
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC to use CIDs and subpoenas to streamline investigations

    Federal Issues

    On September 14, the FTC voted 3-2, at the recommendation of the Bureau of Consumer Protection and Bureau of Competition, to approve a series of resolutions intended to streamline consumer protection and competition investigations in core FTC-priority areas over the next decade. At the recommendation of the Bureaus, the FTC authorized eight new compulsory process resolutions, which authorize the use of civil investigative demands and subpoenas when investigating the following areas: (i) acts or practices affecting U.S. servicemembers and veterans; (ii) acts or practices affecting children under 18; (iii) algorithmic and biometric bias; (iv) deceptive and manipulative online conduct, including matters related to tech support scams, payment processing, marketing of goods and services, and user interface manipulation; (v) repair restrictions; (vi) intellectual property abuse; (vii) common directors and officers and common ownership; and (viii) monopolization offenses. According to the FTC, adopting these resolutions will enhance and streamline the ability of FTC investigators and prosecutors to obtain evidence in critical investigations relating to potential violations of the FTC Act. FTC Commissioner Rohit Chopra issued a statement following the vote, commenting that the adoption “will improve the agency’s ability to order documents and data in investigations and fills a notable gap in the Commission’s long list of enforcement authorizations developed over many years.”

    Federal Issues FTC Consumer Protection FTC Act Investigations Enforcement Servicemembers UDAP

  • FCC takes action against robocalls

    Agency Rule-Making & Guidance

    On August 5, the FCC announced a “fair and consistent” process for reviewing actions regarding a voice service provider’s ability to comply with the FCC’s anti-spoofing caller ID authentication rules. FCC rules require broad implementation of the STIR/SHAKEN caller ID authentication framework on voice service providers’ IP networks. As previously covered by InfoBytes, the STIR/SHAKEN framework addresses, among other things, “unlawful spoofing by confirming that a call actually comes from the number indicated in the Caller ID, or at least that the call entered the US network through a particular voice service provider or gateway.” Since June 30, all major phone companies have been using the STIR/SHAKEN caller ID authentication framework in their IP networks (covered by InfoBytes here). To combat illegal spoofing, the STIR/SHAKEN standards serve as a common digital language used by phone networks, which allows valid information to be passed from provider to provider. The standards also allow most caller ID information to be verified, and allow providers and third-party consumer protection services to use that information to inform call blocking or warning services to protect customers. According to the FCC, “[t]he widespread implementation of STIR/SHAKEN is a major step forward in the FCC’s fight against malicious spoofing and scam robocalls.”

    Agency Rule-Making & Guidance FCC Robocalls Privacy/Cyber Risk & Data Security Consumer Protection

  • District Court: Online payment processor must face data collection class action claims

    Courts

    On July 28, the U.S. District Court for the Northern District of California granted in part and denied in part an online payment processor’s motion to dismiss class claims concerning several alleged violations of various state privacy and wiretapping laws and related claims. The plaintiffs alleged that the defendant “secretly track[ed], collect[ed], and stor[ed] the personal data and web activity of visitors to merchants’ website[s],” and created a software code allowing merchants to integrate the company’s payment platform into merchants’ applications. The complaint alleged that most consumers making online purchases were unaware that their transactions were processed by the defendant and instead believed to be communicating directly with the merchants. Specifically, the defendant allegedly (i) obtained or stored consumers’ sensitive information (such as financial information, location, IP addresses, and purchasing information); (ii) correlated all payments consumers made across the defendant’s entire payment processing platform and provided much of it to other merchant clients without informing the consumers; and (iii) installed cookies on consumers’ computers and mobile devices to track purchasing behavior across the defendant’s payment network. This allowed merchants to see a consumer’s purchasing history of all transactions processed by the defendant and obtain a transaction-level risk score from the defendant.

    The court denied the motion to dismiss as to plaintiffs’ claims of invasion of privacy and intrusion under California’s Constitution and common law, finding that the plaintiffs had sufficiently alleged that they did not consent to the defendant’s disclosure of their information to its merchants and customers. The court was precluded from finding that plaintiffs had no reasonable expectation of privacy because the language in the defendant’s privacy policy limited the sharing of information with third parties to assisting with the prevention or detection of fraud or to processing services only.

    In dismissing the wiretap claims, the court reviewed the “sign-in wrap” agreement presented to consumers at the purchase checkout page, which required plaintiffs to agree to the defendant’s terms of service and privacy policy whenever they placed an order. While the plaintiffs argued that the privacy policy “does not provide sufficient notice that [the defendant] would collect the information that it did,” the court pointed out that the policy contained provisions disclosing that third parties like the defendant “may obtain not only credit card data, but also ‘identifiers, demographic information, commercial information, relevant order information, internet activity, geolocation data, sensory information, and inferences,’” and that partners may also “use various technologies” to “collect information about [consumer] online activity over time and across different websites or online services.” Among other things, the court reasoned that the disclosures were binding on the consumers, even though they were provided by the defendant and not the merchants.

    The court dismissed in part the plaintiffs’ claims under California’s Unfair Competition Law (UCL) and California Consumer Privacy Act (CCPA), in part because the CCPA “has no private right of action” and “consumers may not use the CCPA as a basis for a private right of action under any statute.” The court also dismissed the plaintiffs’ fraud prong of the UCL, but allowed the plaintiffs’ unfair competition prong under the UCL to proceed.

     

    Courts Privacy/Cyber Risk & Data Security Consumer Protection Class Action State Issues Wire Tapping

  • Commissioners discuss importance of restoring FTC’s authority

    Federal Issues

    On July 28, the House Committee on Energy and Commerce’s Subcommittee on Consumer Protection and Commerce held a hearing titled “Transforming the FTC: Legislation to Modernize Consumer Protection” to discuss, among other things, the importance of restoring the Commission’s ability to secure monetary relief from companies and individuals that violate the law. Testifying before the subcommittee were FTC Chair Lina M. Khan and Commissioners Noah Joshua Phillips, Rohit Chopra, Rebecca Kelly Slaughter, and Christine S. Wilson. Khan and the Commissioners discussed pending federal legislation intended to modify the FTC’s authority and addressed severe resource constraints affecting the FTC’s attempts to address the increasing number of global mergers and acquisitions, as well as the large number of consumer complaints related to Covid-19 pandemic-related marketplace abuses. They noted that despite these challenges, “thanks in part to the civil penalty authority provided by this Subcommittee in the COVID-19 Consumer Protection Act,” (covered by InfoBytes here) “the Commission has successfully halted dozens of COVID-related scams.”

    Khan and the Commissioners also discussed the importance of restoring the FTC’s ability to secure monetary relief from those that violate the law, which was limited following the U.S. Supreme Court’s recent decision in AMG Capital Management v. FTC (covered by InfoBytes here). “[P]ending cases today involve $2 billion in potential relief to victims, which is not available after AMG,” the testimony provided. “Unless the agency has clear authority to obtain monetary relief, this decision will continue to impede our ability to provide refunds to Americans harmed by deceptive, unfair, or anticompetitive conduct.” Moreover, a recent decision issued by the U.S. Court of Appeals for the Third Circuit “held that the language in Section 13(b) of the FTC Act describing a company that ‘is engaged in, or is about to engage in’ illegal conduct means the FTC can initiate enforcement actions only when a violation is either ongoing or ‘impending’ at the time the suit is filed.” This decision, the FTC claimed, “limits the Commission’s ability to hold accountable entities who engaged in illegal conduct that occurred entirely in the past.”

    Federal Issues FTC Consumer Protection Enforcement

  • New York expands definition of telemarketing to include text messages

    State Issues

    On July 13, the New York governor signed S.3941, which expands the state’s definition of telemarketing to include marketing by text message. A press release issued by the governor noted that expanding the definition closes a loophole in state law that previously limited the definition to phone calls, including unwanted robocalls. “Electronic text messages to [] mobile devices have become the newest unwelcomed invasive marketing technique. Consumers should not be burdened with excessive and predatory telemarketing in any form, including text messages,” the press release stated. The act takes effect 30 days after becoming law.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Robocalls Consumer Protection Telemarketing

  • Special Alert: Colorado enacts comprehensive consumer privacy law

    Privacy, Cyber Risk & Data Security

    On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became the first state to put in place significant consumer data privacy measures under the California Consumer Privacy Act (covered by a Buckley Special Alert), and earlier this year in March, Virginia enacted the Consumer Data Protection Act (covered by InfoBytes here).

    Highlights of the CPA include:

    Privacy/Cyber Risk & Data Security State Issues State Legislation Colorado Consumer Protection Special Alerts

  • Connecticut amends data security breach provisions

    State Issues

    On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection personal identification numbers; (iii) passport and military identification numbers, as well as other government-issued identification numbers; (iv) medical information; (v) health insurance policy numbers or other identifiers used by health insurers; (vi) biometric information; and (vii) user names or email addresses combined with passwords or security questions and answers used to access an individual’s online account.

    The act also requires businesses to notify residents whose personal information was breached or reasonably believed to have been breached within 60 days instead of 90 days after the discovery of the breach. Should a business identify additional affected residents after 60 days, it is required to provide notice as expediently as possible. Additionally, in the event that a resident’s login credentials are breached, a business may provide notice in electronic form (or another form) that directs the individual to take appropriate measures to protect the affected online account and all other online accounts. Businesses that furnish email accounts are also required to either verify that the affected individual received the data breach notice or provide notification through another method. The act also adds provisions related to compliance with privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, and specifies that information provided in response to an investigative demand connected to a data breach will be exempt from public disclosure, but the attorney general may make the information available to third parties in furtherance of the investigation. The act takes effect October 1.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Data Breach Consumer Protection

  • Nevada updates consumer privacy framework

    State Issues

    On June 2, the Nevada governor signed SB 260, which revises certain provisions under the state’s existing privacy law. Among other things, the act (i) adds “data broker” to the existing privacy framework; (ii) exempts certain persons and information collected about a consumer in the state from requirements imposed on operators, data brokers, and covered information, including consumer reporting agencies, personally identifying information regulated by the FCRA or the federal Driver’s Privacy Protection Act, information collected for the purposes of fraud information, publicly available information, and financial institutions; (iii) prohibits a data broker from selling covered information collected about a consumer in the state if so directed by the consumer, and revises provisions related to the sale of certain covered information about a consumer; (iv) requires data brokers to respond to a consumer’s verified request within 60 days after receipt (a data broker may extend this period by no more than 30 days if an extension is determined to be reasonably necessary); (v) provides data brokers and operators 30 days to remedy violations of the opt-out requirement (provided they have not previously failed to comply with the opt-out requirements); and (vi) updates the definition of “sale” to include “the exchange of covered information for monetary consideration by an operator or data broker to another person.” While existing law already provides the Nevada attorney general with the authority to seek injunctive relief and impose civil penalties of no more than $5,000 per violation, the act extends this authority to cover data brokers. Additionally, the act explicitly does not provide for a private right of action against operators. The act takes effect October 1.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Data Brokers Consumer Protection

  • FTC to release closing letters on investigations

    Federal Issues

    On May 24, the FTC announced that it will be releasing closing letters (letters from FTC staff telling a company or individual that the FTC is closing its investigation into their conduct), which “may supplement law enforcement with other methods, including consumer education, business guidance, warning letters, national workshops, reports.” However, the text in the letters makes it clear that the “FTC reserves the right to take further action as the public interest may require.” The FTC also notes that although the closing letters “serve a narrow purpose,” they often include a guide that can help other companies with their own compliance efforts.

    Federal Issues FTC Consumer Finance Consumer Protection

  • Colorado sues PSLF student loan servicer

    State Issues

    On May 26, the Colorado attorney general filed a complaint against a Pennsylvania-based student loan servicer that handles the Public Service Loan Forgiveness (PSLF) program, alleging the servicer failed to comply with state law when asked to provide certain documentation. Under the Colorado Student Loan Servicers Act (SLSA), the state is “authorized to conduct examinations and investigations of student loan servicers that are servicing student education loans owned by residents of Colorado.” The SLSA also allows the state to enforce compliance by bringing a civil action to prevent servicers from violating the SLSA and to obtain other appropriate relief. According to the AG’s press release, the state requested information related to the servicer’s handling of the PSLF program during the Covid-19 pandemic. The servicer allegedly refused to produce the requested materials and only provided certain limited documents regarding non-government owned loans related to its business line. The complaint seeks a preliminary and permanent injunction compelling the servicer to comply with the AG’s oversight authority and provide the requested documentation.

    State Issues State Attorney General Student Lending Courts Student Loan Servicer Consumer Protection Covid-19
