
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC Obtains Consumer Privacy Consent Order From Web Analytics Company

    Fintech

    On October 22, the FTC announced a proposed consent order with an Internet tracking and analytics company that allegedly gathered personal data without consumer consent and failed to honor its promises to protect personal data. According to the FTC, Compete Inc. encouraged consumers to download its tracking software by promising rewards and information about the websites that customers visited. After installation, Compete’s software automatically collected information that consumers entered into websites, including usernames, passwords, search terms, and credit card and Social Security numbers. The FTC stated that Compete violated promises to consumers to collect only the names of websites that consumers visited, to remove personally identifiable information, and to protect consumer information. The proposed consent order requires Compete to (i) fully disclose what information it collects, (ii) obtain consumers’ express consent prior to collecting data, (iii) delete or anonymize previously collected information, and (iv) implement an information security program with regular third-party audits for the next twenty years.

    FTC Privacy/Cyber Risk & Data Security

  • FTC Announces Two Privacy Events

    Fintech

    On October 15, the FTC announced that it will host a workshop to examine the practices and privacy implications of comprehensive collection of consumers' online activities. On December 6, 2012, consumer protection organizations, academics, business and industry representatives, privacy professionals, and other stakeholders will review Internet data collection methods, identify those companies currently capable of comprehensive Internet data collection, consider what new legal protections are needed, and explore other related topics. The workshop is one step the FTC promised to pursue in a March 2012 report that urged companies to implement certain consumer privacy protections. On October 17, the FTC announced an upcoming forum on using enforceable industry codes of conduct to protect consumers in cross-border commerce. The forum will focus on the use of systems like the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system, which was created earlier this year, when information moves between countries with different privacy rules. The forum will bring together government officials, academics, industry members, and consumer groups to discuss the increasing use of such codes.

    FTC Privacy/Cyber Risk & Data Security

  • GAO Urges Federal Actions to Protect Mobile Device Users' Privacy

    Fintech

    On October 11, the GAO released a report on its examination of how the mobile industry collects location data and the resulting impact on consumers. According to the report, privacy advocates expressed concerns that consumers are generally unaware of how location data is used by third parties and that consumers could be subject to increased risk of surveillance by law enforcement, identity theft, and threats to personal safety. The GAO examined how companies have applied practices recommended by industry associations and privacy advocates to protect consumers' privacy while using mobile location data. The report reviews actions taken by federal agencies to provide consumer education and develop industry codes of conduct. The GAO recommends, among other things, that NTIA work with stakeholders to develop industry codes of conduct and that the FTC consider issuing guidance on mobile companies' appropriate actions to protect location data privacy.

    FTC Mobile Commerce Privacy/Cyber Risk & Data Security

  • Federal Reserve Board Reports on CFPB Consumer Protection Unit

    Consumer Finance

    This week, the Office of the Inspector General (OIG) for the Federal Reserve Board issued an evaluation of the CFPB’s Consumer Response Unit, which is responsible for managing the CFPB’s consumer complaint system. The report provides a concise overview of the CFPB’s consumer complaint process and includes the OIG’s evaluation of that process. Specifically, the OIG concludes that the CFPB’s consumer complaint process is reasonable, generally compliant with the Dodd-Frank Act, and consistent with industry best practices. However, the report also indicates that the CFPB Consumer Response Unit could improve its process by further addressing (i) inaccurate manual data entry of consumer complaints, (ii) inconsistent complaint management system data, (iii) lack of a finalized agency-wide privacy policy, (iv) lack of a comprehensive quality assurance program, and (v) lack of a centralized tracking system for quality assurance reviews.

    CFPB Federal Reserve Consumer Complaints

  • House Members Introduce Mobile Device Privacy Legislation

    Fintech

    On September 12, Representatives Edward Markey (D-MA) and Diana DeGette (D-CO) unveiled new legislation to establish consumer privacy protections with regard to mobile applications. The Mobile Device Privacy Act (H.R. 6377) would direct the FTC to promulgate regulations that require upfront disclosure of (i) the existence of any monitoring software on a device, (ii) the types of information that could be collected, (iii) the identity of those with access to the collected information, and (iv) the expected use of the information. Prior consumer consent to the collection of information and procedures for enabling consenting device owners to stop such collection would also be required. In addition, the bill would mandate information security practices in connection with information collected from mobile device users, and establish an enforcement regime involving both the FTC and the FCC, as well as state attorneys general and private suits.

    Privacy/Cyber Risk & Data Security

  • CFPB Releases Examination Procedures for Consumer Reporting Agencies

    Consumer Finance

    On September 5, the CFPB released procedures to guide its staff in examining “larger participant” consumer reporting agencies (CRAs). In July, the CFPB adopted a rule that will allow it to supervise CRAs with more than $7 million in annual receipts from consumer reporting activities starting September 30, 2012. The procedures outline how examiners should assess a CRA’s compliance with federal requirements, primarily under the Fair Credit Reporting Act, relating to (i) using and providing accurate consumer information, (ii) handling consumer disputes, (iii) providing disclosures to consumers, and (iv) preventing fraud and identity theft. While the procedures focus on issues specific to consumer reporting, they include a module that directs examiners to consider whether a CRA offers any other consumer financial product or service that creates other risks to consumers, particularly with regard to Gramm-Leach-Bliley privacy requirements and potential unfair, deceptive, or abusive acts or practices (UDAAP violations).

    CFPB Nonbank Supervision Consumer Reporting

  • Federal Court Dismisses Consumer Privacy Action Brought Under California's Shine the Light Act

    Fintech

    On August 24, the U.S. District Court for the Northern District of California dismissed a putative class action alleging that Time magazine failed to establish procedures to comply with California’s Shine the Light Act (SLA). Murray v. Time, Inc., No. 12-00431, 2012 WL 3634387 (N.D. Cal. Aug. 24, 2012). The SLA requires businesses to disclose to California consumers upon request any information collected and shared with third-party direct marketers. Alternatively, businesses can adopt a policy of not sharing consumer information without first obtaining consumer consent. All businesses must make consumers aware of their SLA rights by (i) maintaining a disclosure on their website and providing contact information for consumers to make a request about information shared with direct marketers, (ii) requiring customer service agents to provide the contact information upon request, or (iii) making the contact information available at every place of business in the state. The named plaintiff contends that by the nature of its business Time could provide the required information only on its website, and that it failed to do so. The court dismissed the case, holding that the named plaintiff suffered no economic or informational injury and therefore lacked standing to pursue his claims. The court held that the plaintiff’s general allegations concerning the “inherent monetary value” of consumer data are presented without any facts regarding the value of his specific personal information and therefore could not prove any economic injury. With regard to informational injury, the court explained that the plaintiff does not claim that he was deprived of any information in response to a request, but rather that he was deprived of the ability to make the request. Such a procedural violation of the SLA, the court held, does not equate to informational injury. The court allowed the plaintiff to re-plead additional facts in support of his claim, but he may not add other plaintiffs or defendants.

    Privacy/Cyber Risk & Data Security

  • FTC Issues Advertising and Privacy Guidelines for Mobile Application Developers

    Fintech

    On September 5, the FTC published “Marketing Your Mobile App: Get It Right from the Start,” a guide to assist mobile application developers in complying with federal advertising and privacy requirements. The guide provides basic guidance and principles related to truthful advertising and consumer privacy protections. For example, the guide urges application developers to (i) disclose key information in advertising materials clearly and conspicuously, (ii) collect sensitive information only with users’ affirmative consent, and (iii) avoid collecting unnecessary data and ensure the security of any sensitive data that is collected.

    FTC Mobile Commerce Privacy/Cyber Risk & Data Security

  • Privacy Challenge to Bank's Overseas Call Centers Dismissed

    Fintech

    On August 28, the U.S. District Court for the District of Columbia dismissed a putative class action that claimed that a bank’s use of overseas call centers subjects private financial records to U.S. government review in violation of the Right to Financial Privacy Act (RFPA). The RFPA generally prohibits financial institutions from providing customer information to a government authority. Stein v. Bank of Am. Corp., No. 11-1400, 2012 WL 3671009 (D.D.C. Aug. 28, 2012). The bank customer plaintiffs claim that because foreign states and foreign nationals are not subject to U.S. privacy laws, including the RFPA, the bank’s transmission of account and other customer data to an overseas call center risks making that data available for potential review by federal national security authorities. The bank moved to dismiss for lack of subject matter jurisdiction and failure to state a claim. The court granted the bank’s motion, finding that the plaintiffs failed to allege a cognizable injury sufficient to establish standing. The court held that the bank customers do not allege that the bank actually provided any records to a government entity and therefore, the customers do not adequately plead “a concrete and particularized injury, free of conjecture or speculation.”

    Privacy/Cyber Risk & Data Security

  • FTC Extends Comment Period for Children's Privacy Rule

    Fintech

    On August 27, the FTC extended through September 24, 2012 the time period for comments on proposed changes to the Children’s Online Privacy Protection Rule. The comment period originally was due to close on September 10, 2012.

    FTC Privacy/Cyber Risk & Data Security
