data to companies. According to the complaint, which alleges seven violations of the FTC Act, the data broker company had no policies or procedures in place to remove any of the raw data from the location data sets that it sold, which could be used to identify sensitive personal information. The FTC alleges that because of this, the data broker company failed to provide “necessary technical safeguards” to ensure that consumers’ privacy choices were honored. The FTC also alleges that the data broker’s contracts with entities to purchase the data were “insufficient to protect consumers from the substantial injury caused by the collection, transfer, and use of the consumers’ location data” as they visit sensitive locations, such as churches, healthcare facilities, and schools.
The data broker company collected 10 billion location data points daily worldwide throughout its apps, but it failed to inform its consumers that it sold this data to advertisers, employers, or government contractors. The FTC further alleges that the data broker’s business practices are likely to cause substantial injury to consumers due to its lack of reasonable data security measures.
According to the proposed order, the company must comply with FTC mandates that include requiring it to prohibit misrepresentations using the data, prohibit the use, sale, or disclosure of sensitive location data, and implement a sensitive location data program. The data broker neither admits nor denies any wrongdoing and the FTC did not levy a money judgment.
New York Governor highlights NYDFS in 2024 State of the State proposal
On January 2, New York Governor Kathy Hochul revealed a proposed plan focused on consumer protection and affordability as the initial part of the Governor’s 2024 State of the State address. The plan includes changes to New York’s consumer protection laws, regulations for buy now pay later products, increased paid medical and disability leave benefits, measures to eliminate co-pays for insulin in specific insurance plans, and legislation addressing medical debt.
Changes to consumer protection laws would give the Attorney General more power to enforce the laws and help the state to address unfair and abusive business practices. Additionally, proposed legislation would require buy now pay later providers to obtain licenses and introduce regulations focusing on disclosure, dispute resolution, credit standards, fee limits, data privacy, and preventing excessive debt.
NYDFS also detailed Governor Hochul’s plan to update and broaden New York’s hospital financial assistance law to provide increased protection against medical debt. The proposed legislation aims to limit hospitals’ ability to sue low-income patients (earning less than 400 percent of the Federal Poverty Level) for medical debt and expand financial assistance programs. It also seeks to cap monthly payments and interest rates on medical debt while enhancing access to financial aid. This consumer protection and affordability plan builds on Governor Hochul and her administration’s efforts to make New York more affordable and livable.
FCC adopts updated data breach notification rules
On December 21, 2023, the FCC announced it adopted an updated data breach notifications rule. The rule was formerly designed to protect consumers against pretexting, “a practice in which a scammer pretends to be a particular customer or other authorized person to obtain access to that customer’s call detail or other private communications records.” As previously covered by InfoBytes, the FCC promulgated its notice of proposed rulemaking in January 2023. The rule has been updated to expand the data breach notification requirements to, among other things: (i) cover different categories of personally identifiable information that carriers hold; (ii) expand the definition of “breach” to cover unintended disclosures of consumer information, except in situations where such information is obtained in good faith by an employee or representative of a carrier or telecommunications relay service (“TRS”) provider, and where there’s no improper use or further disclosure of that information; (iii) require TRS providers and carriers to notify the FCC, FBI, and U.S. Secret Service as soon as practicable and no later than seven business days after the reasonable determination of a breach; (iv) no longer require TRS providers and carriers to notify consumers of a data breach if they reasonably determine no harm to consumers is reasonably likely; and (v) no longer require carriers to follow a mandatory waiting period to notify consumers of a breach. FCC Chairwoman Jessica Rosenworcel said in her statement that the update to the data breach policy is the first in 16 years and that under the Communications Act, “carriers have a duty to protect the privacy and security of consumer data.” The rule was adopted on December 13, 2023.
FTC, DOJ convene with G7 on AI policy future
On November 8, the FTC and DOJ met with the G7 Competition Authorities and Policymakers’ Summit on how to better regulate AI while addressing its competitive concerns. The Summit took place in Tokyo, Japan, and both the FTC’s and the DOJ’s Antitrust Division participated with the international group. The G7 issued a statement on how generative AI can pose not only anti-competitive risks, but also risks in “privacy, intellectual property rights, transparency and other concerns.” All policymakers shared concerns on how to best enforce fair competition laws with AI, iterating that “existing competition law applies to [AI]” and that they were “prepared to confront abuses if AI becomes dominated by a few players with market power.” The G7 stated a need to enforce competition laws and “develop policies necessary to ensure that principles of fair competition are applied to digital markets.”
The G7’s report outlines its initiatives to promote and protect competition in digital markets, its commitment to address competition concerns, and its recognition of the need for internal cooperation on digital competition.
CFPB proposes a rule to regulate fintech firms like banks
On November 7, the CFPB proposed a rule to supervise large non-bank fintech firms that offer services like digital wallets and payment apps, applicable to larger firms handling greater than 5 million transactions per year, in the same way many large banks and credit unions are supervised. While fintech agencies offer consumer banking services, they are not regulated as stringently as banks are.
The CFPB found that many consumers from middle- and lower-income backgrounds now prefer using digital consumer payment applications over cash. This shift from traditional banking puts consumers at risk since fintech applications are not subject to “traditional banking safeguards… like deposit insurance.” The CFPB’s proposed rule ensures these non-bank companies:
- Adhere to federal consumer financial protection laws that encompass protections against unfair, deceptive, and abusive practices, consumers’ rights when transferring money, and privacy rights. The CFPB would supervise larger participants to ensure compliance.
- Follow the same rules as banks and credit unions, fostering fair competition and consistent enforcement of federal consumer financial protection laws.
The Consumer Financial Protection Act (CFPA) provides the CFPB with the authority to conduct supervisory examinations over all non-bank companies in the mortgage, payday loan, and private student loan industries, as well as those who serve as service providers to banks and credit unions. In addition, the CFPB can supervise individual entities that pose a risk to consumers, as well as larger participants in other markets. This proposed rule would give the CFPB greater regulatory authority and oversight over large technology firms in consumer financial markets.