InfoBytes Blog
FTC alleges companies operating as a common enterprise misrepresented handling of consumers’ sensitive browsing data
On February 22, the FTC released a complaint and decision against multiple software companies operating as a common enterprise, alleging three violations of Section 5 of the FTC Act: (1) unfairly collecting consumers’ browsing information; (2) deceptively failing to disclose the tracking of consumers; and (3) making false representations about data aggregation and anonymization. The FTC alleged that from 2014 to 2020 the companies distributed software marketed with privacy claims, including that it would block cookies and prevent browser tracking, while collecting and selling users’ browsing data without their consent and deceiving them about what the software actually did.
The FTC alleged that the companies collected browsing information through browser extensions and antivirus software. While the companies claimed these products provided security and privacy services, they used them to collect browsing data including the URLs of visited webpages, the URLs of background resources loaded by those pages (e.g., images pulled from other domains), consumers’ search queries, and cookie values. Despite their privacy and security claims, the companies failed to disclose that this browsing information was sold to third parties and misrepresented how the data was shared. Such browsing data can be sensitive, potentially revealing a consumer’s religious beliefs, health information, political ideology, location, finances, and “interests in prurient content.” The FTC noted that when the companies began asking users in 2019 to opt in to collection of their browsing information, fewer than 50% agreed.
Under the FTC’s decision, the companies must pay $16.5 million in monetary relief. The FTC also enjoined the companies from licensing or selling browsing data from their branded products to third parties for advertising purposes, and required them to (a) obtain consent from consumers before selling browsing data from non-branded products for advertising; (b) delete the collected web browsing information and any products or algorithms derived from it; (c) notify consumers whose information was previously sold without their consent; and (d) implement a privacy program.
FTC bans data aggregator company from selling consumer data
On January 18, the FTC issued a complaint against a digital platform and data aggregator (the company) and ordered the company to stop selling or licensing precise location data, among other requirements. As previously covered by InfoBytes, the order followed a recent FTC decision against a data broker in which the FTC alleged that the broker’s contracts were “insufficient to protect consumers from the substantial injury” caused by collecting location data as consumers visited sensitive locations, such as churches, healthcare facilities, and schools.
In this case, the company obtained large amounts of personal data, including consumers’ demographic information, movements, and purchasing history, and retained that information for five years. The company’s applications and partner third-party apps have been downloaded over 390 million times, resulting in about 100 million unique devices sending location data to the company each year. As in the previous FTC order, the FTC alleged that the company collected sensitive information on where consumers live, work, and worship; where their children go to school; where they receive medical treatment; and whether they attend rallies or demonstrations. The FTC alleged that the company cross-references consumers’ location histories with points of interest for advertisers, including pushing a notification about a product when a consumer is near a store that sells it.
The FTC alleged that the company failed to notify users that their location data is used for targeted advertising. The FTC further alleged that the company retains consumer data “longer than reasonably necessary,” which the FTC argues could lead to future consumer injury. According to the FTC, these practices are deceptive or unfair practices prohibited by Section 5(a) of the FTC Act. Under the order, the company must not materially misrepresent how it collects or uses consumers’ location data, must not sell or license location data, and must implement a sensitive location data program as prescribed by the order. The company must also delete all historical location data for every consumer who does not affirmatively consent to its continued retention. The company neither admits nor denies any of the allegations.
FTC alleges data broker company mishandled consumer location data
On January 9, the FTC released a proposed order and complaint against a data broker that sells consumer location data to other companies. According to the complaint, which alleges seven violations of the FTC Act, the data broker had no policies or procedures in place to remove, from the raw location data sets it sold, data that could be used to identify sensitive personal information. The FTC alleges that the broker therefore failed to provide the “necessary technical safeguards” to ensure that consumers’ privacy choices were honored. The FTC also alleges that the broker’s contracts with purchasers of the data were “insufficient to protect consumers from the substantial injury caused by the collection, transfer, and use of the consumers’ location data” as they visit sensitive locations, such as churches, healthcare facilities, and schools.
The data broker collected 10 billion location data points daily worldwide through its apps, but failed to inform consumers that it sold this data to advertisers, employers, and government contractors. The FTC further alleges that, given the broker’s lack of reasonable data security measures, its business practices are likely to cause substantial injury to consumers.
Under the proposed order, the company must comply with FTC mandates that prohibit misrepresentations about its use of the data, prohibit the use, sale, or disclosure of sensitive location data, and require it to implement a sensitive location data program. The data broker neither admits nor denies any wrongdoing, and the FTC did not levy a money judgment.
Oregon enacts registration requirements for data brokers
On July 27, the governor of Oregon signed HB 2052 (the “Act”) into law, effective upon passage. The Act provides that a “data broker” cannot collect, sell, or license brokered personal data within Oregon unless it first registers with the Department of Consumer and Business Services. Brokered personal data includes, among other things, name (or the name of a member of the individual’s immediate family or household), date or place of birth, the maiden name of the individual’s mother, biometric information, social security or other government-issued identification number, or other information that can “reasonably be associated” with the individual. A data broker does not include consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act, among others. The registration requirement has certain exceptions, including, among others, a one-time sale of a business entity’s assets. The Act provides for a civil penalty of up to $500 for each violation of the Act or for each day a violation continues, with civil penalties capped at $10,000 per calendar year.
11th Circuit affirms majority of $380 million data breach settlement
On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a data breach of the CRA. (Covered by InfoBytes here.) The 11th Circuit’s opinion resolves challenges brought by objectors to the settlement who argued that plaintiffs lacked Article III standing because they did not have their identities stolen, and challenged, among other things, certain procedural requirements, the appropriateness of class certification given the possibility that some class members may have been able to recover state statutory damages, and the district court’s adoption of an approval order “ghostwritten” by plaintiffs’ counsel. The objectors also argued that the settlement was inadequate given the “unique risks associated with stolen social security numbers,” and disagreed with the award of $77.5 million in attorneys’ fees, as well as the district court’s decision to impose appeal bonds of $2,000 on each objector.
On appeal, the 11th Circuit rejected almost all of the objectors’ arguments after determining that class members, even those who were not victims of identity theft, faced a material risk of harm. The appellate court also held that the procedural requirements were not particularly burdensome given the roughly 147 million class members involved, and concluded that the fact that class members in a couple of states could have argued for statutory damages did not make the named plaintiffs inadequate class representatives. The appellate court further noted that (i) the settlement addressed the seriousness of the stolen social security numbers; (ii) attorneys’ fees (equal to 20.36 percent of the common fund) were within the reasonable range; (iii) objectors failed to show any “practice of uncritically adopting counsel’s proposed orders”; and (iv) the district court did not “abuse its discretion when it imposed the appeal bonds based on its finding that there was a ‘substantial risk that the costs of appeal will not be paid unless a bond is required.’” The 11th Circuit added that “[a]bsent the settlement, the class action could have faced serious hurdles to recovery, and now the class is entitled to significant settlement benefits that may not have even been achieved at trial,” noting that the FTC, CFPB, and state attorneys general for 48 states, the District of Columbia, and Puerto Rico all support the settlement.
The appellate court did, however, reverse the district court’s award of incentive payments to the class representatives and remanded the case solely for the purpose of vacating those awards.
CFPB to release ANPR on consumer access to financial records
On July 24, the CFPB announced plans to issue an Advance Notice of Proposed Rulemaking (ANPR) on consumer-authorized access to financial records later this year. The ANPR follows the February symposium the Bureau held on this subject and on Section 1033 of the Dodd-Frank Act, which addresses consumers’ rights to access information about their financial accounts. As previously covered by InfoBytes, the purpose of the symposium was “to elicit a variety of perspectives on the current and future state of the market for services based on consumer-authorized use of financial data.” The symposium consisted of three panels: (i) the current landscape and benefits and risks of consumer-authorized data access; (ii) market developments; and (iii) considerations for policymakers. Along with the ANPR announcement, the Bureau released a report summarizing the February symposium.
According to the Bureau, the ANPR will solicit feedback on (i) how the Bureau can effectively and efficiently implement the financial access rights described in Section 1033 of Dodd-Frank; (ii) the possible scope of data that might be subject to protected access; and (iii) how the Bureau might resolve the regulatory uncertainty surrounding Section 1033’s interaction with other statutes, such as the FCRA.
CFPB holds symposium on consumer access to financial records
On February 26, the CFPB held a symposium covering consumer access to financial records and Section 1033 of the Dodd-Frank Act, which deals with consumers’ rights to access information about their financial accounts. In her opening remarks, Director Kathy Kraninger pointed out three major changes in data aggregation since the OCC first warned banks about aggregating consumer data in 2001: (i) “the range of actors involved has expanded greatly”; (ii) “the extent to which they are using aggregated data to provide new products and services to millions of American consumers has grown in scope and scale”; and (iii) “technologies that enable safer and more efficient consumer authorized data sharing continue to evolve and proliferate.” According to the CFPB’s press release, the purpose of this symposium was “to elicit a variety of perspectives on the current and future state of the market for services based on consumer-authorized use of financial data.” The symposium consisted of three panels: (i) the current landscape and benefits and risks of consumer-authorized data access; (ii) market developments; and (iii) considerations for policymakers. Panel highlights include:
- Panel #1. The panelists discussed the current landscape of consumer-authorized data access and its potential benefits and risks for consumers. Panelists agreed that consumers should be given control over their data and noted the need to educate consumers on data security. One panelist suggested that consumers need to understand not only the breadth of data that is accessible, but also what sensitive consumer data is being accessed, stored, and shared. She stressed that entities storing or accessing the data should be subject to the same cybersecurity supervision as banks.
- Panel #2. The panel, comprised of experts in market developments and trends, including cash flow underwriting and the business of securing consumer permission to access checking account data, discussed market developments in consumer-authorized data access. One panelist suggested that the U.S. is behind countries like Australia and Canada (where government intervention in the market clarified consumers’ legal right to access their financial data) because of a lack of connectivity and of data field availability in the U.S. Others discussed alternatives to the current screen scraping model, which does not advance transparency or traceability for consumers, such as a model based on application programming interfaces (APIs), which can be used to combine data from various sources into one application. The panelists also discussed tokenized authentication as a possible intermediate phase in moving from screen scraping to APIs. Panelists suggested that the market is making significant technological improvements but lacks guidance from policymakers.
- Panel #3. The third panel focused on “where we are going and how we get there,” the “future of the market,” and “considerations for policymakers on how to” ensure consumer data is safeguarded “while ensuring that consumers have continual access to their data.” Among other things, the panel noted that regulatory intervention in this space has not been common. Many panelists also identified areas of uncertainty, including whether banks or consumers should decide the limits of rights to consumer data. Regarding Section 1033, one panelist characterized the bank view as being that the CFPB does not need to regulate here or provide consumers and their agents with access to their information, but that any entities that do have access to the data should be regulated. Others believed that banks and other financial institutions do not view Section 1033 correctly. Another area of uncertainty was whether the consumer data right is an ownership right, and whether a bank can decide to whom it will or will not provide consumer data.
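As an added illustration (not code from the CFPB, the symposium, or any panelist), the Python sketch below contrasts the two access models Panel #2 discussed: screen scraping, where the aggregator holds the consumer’s bank login and is indistinguishable from the consumer, and a tokenized API, where the data holder issues a token bound to one named aggregator, limited to consumer-approved fields, time-limited and revocable, and logs each access so it is traceable. The bank, aggregator, account fields, signing key and HMAC-signed token format are all hypothetical simplifications of what a real OAuth-style deployment would use.

```python
"""Consumer-authorized data access: scoped, expiring, revocable API tokens
versus credential sharing (screen scraping). Added illustration only; every
name, field, value and key is hypothetical."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample record held by a hypothetical bank (the "data holder").
ACCOUNT = {
    "balance": 1250.75,
    "transactions": [{"date": "2020-02-01", "amount": -42.10, "payee": "Grocer"}],
    "ssn": "123-45-6789",          # sensitive field an aggregator does not need
    "login_password": "hunter2",   # what screen scraping forces the consumer to hand over
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DataHolder:
    """Bank-side issuance and verification of consumer-authorized tokens."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._revoked = set()   # token ids the consumer has revoked
        self.access_log = []    # traceability: which party read which fields, when

    def issue_token(self, consumer_id, aggregator_id, scopes, ttl_seconds, now=None):
        """Consumer grants one named aggregator specific fields for a limited time."""
        now = time.time() if now is None else now
        claims = {
            "jti": secrets.token_hex(8),   # unique id so this grant can be revoked
            "sub": consumer_id,
            "aud": aggregator_id,          # bound to one third party, unusable by others
            "scope": sorted(scopes),       # only the fields the consumer approved
            "exp": now + ttl_seconds,      # lapses unless the consumer re-consents
        }
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def revoke(self, token):
        """Consumer withdraws the grant; only the token id is needed."""
        body, _ = token.split(".", 1)
        self._revoked.add(json.loads(_unb64(body))["jti"])

    def _verify(self, token, aggregator_id, now):
        body, sig = token.split(".", 1)
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["aud"] != aggregator_id:
            raise PermissionError("token was not issued to this aggregator")
        if claims["jti"] in self._revoked:
            raise PermissionError("token revoked by consumer")
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        return claims

    def fetch(self, token, aggregator_id, fields, now=None):
        """API model: return only in-scope fields and record who asked for what."""
        now = time.time() if now is None else now
        claims = self._verify(token, aggregator_id, now)
        denied = [f for f in fields if f not in claims["scope"]]
        self.access_log.append({"who": aggregator_id, "consumer": claims["sub"],
                                "fields": list(fields), "denied": denied, "at": now})
        if denied:
            raise PermissionError(f"out of scope: {denied}")
        return {f: ACCOUNT[f] for f in fields}

    def screen_scrape(self, consumer_id, password, now=None):
        """Credential-sharing model: the aggregator logs in *as* the consumer, so the
        bank exposes every field and the log attributes the access to the consumer."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(password, ACCOUNT["login_password"]):
            raise PermissionError("login failed")
        self.access_log.append({"who": consumer_id, "consumer": consumer_id,
                                "fields": "ALL", "denied": [], "at": now})
        return dict(ACCOUNT)


def try_fetch(bank, token, aggregator_id, fields, now):
    """Return None on success or the denial reason, for easy comparison."""
    try:
        bank.fetch(token, aggregator_id, fields, now=now)
        return None
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    bank = DataHolder(signing_key=b"hypothetical-bank-signing-key")
    tok = bank.issue_token("alice", "budget-app", ["balance", "transactions"], 3600, now=1000.0)
    print(bank.fetch(tok, "budget-app", ["balance"], now=1001.0))    # in scope
    print(try_fetch(bank, tok, "budget-app", ["ssn"], 1001.0))        # out of scope
    print(try_fetch(bank, tok, "other-app", ["balance"], 1001.0))     # wrong audience
    bank.revoke(tok)
    print(try_fetch(bank, tok, "budget-app", ["balance"], 1002.0))    # revoked
    print(sorted(bank.screen_scrape("alice", "hunter2")))             # everything, logged as "alice"
```

The point the panel raised is visible in the access log: every API fetch names the aggregator and the exact fields it received or was refused, whereas the screen-scrape entry is indistinguishable from the consumer’s own login and carries the entire record, password included.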
CFPB symposium on consumer access to financial records set for February 26
On February 20, the CFPB announced that its fourth symposium, regarding Consumer Access to Financial Records and Section 1033 of the Dodd-Frank Act, will be held February 26 at 9:30 am EST. The event will be webcast on the Bureau’s website. According to the Bureau, Section 1033 “addresses consumers’ rights to access information about their financial accounts.” The symposium—featuring remarks from Director Kathy Kraninger and consisting of three panels of experts—will solicit a variety of perspectives on the current and future market for services based on consumer-authorized use of financial data. The first panel, moderated by Paul Watkins, Assistant Director in the Bureau’s Office of Innovation, will discuss the current landscape of holders of consumer data and the benefits and risks of consumer-authorized data access. The second panel will examine market developments in consumer-authorized data access and will be moderated by Will Wade-Gery, Senior Advisor in the Bureau’s Office of Innovation. The third panel will assess the future state of the market, as well as considerations for policymakers on safeguarding consumer data while ensuring consumers have continual access to their data. This panel will be moderated by Thomas Devlin, Managing Counsel in the Bureau’s Research, Markets and Regulation Division.
Find prior InfoBytes symposium coverage here.
Data breach settlement of $380.5 million approved in consumer reporting agency class action
On January 13, the U.S. District Court for the Northern District of Georgia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (company), resolving allegations arising from a 2017 cyberattack that caused a data breach of the company. After the company announced the breach, many consumers filed suit and were eventually joined into a proposed settlement class. As previously covered by InfoBytes, the plaintiffs alleged that the company (i) failed to provide appropriate security to protect stored personal consumer information; (ii) misled consumers regarding the effectiveness and capacity of its security; and (iii) failed to take proper action when vulnerabilities in its security systems became known. The company and the plaintiffs later submitted a proposed settlement order to the court.
According to the final order and judgment, the court certified the settlement class of the approximately 147 million affected consumers, finding the class was adequately represented, and approved the “distribution and allocation plan” as fair and reasonable. Under the approved settlement, the company agreed to, among other things, pay $380.5 million into a settlement fund and potentially up to $125 million more to cover “certain out-of-pocket losses,” $77.5 million in attorneys’ fees, and approximately $1.4 million in reimbursement of expenses. Class members are eligible for additional benefits, including up to 10 years of credit monitoring and identity theft protection services (or cash compensation if they already have those services), as well as identity restoration services for seven years. The company also agreed to spend at least $1 billion on data security and technology over the next five years.
Missouri AG Announces Investigation Into Tech Company’s Privacy Policies and Use of Consumer Data
On November 13, Missouri Attorney General Joshua Hawley announced that his office has issued a civil investigative demand (CID) to a major California-based technology company as part of an investigation into suspected violations of the Missouri Merchandising Practices Act and the state’s antitrust laws. The investigation is focused on certain business practices, including, with respect to privacy issues, the company’s collection, use, retention, storage, sale, and dissemination of information and data about its users and their online activities. The CID requests documents and communications related to, among other things, (i) the company’s privacy policies; (ii) the collection and sharing of data that constitutes “personal information” related to the company’s users; (iii) disclosures concerning the collection of consumers’ credit or debit card transactions; (iv) data the company discloses or shares with third parties, and the identification of third-party partners; and (v) how the company tracks users’ online activities. The company has until January 22, 2018 to comply.