InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DOJ and FTC find UDAPs in handling of women’s health data
On June 23, the DOJ and FTC announced the government has obtained substantial injunctive relief, and that the department will collect $100,000 in civil penalties, from an Illinois-based healthcare corporation pursuant to a stipulated federal court order. In the complaint, the United States claimed that the corporation violated Section 5 of the FTC Act, in which the defendant engaged in unfair and deceptive acts in connection with its period and ovulation tracking mobile app. The government alleged that the corporation shared consumers’ persistent identifiers and sensitive personal information to third-party companies without user notice or consent. Additionally, the corporation allegedly failed to disclose how those third-party companies would use consumers’ personal information. The complaint also alleges the corporation failed to take “reasonable measures” surrounding data and privacy risk when they integrated third-party software into the mobile application, and that they violated the HBNR.
The order entered by the court requires that the corporation: (i) “implement a comprehensive privacy and data security program with safeguards to protect consumer data”; (ii) “hire an independent third-party to regularly assess its compliance with the privacy program for a period of 20 years”; (iii) “[is] enjoined from sharing health information with third-parties for advertising purposes, from sharing health information with third-parties for other purposes without obtaining users’ affirmative express consent, and from making misrepresentations about [the corporation’s] privacy practices”; and (iv) comply with the HBNR’s notification provisions in any future breach of Security.
FTC sues genetic testing company over privacy failures
On June 16, the FTC filed an administrative complaint against a California-based genetic testing company for allegedly deceiving consumers about its privacy and data security practices. Marking the FTC’s first case to focus on both the privacy and security of genetic information, the complaint claims the respondent (which sells DNA health test kits and provides health reports to consumers that include personal information) failed to secure genetic and health data and misled consumers about its ability to delete consumers’ data. These alleged actions contradicted claims made by the respondent on its website that personal health information is collected, processed, and stored “in a responsible, transparent and secure environment.” Additionally, the FTC alleged that the respondent failed to implement a policy to ensure DNA samples were destroyed by contract laboratories and made changes to its privacy policy that retroactively expanded the types of third parties authorized to share consumers’ data without notifying consumers or obtaining their consent. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in the announcement.
The respondent is further accused of storing unencrypted personal health information on a publicly accessible cloud storage repository. Several warnings about storing unencrypted data were allegedly sent to the respondent before customers were notified.
Under the terms of the proposed consent order, the respondent will be required to pay $75,000 to go towards consumer refunds. The respondent must also strengthen its protection measures, cease misrepresenting the extent of its security or privacy practices, and instruct third-party contract laboratories to delete all DNA samples that have been retained longer than 180 days. Additionally, the respondent must obtain consumers’ affirmative express consent before sharing health data with third parties, notify the FTC should consumers’ personal health information be compromised, and implement a comprehensive information security program to address the identified alleged security failures.
FTC proposes changes to Health Breach Notification Rule
On May 18, the FTC issued a notice of proposed rulemaking (NPRM) and request for public comment on changes to its Health Breach Notification Rule (Rule), following a notice issued last September (covered by InfoBytes here) warning health apps and connected devices collecting or using consumers’ health information that they must comply with the Rule and notify consumers and others if a consumer’s health data is breached. The Rule also ensures that entities not covered by HIPAA are held accountable in the event of a security breach. The NPRM proposed several changes to the Rule, including modifying the definition of “[personal health records (PHR)] identifiable health information,” clarifying that a “breach of security” would include the unauthorized acquisition of identifiable health information, and specifying that “only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.” The modifications would also authorize the expanded use of email and other electronic methods for providing notice of a breach to consumers and would expand the required content for notices “to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information.” Comments on the NPRM are due 60 days after publication in the Federal Register.
The same day, the FTC also issued a policy statement warning businesses against making misleading claims about the accuracy or efficacy of biometric technologies like facial recognition. The FTC emphasized that the increased use of consumers’ biometric information and biometric information technologies (including those powered by machine learning) raises significant consumer privacy and data security concerns and increases the potential for bias and discrimination. The FTC stressed that it intends to combat unfair or deceptive acts and practices related to these issues and outlined several factors used to determine potential violations of the FTC Act.
FTC obtains TROs to halt student loan debt relief schemes
On May 8, the FTC announced that the U.S. District Court for the Central District of California recently issued temporary restraining orders (TROs) against two student loan debt relief companies that allegedly tricked consumers into paying for nonexistent repayment and loan forgiveness programs. According to the complaints (see here and here), the defendants allegedly made deceptive claims in order to lure low-income consumers into paying hundreds to thousands of dollars in illegal upfront fees as part of a purported plan to pay down their student loans. The defendants allegedly made consumers believe that they were enrolled in a legitimate loan repayment program, that their loans would be forgiven in whole or in part, and that most or all of their payments would be applied to their loan balances. The FTC alleges that, in reality, the defendants pocketed the borrowers’ payments. The FTC also charged the defendants with falsely claiming to be or be affiliated with the Department of Education and stating that they were purchasing borrowers’ debt from federal student loan servicers in order to secure debt relief on their behalf. When consumers realized the debt relief program did not exist, the defendants allegedly often refused to provide refunds.
According to the FTC, these deceptive misrepresentations violated Section 5 of the FTC Act and the Telemarketing Sales Rule (TSR). The FTC also alleges that the companies violated the Gramm-Leach-Bliley Act (GLBA), by using deceptive tactics to obtain consumers’ financial information, and the TSR, by calling numbers listed on the National Do Not Call Registry and by failing to pay required Do Not Call Registry fees for access. In issuing the TROs (see here and here), which temporarily halt the two schemes and freeze the defendants’ assets, the court noted that, upon “[w]eighing the equities and considering the FTC’s likelihood of ultimate success on the merits,” there is good cause to believe that immediate and irreparable harm will occur as a result of the defendants’ ongoing violations of the FTC Act, the TSR, and the GLBA, unless the defendants are restrained and enjoined.
District Court dismisses FTC’s privacy claims in geolocation action
On May 4, the U.S. District Court for the District of Ohio issued two separate rulings in a pair of related disputes between the FTC and a data broker. The disputes center around accusations made by the FTC last August that the data broker violated Section 5 of the FTC Act by unfairly selling precise geolocation data from hundreds of millions of mobile devices which can be used to trace individuals’ movements to and from sensitive locations (covered by InfoBytes here). The FTC sought a permanent injunction to stop the data broker’s practices, as well as additional relief. The data broker, upon learning that the FTC planned to filed a lawsuit against it, filed a preemptive lawsuit challenging the agency’s authority.
The court first dismissed the data broker’s preemptive bid to block the FTC’s enforcement action, ruling that the data broker has not identified any “viable cause of action” to support its request for injunctive relief. The court explained that injunctive relief is a “drastic remedy” that is only available if no other legal remedy is available. However, the data broker possesses an “adequate remedy at law,” the court said, “because it can seek dismissal of, and otherwise directly defend against, the FTC’s enforcement action.”
With respect to the FTC’s action, the court granted the data broker’s motion to dismiss the FTC’s complaint, but gave the agency leave to amend. The court agreed with the data broker that the FTC’s complaint lacks sufficient allegations to support its unfairness claim under Section 5 of the FTC Act. While the court disagreed with the data broker’s assertion that it did not have “fair notice that its sale of geolocation data without restrictions near sensitive locations could violate Section 5(a) of the FTC Act” or that the FTC had to allege a predicate violation of law or policy to state a claim, the court determined that the FTC failed to adequately allege that the data broker’s practices created “a ‘significant risk’ of concrete harm.” Moreover, the court found that “the purported privacy intrusion is not severe enough to constitute ‘substantial injury’ under Section 5(n).” The court noted, however that some of the deficiencies may be cured through additional factual allegations in an amended complaint.
FTC obtains permanent ban against debt relief operators
On May 1, three individuals accused of allegedly participating in a credit card debt relief scheme agreed to court orders permanently banning them from telemarketing and selling debt relief products and services. As previously covered by InfoBytes, last November the FTC filed a lawsuit claiming the defendants and their affiliated companies violated the FTC Act and the Telemarketing Sales Rule by using telemarketers to pitch their deceptive scheme, in which they falsely claimed to be affiliated with a particular credit card association, bank, or credit reporting agency, and promised they could improve consumers’ credit scores after 12 to 18 months. The defendants also allegedly misrepresented that the upfront fee, which in some cases was as high as $18,000, was charged to consumers’ credit cards as part of the overall debt that would be eliminated, and therefore would not actually have to be paid. Without admitting or denying the allegations, the defendants agreed to the court orders (available here, here, and here) imposing numerous conditions, including (i) a permanent ban on advertising, selling, or assisting in any debt relief product or service or participating in telemarketing; (ii) a broad prohibition forbidding defendants from deceiving consumers about any other products or services they sell or market; and (iii) the surrender of certain property interests and assets that will be used to provide restitution to affected consumers. The orders impose a total monetary judgment of approximately $17.5 million, for which each defendant is jointly and severally liable, to be satisfied by defendants’ surrender of certain assets and subject to a partial suspension of the remainder of the judgment pursuant to defendants’ truthfulness regarding their financial status and ability to pay.
FTC, Pennsylvania ban debt collection operation
On April 26, the FTC and the Commonwealth of Pennsylvania announced that the U.S. District Court for the Eastern District of Pennsylvania recently entered an order permanently banning a debt collection firm and two associated individuals from the industry. The FTC and Pennsylvania sued the defendants in 2020 for their involvement in a telemarketing operation that allegedly misrepresented “no obligation” trial offers to organizations and then enrolled recipients in subscriptions for several hundred dollars without their consent (covered by InfoBytes here). The complaint charged the defendants with violating the FTC Act by, among other things, illegally threatening the organizations if they did not pay for the unordered subscriptions and claimed the debt collection firm handled collections nationwide despite not having a valid corporate registration in any state and only being licensed to collect debt in Washington State. In addition to permanently enjoining the defendants from participating in the debt collection industry (whether directly or through an intermediary), the court order requires the defendants’ continued cooperation as the case proceeds against the other defendants.
OCC, FDIC say some overdraft fees may be unfair or deceptive
On April 26, the OCC and FDIC issued supervisory guidance addressing consumer compliance risks associated with bank overdraft practices. (See OCC Bulletin 2023-12 and FDIC FIL-19-2023.) The guidance highlighted certain practices that may result in increased risk exposure, including assessing overdraft fees on “authorize positive, settle negative” (APSN) transactions and assessing representment fees each time a third party resubmits the same item for payment after being returned by a bank for non-sufficient funds. The agencies provided guidance for banks that may help control risks associated with overdraft protection programs and achieve compliance with Dodd-Frank’s UDAAP prohibitions and section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices.
The FDIC’s supervisory guidance expanded on the 2019 Consumer Compliance Supervisory Highlights (covered by InfoBytes here), and warned that APSN overdraft fees present risks of unfairness under both statutes as consumers “cannot reasonably avoid” receiving these fees because they lack “the ability to effectively control payment systems and overdraft processing systems practices.” The FDIC cited the “complicated nature of overdraft processing systems” as another impediment to a consumer’s ability to avoid injury. The FDIC also emphasized that risks of unfairness exist both in “available balance” or “ledger balance” methods of assessing overdraft fees, but cautioned that risks may be “more pronounced” when a bank uses an available balance method. Furthermore, the FDIC warned that disclosures describing how transactions are processed may not mitigate UDAAP and UDAP risk. Banks are encouraged to “ensure customers are not charged overdraft fees for transactions consumers may not anticipate or avoid,” and should take measures to ensure overdraft programs provided by third parties comply with all applicable laws and regulations, as such arrangements may present additional risks if not properly managed, the FDIC explained.
The OCC’s guidance also warned that disclosures may be deceptive under section 5 if they fail to clearly explain that multiple or additional fees may result from multiple presentments of the same transaction. Recognizing that some banks have already implemented changes to their overdraft protection programs, the OCC also acknowledged that “[w]hen supported by appropriate risk management practices, overdraft protection programs may assist some consumers in meeting short-term liquidity and cash-flow needs.” The OCC encouraged banks to explore other options, such as offering low-cost accounts and low-cost alternatives for covering overdrafts, such as overdraft lines of credit and linked accounts.
FTC, DOJ sue payment processor for tech support scams
On April 17, the DOJ filed a complaint on behalf of the FTC against several corporate and individual defendants for violating the FTC Act and the Telemarketing Sales Rule (TSR) by allegedly engaging in credit card laundering for tech support scams. (See also FTC press release here.) According to the complaint, since at least 2016, the defendants—a payment processing company and several of its subsidiaries, along with the company’s CEO and chief strategy officer—worked with telemarketers who made misrepresentations to consumers about the performance and security of their computers through the use of deceptive pop ups in order to sell technical support scams. Defendants’ involvement included assisting and facilitating the illegal sales and laundering the credit card charges through their own merchant accounts (thus giving the scammers access to the U.S. credit card network) where defendants received a commission for each charge. The complaint maintained that the defendants “engaged in this activity even though it and its officers knew or consciously avoided knowing that its tech support clients were engaged in deceptive telemarketing practices.”
The proposed court orders (see here, here, and here) each impose monetary judgments of $16.5 million and (i) prohibit the defendants from engaging in credit card laundering through merchant accounts; (ii) require the defendants to screen and monitor any high-risk clients and take action if clients should charge consumers without authorization or violate the TSR; and (iii) prohibit the defendants from engaging in payment processing or assisting tech support companies that engage in false or unsubstantiated telemarketing or advertising. According to the DOJ’s announcement the defendants will be required to pay a combined total of $650,000 in consumer redress. This payment will result in the suspension of the total monetary judgment of $49.5 million due to the defendants’ inability to pay.
FTC, Florida AG sue “chargeback mitigation” company
On April 12, the FTC and the Florida attorney general filed a complaint in the U.S. District Court for the Middle District of Florida alleging a “chargeback mitigation” company and its owners (collectively, “defendants”) used numerous unfair tactics to thwart consumers trying to dispute credit card charges through the chargeback process. The chargeback process allows consumers to contest unwanted, fraudulent, or incorrect credit card charges with their credit card companies. According to the complaint, the defendants regularly sent screenshots and statements on behalf of company clients to credit card companies allegedly showing that consumers had agreed to the disputed charges. However, the FTC claimed that in many instances, the misleading screenshots did not come from the merchant’s website where the consumer made the disputed purchase. The complaint further alleged that the defendants used a system that allowed company clients to run numerous small-value transactions via prepaid debit cards in order to raise the number of transactions, thus lowering the percentage of charges that were disputed by consumers. The service, the FTC maintained, “enabled fraudulent merchants to evade or delay chargeback monitoring programs, fines, and account terminations designed to protect consumers from fraud.”
The FTC noted that three of the defendants’ major clients (for which the defendants disputed tens of thousands of chargebacks on behalf of each of the companies) were previously sued by the FTC for engaging in deceptive negative-option marketing practices. The complaint accused the defendants of ignoring clear warning signs that the screenshots were misleading, including instances where the name of the product referenced in the screenshot did not match the product in the disputed purchase. The defendants also allegedly often overlooked company clients that opened and used a large number of different merchant accounts to process charges. Asserting violations of the FTC Act and the Florida Unfair and Deceptive Trade Practices Act, the complaint seeks permanent injunctive relief, restitution, and civil penalties.