Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On January 18, the FTC issued a complaint against a digital platform and data aggregator (the company) and ordered the company to no longer sell or license precise location data, among other requirements. As previously covered by InfoBytes, the FTC’s order followed a recent FTC decision against a data broker in which the FTC alleged the data broker’s contracts were “insufficient to protect consumers from the substantial injury” caused by location data collection as consumers visited sensitive locations, such as churches, healthcare facilities, and schools.
In this case, the company obtained large amounts of personal data on consumers’ demographic data, movements, and purchasing history and retained that information for five years. The company had applications and third-party apps that have been downloaded over 390 million times, leading to about 100 million unique devices sending location data each year to the company. Like the previous FTC order, this FTC order alleged the company collected sensitive information on where consumers live, work, and worship; where their children went to school; where they received medical treatment; and if they attended rallies or demonstrations. The FTC alleged that the company cross-references consumers’ data location histories with points of interest to advertisers, including offering a push notification about a product when a consumer is located near a store that sells that product.
The FTC alleged the company failed to notify users that consumers’ location data is used for targeted advertising. Additionally, the FTC alleged the company retains consumer data “longer than reasonably necessary” which the FTC argues could lead to future consumer injury. According to the FTC, these allegations constitute deceptive or unfair practices as prohibited by Section 5(a) of the FTC Act. Under the order, the company must not materially misrepresent how the company collects or uses consumers’ location data, the company must not sell or license location data, and the company must implement a sensitive location data program as proscribed by the order. The company must also delete all historical location data for all consumers which does not affirmatively consent to the continued retention of such data. The company neither admits nor denies any of these allegations.
On August 2, several bank and credit union trade groups petitioned the CFPB asking the Bureau to create regulations that would allow the agency to conduct routine exams and supervise data aggregators and their customers. While the Bureau is currently considering rulemaking under Section 1033 of the Dodd-Frank Act with respect to consumer access to financial records and has “affirmed its commitment to ‘monitoring the aggregation services market and ensuring consumer protection and safety,’” the petition argued that there is a “supervisory imbalance” between banks and nonbanks in terms of data oversight. “[A]mong the participants in the market for aggregation services, typically, data holders, such as banks and credit unions, are regularly supervised and examined by the CFPB, whereas nondepository institutions such as data aggregators and data users are not examined by the CFPB,” the petition stated, adding that this “creates both an unsustainable model as the aggregation services market grows and the risk that the laws applicable to the activities of those larger participants in this market will be enforced inconsistently.” As a result, the petition warned that potential consumer harm attributed to data aggregator and data user activity may not be identified and remedied in a timely manner. The trade groups called for the Bureau to create a rule that would add a definition for “larger participants of a market” for aggregation services, as well as define the term “aggregation services” to mean a “financial product or service” under Title X of Dodd-Frank. Doing so would ensure that “all providers of comparable financial products and services” are subject to similar levels of accountability, the petition said.