InfoBytes Blog

Financial Services Law Insights and Observations

  • FINRA Releases New Guidance on Rules Concerning Digital Communications

    Privacy, Cyber Risk & Data Security

    On April 25, FINRA issued new guidance on the application of its rules governing communications with the public concerning social media networking sites and online business communications. In 2010 and 2011, FINRA released Regulatory Notices 10-06 and 11-39 to provide initial guidance on these specific rules, and in 2013, “adopted amendments to Rule 2010 that codif[ied] guidance provided in the Notices with respect to the supervision of interactive social media posts by member firms.” In December 2014, FINRA issued its Respective Rule Review Report, which was designed to “assess whether the communications rules are meeting their intended investor protection objectives . . . and to take steps to maintain or improve the effectiveness of the rules.” FINRA Regulatory Notice 17-18 is the response to the report’s request for additional guidance and provides examples of how FINRA applies its rules to the following topics: text messaging, personal communications, hyperlinks and content sharing, native advertising, online testimonials and endorsements, correction of third-party content, and BrokerCheck. FINRA further notes that Regulatory Notice 17-18 is intended to deliver further guidance and does not alter principles previously provided in prior notices.

    Privacy/Cyber Risk & Data Security FINRA Agency Rule-Making & Guidance Securities

  • California Company Settles FTC Charges, Agrees to Provide Effective Opt-Out for Consumers

    Privacy, Cyber Risk & Data Security

    On April 21, the FTC announced that it had reached a settlement with a California company, which enables sellers to target digital advertisements to consumers, over allegations that the company violated the FTC Act by deceiving consumers: it tracked them online and through their mobile devices even after consumers elected to opt out of such tracking. According to the 2016 complaint, the company’s privacy policy conveyed to consumers that its “opt-out mechanism would be effective in blocking tailored, anonymous ads on websites and apps. However, the opt-out cookie applied only to mobile browsers, and was not effective in blocking tailored, anonymous ads on mobile applications.” Moreover, the complaint also alleged that the company used unique identifiers to track specific consumers, even after they had blocked or deleted cookies.

    Following a 30-day public comment period, the Commission voted 2-0 to approve the final order. The order prohibits the company from misrepresenting “the extent to which [it] collects, uses, discloses, retains, or shares” consumers’ information and the ability of consumers to limit, control, or prevent the ways the company uses their data. Furthermore, the company must direct consumers to a disclosure explaining the types of information the company collects and how it uses it for targeted advertising. Clear, easily accessible opt-out options for consumers who choose not to have their information used in targeted advertising must also be featured. Notably, the Commission stated in letter-responses to two commenters that while it lacks the authority to obtain civil penalties for initial violations under Section 5 of the FTC Act, the company would risk civil penalties of up to $40,654 per violation per day as a compliance incentive and to deter other companies from engaging in similar conduct.

    Privacy/Cyber Risk & Data Security FTC

  • FTC Approves Final Orders to Settle Allegations That Companies Misrepresented Participation in International Privacy Program

    Privacy, Cyber Risk & Data Security

    On April 14, the FTC announced final orders against three U.S. companies, resolving allegations that the companies had falsely represented their participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) system in their online privacy policies (see previous InfoBytes post). Following a 30-day public comment period, the Commission voted 2-0 to approve the final orders, which prohibit the companies from “misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.” Furthermore, the Commission issued a response letter to one of the commenters stating that although the Commission is not authorized to seek civil penalties for an initial violation, upon approval of the final order, one of the companies “will be subject to civil penalties of up to $40,654 per violation per day,” as a compliance incentive and to deter other companies from engaging in similar conduct.

    Privacy/Cyber Risk & Data Security FTC APEC CBPR

  • New Mexico Enacts Data Breach Notification Act

    Privacy, Cyber Risk & Data Security

    On April 6, New Mexico Governor Susana Martinez signed into law the Data Breach Notification Act (H.B. 15), making New Mexico the 48th state to pass a data breach notification law. Under the new law—which is scheduled to take effect on June 16—companies are now required to notify any New Mexico residents (and in certain circumstances consumer reporting agencies and the state’s attorney general) following the discovery of a “security breach” involving that resident’s “personal identifying information.”  The Act—which unanimously cleared both New Mexico’s House and Senate—also establishes standards for the secure storage and disposal of data containing personal identifying information and provides for civil penalties for violations.

    According to the Act, “personal identifying information” consists of an individual’s first name or first initial and last name in combination with any one or more of the following data elements: (i) Social Security number; (ii) driver's license number or government issued identification number; (iii) account number, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (iv) biometric data. As with many other states’ breach notice laws, the term “security breach” is defined as “the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” However, notice to affected residents is not required if the entity “determines that the security breach does not give rise to a significant risk of identity theft or fraud.” The Act also sets out the required contents of, and methods for providing, notification—which generally must be made no later than 45 days after the breach was discovered—including substitute methods if certain criteria are met. Certain entities, including those subject to GLBA or HIPAA, are exempt from the requirements of the Act.

    Notably, the Act does not provide its citizens with a private right of action, but rather charges the state’s attorney general with enforcing the Act through legal actions on behalf of affected individuals. The Act provides for the issuance of injunctive relief and/or damages for actual losses including consequential financial losses. For knowing or reckless violations of the Act, a Court also may impose civil penalties of $25,000, or in the case of a failure to notify, a penalty of $10 per instance up to a maximum penalty of $150,000.

    Privacy/Cyber Risk & Data Security State Issues Data Breach State Attorney General

  • New York AG Announces Settlements with Three Mobile Health Application Developers over Misleading Marketing Practices and Privacy Policies

    Fintech

    On March 23, the New York Attorney General’s (NYAG) office announced settlements with U.S.-, Austria-, and Israel-based mobile application (app) developers who allegedly participated in misleading marketing practices and the mismanagement of consumer information—both of which are violations of New York Executive, Education, and General Business Laws. Two of the three developers claimed their health-related apps accurately measured heart rates, and a third allegedly claimed its app would measure a fetal heartbeat. However, all three failed to test the apps for accuracy, conduct comparisons to other approved products, or obtain approval by the U.S. Food and Drug Administration. The developers have agreed to provide additional testing information, will correct misleading advertisements, obtain affirmative consent from consumers for developers’ privacy policies, and will pay $30,000 in combined penalties to the NYAG’s office. Furthermore, all three developers have also made changes to their privacy policies to disclose the collecting and sharing of information that “may be personally identifying” including “users’ GPS location, unique device identifier, and ‘deidentified’ data that third parties may be able to use to reidentify specific users.”

    State Issues NYDFS State Attorney General Fintech Privacy/Cyber Risk & Data Security

  • Congress Approves Joint Resolution to Repeal FCC’s Broadband Privacy Rules, Signed into Law by President Trump

    Privacy, Cyber Risk & Data Security

    On April 3, President Trump signed into law a measure (S.J.Res. 34) rescinding the new Federal Communications Commission (FCC) broadband privacy rules related to Internet service providers (ISPs). As previously covered on InfoBytes, the privacy rules—passed last year in a 3-2 party-line vote under former Democratic FCC Chairman Tom Wheeler—require, among other things, that ISPs receive express consent from users concerning the use of their personal data for marketing purposes. FCC Chairman Ajit Pai has taken the position that the new FCC regulations are inconsistent with the Federal Trade Commission’s (FTC) framework. The rules had been partially stayed by the FCC in response to multiple reconsideration petitions. Approved last week in the Senate by a 50-48 margin, and subsequently passed by a 215-205 House vote, S.J.Res. 34 was sent to President Trump on Friday for his signature. The President signed the joint resolution into law on Monday evening, thereby repealing the FCC regulations pursuant to the Congressional Review Act, 5 U.S.C. §§ 801-808. Notably, per the language of the resolution—which was originally introduced by Sen. Jeff Flake (R-AZ) in early March—the FCC is also prohibited from re-issuing new rules without the passage of a new law authorizing them.

    Privacy/Cyber Risk & Data Security FTC FCC Trump

  • FTC Releases 2016 Annual Highlights

    Privacy, Cyber Risk & Data Security

    On March 28, the FTC released its 2016 Annual Highlights Report, which outlines the agency’s ongoing efforts over the past year to protect consumers and promote competition. Acting Chairman Maureen K. Ohlhausen stated, “2016 was a historic year for the FTC. We obtained almost $12 billion in redress for consumers, and took action in more than a dozen merger cases to preserve competition.” Key highlights in four sections—enforcement, policy, education, and stats and data—covered multiple sectors such as health care, technology, and other consumer products and services. Regarding enforcement highlights in 2016, the report covered a range of administrative and court actions related to, among other things, privacy and data security issues, particularly in the mobile marketplace, as well as the Commission’s largest false advertising settlement in its history with a global auto manufacturer. The policy section of the report highlights eight amicus briefs filed on topics such as reverse payments and the FDCPA, as well as its efforts to provide guidance and recommendations on topics such as sharing economy platforms, big data, and fraud. The education section covers topics such as consumer guidance on fraud, scams, and deceptive business practices prevention, and notes that it published almost 200 blog posts for consumers. Notably, according to the stats and data section of the report, the FTC received more than three million consumer complaints in 2016, consisting of 858,090 debt collection complaints, 503,967 “other” complaints, and 406,578 imposter scam complaints.

    Privacy/Cyber Risk & Data Security FTC Fintech Enforcement Consumer Complaints

  • FTC Commissioners Testify Before Senate Committee on Enforcement Efforts to Combat Fraud

    Consumer Finance

    On March 21, Federal Trade Commission (FTC) Acting Chairman Maureen K. Ohlhausen and Commissioner Terrell McSweeny testified before the Senate Committee on Commerce, Science, and Transportation’s Subcommittee on Consumer Protection, Product Safety, and Data Security to describe the agency’s law enforcement work to combat fraud. The testimony noted that in the past year, the agency obtained judgments of more than $11.9 billion to consumers “harmed by deceptive and unfair business practices” and received more than three million consumer complaints. Commissioner Terrell McSweeny noted that the “top three categories of complaints were debt collection, impostor frauds, and identity theft,” and that for the first time “imposter scam complaints . . . surpassed the number of identity theft complaints.” FTC Acting Chairman Maureen K. Ohlhausen also presented testimony and emphasized two populations in particular—military consumers and small businesses—both of which are attractive targets for fraudsters, and with whom the agency actively works to provide fraud recognition tools to prevent future victims. Also discussed at the hearing was the creation of the Office of Technology Research and Investigation to help the agency “keep abreast of technology changes affecting consumers” as well as the agency’s fraud prevention and education outreach initiatives that impact “tens of millions of people and businesses each year.”

    Consumer Finance FTC Privacy/Cyber Risk & Data Security Congress U.S. Senate UDAAP

  • OCC Announces February 2017 Enforcement Actions

    Privacy, Cyber Risk & Data Security

    On March 17, the Office of the Comptroller of the Currency (OCC) released a list of administrative enforcement actions taken against banks and bank officers in February. Several of the reported actions included payment of civil money penalties (CMPs) for, among other things, violations of the Federal Trade Commission Act, Bank Secrecy Act (BSA) deficiencies, and unsafe or unsound practices by institution-affiliated parties for breaches of fiduciary duty. Among the actions containing CMPs were a Tennessee bank fined $1 million for deficiencies related to billing practices with regard to an identity protection product consumers paid for but never received, and a California bank fined $1 million for continuous non-compliance with a 2010 Consent Order for BSA deficiencies including “inadequate risk assessment process[es], inadequate system of internal controls, inadequate suspicious activity monitoring and reporting process[es], inadequate customer due diligence and enhanced due diligence programs,” as well as having a “BSA/AML independent audit [that] failed to identify . . . significant internal control weaknesses.”

    Privacy/Cyber Risk & Data Security Agency Rule-Making & Guidance OCC Enforcement

  • Federal District Court Allows Discovery in Class Action Concerning Internet Company’s Collection of Biometric Data

    Privacy, Cyber Risk & Data Security

    In a Memorandum Opinion and Order handed down on February 27, a District Court in the Northern District of Illinois declined to dismiss a putative class action alleging that a cloud-based photographic storage service offered by an Internet company (the Company) violated the Illinois Biometric Information Privacy Act (BIPA) by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent. Specifically, the Court rejected the Company’s argument that application of BIPA to facial geometry scanning by an internet service located outside of Illinois is an improper extraterritorial application of Illinois law.

    The Plaintiffs alleged that the Company failed both (i) to obtain the necessary authorization or consent to the creation and subsequent storing of “faceprints” by the photo storage service, and (ii) to make publicly available a data retention and destruction schedule as required under the BIPA. In responding to these claims, the Company argued that the term “biometric identifier,” as defined in the BIPA, does not extend to “in-person scans of facial geometry” and does not cover photographs or information derived from photographs. The Company also sought to dismiss the case on jurisdictional grounds, arguing that under principles of federalism, pre-emption, and the extra-jurisdictional application of state law, the BIPA cannot properly regulate activity – such as the storage of data on the Company’s servers – that does not occur “primarily and substantially” within the state of Illinois.

    In analyzing the Company’s argument, the Court looked to the following two definitions set forth in the Illinois law:

    • “Biometric identifier,” which is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and explicitly “do[es] not include writing samples, written signatures, photographs. . . .”; and
    • “Biometric information,” which is defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual,” and explicitly “does not include information derived from items or procedures excluded under the definition of biometric identifiers.” 

    Ultimately, the Court disagreed with the Company’s reading of “biometric data” because, among other reasons, “nothing in the text of [the BIPA] directly supports this interpretation.”  The Court deferred deciding on the Company’s arguments that the claims would require extraterritorial application of the statute and/or would violate the Dormant Commerce Clause by reaching beyond state boundaries, because, among other reasons, “[d]iscovery is needed to determine whether there are legitimate extraterritoriality concerns.”

    On March 9, the Company filed a motion seeking permission to file an interlocutory appeal to the Seventh Circuit, with a request for a stay of further proceedings pending the appellate court’s decision on the request for an appeal.  

    Privacy/Cyber Risk & Data Security Courts State Issues Biometric Data
