InfoBytes Blog

Financial Services Law Insights and Observations

  • ISP pays $15 million to settle with two more states on hidden fees and false advertising

    State Issues

    On January 9, the Minnesota attorney general announced that an internet service provider (ISP) agreed to pay nearly $9 million in order to resolve allegations that it overcharged customers for phone, internet and cable services. In a separate action, on December 10, the Washington attorney general’s office announced that it entered into a $6.1 million consent decree with the same ISP to resolve similar claims of deceptive acts and practices. As previously covered by InfoBytes, the ISP entered into settlements over the same alleged actions with the states of Colorado on December 19, and Oregon on December 31.

    State Issues Courts Advertisement Enforcement State Attorney General Settlement Consumer Protection Fraud Fees

  • California outlines new data privacy rights

    State Issues

    On January 6, the California attorney general issued an advisory explaining consumers’ rights under the California Consumer Privacy Act (CCPA), which took effect January 1. (See previous InfoBytes coverage on the CCPA here.) These rights include (i) the right to request from businesses what personal information they collect, use, share, or sell; (ii) the right to request that businesses and their service providers delete one’s personal information; (iii) the right to opt out of businesses’ disclosure of one’s personal information via “Do Not Sell” links on businesses’ websites and mobile apps; (iv) the right of children younger than 16 to have businesses disclose their personal information only after receiving the child’s opt-in consent (though parents or guardians may consent for children under 13); and (v) the right to non-discrimination should a consumer exercise his or her privacy rights under the CCPA.

    In addition to enumerating these consumer rights, the advisory specifies the types of businesses subject to the CCPA, provides information on the state’s data broker registry, and describes consumers’ private right of action in the event of a data breach.

    State Issues State Attorney General Privacy/Cyber Risk & Data Security CCPA State Regulation

  • Missouri AG alleges housing nonprofit trust deceived members

    State Issues

    On January 2, the Missouri attorney general filed a petition for preliminary and permanent injunction in Missouri Circuit Court against a nonprofit trust and its registered agent (the defendants) alleging the defendants deceived thousands of state residents by marketing memberships in the trust with the promise that the pooled resources would fund “to-be-completed homes.” The AG alleges that the defendants solicited consumers to attend meetings, purchase memberships, and pay monthly dues, and also asked members to provide additional funds to go towards appliances and other fixtures for the homes. However, the agent defendant allegedly admitted that none of the promised homes were constructed or otherwise provided to the members.

    The AG further contends that “none of the solicited funds were ever used or invested towards providing a home to any of the members,” and were instead used to cover the trust’s operating expenses. According to the AG, the defendants’ actions violate state law and constitute false promises, omissions of material fact, and deception. The AG seeks injunctive relief “up to and including prohibiting and enjoining [d]efendants . . . from owning or operating organizations that sell or manage real estate that solicit upfront payments for goods or services, or that solicit charitable contributions.” The AG also seeks restitution for member losses, a fine equal to 10 percent of the restitution amount, a $1,000 fine per violation, and compensation for the state’s costs in pursuing the case.

    State Issues State Attorney General Courts Deceptive Consumer Finance

  • District Court settles payday lending suit against investment firm in rent-a-tribe scheme

    Courts

    On December 31, the U.S. District Court for the Eastern District of Pennsylvania entered an order signing off on a settlement agreement between the state attorney general and an investment firm and its affiliates (the defendants) connected to a lender accused of using Native American tribes to circumvent the state’s usury laws. (See previous InfoBytes coverage here and here.) According to the court’s opinion, the defendants allegedly became involved in the “rent-a-bank” and “rent-a-tribe” schemes when they made “‘an initial commitment of at least $90 million to be used in funding [the] loans’ in exchange for a fixed 20 percent return on investment” guaranteed by the lender.

    In the settlement agreement, the defendants agreed not to provide capital to any third-parties offering Pennsylvania consumers loans that carry an interest rate in excess of the state’s six percent limit on unsecured consumer loans under $50,000. The defendants also agreed to perform regulatory reviews and due diligence “at least once per full calendar year during the term of [a] transaction” involving consumer credit products or services offered to Pennsylvania consumers. While the defendants expressly deny any liability or wrongdoing, the parties agreed to enter into the agreement to “avoid the cost, expense and effort associated with continuing the dispute.” The AG states that the settlement agreement does not constitute an approval by the AG’s office of any of the defendants’ “products, marketing, business practices or website content, acts and/or practices.”

    Courts State Attorney General Payday Lending Settlement Interest Rate Usury

  • Internet provider and states agree to nearly $12.5 million for false advertising, hidden fees

    State Issues

    On December 19, the Colorado attorney general announced that an internet service provider (ISP) agreed to pay nearly $8.5 million in order to resolve allegations that it “unfairly and deceptively charg[ed] hidden fees, falsely advertis[ed] guaranteed locked prices, and fail[ed] to provide discounts and refunds it promised” to Colorado consumers in violation of the Colorado Consumer Protection Act. According to the announcement, in 2017 the AG’s office investigated the ISP and compiled information that the ISP had “systematically and deceptively overcharged consumers for services” since 2014 (see the complaint filed by the AG here). In the settlement, the ISP agreed to an order that requires it, among other things, to (i) refrain from making false and misleading statements to consumers in the marketing, advertising and sale of its products and services; (ii) accurately communicate monthly base charges as well as one-time fees, taxes, and other fees and surcharges to consumers; (iii) disclose any “internet cost recovery fee” or “broadband recovery fee” to consumers being charged the fees and allow the affected consumers to switch to different services if they wish to avoid the fees; (iv) refrain from charging an “internet or broadband cost recovery fee” on new orders; and (v) provide refunds to customers who were overcharged for services and to those customers who did not previously receive discounts that the ISP promised.

    In a separate action, on December 31, the Oregon attorney general’s office announced that it entered into a $4 million Assurance of Voluntary Compliance with the same ISP to resolve similar claims of deceptive acts and practices in the advertising, sale, and billing of the ISP’s internet, telephone and cable services in violation of the Oregon Unlawful Trade Practices Act. According to the announcement, the Oregon DOJ started an investigation of the ISP in 2014 for allegedly “misrepresenting the price of services, failing to inform consumers of terms and conditions that could affect the price, and billing consumers for services they never received.” The ISP agreed to requirements that are very similar to those in the Colorado settlement. The announcement notes that the “Oregon DOJ will continue to lead a separate securities class action lawsuit arising from the same conduct.”

    State Issues Courts State Attorney General Consumer Protection Settlement Advertisement Fees Enforcement

  • Pennsylvania reaches settlement with travel websites over data breach

    State Issues

    On December 13, the Pennsylvania attorney general announced a settlement with two travel websites resolving allegations that a 2018 data breach may have exposed consumer data for more than 20,000 state customers, including 880,000 affected payment cards globally. According to the state’s investigation, a hacker bypassed security detection and built malware that targeted payment cards on one of the company’s platforms. The company was also notified by a business partner of potentially fraudulent point of purchase transactions related to the data breach. Under the terms of the Assurance of Voluntary Compliance—which alleges the company violated the state’s Unfair Trade Practices and Consumer Protection Law by misrepresenting safeguards for customer data in its privacy policy and failing to fully implement data security policies—the companies have agreed to pay $110,000, including an $80,000 civil penalty and $30,000 towards future public protection and education purposes. The company must also implement a number of security requirements, such as (i) implementing a comprehensive information security program on their travel website; (ii) conducting annual risk assessments; (iii) developing a program for implementing and operating safeguards; and (iv) complying with Payment Card Industry Data Security Standards.

    State Issues State Attorney General Settlement Data Breach Privacy/Cyber Risk & Data Security

  • States recommend FTC “significantly” strengthen COPPA

    Privacy, Cyber Risk & Data Security

    On December 9, a coalition of 25 state attorneys general responded to the FTC’s request for comments on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA). As previously covered by InfoBytes, the FTC released a notice in July seeking comments on all major provisions of COPPA, including definitions, notice and parental consent requirements, exceptions to verifiable parental consent, and the safe harbor provision. In response, the AGs strongly recommend that, while the FTC should “significantly” strengthen COPPA, any changes must be flexible and evolve to meet a rapidly-changing data landscape’s needs. Specifically, the AGs state that COPPA’s definition of “web site or online service directed to children,” as well as its definition of an “operator,” need to be modified, as many first-party platforms embed third parties who allegedly engage in the majority of the privacy-invasive online tracking. By expanding the definition of an operator, the AGs claim that COPPA would require compliance by companies that use and profit from the data as well as companies that collect the data. According to the AGs, COPPA places a lower burden on third-parties and requires them to be bound by the rule only when they have “actual knowledge” that they are tracking children, even though these entities “are arguably as well-positioned as the operators of the websites and online services to know that they are tracking and monitoring children.”

    The AGs also believe that the prong that “recognizes the child-directed nature of the content” should be strengthened, because companies that are able to identify and target consumers through sophisticated algorithms are often disincentivized to use the information to affirmatively identify child-directed websites or other online services. Among other things, the AGs also discuss the need for specifying the appropriate methods used for determining a user’s age, expanding COPPA to protect minors’ biometric data, and providing illustrative security requirements.

    Privacy/Cyber Risk & Data Security COPPA State Attorney General FTC Agency Rule-Making & Guidance

  • Kraninger discusses coordinated state supervision and enforcement efforts

    Federal Issues

    On December 10, in a speech before the National Association of Attorneys General Capital Forum, CFPB Director Kathy Kraninger discussed partnership with the states, as well as recent efforts between the Bureau and states in the areas of supervision and enforcement, including innovation policies. Kraninger also discussed the Bureau’s small dollar and debt collection rules. Noting that the Bureau will “effectively enforce the law to fulfill our consumer protection mission … after thoroughly reviewing the facts,” Kraninger recapped FY 2019 enforcement actions and settlements, which have resulted in more than $777 million in total consumer relief, which included over $600 million in consumer redress and more than $174 million in other relief. These actions, Kraninger stated, have resulted in more than $185 million in civil money penalties, not taking into account suspended amounts. Kraninger also highlighted several joint efforts with states and other agencies over the past year, including (i) a multi-agency action resolving a 2017 data breach (InfoBytes coverage here); (ii) a joint action with the New York Attorney General against a network of New York-based debt collectors that allegedly engaged in improper debt collection tactics (InfoBytes coverage here); (iii) a coordinated action with the Minnesota Attorney General’s Office, the North Carolina Department of Justice, and the Los Angeles City Attorney concerning a student loan debt relief operation (InfoBytes coverage here); and (iv) an action with the South Carolina Department of Consumer Affairs against an operation that offered high-interest loans to veterans and other consumers in exchange for the assignment of some of the consumers’ monthly pension or disability payments (InfoBytes coverage here).

    Kraninger also discussed the Bureau’s recently-announced American Consumer Financial Innovation Network (ACFIN), which is designed to enhance coordination among federal and state regulators to facilitate financial innovation. (InfoBytes coverage here.) ACFIN currently includes nine state attorneys general and four state financial regulators. Kraninger noted that the Bureau is presently reviewing approximately 190,000 comments concerning proposed changes related to certain payday lending requirements and mandatory underwriting provisions (InfoBytes coverage here), as well as over 14,000 comments submitted in response to its Notice of Proposed Rulemaking issued in May concerning amendments to the debt collection rule (InfoBytes coverage here). Kraninger stressed that the Bureau plans to release a Supplemental Notice of Proposed Rulemaking “very early” in 2020, and will be “interested in practical and pragmatic ideas of how to make time-barred debt disclosures work.”

    Federal Issues CFPB Supervision Enforcement State Attorney General State Regulators Payday Lending Debt Collection

  • TRO issued against VoIP service provider in card interest reduction scam

    Federal Issues

    On December 5, the FTC and the Ohio attorney general announced that the U.S. District Court for the Western District of Texas issued a temporary restraining order (TRO) against a VoIP service provider and its foreign counterpart for facilitating (or consciously avoiding knowing of) a “phony” credit card interest rate reduction scheme committed by one of its client companies at the center of a joint FTC/Ohio AG action. As previously covered by InfoBytes, the original complaint alleged that a group of individuals and companies—working in concert and claiming they could reduce interest rates on credit cards—had violated the FTC Act, the Telemarketing Sales Rule, and various Ohio consumer protection laws. In addition to obtaining a TRO against the most recent alleged participants, the FTC and Ohio AG amended their July complaint to add the telecom companies as defendants alleging the companies “played a key role in robocalling consumers to promote a credit card interest reductions scheme.”

    Federal Issues FTC State Attorney General Consumer Finance Robocalls Credit Cards TRO Courts FTC Act Telemarketing Sales Rule

  • New York considers privacy legislation broader than the CCPA

    Privacy, Cyber Risk & Data Security

    On November 22, the New York Senate’s Committee on Consumer Protection and Committee on Internet and Technology held a joint hearing titled, “Consumer Data and Privacy on Online Platforms,” which discussed the proposed New York Privacy Act, SB S5642 (the Act). The Act was introduced in May and seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York State or produce products or services that are intentionally targeted to residents of New York State. The Act contains different provisions than the California Consumer Privacy Act (CCPA), which is set to take effect on January 1, 2020 (visit here for InfoBytes coverage on the CCPA). Highlights of the Act include:

    • Fiduciary Duty. Most notably, the Act requires that legal entities “shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” Specifically, the Act states that personal data of consumers “shall not be used, processed or transferred to a third party, unless the consumer provides express and documented consent.” The Act imposes a duty of care on every legal entity, or affiliate of a legal entity, with respect to securing consumer personal data against privacy risk and requires prompt disclosure of any unauthorized access. Moreover, the Act requires that legal entities enter into a contract with third parties imposing the same duty of care for consumer personal data prior to disclosing, selling, or sharing the data with that party.
    • Consumer Rights. The Act requires covered entities to provide consumers notice of their rights under the Act and provide consumers with the opportunity to opt-in or opt-out of the “processing of their personal data” using a method where the consumer must clearly select and indicate their consent or denial. Upon request, and without undue delay, covered entities are required to correct inaccurate personal data or delete personal data.
    • Transparency. The Act requires covered entities to make a “clear, meaningful privacy notice” that is “in a form that is reasonably accessible to consumers,” which should include: the categories of personal data to be collected; the purpose for which the data is used and disclosed to third parties; the rights of the consumer under the Act; the categories of data shared with third parties; and the names of third parties with whom the entity shares data. If the entity sells personal data or processes data for direct marketing purposes, it must disclose the processing, as well as the manner in which a consumer may object to the processing.
    • Enforcement. The Act defines violations as an unfair or deceptive act in trade or commerce, as well as an unfair method of competition. The Act allows for the attorney general to bring an action for violations and also prescribes a private right of action for any harmed individual. Covered entities are subject to injunction and liable for damages and civil penalties.

    According to reports, state lawmakers at the November hearing indicated that federal requirements would be “the best scenario,” but in the absence of Congressional movement in the area, one state senator noted that the state legislators must “assure [their] constituents that [the state legislature is] doing everything possible to protect their privacy.” Witnesses expressed concern that the Act would be placing too many new requirements on businesses that differ from what other states have already enacted, and encouraged more consistent baseline standards for compliance instead of a patchwork approach. Some witnesses expressed specific concern with the opt-in requirement for the collection and use of consumer data, noting that waiting on consumers to opt-in, as opposed to just opting-out, makes compliance difficult to administer. Lastly, many witnesses were displeased about the broad private right of action in the Act, but consumer groups praised the provision, noting that the state attorney general does not have the resources to regulate and enforce against all the data collection and sharing in the state.

    Privacy/Cyber Risk & Data Security State Legislation State Issues Enforcement State Attorney General
