On September 6, the FTC voted 5-0 to approve a final settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.
As previously covered by InfoBytes, in its complaint, the FTC alleged the company’s failure to, among other things, (i) implement an organizational information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, which resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The approved settlement requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the settlement requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.
On August 28, the U.S. District Court for the District of Arizona denied motions to dismiss an enforcement action brought by the FTC against a group of individuals and entities that allegedly facilitated a telemarketing scheme that previously resulted in the principal actors in the scheme settling with the FTC and later pleading guilty to state criminal charges. The alleged scheme involved “credit card laundering”—the creation of fictitious entities to process customer credit card transactions so that the actual entity receiving the funds would not be identified. The defendants in the current matter are an Independent Sales Organization and several of its officers allegedly involved in that effort (prior InfoBytes coverage here). The defendants first argued that the relevant part of the FTC Act only permits injunctive relief and that the FTC’s requests for restitution and disgorgement were improper because those forms of relief are penalties, not equitable relief, under Kokesh v. Securities and Exchange Commission. The court noted, however, that the Supreme Court in Kokesh expressly limited its holding to the question of the statute of limitations applicable to the SEC, and that the Ninth Circuit has subsequently approved decisions granting restitution and disgorgement under the FTC Act. The defendants also argued that injunctive relief was not warranted where the unlawful conduct in question ceased in 2013, but the court ruled that the FTC need only show that it has “reason to believe” that a defendant is violating or is about to violate the law. The court declined to address the FTC’s argument that its “reason to believe” determination is unreviewable, but it found that the FTC had pled sufficient facts to establish that it has reason to believe that the defendants would violate the statute.
In particular, the court noted that a “court’s power to grant injunctive relief survives the discontinuance of illegal conduct,” that “an inference arises from illegal past conduct that future violations may occur,” and that “courts should be wary of a defendant’s termination of illegal conduct when a defendant voluntarily ceases unlawful conduct in anticipation of formal intervention.” Those factors were all present, along with the fact that the defendants “remain in the same professional occupation.”
On September 4, the FTC and the New York Attorney General announced (see here and here) a combined $170 million proposed settlement with the world’s largest online search engine and its video-sharing site subsidiary concerning alleged violations of the Children’s Online Privacy Protection Act (COPPA). According to the complaint, the video-sharing site allegedly collected personal information in the form of “persistent identifiers” from viewers of child-directed channels without first obtaining verifiable parental consent. The persistent identifiers allegedly generated millions of dollars in revenue by delivering targeted ads to viewers. The FTC and New York AG allege, among other things, that the defendants knew the video-sharing site hosted numerous child-directed channels but told advertisers that the video-sharing site contains general audience content, even informing one advertising company that it did not have users younger than 13 on its platform and therefore channels on its platform did not need to comply with COPPA.
Under COPPA, operators of websites and online services directed at children are prohibited from collecting personal information of children under the age of 13—including through the use of persistent identifiers for targeted advertising purposes—unless the company has explicit parental consent. Furthermore, third parties—such as advertising networks—must also comply with COPPA where they have actual knowledge that personal information is being collected directly from users of child-directed websites and online services.
While neither admitting nor denying the allegations, except as specifically stated within the settlement, the defendants will, among other things, (i) pay a $136 million penalty to the FTC and a $34 million penalty to New York; (ii) change their business practices to comply with COPPA; (iii) maintain a system for channel owners to designate their child-directed content on the video-sharing site; and (iv) disclose their data collection practices and obtain verifiable parental consent prior to collecting personal information from children. According to the FTC, the $136 million penalty is “by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998.”
On August 27, the FTC announced a settlement with an Illinois-based educational services company and its subsidiaries (defendants) to resolve deceptive marketing allegations in violation of the FTC Act and the Telemarketing Sales Rule. In the complaint, the FTC claimed the defendants used third-party lead generators that posed as military recruiters or job-finding services to encourage consumers to provide contact information via websites. The websites did not clearly inform consumers that the personal information entered into online forms might be sold or used to market training or educational programs. Rather, the FTC asserted that the lead generators falsely informed consumers that their information would not be shared. According to the FTC, the defendants then purchased these leads to call consumers in an attempt to enroll them in post-secondary schools, with many of these calls made to consumers on the National Do Not Call Registry. While the defendants did not themselves carry out the deceptive practices used to generate the leads, the FTC stated that the defendants exercised control over the marketing materials and reviewed telemarketing scripts that allegedly directed lead generators to falsely identify themselves as military recruiters. The FTC’s press release emphasized that “[t]his case demonstrates that the FTC will seek to hold advertisers liable for the deceptive or illegal practices of their affiliates, publishers, or other lead generators. We expect companies purchasing leads to implement strong vendor management programs and stay on the right side of the law.” Under the terms of the settlement, the defendants are: (i) ordered to pay $30 million; (ii) required to implement a system to review any marketing materials used by lead generators; (iii) prohibited from calling numbers on the National Do Not Call Registry without obtaining written consent; and (iv) banned from falsely stating that they represent the military or prospective employers.
On August 8, the FTC announced a settlement with an email management company, which requires the company to delete the personal information it obtained from consumers’ email receipts after allegedly misleading consumers about the company’s services. In the complaint, the FTC alleges that the company, which assisted consumers in unsubscribing from unwanted subscription emails, deceptively told consumers that it would “never touch [their] personal stuff,” when providing the company access to their emails, but in reality, the company would access inboxes to collect consumers’ e-receipts to sell the purchase information to other companies. Moreover, the complaint alleges that, even after consumers chose to decline to allow the company access to their email, the company persisted with deceptive messages, which resulted in “[o]ver 20,000 consumers chang[ing] their minds and decid[ing] to complete the sign-up process after viewing the messages.” The settlement requires the company to: (i) delete from its system, and its parent company’s system, the email receipts it collected from consumers, unless it obtains their affirmative consent to maintain the information; (ii) cease misrepresenting the way it collects, uses, stores, or shares the information it collects; and (iii) notify consumers who have signed up for the service, after viewing the deceptive messages, about how it collects and shares information.
On July 29, the FTC and the Ohio attorney general announced temporary restraining orders and asset freezes issued by the U.S. District Court for the Western District of Texas against a payment processor and a credit card interest-reduction telemarketing operation (see here and here). According to the FTC, the payment processor defendants allegedly violated the FTC Act, the Telemarketing Sales Rule (TSR), and various Ohio laws by, among other things, generating and processing remotely created payment orders or checks that allowed merchants—including deceptive telemarketing schemes—to withdraw money from consumers’ bank accounts. The FTC asserted that the credit card interest-reduction defendants deceptively promised consumers significant credit card interest rate reductions, along with “a 100 percent money back guarantee if the promised rate reduction failed to materialize or the consumers were otherwise dissatisfied with the service.” However, the FTC claimed that most customers never received the promised rate reduction, were refused refunds, and often received collection or lawsuit threats. Additionally, the credit card interest-reduction defendants allegedly violated the TSR by charging advance fees, failing to properly identify the service in telemarketing calls, and failing to pay the fee required to access the FTC’s National Do Not Call Registry.
FTC and DOJ announce $5 billion privacy settlement with social media company; SEC settles for $100 million
On July 24, the FTC and the DOJ officially announced (see here and here) that the world’s largest social media company will pay a $5 billion penalty to settle allegations that it mishandled its users’ personal information. As previously covered by InfoBytes, it was reported on July 12 that the FTC approved the penalty, in a 3-2 vote. This is the largest privacy penalty ever levied by the agency, almost “20 times greater than the largest privacy or data security penalty ever imposed worldwide,” and one of the largest ever assessed by the U.S. government for any violation. According to the complaint, filed the same day as the settlement, the company allegedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC, which allowed the company to share users’ data with third-party apps that were downloaded by users’ “friends.” Moreover, the complaint alleges that many users were unaware the company was sharing the information, and therefore did not take the steps needed to opt-out of the sharing. Relatedly, the FTC also announced a separate action against a British consulting and data analytics firm for allegedly using deceptive tactics to “harvest personal information from millions of [the social media company’s] users.”
In addition to the monetary penalty, the 20-year settlement order overhauls the company’s privacy program. Specifically, the order, among other things, (i) establishes an independent privacy committee of the company’s board of directors; (ii) requires the company to designate privacy program compliance officers who can only be removed by the board’s privacy committee; (iii) requires an independent third-party assessor to perform biennial assessments of the company’s privacy program; (iv) requires the company to conduct a specific privacy review of every new or modified product, service, or practice before it is implemented; and (v) mandates that the company report any incidents in which data of 500 or more users have been compromised to the FTC.
In dissenting statements, Commissioner Chopra and Commissioner Slaughter asserted that the settlement, while historic, does not contain terms that would effectively deter the company from engaging in future violations. Commissioner Slaughter argues, among other things, that the civil penalty is insufficient and believes the order should have contained “meaningful limitations on how [the company] collects, uses, and shares data.” Similarly, Commissioner Chopra argues that the order imposes no meaningful changes to the company’s structure or financial incentives, and the immunity provided to the company’s officers and directors is unwarranted.
On the same day, the SEC announced that the company also agreed to pay $100 million to settle allegations that it misled investors about the risks it faced related to the misuse of its consumer data. The SEC’s complaint alleges that in 2015, the company was aware of the British consulting and data analytics firm’s misuse of its consumer data but did not correct its disclosures for more than two years. Additionally, the SEC alleges the company failed to have policies and procedures in place during that time to assess the results of internal investigations for the purpose of making accurate disclosures in public filings. The company neither admitted nor denied the allegations.
On July 22, the CFPB, FTC, and 48 states, the District of Columbia and Puerto Rico announced a settlement of up to $700 million with a major credit reporting agency to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. According to the complaints (see here and here) filed in the U.S. District Court for the Northern District of Georgia, the company allegedly engaged in unfair and deceptive practices by, among other things, (i) failing to provide reasonable security for the sensitive personal information stored within its network; (ii) deceiving consumers about its data security program capabilities; and (iii) failing to patch its network after being alerted in 2017 to a critical security vulnerability.
Under the terms of the proposed settlements (see here and here), pending final court approval, the company will pay up to $425 million in monetary relief to consumers and provide credit monitoring to affected individuals, as well as six free credit reports each year for seven years to all U.S. consumers. The company must also pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil money penalty to the Bureau. The $425 million fund will also compensate consumers who bought credit- or identity-monitoring services from the company and paid other expenses as a result of the breach. The company must also, among other things, implement a comprehensive information security program that will require annual assessments of security risks and safeguard measures, obtain third-party information security assessments, and acquire annual certifications from the board of directors that the company has complied with the settlements.
On July 12, it was reported that the FTC has approved a $5 billion penalty against the world’s largest social media company for allegedly mishandling its users’ personal information. The reported settlement would be the largest privacy penalty ever levied by the agency. According to reports, the settlement, which was approved in a 3-2 vote, resolves allegations that the company allowed a British consulting firm access to 87 million users’ personal data for political consulting purposes in violation of a 2012 privacy settlement with the FTC. Neither the FTC nor the social media company have commented on the reported settlement, which is still pending approval from the Department of Justice.
On July 17, the FTC released a notice seeking comment on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA Rule). The FTC last amended COPPA in 2013, and while the FTC usually reviews its rules every 10 years, the FTC notes that “[r]apid changes in technology, including the expanded use of education technology, reinforce the need to re-examine the COPPA Rule at this time.” The notice seeks comment on all major provisions of the COPPA Rule, including definitions, notice and parental consent requirements, exceptions to verifiable parental consent, and the safe harbor provision. Additionally, the notice seeks responses to specific questions, including (i) has the Rule affected the availability of websites or online services directed to children?; (ii) does the Rule correctly articulate the factors to consider in determining whether a website or online service is directed to children, or should additional factors be considered?; and (iii) what are the implications for COPPA enforcement raised by technologies such as interactive television, interactive gaming, or other similar interactive media? Comments must be received within 90 days after publication in the Federal Register.