InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC Settles Privacy, Data Security Charges Based On Peer-to-Peer File Sharing Against Two Firms
On June 7, the FTC announced two new cases (and simultaneous settlements), one against a debt collector and the other against an auto dealer, alleging privacy and data violations based on the use of peer-to-peer file sharing software. In both cases, the FTC claims that the firms allowed file-sharing software to be installed on company computers, thereby allowing files containing personal customer information to be accessed by any other person using a networked computer. Both companies, according to the FTC, (i) did not have adequate security plans, (ii) did not use reasonable measures to enforce compliance with existing security policies, (iii) did not adequately train employees, (iv) did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks, and (v) failed to assess risk to consumers. For the debt collector, the FTC alleges that the failures constituted an unfair act or practice in violation of the FTC Act. The FTC claims that the auto dealer also violated the FTC Act and, for the first time, charges an auto dealer with violations of certain Gramm-Leach-Bliley (GLB) Act rules. The settlement orders with both companies bar misrepresentations regarding the privacy, security, confidentiality, and integrity of any personal information and require that the firms establish comprehensive information security programs that will be audited every other year for 20 years. The auto dealer also is barred from violating the GLB rules at issue.
D.C. Federal Court Holds FCRA Credit Report Notice Requirements Apply to Auto Dealers Engaging in Third Party Financing Transactions
On May 22, the U.S. District Court for the District of Columbia rejected the National Automobile Dealer's Association's (NADA) challenge to an FTC determination that an automobile dealer that executes a credit contract based on a third party financing source "uses a consumer report" under FCRA, and, thus, must provide prospective buyers with a risk-based pricing notice. National Automobile Dealers Assoc. v. Federal Trade Commission, No. 11-cv-01711, 2012 WL 1854088 (D.D.C. May 22, 2012). A risk-based pricing notice must be provided to buyers who, based upon information contained in their consumer reports, are offered credit at terms materially less favorable than the most favorable terms available to a substantial proportion of consumers. The notice is intended to alert buyers to the existence of negative information in their credit reports to enable them to correct any inaccuracies. The FTC's 2011 amendments to the Fair Credit Risk-Based Pricing Regulations clarified that even in the context of a third-party transactionwhere the auto dealer is not the ultimate source of financing and does not physically obtain a consumer's credit reportthe auto dealer must provide a risk-based pricing notification. According to NADA, the FTCs interpretation placed an unreasonable burden on auto dealers who outsource financing to banks or other entities. NADA also argued that the interpretation was arbitrary and capricious and that it was not entitled to Chevron deference. In its ruling, the court rejected these challenges, stating, among other things, that the FTC's determination was "eminently reasonable" and consistent with the overall regulatory scheme of FCRA because auto dealers are able to obtain credit report information and are best suited to convey that information to consumers. NADA intends to appeal the decision.
FTC, CFPB, DOJ File Brief in Suit Challenging FCRA Constitutionality
On May 8, the FTC announced that it had joined the CFPB and the DOJ to file a brief supporting the constitutionality of the Fair Credit Reporting Act (FCRA). The brief was filed in a lawsuit in the U.S. District Court for the Eastern District of Pennsylvania in which a consumer alleged that a consumer reporting agency (CRA) violated FCRA by reporting on arrest records that were more than seven years’ old. Responding to these allegations, the CRA argued that the Supreme Court’s decision in Sorell v. IMS Health, Inc., 131 S. Ct. 2653 (2011), rendered FCRA’s seven-year limitation unconstitutional under the First Amendment. The federal entities’ brief counters that Sorell does not alter the test for commercial speech restrictions established in Central Hudson Gas and Electric Corp. v. Public Service Commission of New York, 447 U.S. 557 (1980). It goes on to argue that, under this test, the government has a substantial interest in protecting individuals’ privacy and that FCRA protects this interest while accommodating businesses’ competing interest in obtaining complete information about potential borrowers.
FTC Affirms Holder in Due Course Rule
On May 10, the FTC released an advisory opinion affirming that the Holder in Due Course Rule does not limit or preclude a consumers right to recovery other than to restrict awards to monies paid under a contract. The opinion was prepared in response to a request by consumer groups concerned by court decisions, beginning with Ford Motor Credit Co. v. Morgan, 536 N.E.2d 587 (Mass. 1989), that had limited recovery under the Rule to cases in which the consumer is entitled to rescission or similar relief under state law. Noting that such courts have misinterpreted the Rules Statement of Basis and Purpose, the advisory opinion states that the plain language of the Rule is clear and does not limit affirmative recovery to those circumstances where rescission is warranted or where the goods or services sold to the consumer are worthless.
FTC Settles Privacy Claims Against Myspace
On May 8, the FTC announced an agreement with Myspace to settle government allegations that the social networking service misrepresented the protections offered by its privacy policy. The policy promised consumers that Myspace would not share users personally identifiable information or use that information for purposes inconsistent with those for which the information was submitted without first giving notice to users and receiving their permission. The FTC alleged that the privacy policy was deceptive because, without user notice or consent, Myspace provided advertisers with certain user information that allowed the advertisers to identify additional personal information. Under the terms of the settlement, Myspace must (i) establish a comprehensive privacy program, (ii) obtain biennial independent privacy program assessments, and (iii) avoid misrepresenting the scope of its privacy policy protections.
FTC Announces First Actions Against Auto Loan Modification Schemes
On April 4, the FTC released complaints filed recently against two operations allegedly engaged in deceptive auto loan modification schemes. According to the FTC, the two companies and several related individuals instructed consumers to stop paying their auto loans and promised to lower their monthly payments in exchange for up-front payment of fees, but then did not provide promised refunds when they failed to obtain car loan modifications. The FTC complaints detail the companies’ Internet and other marketing efforts and alleged false promises of lower monthly payments and money-back guarantees. These are the first auto loan modification cases filed by the FTC, which has been actively pursuing allegations of similar mortgage loan modification schemes. Concurrent with these announced cases, the FTC released an alert for consumers seeking assistance in managing their auto loans. The FTC also recently closed out a year of seeking public input on consumer protection issues that arise in auto sales, financing, and leasing.
FTC Files Case Against Tribe-Affiliated Payday Lenders
On April 2, the FTC announced that it filed a complaint in the United States District Court for the District of Nevada against a payday lending operation that allegedly charged undisclosed and inflated fees, and collected on loans illegally by threatening borrowers with arrest and lawsuits. The FTC alleges that the operation, consisting of numerous defendants including three Internet-based lending companies, seven related companies and numerous individuals (i) violated the FTC Act by making misrepresentations and false threats, (ii) violated TILA by failing to accurately disclose APR and other loan terms, and (iii) violated the Electronic Fund Transfer Act by requiring consumers to preauthorize electronic fund transfers from their accounts. According to the FTC, the defendants have claimed in state court that they are immune from legal action because of their affiliation with Native American tribes. The FTC argues that notwithstanding any such affiliation, the defendants are still subject to federal law. This is the second time in seven months that the FTC has brought suit against a payday lender that has used a tribal affiliation defense against actions by state authorities.
Federal Appeals Court Limits Review of FTC Interpretation of FCRA
Recently, the U.S. Court of Appeals for the District of Columbia Circuit held that the FTCs interpretation of a Fair Credit Reporting Act (FCRA) provision is not subject to direct review by the federal appeals court. Natl Auto. Dealers Assoc. v. FTC, 670 F.3d 268 (D.C. Cir. 2012). In July 2011, the FTC promulgated a rule to implement changes made by the Dodd-Frank Act to FCRAs risk-based pricing protections. Those protections entitle consumers to a notice when they are offered credit at materially less favorable terms based on information contained in their credit reports. As part of the July 2011 rule, the FTC provided supplementary information that included an interpretation of the scope and applicability of the rule, stating that automobile dealers are subject to the rule, even when dealers rely on third-party financing sources and not directly on credit reports obtained from a consumer reporting agency. The National Association of Automobile Dealers (NADA) filed a petition asking the appeals court to review the FTCs interpretation. NADA concurrently filed a complaint in district court seeking a review of the rule under the Administrative Procedures Act. The appeals court held that direct appellate review of an agency action is only permissible when a statute unambiguously grants such a review. In this case, the direct review provision of the FTC Act is not ambiguous and clearly does not apply to the FCRA interpretation at issue. Under the FTC Act, direct review is only available for challenges to trade regulation rules and substantive amendments thereto. NADA is not challenging a substantive amendment, but rather an interpretation, and in any case the FCRA interpretive statement is not related to a trade regulation rule. Therefore, the appeals court dismissed the petition without prejudice to the parallel district court action.
FTC Finalizes Consumer Privacy Recommendations, Notes Mobile Issues
On March 26, the FTC released an anticipated report on consumer privacy, calling on all companies to adopt certain practices to protect consumers’ private information. The final report outlines three basic principles: (i) “privacy by design”, (ii) simplified choice, and (iii) increased transparency. Though the report and recommended practices do not carry the force of law, the FTC encourages adoption of the recommendations to support innovation and commerce while improving consumer protection. The report also serves as a blueprint for what the FTC is seeking in federal privacy legislation. Pending congressional action, the FTC will continue to employ its existing enforcement authority to address unfair or deceptive practices, including practices that violate self-regulatory programs. Further, the FTC intends to support implementation of the framework by focusing on several substantive topics and stakeholder groups, including (i) do not track, (ii) mobile services, (iii) data brokers, (iv) large platform providers, and (v) industry codes of conduct. For example, the FTC will focus on mobile services by updating guidance about online advertising disclosures, including holding a workshop on model mobile disclosures on May 30, 2012. It also calls on mobile service providers to establish industry standards that address data collection, transfer, use, and disposal, particularly for location data.
CFPB Submits First Annual FDCPA Report to Congress
On March 20, the CFPB submitted to Congress its first annual report on the administration and enforcement of the Fair Debt Collections Practices Act (FDCPA). The CFPB inherited the annual reporting function as part of the Dodd-Frank Act’s transfer to the CFPB of the primary regulatory responsibility for the FDCPA. Prior to this report, the FTC prepared the annual report, and this year it submitted a letter to the CFPB detailing its efforts under the FDCPA. The report, as informed by the FTC letter, provides (i) a brief background on the FDCPA, (ii) a summary of consumer complaints about the debt collection industry, (iii) a description of the CFPB’s FDCPA supervision authority, including its rulemaking to expand that authority by defining “larger participant” nonbanks, (iv) an outline of recent FTC and CFPB enforcement activity and amicus briefs filed against entities engaged in debt collection, including ongoing non-public investigations of debt collection practices, and (v) each regulator’s FDCPA-related research and policy initiatives.