
InfoBytes Blog

Financial Services Law Insights and Observations


  • New York Consumer Privacy Bill Takes Effect

    Consumer Finance

    Last week, a New York law designed to protect consumers’ Social Security numbers took effect. As previously reported, Assembly Bill 8992 prohibits private businesses from conditioning the provision of services on a consumer’s willingness to disclose his or her Social Security number upon request. The law provides several exceptions, including when the collection of the Social Security number is (i) otherwise required by law, (ii) requested in connection with the opening of a deposit account or a credit transaction initiated by the consumer, or (iii) required for any business function allowed under the Gramm-Leach-Bliley Act.

    Privacy/Cyber Risk & Data Security

  • FTC Announces Departure of Consumer Protection Director

    Federal Issues

    On December 17, the FTC announced that the Director of its Bureau of Consumer Protection, David Vladeck, will leave the agency on December 31, 2012. Since taking the position in 2009, Mr. Vladeck has led the Bureau’s focus on financial fraud and consumer privacy. Charles Harwood, who currently serves as a Deputy Director in the Bureau, will take over as Acting Director of the Bureau of Consumer Protection. The FTC also announced that Eileen Harrington, the agency’s Executive Director, will retire at the end of the year, and that Pat Bak, who currently serves as Deputy Executive Director, will serve as Acting Executive Director.

    FTC

  • FTC Orders Data Brokers to Provide Consumer Data Practices Information

    Federal Issues

    On December 18, the FTC issued orders requiring nine data brokerage companies to provide information about (i) the nature and sources of the consumer information the data brokers collect, (ii) how they use, maintain, and disseminate the information, and (iii) the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold. The FTC states that it plans to use the data to study privacy practices in the data broker industry, and to make recommendations as to how the industry could improve its privacy practices. Earlier this year, members of the House and Senate issued separate requests for similar material. The brokers targeted by the various requests and orders overlap only in part.

    FTC Privacy/Cyber Risk & Data Security

  • FTC Finalizes Children's Online Privacy Rule Amendments

    Federal Issues

    On December 19, the FTC announced final amendments to the Children’s Online Privacy Protection Act Rule. According to the FTC’s release, the final amendments (i) include geolocation information, photographs, and videos in the list of “personal information” that cannot be collected from children under 13 without parental notice and consent, (ii) offer companies a streamlined, voluntary, and transparent approval process for new ways of getting parental consent, (iii) close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent, (iv) require compliance by such third parties in some of those cases, (v) require compliance by persistent identifiers that can recognize users over time and across different websites or online services, (vi) require that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential, (vii) require that covered website operators adopt reasonable procedures for data retention and deletion, and (viii) strengthen the FTC’s oversight of self-regulatory safe harbor programs. The amendments also modify several other key definitions in the rule. Notably, the revised definition of “operator” clarifies that the rule covers a child-directed site or service that integrates outside services that collect personal information from its visitors, but it does not extend liability to platforms that merely offer the public access to child-directed apps. 
    FTC Commissioner Maureen Ohlhausen voted against the amendments and issued a dissenting statement in which she argued that the new definition of “operator” goes beyond what Congress authorized by imposing obligations on websites or online services that do not collect personal information from children or have access to or control of such information collected by a third party.

    FTC Privacy/Cyber Risk & Data Security

  • CFPB Releases Student Lending Examination Procedures

    Consumer Finance

    On December 17, the CFPB released its Student Lending Examination Procedures, which are an extension of the CFPB’s General Supervision and Examination Manual and will be used as a field guide by CFPB examiners to review student lender compliance with federal consumer financial laws. The Student Lending Examination Procedures are organized in seven modules: (i) Advertising, Marketing, and Lead Generation, (ii) Application, Qualification, Loan Origination, and Disbursement, (iii) Loan Repayment, Account Maintenance, Payoff Processing, and Payment Plans, (iv) Customer Inquiries and Complaints, (v) Collections, Accounts in Default, and Credit Reporting, (vi) Information Sharing and Privacy, and (vii) Examination Conclusion and Wrap-up. Under the first module, for example, CFPB examiners will assess whether a lender’s advertising and marketing practices are deceptive, misleading, or discriminatory by sampling all of the lender’s marketing and advertising materials, including print, electronic and other media, such as the Internet, email and text messages, telephone solicitation scripts, agreements and disclosures. With regard to borrower complaints, examiners will assess, among other things, the systems, procedures, and policies used by a lender for tracking, handling, investigating, and resolving consumer inquiries, disputes, and complaints. The CFPB has the authority to supervise large bank and nonbank student lenders, and, as with its other procedures, the CFPB will use the same examination procedures across both types of institutions.

    CFPB Nonbank Supervision Student Lending Bank Supervision

  • Congress Acts on Several Banking Bills, Two Set for President's Signature

    Consumer Finance

    On December 11, the U.S. Senate passed by voice vote two bills impacting bank supervision and compliance. The first, H.R. 4014, amends the Federal Deposit Insurance Act to protect information submitted to the CFPB as part of its supervisory process. The bill provides CFPB-supervised institutions the same non-waiver of privilege protections already afforded to information submitted by supervised entities to federal, state, and foreign banking regulators. For more information about these issues, please see our recent Special Alert. The second bill, H.R. 4367, amends the Electronic Fund Transfer Act to remove the requirement that ATMs have an attached placard disclosing fees. The amended law will require only that fees be disclosed on the ATM screen. Both bills previously were passed by the U.S. House of Representatives and now go to the President. On December 12, the House passed H.R. 5817, which would exempt from Gramm-Leach-Bliley Act (GLBA) annual privacy policy notice requirements any financial institution that (i) provides nonpublic personal information only in accordance with specified requirements, and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information from those included in its most recent disclosure. The bill now proceeds to the Senate. A fourth bill, S. 3637, which would extend the Transaction Account Guarantee program for two additional years, was blocked in the Senate on December 13, 2012. The program, which was established by the Dodd-Frank Act to provide unlimited deposit insurance for noninterest-bearing transaction accounts, will expire at the end of 2012 if legislators do not take further action to extend the program.

    CFPB Gramm-Leach-Bliley ATM U.S. Senate U.S. House

  • FTC Report Urges Mobile Application Developers to Improve Disclosures, Announces Multiple COPPA Investigations

    Fintech

    On December 10, the FTC issued a staff report on the privacy disclosures and practices of mobile applications offered for children in certain online application stores. The report provides the results of an FTC survey of the disclosures and links on the promotion page in the application store, on the application developer’s website, and within the application, for hundreds of applications for children. According to the report, most mobile applications failed to give parents any information needed to determine what data is being collected from their children, how it is being shared, and with whom it is being shared. Further, the FTC states that many applications shared certain information with third parties without disclosing that fact to parents, and a number of applications contained interactive features – such as advertising, the ability to make in-application purchases, and links to social media – without disclosing these features to parents prior to download. The report also states that FTC staff is launching multiple nonpublic investigations of certain entities that may have violated the Children’s Online Privacy Protection Act (COPPA) or engaged in unfair or deceptive trade practices in violation of the FTC Act, and the FTC “strongly urges” the mobile application industry to develop and implement best practices to protect privacy, including those recommended in an FTC privacy report issued earlier this year. In a related development, on December 11, the Center for Digital Democracy filed a complaint with the FTC seeking an investigation of one firm for allegedly offering and operating a mobile application in violation of COPPA.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • California AG Files First Mobile Application Privacy Suit

    Fintech

    On December 6, California Attorney General Kamala Harris (AG) announced an enforcement action against Delta Airlines for allegedly failing to comply with the state’s Online Privacy Protection Act. This is the first action brought by the AG’s office under this law and follows other efforts by the AG’s office to require enhanced mobile privacy disclosures. In October, the AG’s office sent letters to 30 companies, including Delta, advising those entities that their mobile applications failed to comply with the state privacy law and providing them 30 days to remedy the alleged failure. The complaint alleges that since at least 2010, Delta has operated a mobile application that may be used to, for example, check in online for an airplane flight, view reservations for air travel, or rebook cancelled or missed flights. The AG claims that the Delta application collects substantial personally identifiable information but does not have a privacy policy. The suit seeks to enjoin Delta from distributing its application without a privacy policy and seeks penalties of up to $2,500 for each violation.

    State Attorney General Mobile Commerce Privacy/Cyber Risk & Data Security

  • California AG Notifies Mobile Application Developers of Non-Compliance

    Fintech

    On October 30, California Attorney General (AG) Kamala Harris announced that her office’s Privacy Enforcement and Protection Unit sent letters to numerous mobile application developers advising those entities of their noncompliance with state privacy law. Specifically, the AG alleges that the targeted mobile application developers failed to post a privacy policy that is reasonably accessible to the consumer, as required by the California Online Privacy Protection Act. Under the state unfair competition law, violation of the Act may result in penalties of up to $2,500 per violation. A violation in this instance is each download of a mobile application that does not properly include a privacy policy. The letters provide thirty-day notice of noncompliance as required by the Act, within which each developer must provide specific plans and a timeline for compliance, or an explanation of why the application is not covered by the Act.

    State Attorney General Mobile Commerce Privacy/Cyber Risk & Data Security

  • Federal Banking Regulators Issue Guidance Regarding Supervision of Technology Service Providers

    Consumer Finance

    On October 31, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Supervision of Technology Service Providers Booklet (TSP Booklet). The revised TSP Booklet, which is part of the FFIEC Information Technology Examination Handbook, provides guidance for examiners and financial institutions on the supervision of technology service providers by describing the federal banking regulators’ statutory authority to supervise third-party service providers, outlining the regulators’ risk-based supervision program, and providing the Uniform Rating System for examinations. The TSP Booklet clarifies that outsourced activities should be subject to the same risk management, security, privacy, and other internal controls and compliance policies as if such functions were performed internally, and that a financial institution’s board of directors and management have the responsibility for ensuring that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.

    Concurrent with the release of the updated TSP Booklet, the Federal Reserve Board, the FDIC, and the OCC issued new Administrative Guidelines for the Implementation of Interagency Programs for the Supervision of Technology Service Providers. The Guidelines are separate from the FFIEC IT Examination Handbook and describe how the agencies implement their interagency supervisory programs. The Guidelines are primarily a resource for examiners and include the reporting templates used by examiners.

    FDIC Federal Reserve OCC Bank Compliance Directors & Officers FFIEC
