InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC fines two companies $6M for inaccurate background reports
The FTC fined two companies that sell consumer background reports through subscriptions for violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). In addition to allegedly claiming, without substantiation, to have the most accurate reports available to the public, the complaint says two companies deceptively claimed individuals had criminal or arrest records when the individual did not; deceptively claimed consumers can remove information or flag it as inaccurate, and deceptively failed to disclose that third-party reviews were incentivized and biased.
The companies also furnished consumer reports to subscribers “without reason to believe those subscribers have permissible purposes to obtain such reports.”
The stipulated order requires the companies to pay a civil penalty of $5.8 million, prohibits them from advertising, marketing, promoting, or offering for sale certain reports including arrest records, bankruptcy records, and eviction records until the establish and implement a comprehensive monitoring program, and prohibits them from continuing any of the deceptive practices set forth in the complaint.
FTC, DOJ issue permanent injunction and civil penalty for violations of CAN-SPAM Act
On August 22, the DOJ and the FTC jointly announced a permanent injunction and civil penalty of $650,000 against a company that offers credit information, analytical tools, and marketing services for alleged violations of the CAN-SPAM Act, the CAN-SPAM Rule, and the FTC Act. The case, which was filed in the District Court for the Central District of California, asserts that millions of commercial emails sent to consumers did not give the recipients requisite notice of the option to opt-out of future such emails, in violation of the CAN-SPAM Act and Rule. The order enjoined the company from sending commercial emails that do not provide notice of the recipient’s ability to opt-out of future emails, it also enjoins the company from otherwise violating the CAN-SPAM Act, and subjects it to a civil penalty judgment of $650,000.
FTC temporarily halts unlawful business opportunity scheme
On August 22, the FTC announced that the U.S. District Court for the Southern District of California recently issued a temporary restraining order against a business opportunity operation for allegedly engaging in deceptive practices. According to the FTC’s complaint, the operation made claims in violation of the FTC Act, the FTC’s Business Opportunity Rule, and the Consumer Review Fairness Act of 2016 by, among other things; (i) making false claims that they offered a “venture capital-backed” and “artificial intelligence-integrated” e-commerce business opportunity for consumers to buy into; (ii) falsely promoting themselves as e-commerce experts and self-made millionaires who have assisted others in generating tens of millions of dollars; (iii) relying on false business projections, including that customers would make a “$4k-$6k consistently monthly net profit”; (iv) false claims about the use of AI tools to maximize revenues; and (v) false endorsements, including false claims of success on social media by an affiliate marketer. The court’s temporary restraining order prohibited the operation from conducting business, froze its assets, appointed a temporary receiver, and required the operation to turn over business records to the FTC. Beyond the temporary restraining order, the FTC is seeking preliminary and permanent injunctive relief, monetary relief, and additional relief as determined by the court. The FTC also highlighted that its ability to provide these refunds would not be possible if the action hadn't predated the 2021 Supreme Court ruling (covered by InfoBytes here) that the FTC lacks authority under Section 13(b) of the FTC Act to seek monetary relief in federal court. The FTC used the opportunity to encourage Congress to restore its ability to seek monetary relief in federal court.
District Court files temporary restraining order to stop scammers in FTC suit
On August 21, the FTC announced it has stopped California-based scammers (defendants) who allegedly preyed on students seeking debt relief by pretending to be affiliated with the Department of Education. According to the August 14 complaint, since at least 2019, the defendants allegedly targeted students and illegally collected $8.8 million in advance fees in exchange for student loan debt relief services that did not exist. The defendants allegedly misled consumers by charging them for services that are free through the Department of Education, claiming consumers needed to pay fees or make payments to access federal student loan forgiveness, using names like "Biden Loan Forgiveness," that does not correspond to any actual government program. For instance, one consumer was asked to pay $375 for a processing fee to have up to $20,000 in loans forgiven because of a Pell Grant. Another was told they would get a $10,000 reduction in their loan balance and a new repayment plan with six $250 monthly payments under the “student loan forgiveness program.” The FTC alleges violations of Section 5 of the FTC Act, which prohibits deceptive acts or practices, TCPA, and the Gramm-Leach-Bliley Act. The complaint also alleges that the defendants used such misrepresentations to illegally obtain consumers’ banking information, and typically collected hundreds of dollars in unlawful advance fees—sometimes through remotely created checks in violation of the Telemarketing Sales Rule. The U.S. District Court of the Central District of California filed a temporary restraining order, resulting in an asset freeze, among other things. The FTC seeks preliminary, and permanent injunctive relief, monetary relief, and other relief.
Senators, Reps request record retention information from the FTC
On August 18, members of the House and the Senate issued a letter to the FTC with various inquiries related to the FTC’s preservation of agency records. The letter notes that the FTC “has struggled to comply” with the Federal Records Act citing a February 2022 memo from the FTC Inspector General issuing two recommendations for improving records management. The letter further indicates that the FTC has not provided explanations for instances of document deletion and have asked for responses by the end of the month to identify (i) what records have been deleted and why; (ii) how the FTC is working to company with retention requirements; (iii) whether it has notified National Archives and Records Administration of any deleted records; and (iv) how it has addressed prior recommendations.
CSBS announces Nonbank Model Data Security Law
The Conference of State Bank Supervisors (CSBS) recently released a comprehensive framework for safeguarding sensitive information held at nonbank financial institutions. CSBS’s Nonbank Model Data Security Law is largely based on the FTC’s updated Safeguards Rule, which added specific criteria for financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, to undertake when conducting risk assessments and implementing information security programs. (Covered by InfoBytes here.) Adopting the Nonbank Model Data Security Law allows for a streamlined and efficient approach to data security regulations for nonbank financial institutions, CSBS explained, adding that by leveraging the existing Safeguards Rule’s applicability to state covered nonbanks, the model law imposes minimal additional compliance burdens and ensures smoother implementation for financial institutions. States can also choose an alternative approach by requiring nonbank financial institutions to conform to the Safeguards Rule, CSBS said.
The Nonbank Model Data Security Law outlines numerous provisions, which are intended to protect customer information, mitigate cyber threats, and foster a secure financial ecosystem. These include standards for safeguarding customer information, required elements that must be included in a nonbank financial institution’s information security program, and an optional section that requires entities to notify the commissioner in the wake of a security event. CSBS noted that because “the proposed rule on notification requirements for the FTC Safeguards Rule is still pending, the model law allows each state to establish their own customer threshold number, providing flexibility in determining the extent of impact that triggers the notification obligation.” CSBS also provided a list of resources for adopting the Nonbank Model Data Security Law.
CFPB, FTC to conduct inquiry into high housing costs for renters
On July 25, CFPB Director Rohit Chopra shared prepared remarks for the Community Table on a White House Blueprint for a Renters Bill of Rights to address high housing costs for renters. Chopra raised concerns about corporate investors imposing high rents and charging renters with what the director described as “junk fees and other aggressive tactics.” He mentioned that corporate investor owners, including private equity firms, are more likely to evict tenants, even when controlling for other factors, and that corporate investor ownership of rental units has risen to over 45 percent. Chopra also emphasized the growing use of artificial intelligence and social scoring in the rental process, stating that such changes can lead to rent hikes and denials of housing due to an algorithm's definition of "high-quality tenants." The remarks suggested that tenants are not being given appropriate opportunity to correct inaccurate information in their background checks, despite the legal requirement for companies to inform consumers when using such information for adverse rental decisions. The speech also stressed the CFPB's commitment to identifying inaccurate AI and illegal practices that lead to misleading data and clarified that name-only matching, a common but illegal practice in screening, can result in inaccurate information, disproportionately affecting individuals with common last names. To address these issues, Chopra announced a joint inquiry with the FTC, to collect feedback from the public about their experiences with tenant screening.
FTC, HHS say tracking technology may impermissibly disclose personal health data
On July 20, the FTC and U.S. Department of Health and Human Services for Civil Rights issued a joint letter cautioning hospitals and telehealth providers of the risks related to the use of online tracking technologies within their systems that may impermissibly disclose consumers’ personal data to third parties. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said “when consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties.” According to the letter, recent research has highlighted concerns about the use of technology to track users’ online activities and sensitive data including, health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. The FTC warned that the impermissible disclosures of personal data can result in identity theft, financial loss, discrimination, and more. The letter included a reminder that under the FTC Act and the FTC Health Breach Notification Rule, even if they are not covered by HIPAA, hospitals and telehealth providers remain obligated to protect against impermissible disclosures of personal health information.
E-commerce company fined $25 million for alleged COPPA violations
On July 19, the DOJ and FTC announced that a global e-commerce tech company has agreed to pay a penalty for alleged privacy violations related to its smart voice assistant’s data collection and retention practices. The agencies sued the company at the end of May for violating the Children’s Online Privacy Protection Act Rule and the FTC Act, alleging it repeatedly assured users that they could delete collected voice recordings and geolocation information but actually held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. (Covered by InfoBytes here.)
The stipulated order requires the company to pay a $25 million civil money penalty. The order also imposes injunctive relief requiring the company to (i) identify and delete any inactive smart voice assistant children’s accounts unless requested to be retained by a parent; (ii) notify parents whose children have accounts about updates made to its data retention and deletion practices and controls; (iii) cease making misrepresentations about its “retention, access to or deletion of geolocation information or voice information, including children’s voice information” and delete this information upon request of the user or parent; and (iii) disclose its geolocation and voice information retention and deletion practices to consumers. The company must also implement a comprehensive privacy program specific to its use of users’ geolocation information.
FTC proposal would allow facial recognition for consent under COPPA
On July 19, the FTC announced it is seeking public feedback on whether it should approve an application that proposes to create a new method for obtaining parental consent under the Children’s Online Privacy Protection Act (COPPA). The new method would involve analyzing a user’s facial geometry to confirm the individual’s age. Under COPPA, online sites and services directed to children under 13 are required to obtain parental consent before collecting or using a child’s personal information. COPPA provides a number of acceptable methods for obtaining parental consent but also allows interested parties to submit proposals for new verifiable parental consent methods to the FTC for approval.
The application was submitted by a company that runs a COPPA safe harbor program, along with a digital identity company and a technology firm that helps companies comply with parental verification requirements. Specifically, the FTC’s request for public comment solicits feedback on several questions relating to the application, including: (i) whether the proposed age verification method is covered by existing methods; (ii) whether the proposed method meets COPPA’s requirements for parental consent (i.e., can the proposed method ensure that the person providing consent is the child’s parent); (iii) does the proposed method introduce a privacy risk to consumers’ personal information, including their biometric information; and (iv) does the proposed method “pose a risk of disproportionate error rates or other outcomes for particular demographic groups.” Comments are due 30 days after publication in the Federal Register.