InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC Chairman Simons stresses collaboration with state AGs
On March 5, FTC Chairman Joseph Simons spoke at the National Association of Attorneys General (NAAG) Winter Meeting to advocate for increased collaboration with state Attorneys General. Noting that such collaboration is critical to the agency’s mission, Simons highlighted FTC consumer protection goals as well as several collaborative efforts, including joint task forces and investigation and enforcement initiatives.
State AGs support bipartisan bill to combat illegal robocalls
On March 5, Attorneys General from all 50 states, as well as from the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, sent a letter to the Senate Committee on Commerce, Science, and Transportation supporting a recently introduced bipartisan bill to combat illegal robocalls. Among other things, S. 151, the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), would: (i) grant the FCC three years to take action against robocall violations, instead of the current one-year window; (ii) authorize the agency to issue penalties of up to $10,000 per robocall; and (iii) require service providers to implement the FCC’s new call authentication framework. The AGs state that they “are encouraged that the TRACED Act prioritizes timely, industrywide implementation of call authentication protocols,” and note their support for an interagency working group that the bill would establish consisting of members from the DOJ, FCC, FTC, CFPB, other relevant federal agencies, state AGs, and non-federal stakeholders.
National Consumer Protection Week March 3 - 9
On March 3, the 21st annual National Consumer Protection Week (NCPW) began. According to the FTC announcement, NCPW will run from March 3 through March 9 and aims to help consumers understand their rights while giving them access to free educational materials. The FTC, together with its federal, state and local partners, consumer groups, and other national advocacy organizations intend to provide advice on scams, identity theft, and other fraudulent business practices. A schedule of three specific social media events hosted by the FTC is provided in the announcement.
FTC issues annual summary of ECOA activity to CFPB
On February 26, the FTC announced it had recently provided the CFPB with its annual summary of work on ECOA-related policy issues including the following FTC research and policy development initiatives:
- The FTC held a series of public hearings on competition and consumer protection in the 21st century. Session seven specifically addressed issues related to the use of algorithms, artificial intelligence, and predictive analytics. Panelists addressed how fairness, bias, and discrimination may impact the use of such technologies and debated whether current legal protections such as ECOA sufficiently cover these issues.
- The FTC continued its qualitative study of consumer experiences when buying and selling automobiles at dealerships, which the agency believes will help focus initiatives, such as educating consumers about the purchase and financing process and providing business education to promote compliance with the FTC Act and ECOA.
- The FTC’s Military Task Force, which consists of a cross-section of agency representatives, continued to work on military consumer protection issues. Workshops were conducted to examine financial issues and scams targeting military consumers, including servicemembers and veterans. In addition, the FTC participated in a training program for servicemembers and their families to discuss ECOA and Regulation B protections.
- The FTC maintained its membership in the Interagency Task Force on Fair Lending, along with the CFPB, DOJ, HUD, and the federal banking regulatory agencies, and participated in the Financial Fraud Enforcement Task Force.
Concerning fair lending, the FTC stated that it provided education on several topics, including those related to credit transactions that fall under Regulation B.
Senate Banking Committee seeks data privacy feedback
On February 13, Senate Committee on Banking, Housing, and Urban Affairs Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) invited stakeholder feedback on “the collection, use and protection of sensitive information from financial regulators and private companies” as a means of informing potential future legislation. In a press release issued by the committee, Crapo noted, “Given the exponential growth and use of data, and corresponding data breaches, it is worth examining how the Fair Credit Reporting Act should work in a digital economy, and whether certain data brokers and other firms serve a function similar to the original consumer reporting agencies.” He further stressed the importance of understanding how consumer data is compiled and protected, and how consumers are able to access and correct sensitive information. The release sought answers to five questions designed to help examine ways in which legislation, regulation, or the implementation of best practices can (i) provide consumers better control over their financial data, as well as timely data breach notifications; (ii) ensure consumers receive disclosures concerning both the type of information being collected and its purpose for collection; (iii) provide consumers control over how their data is being used—including the sharing of information by third-parties; (iv) protect consumer data and ensure the accuracy of reported information in a consumer’s credit file; and (v) allow consumers the ability to “easily identify and exercise control of data that is being . . . collected and shared” as a determining factor when establishing whether a consumer is eligible for, among other things, credit or employment.
FTC to hold public hearings on consumer privacy and data security; focus will address data security enforcement program
On October 26, the FTC announced it will hold four days of public hearings in December 2018 and February 2019 to examine the Commission’s authority to deter unfair and deceptive conduct in data security and privacy matters as part of its broader series of hearings on “Competition and Consumer Protection in the 21st Century.” According to the FTC, these hearings (i) “will provide the first comprehensive re-examination of the FTC’s approach to consumer privacy since 2012,” and (ii) “will provide an opportunity to reexamine the Commission’s work in light of changing technologies, legal regimes, and business models.”
The FTC will continue to accept public comments through March 13, 2019, regarding items to be discussed at the February 2019 hearing. As previously covered by InfoBytes, a coalition of bipartisan state Attorneys General submitted a comment letter to the FTC last August requesting that they be included in the discussions regarding consumer protection during the Commission’s hearing process. Specifically, the letter emphasized the states’ “long history of protecting consumers from unfair and deceptive practices” under each state’s consumer protection authority, and noted consumers’ concerns over personal information and data security.
California reinstates provisions of Homeowner Bill of Rights
On September 14, the California governor signed SB 818, which permanently reinstates and amends certain provisions of California’s Homeowner Bill of Rights (HBOR), which expired on January 1, 2018. The revised and restored provisions of the HBOR, among other things, require entities that foreclosed on more than 175 first lien mortgages and deeds of trust on owner-occupied residences during the prior reporting year to: (i) stop foreclosure proceedings if a complete loan modification application is submitted and pending, a homeowner is in compliance with a foreclosure prevention alternative, or an appeal of a loan modification denial is pending; (ii) include in the notice of default a specified declaration regarding contact with a borrower; (iii) send a written notice of a loan modification denial, specifying the reasons for the denial and providing foreclosure prevention alternatives; (iv) assign a single point of contact to any borrower who requests foreclosure prevention assistance; (v) not charge fees in conjunction with applications for foreclosure prevention alternatives; and (vi) honor loss mitigation alternatives following servicing transfers. The legislation also adds a legislative intent clause that emphasizes that any amendment, addition, or repeal of an HBOR section will not have the effect to release, extinguish, or change any liability under a previous section that was in effect at the time of an action.
Pennsylvania appeals court upholds broad standard for “deception” under state consumer protection law
On September 12, the Superior Court of Pennsylvania held that Pennsylvania’s Uniform Trade Practices and Consumer Protection Law (UTPCPL) imposes strict liability on businesses who deceive consumers and does not require proof of fraud or negligent misrepresentation to state a claim. The plaintiffs brought common law claims of fraudulent and negligent misrepresentation and a statutory claim under the UTPCPL against insurance companies related to the sale of various insurance products. The common law claims of fraudulent and negligent misrepresentation went to a jury, which returned verdicts on both counts in favor of the insurance companies. The trial judge, however, found that the insurance companies violated the “deceptive” provision of the UTPCPL and awarded damages to the consumers. The insurance companies appealed, arguing that (i) the jury verdict on the common law claims required the court to dismiss the UTPCPL claim, and (ii) challenging the judge’s damages award calculation.
The appellate court affirmed the trial court’s determination that the defendants acted deceptively under the UTPCPL. The insurance companies argued that the UTPCPL claim was barred by the doctrines of collateral estoppel and res judicata based on the jury’s determination that the defendants had not committed a negligent misrepresentation. The appellate court, however, explained that these doctrines do not apply because the UTPCPL raises distinct issues. The court rejected the argument that the consumer must prove common law negligent misrepresentation to bring a claim under the deceptive prong of the UTPCPL. The court concluded that “any deceptive conduct, ‘which creates a likelihood of confusion or of misunderstanding,’” is actionable under the UTPCPL “whether committed intentionally (as in a fraudulent misrepresentation), carelessly (as in a negligent misrepresentation), or with the upmost care (as in strict liability).” The court also upheld the trial court’s damages determination under the UTPCPL, finding that the judge’s calculation was appropriate and consistent with the statute.
29 bipartisan state Attorneys General respond to FTC's consumer protection hearing announcement
On August 20, a bipartisan coalition of 29 state Attorneys General, led by Oregon Attorney General Ellen Rosenblum, submitted a comment letter to the FTC regarding the agency’s June announcement of public hearings on “Competition and Consumer Protection in the 21st Century.” The letter requests that the state Attorneys General be included in the discussions regarding consumer protection during the agency’s hearing process, which intends to address “whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy.” The letter emphasizes the states’ “long history of protecting consumers from unfair and deceptive practices” under each state’s consumer protection authority and offers specific comment on three areas of the FTC request: (i) privacy and big data; (ii) communication and media technology; and (iii) algorithmic decision tools and other artificial intelligence. Specifically, the Attorneys General note consumers’ concerns over personal information and data security, stating the “[i]ndustry must place privacy and security front and center in its research and development of products and services.” The letter concludes with a request that the agency take into account the “important role” the Attorneys General have in consumer protection and include their offices in the hearing process.
Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement
On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered entities—defined in the statute as, “a person . . . that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation”— to notify affected Colorado residents within 30 days after the determination that a security breach occurred. The notice to residents must include, among other things, (i) the date range of the security breach; (ii) a description of the personal information that was part of the security breach; (iii) contact information for the entity; and (iv) contact information for credit reporting agencies and the FTC. The act defines personal information to include a Colorado resident’s first name or first initial and last name in combination with the following non-encrypted or redacted items: “social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.” Other key elements of the law include:
- In addition to notifying affected residents, covered entities must notify the Colorado Attorney General within 30 days if the entity determines 500 or more people have been affected by the security breach, unless the entity determines that misuse of the information has not and is not likely to occur.
- If the covered entity determines 1000 or more people are affected by the security breach, “in the most expedient time possible and without unreasonable delay” the entity must notify all consumer reporting agencies.
- Covered entities are required to implement and maintain reasonable security procedures that are “appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.”
- If a covered entity discloses a consumer’s personal information to a third-party service provider, the covered entity must require the third-party to implement and maintain reasonable security procedures.
The law also includes security and notification requirements for Colorado governmental entities.