InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC Reports Mobile Shopping App Consumer Disclosures Are Insufficient
On August 1, the FTC released a staff report on the agency’s review of shopping apps—those used for comparison shopping, to collect and redeem deals and discounts, and to complete in-store purchases. The FTC staff examined information available to consumers before they download the software onto their mobile devices—specifically, information describing how apps that enable consumers to make purchases dealt with fraudulent or unauthorized transactions, billing errors, or other payment-related disputes. The staff also assessed information on how the apps handled consumer data. The FTC staff determined that the apps studied “often failed to provide pre-download information on issues that are important to consumers.” For example, according to the report, few of the in-store purchase apps provided any information prior to download explaining consumers’ liability or describing the app’s process for handling payment-related disputes. In addition, according to the FTC, most linked privacy policies “used vague language that reserved broad rights to collect, use, and share consumer data, making it difficult for readers to understand how the apps actually used consumer data or to compare the apps’ data practices.” The FTC staff recommends that companies that provide mobile shopping apps to consumers: (i) disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions; (ii) clearly describe how they collect, use, and share consumer data; and (iii) ensure that their strong data security promises translate into strong data security practices. The report also includes recommended practices for consumers.
CFPB, FTC, And State Authorities Coordinate Action Against Foreclosure Relief Companies
On July 23, the CFPB, the FTC, and 15 state authorities coordinated to take action against foreclosure relief companies and associated individuals alleged to have employed deceptive marketing tactics to obtain business from distressed borrowers. The CFPB filed three suits, the FTC filed six, and the state authorities collectively initiated 32 actions. For example, the CFPB claims the defendants (i) collected fees before obtaining a loan modification; (ii) inflated success rates and likelihood of obtaining a modification; (iii) led borrowers to believe they would receive legal representation; and (iv) made false promises about loan modifications to consumers. The CFPB and FTC allege that the defendants violated Regulation O, formerly known as the Mortgage Assistance Relief Services (MARS) Rule, and that some of the defendants also violated the Dodd-Frank Act’s UDAAP provisions and Section 5 of the FTC Act, respectively. The state authorities are pursuing similar claims under state law. For example, New York Attorney General Eric Schneiderman announced that he served a notice of intent to bring litigation against two companies and an individual for operating a fraudulent mortgage rescue and loan modification scheme that induced consumers into paying large upfront fees but failed to help homeowners avoid foreclosure.
FTC Report Calls For Increased Data Broker Transparency
On May 27, the FTC released a report that claims—based on a study of nine data brokers—that data brokers generally operate with a “fundamental lack of transparency.” The FTC describes data brokers as companies that collect personal information about consumers from a wide range of sources and then provide that data for purposes of verifying an individual’s identity, marketing products, and detecting fraud or otherwise mitigating risk. The report is based in part on the nine brokers’ responses to FTC orders that required the brokers to provide information about: (i) the nature and sources of the consumer information the data brokers collect; (ii) how they use, maintain, and disseminate the information; and (iii) the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold or shared. The report summarizes the companies’ data acquisition processes, their product development and the types of products they provide, the quality of the data collected and sold, the types of clients to whom the data is sold, and consumer controls over the information. The FTC recommends that Congress consider enacting data broker legislation that would, among other things: (i) require data brokers to give consumers access to their data and the ability to opt out of having it shared for marketing purposes; (ii) require data brokers to clearly disclose that they not only use raw data, but that they also derive certain inferences from the data; (iii) address gaps in FCRA to provide consumers with transparency when a company uses a data broker’s risk mitigation product that limits a consumer’s ability to complete a transaction; and (iv) require brokers who offer people search products to allow consumers to access their own information and opt out of the use of that information, and to disclose the sources of the information and any limitations of the opt out.
White House Big Data Review Addresses Discrimination, Privacy Risks
On May 1, the White House’s working group on “big data” and privacy published a report on the findings of its 90-day review. In addition to considering privacy issues associated with big data, the group assessed the relationship between big data and discrimination, concluding, among other things, that “there are new worries that big data technologies could be used to ‘digitally redline’ unwanted groups, either as customers, employees, tenants, or recipients of credit” and that “big data could enable new forms of discrimination and predatory practices.” The report adds, “[t]he same algorithmic and data mining technologies that enable discrimination could also help groups enforce their rights by identifying and empirically confirming instances of discrimination and characterizing the harms they caused.” The working group recommends that the DOJ, the CFPB, and the FTC “expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law in such cases,” and adds that the President’s Council of Economic Advisers should assess “the evolving practices of differential pricing both online and offline, assess the implications for efficient operations of markets, and consider whether new practices are needed to ensure fairness.” The working group suggests that federal civil rights offices and the civil rights community should collaborate to “employ the new and powerful tools of big data to ensure that our most vulnerable communities are treated fairly.” With regard to privacy the report states that the “ubiquitous collection” of personal information and data, combined with the difficulty of keeping data anonymous, require policymakers to “look closely at the notice and consent framework that has been a central pillar of how privacy practices have been organized for more than four decades.” Among its policy recommendations, the working group urges (i) enactment of a Consumer Privacy Bill of Rights, informed by a Department of Commerce public comment process, and (ii) the adoption of a national data breach bill along the lines of the Administration’s May 2011 Cybersecurity legislative proposal. It also calls for data brokers to provide more transparency and consumer control of data.
FTC Settles Suit Against Tribe-Affiliated Lenders; Dispute Over CFPB Investigation Of Tribe-Affiliated Lenders Moves To Federal Court
On April 11, the FTC announced that a tribe-affiliated payday lending operation and its owner agreed to pay nearly $1 million to resolve allegations that they engaged in unfair or deceptive acts or practices and violated the Credit Practices Rule in the collection of payday loans. The FTC alleged that the lenders illegally tried to garnish borrowers’ wages and sought to force borrowers to travel to South Dakota to appear before a tribal court, and that the loan contracts issued by the lenders illegally stated that they are subject solely to the jurisdiction of the Cheyenne River Sioux Tribe. The announced settlement payment includes a $550,000 civil penalty and a court order to disgorge $417,740. The companies and their owner also are prohibited from further unfair and deceptive practices and are barred from suing any consumer in the course of collecting a debt, except for bringing a counter suit to defend against a suit brought by a consumer.
Also on April 11, in a separate matter related to federal authority over tribe-affiliated lending, a group of tribe-affiliated lenders responded in opposition to a recent CFPB petition to enforce civil investigative demands (CIDs) the Bureau issued to the lenders. In September 2013, the CFPB denied the lenders’ joint petition to set aside the CIDs, rejecting the lenders’ primary argument that the CFPB lacks authority over businesses chartered under the sovereign authority of federally recognized Indian Tribes. The lenders subsequently refused to respond to the CIDs, which the CFPB now asks the court to enforce. The CFPB argues that the lenders fall within the CFPB’s investigative authority under the terms of the Consumer Financial Protection Act, which the CFPB argues is a law of general applicability, including with regard to Indian Tribes and their property interests. The lenders continue to assert that they are sovereign entities operating beyond the CFPB’s reach.
FTC Seeks Further Public Comment On Mobile Security
On April 17, the FTC announced it is seeking additional public comments on issues explored during a 2013 forum on mobile security. The announcement includes a series of specific questions within the following categories: (i) secure platform design; (ii) secure distribution channels; (iii) secure development practices; and (iv) security lifecycle and updates. The announcement indicates that the FTC is planning a report based on the forum and this subsequent information request. Comments are due by May 30, 2014.
New Jersey Federal Court First To Uphold FTC's UDAP Authority To Enforce Data Security
On April 7, the U.S. District Court for the District of New Jersey denied a hotel company’s motion to dismiss the FTC’s claims that the company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by failing to maintain reasonable and appropriate data security for customers’ personal information. FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The company moved to dismiss the FTC’s suit, arguing that the FTC (i) lacks statutory authority to enforce data security standards outside of its explicit data security authority under statutes such as the Gramm-Leach-Bliley Act (GLBA) and FCRA; (ii) violated fair notice principles by failing to first promulgate applicable regulations; and (iii) failed to sufficiently plead certain elements of the unfairness and deception claims. The court rejected each of these arguments. First, the court held that the FTC does not need specific authority under Section 5 to enforce data security standards. The court reasoned that the data-security legislation the followed the FTC Act, such as GLBA and FCRA, provide the FTC additional data security tools that complement, rather than preclude, the FTC’s general authority under Section 5. Second, the court held that, to bring a Section 5 data security claim, the FTC is not required to provide notice of reasonable standards by issuing a new regulation because regulations are not the only means of providing sufficient fair notice. According to the court, industry standards, past FTC enforcement actions, and FTC business guidance provided sufficient notice of what constitutes reasonable security measures. Third, the court held that the FTC properly pled its unfairness and deception claims under the FTC Act.
Nevada Federal Court Affirms FTC's Authority Over Tribal Payday Lending Businesses
On March 19, the FTC reported that the U.S. District Court for the District of Nevada held that the FTC Act “grants the FTC authority to regulate arms of Indian tribes, their employees, and their contractors,” including tribe-affiliated businesses sued by the FTC over allegedly unfair and deceptive practices in the origination and collection of payday loans. FTC v. AMG Servs., Inc., No. 12-536, 2014 WL 910302 (D. Nev. Mar. 7, 2014). The court’s order affirmed a report and recommendation issued last July by a magistrate judge in which the magistrate concluded that under controlling Ninth Circuit precedent, the FTC has authority to regulate “Indian Tribes, Arms of Indian Tribes, employees of Arms of Indian Tribes and contractors of Arms of Indian Tribes with regard to” the payday lending activities at issue in the case. The district court rejected the defendant’s objections that the magistrate erred in (i) assigning the defendants the burden of establishing whether they fall within the FTC’s jurisdiction; (ii) determining that the FTC Act is a statute of general applicability; and (iii) failing to apply Indian law canons and Supreme Court opinions the defendants argued are controlling in determining whether a federal statute of general applicability applies to Indian tribes and arms of Indian tribes.
CFPB Releases Annual Report on Debt Collection
On March 20, the CFPB released its third annual report summarizing its activities in 2013 to implement and enforce the FDCPA. The report describes the CFPB’s and the FTC’s shared FDCPA enforcement authority, incorporates the FTC’s annual FDCPA update, and reiterates the intention of both the FTC and the CFPB to exercise their authority to take action—both independently and in concert—against those in violation of the FDCPA.
The report highlights the debt collection-related complaints the Bureau has received—over 30,000 since the CFPB began accepting and compiling consumer complaints in July 2013, making the third-party debt collection market the largest source of consumer complaints submitted to the CFPB. The report states that the majority of the complaints the CFPB has received involve attempts to collect debts not owed and allegedly illegal communication tactics. The report also identifies several changes within the debt collection industry over the past year that will remain points of emphasis for the CFPB, including the expansion of the debt buying market, the growth of medical debt and student loan debt in collection, and the use of expanded technologies to communicate with debtors.
FTC Announces International Privacy Initiatives
On March 6, the FTC released a memorandum of understanding (MOU) it signed with the UK’s Information Commissioner’s Office (ICO), which is designed to strengthen the agencies’ privacy enforcement partnership. The FTC stated that over the last several years it has worked with the ICO on numerous investigations and international initiatives to increase global privacy cooperation. The MOU establishes a formal framework for the agencies to provide mutual assistance and exchange of information for the purpose of investigating, enforcing, and/or securing compliance with certain privacy violations. The FTC also announced a joint project with the European Union (EU) and Asia-Pacific Economic Cooperation (APEC) economies to map together the requirements for APEC Cross Border Privacy Rules and EU Binding Corporate Rules, which is designed to provide a practical reference tool for companies that seek “double certification” under the APEC and EU systems, and shows the substantial overlap between the two.