InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court dismisses FTC’s privacy claims in geolocation action
On May 4, the U.S. District Court for the District of Ohio issued two separate rulings in a pair of related disputes between the FTC and a data broker. The disputes center around accusations made by the FTC last August that the data broker violated Section 5 of the FTC Act by unfairly selling precise geolocation data from hundreds of millions of mobile devices which can be used to trace individuals’ movements to and from sensitive locations (covered by InfoBytes here). The FTC sought a permanent injunction to stop the data broker’s practices, as well as additional relief. The data broker, upon learning that the FTC planned to filed a lawsuit against it, filed a preemptive lawsuit challenging the agency’s authority.
The court first dismissed the data broker’s preemptive bid to block the FTC’s enforcement action, ruling that the data broker has not identified any “viable cause of action” to support its request for injunctive relief. The court explained that injunctive relief is a “drastic remedy” that is only available if no other legal remedy is available. However, the data broker possesses an “adequate remedy at law,” the court said, “because it can seek dismissal of, and otherwise directly defend against, the FTC’s enforcement action.”
With respect to the FTC’s action, the court granted the data broker’s motion to dismiss the FTC’s complaint, but gave the agency leave to amend. The court agreed with the data broker that the FTC’s complaint lacks sufficient allegations to support its unfairness claim under Section 5 of the FTC Act. While the court disagreed with the data broker’s assertion that it did not have “fair notice that its sale of geolocation data without restrictions near sensitive locations could violate Section 5(a) of the FTC Act” or that the FTC had to allege a predicate violation of law or policy to state a claim, the court determined that the FTC failed to adequately allege that the data broker’s practices created “a ‘significant risk’ of concrete harm.” Moreover, the court found that “the purported privacy intrusion is not severe enough to constitute ‘substantial injury’ under Section 5(n).” The court noted, however that some of the deficiencies may be cured through additional factual allegations in an amended complaint.
OCC, FDIC say some overdraft fees may be unfair or deceptive
On April 26, the OCC and FDIC issued supervisory guidance addressing consumer compliance risks associated with bank overdraft practices. (See OCC Bulletin 2023-12 and FDIC FIL-19-2023.) The guidance highlighted certain practices that may result in increased risk exposure, including assessing overdraft fees on “authorize positive, settle negative” (APSN) transactions and assessing representment fees each time a third party resubmits the same item for payment after being returned by a bank for non-sufficient funds. The agencies provided guidance for banks that may help control risks associated with overdraft protection programs and achieve compliance with Dodd-Frank’s UDAAP prohibitions and section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices.
The FDIC’s supervisory guidance expanded on the 2019 Consumer Compliance Supervisory Highlights (covered by InfoBytes here), and warned that APSN overdraft fees present risks of unfairness under both statutes as consumers “cannot reasonably avoid” receiving these fees because they lack “the ability to effectively control payment systems and overdraft processing systems practices.” The FDIC cited the “complicated nature of overdraft processing systems” as another impediment to a consumer’s ability to avoid injury. The FDIC also emphasized that risks of unfairness exist both in “available balance” or “ledger balance” methods of assessing overdraft fees, but cautioned that risks may be “more pronounced” when a bank uses an available balance method. Furthermore, the FDIC warned that disclosures describing how transactions are processed may not mitigate UDAAP and UDAP risk. Banks are encouraged to “ensure customers are not charged overdraft fees for transactions consumers may not anticipate or avoid,” and should take measures to ensure overdraft programs provided by third parties comply with all applicable laws and regulations, as such arrangements may present additional risks if not properly managed, the FDIC explained.
The OCC’s guidance also warned that disclosures may be deceptive under section 5 if they fail to clearly explain that multiple or additional fees may result from multiple presentments of the same transaction. Recognizing that some banks have already implemented changes to their overdraft protection programs, the OCC also acknowledged that “[w]hen supported by appropriate risk management practices, overdraft protection programs may assist some consumers in meeting short-term liquidity and cash-flow needs.” The OCC encouraged banks to explore other options, such as offering low-cost accounts and low-cost alternatives for covering overdrafts, such as overdraft lines of credit and linked accounts.
FTC finalizes gaming company order on dark patterns
On March 14, the FTC finalized an administrative order requiring a video game developer to pay $245 million in refunds to consumers allegedly tricked into making unwanted in-game purchases. As previously covered by InfoBytes, the FTC filed an administrative complaint claiming players were able to accumulate unauthorized charges without parental or card holder action or consent. The FTC alleged that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Under the terms of the final decision and order, the company is required to pay $245 million in refunds to affected card holders. The company is also prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the company is barred from blocking players from accessing their accounts should they dispute unauthorized charges.
Separately, last month the U.S. District Court for the Eastern District of North Carolina entered a stipulated order against the company related to alleged violations of the Children’s Online Privacy Protection Act (COPPA). The FTC claimed the company failed to protect underage players’ privacy and collected personal information without first notifying parents or obtaining parents’ verifiable consent. Under the terms of the order, the company is required to ensure parents receive direct notice of its practices with regard to the collection, use or disclosure of players’ personal information, and must delete information previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company is required to implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, obtain regular, independent audits, and pay a $275 million civil penalty (the largest amount ever imposed for a COPPA violation).
FTC proposes changes to Negative Option Rule
On March 23, the FTC announced a notice of proposed rulemaking (NPRM) seeking feedback on proposed amendments to the agency’s Negative Option Rule, which is used to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs. (See also FTC fact sheet here.) Claiming that current laws and regulations do not clearly provide a consistent legal framework for these types of programs, the NPRM, which applies to all subscription features in all media, proposes to add a new “click to cancel” provision that would make it as easy for consumers to cancel their enrollment as it was to sign up. The NPRM would also require sellers to first ask consumers whether they want to hear about new offers or modifications before making a pitch when consumers are trying to cancel their enrollment. If a consumer says “no” a seller must immediately implement the cancellation process. Sellers would also be required to provide consumers who are enrolled in negative option programs with an annual reminder involving anything other than physical goods before they are automatically renewed.
Commissioner Christine Wilson issued a dissenting statement, in which she argued that while the NPRM “may achieve the goal of synthesizing the various requirements in one rule,” it “is not confined to negative option marketing [as it] also covers any misrepresentation made about the underlying good or service sold with a negative option feature.” Wilson commented, “as drafted, the Rule would allow the Commission to obtain civil penalties, or consumer redress under Section 19 of the FTC Act, if a marketer using a negative option feature made misrepresentations regarding product efficacy or any other material fact.”
CFPB scrutinizes discharged private student loan billing and collection practices
On March 16, the CFPB released a compliance bulletin discussing student loan servicers’ practice of collecting on private student loans discharged in bankruptcy. The bulletin also notified regulated entities on how the Bureau intends to exercise its enforcement and supervisory authorities on this issue. Bulletin 2023-01: Unfair Billing and Collection Practices After Bankruptcy Discharges of Certain Student Loan Debts addressed the treatment of certain private student loans following bankruptcy discharge. The Bureau explained that in order to secure a discharge of a qualified education loan in bankruptcy, a borrower must demonstrate that the loan would impose an undue hardship if not discharged. Loans that do not meet this qualification (“non-qualified student loans”) can be discharged under standard bankruptcy discharge orders, the Bureau said.
Bureau examiners found, however, that several servicers failed to determine whether a borrower’s loan was qualified or non-qualified. As a result, non-qualified student loans were returned to repayment after a bankruptcy concluded, wherein servicers continued to bill and collect payments on the loans even through the borrower was released from this debt through the bankruptcy discharge. According to the Bureau, many borrowers, when faced with collection activities in violation of a bankruptcy court order, continued to make payments on debts they no longer owed.
The Bureau explained that servicers who collected on student loans that were discharged by a bankruptcy court violate the prohibition on unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. The bulletin described unfair practices observed by examiners, such as servicers relying entirely on loan holders to distinguish among the loans and not ensuring that such holders had in fact done so. The bulletin also provided examples of student loans that are eligible for standard bankruptcy discharge, including loans made to students attending schools that are ineligible for federal student aid and loans made to students attending school less than half time. Bureau examiners instructed servicers to immediately stop collecting on discharged loans and take remedial action, including conducting a multi-year lookback and issuing refunds to affected borrowers.
FTC orders refunds over compromised health data
On March 2, the FTC filed a complaint against an online counseling service alleging the respondent violated the FTC Act by monetizing consumers’ sensitive health data for targeted advertising purposes. As part of the process to sign up for the respondent’s counseling services, consumers are required to provide sensitive mental health information, as well as other personal information. Consumers are promised that their personal health data will not be used or disclosed except for limited purposes, such as for counseling services. However, the FTC claimed the respondent used and revealed consumers’ sensitive health data to third parties for advertising purposes. According to the FTC, the respondent failed to maintain sufficient policies or procedures to protect the sensitive information and did not obtain consumers’ affirmative express consent before disclosing the health data. The respondent also allegedly failed to limit how third parties could use the health data and denied reports that it revealed consumers’ sensitive information.
Under the terms of the proposed consent order, the respondent will be required to pay $7.8 million in partial refunds to affected users and will be banned from disclosing health information to certain third parties for re-targeting advertising purposes. This will be the first FTC action returning funds to consumers whose health data was compromised. The respondent will also be prohibited from misrepresenting its sharing practices and must also (i) obtain users’ affirmative express consent before disclosing personal information to certain third parties for any purpose; (ii) implement a comprehensive privacy program with strong safeguards to protect users’ data; (iii) instruct third parties to delete shared personal data; and (iv) implement a data retention schedule imposing limits on how long personal data can be retained.
CFPB orders nonbank title lender to pay $15 million for numerous violations
On February 23, the CFPB entered a consent order against a Georgia-based nonbank auto title lender (respondent) for alleged violations of the Military Lending Act (MLA), the Truth in Lending Act, and the Consumer Financial Protection Act. According to the Bureau, the respondent allegedly charged nearly three times the MLA’s 36 percent annual interest rate cap on auto title loans made to military families. The respondent also allegedly changed military borrowers’ personal information in an attempt to hide their protected status, included mandatory arbitration clauses and unreasonable notice provisions in its loans, and charged fees for an insurance product that provided no benefit to the borrower. The Bureau noted that the respondent has been under a consent order since 2016 for allegedly engaging in unfair and abusive acts related to its lending and debt collection practices (covered by InfoBytes here). While neither admitting nor denying any of the allegations, the respondent has agreed to pay $5.05 million in consumer redress and a $10 million penalty. The respondent must also implement robust measures to prevent future violations.
Gaming company to pay $520 million to resolve FTC allegations
On December 19, the DOJ filed a complaint on behalf of the FTC against a video game developer for allegedly violating the Children’s Online Privacy Protection Act (COPPA) by failing to protect underage players’ privacy. The FTC also alleged in a separate administrative complaint that the company employed “dark patterns” to trick consumers into making unwanted in-game purchases, thus allowing players to accumulate unauthorized charges without parental involvement. (See also FTC press release here.)
According to the complaint filed in the U.S. District Court for the Eastern District of North Carolina, the company allegedly collected personal information from players under the age of 13 without first notifying parents or obtaining parents’ verifiable consent. Parents who requested that their children’s personal information be deleted allegedly had to take unreasonable measures, the FTC claimed, and the company sometimes failed to honor these requests. The company is also accused of violating the FTC Act’s prohibition against unfair practices when its settings enabled, by default, real-time voice and text chat communications for children and teens. These default settings, as well as a matching system that enabled children and teens to be matched with strangers to play the game, exposed players to threats, harassment, and psychologically traumatizing issues, the FTC maintained. While company employees expressed concerns about the default settings and players reported concerns, the FTC said that the company resisted turning off the default setting and made it difficult for players to figure out how to turn the voice chat off when the FTC did eventually take action.
Under the terms of a proposed court order filed by the DOJ, the company would be prohibited from enabling voice and text communications unless parents (of players under the age of 13) or teenage users (or their parents) provide affirmative consent through a privacy setting. The company would also be required to delete players’ information that was previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company must implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, and obtain regular, independent audits. According to the DOJ’s announcement, the company has agreed to pay $275 million in civil penalties—the largest amount ever imposed for a COPPA violation.
With respect to the illegal dark patterns allegations, the FTC claimed that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Players were able to purchase in-game content by pressing buttons without requiring any parental or card holder action or consent. Additionally, the company allegedly blocked access to purchased content for players who disputed unauthorized charges with their credit card companies, and threatened players with a lifetime ban if they disputed any future charges. Moreover, cancellation and refund features were purposefully obscured, the FTC asserted.
To resolve the unlawful billing practices, the proposed administrative order would require the company to pay $245 million in refunds to affected players. The company would also be prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the order would bar the company from blocking players from accessing their accounts should they dispute unauthorized charges.
States say student loan trusts are subject to the CFPA’s prohibition on unfair debt collection practices
On November 15, a bipartisan coalition of 23 state attorneys general led by the Illinois AG announced the filing of an amicus brief supporting the CFPB’s efforts to combat allegedly illegal debt collection practices in the student loan industry. As previously covered by InfoBytes, in February, the U.S. District Court for the District of Delaware stayed the Bureau’s 2017 enforcement action against a collection of Delaware statutory trusts and their debt collector after determining there may be room for reasonable disagreement related to questions of “covered persons” and “timeliness.” The district court certified two questions for appeal to the U.S. Court of Appeals for the Third Circuit related to (i) whether the defendants qualify as “covered persons” subject to the Bureau’s enforcement authority; and (ii) whether the case can be continued after the Supreme Court’s 2020 decision in Seila Law v. CFPB (which determined that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau—covered by a Buckley Special Alert). Previously, the district court concluded that the suit was still valid and did not need ratification because—pointing to the majority opinion in the Supreme Court’s decision in Collins v. Yellen (covered by InfoBytes here)—“‘an unconstitutional removal restriction does not invalidate agency action so long as the agency head was properly appointed[,]’” and therefore the Bureau’s actions are not void and do not need to be ratified, unless a plaintiff can show that “the agency action would not have been taken but for the President’s inability to remove the agency head.” The district court later acknowledged, however, that Collins “is a very recent Supreme Court decision” whose scope is still being “hashed out” in lower courts, which therefore “suggests that there is room for reasonable disagreement and thus supports an interlocutory appeal here.”
The states argued that they have a “substantial interest” in protecting state residents from unlawful debt collection practices, and that this interest is implicated by this action, which addresses whether the defendant student loan trusts are “covered persons” subject to the prohibition on unfair debt collection practices under the CFPA. Urging the 3rd Circuit to affirm the district court’s decision to deny the trusts’ motion to dismiss, the states contended among other things, that hiring third-party agencies to collect on purchased debts poses a large risk to consumers. These types of trusts, the states said, “profit only when the third parties that they have hired are able to collect on the flawed debt portfolios that they have purchased.” Moreover, “[d]ebt purchasing entities, including entities like the [t]rusts, are thus often even more likely than the original creditors to resort to unlawful tactics in undertaking collection activities,” the states stressed, explaining that in order to combat this growing problem, many states apply their prohibitions on unlawful debt collection practices “to all debt purchasers that seek to reap profits from these illegal activities, including those purchasers that outsource collection to third parties.” The Bureau’s decision to do the same is therefore appropriate under the CFPA, the states wrote, adding that “as a practical matter, these debt purchasers are as problematic as debt purchasers that collect on their own debt. The [t]rusts’ request to be treated differently because of their decision to hire third party agents to collect on the debts that they have purchased (and reap the profits on) should be rejected.”
FTC looks to Section 5 in enforcing “unfair” competition
On November 10, the FTC issued a policy statement announcing that it would “rigorously enforc[e] the federal ban on unfair methods of competition.” According to the announcement, the FTC intends to make wider use of the FTC Act to police companies that use unfair tactics to try to gain a competitive advantage. “When Congress created the FTC, it clearly commanded us to crack down on unfair methods of competition,” FTC Chair Lina M. Khan said. “Enforcers have to use discretion, but that doesn’t give us the right to ignore a central part of our mandate. Today’s policy statement reactivates Section 5 and puts us on track to faithfully enforce the law as Congress designed.” In enacting Section 5, Congress purposely introduced the phrase “unfair methods of competition” in the statute to distinguish the FTC’s authority from the definition of “unfair competition” at common law, the policy explained, adding that Section 5 was designed to extend beyond the reach of antitrust laws. However, recognizing that a static definition would become outdated, Congress afforded the FTC flexibility to adapt to changing circumstances. The policy statement lays out the FTC’s approach for policing unfair methods of competition, and will allow the Commission to, among other things, sue companies under its mandate to protect consumers from fraudulent practices, price discrimination, exclusive deals and loyalty rebates, and misleading business practices such as commercial bribery and false or deceptive advertising.