Wiley Consumer Protection Download (May 31, 2022)
*Originally published May 31, 2022
Regulatory Announcements
Significant Enforcement Actions
Upcoming Comment Deadlines and Events
More Analysis from Wiley
Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and ground-breaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
To subscribe to this newsletter, click here.
Regulatory Announcements
CFPB Releases Guidance on ECOA Requirements for Algorithmic Credit-Related Decisions. On May 26, the CFPB published a Consumer Financial Protection Circular addressing creditors’ requirements under the Equal Credit Opportunity Act (ECOA) when using algorithms in connection with making credit decisions, including requirements to issue compliant adverse action notices. The Circular emphasizes a number of points, including that ECOA and its specific adverse action requirements apply even where creditors use complex algorithms to make lending decisions, which sometimes may create challenges in identifying the specific reasons for denying credit or taking other adverse actions.
CFPB Shifts its Innovation Office to a New “Office of Competition and Innovation.” On May 24, the CFPB announced that the Office of Competition and Innovation would replace its Office of Innovation, which was originally founded as “Project Catalyst” and which in recent years had focused on Sandbox, No-Action Letter, and other programs designed to promote innovation. In a press release, the agency described these previous initiatives as efforts to “confer special regulatory treatment on individual companies.” The new office will aim to increase competition by exploring ways to make it easier for consumers to switch service providers; research market-structure issues that may inhibit innovation; explore the effect of product offerings by larger companies on smaller competitors; continue to pursue rulemaking efforts under Section 1033 of the Consumer Financial Protection Act to “give consumers access to their own data”; and host events aimed at analyzing market barriers to entry.
FTC Publishes Blog Post on Incident Response, Stating That Failure to Disclose a Data Breach May Violate the FTC Act. On May 20, the FTC’s Chief Technology Office Team and the Division of Privacy and Identity Protection published a Blog Post on incident response and breach disclosure. The Blog Post states that “in some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.” The Post further states that “a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” The Blog Post cites the FTC’s settlement with CafePress, which we discussed in our March 28, 2022 Newsletter. There, the agency reached a settlement with CafePress after the entity allegedly failed to reasonably respond to security incidents by notifying customers after suffering multiple breaches.
FTC Holds May 2022 Open Commission Meeting and Releases Policy Statement on Education Technology and Request for Comment on Endorsement Guides. On May 19, the FTC held a virtual Open Commission meeting to consider: (1) a Policy Statement on Education Technology and the Children’s Online Privacy Protection Act (Policy Statement); and (2) a Request for Public Comment on Amendments to the Guides Concerning the Use of Endorsements and Testimonials in Advertising (Request for Comment). Both items were approved by 5-0 votes.
The Policy Statement notes that the agency will focus Children’s Online Privacy Protection Act (COPPA) enforcement actions on, among other things, violations on prohibitions against mandatory data collection as a condition of using educational technology (Ed Tech) services and other services directed towards children under the age of 13, and violations of COPPA’s rules on how companies that collect personal information from children can use that information. During the meeting, all five FTC Commissioners expressed strong support for the Policy Statement. Following the FTC’s approval of the Policy Statement on May 19, staff attorneys published a blog post warning Ed Tech companies that “they must follow the law, including by properly safeguarding [childrens’] personal information and, where a company relies on the school to provide consent, using kids’ information only for school-related purposes, not for things like marketing.”
The Request for Comment, meanwhile, proposes a number of revisions to the FTC’s Endorsement Guides. The Guides address the application of Section 5 of the FTC Act to the use of advertising endorsements and testimonials. Among other matters, the Request for Comment seeks input on treating the deletion of negative reviews or the decision not to publish negative reviews as a deceptive act or practice under Section 5 of the FTC Act; addresses endorsements made on social media posts; and solicits feedback on adding a section to the Endorsement Guides focused on advertising towards children.
FTC Chair Khan Testifies Before U.S. House Appropriations Subcommittee. On May 18, FTC Chair Lina Khan testified before the U.S. House Appropriations Subcommittee on Financial Services and General Government. During her testimony, Chair Khan highlighted the agency’s FY 2023 budget request of $490.0 million (a proposed increase from the FY 2022 request of $376.5 million). Chair Khan argued that the request to increase the FY 2023 budget by $113.50 million “will fund an additional 215 [full-time employees] and enable us to address in part the increased demand on agency staff and resources.” Chair Khan also stated that the agency “has seen a soaring number of reports about business imposters, substantial losses stemming from online shopping and undelivered merchandise, a rising number of cryptocurrency and other income scams, work-from-home scams, fake check scams, and deceptive online trading offers. Between 2019 and 2021, the number of consumer reports has increased by over 67 percent, from 3.4 million reports in 2019 to 5.7 million reports in 2021.” A recording of the hearing is located here.
Significant Enforcement Actions
FTC Reaches Settlement With Twitter for Allegedly Using Account Security Data for Targeted Advertising. On May 25, the FTC announced that it reached a settlement with Twitter, Inc., for alleged violations of a 2011 FTC order. The Commission voted 4-0 to refer the complaint and stipulated final order to the Department of Justice for filing. The complaint alleges that the company asked users to provide a phone number or email address to improve account security, including by allowing users to reset passwords, unfreeze accounts, and enable two-factor authentication, but it allegedly used that information to aid advertisers in conducting targeted advertising without adequate disclosure. Among other things, the proposed order provides injunctive relief and a $150 million penalty. The FTC released a blog post outlining key takeaways of the case.
FTC Announces Settlement with Substance Abuse Treatment Provider. On May 17, the FTC announced that it filed suit against and reached a settlement with Ft. Lauderdale, Fla.-based R360 LLC and its owner, Steven Doumar, for alleged violations of the Opioid Addiction Recovery Fraud Prevention Act of 2018, the first action taken by the FTC under the Act. The Commission voted 4-0 to approve the complaint and proposed order. The complaint alleges that the company misrepresented to consumers suffering from substance abuse that it would connect them with treatment centers that met their individualized needs and were selected through a rigorous evaluation process conducted by an expert in substance use disorders and addiction treatment, when the matches were in fact made by the owner, who lacked the requisite qualification to make those decisions. The proposed order provides injunctive relief, including prohibitions against misrepresenting any material fact about substance use disorder treatment products or services, and a civil penalty of $3.8 million, which is suspended based on inability to pay.
Upcoming Comment Deadlines and Events
CFPB Seeking Comment on Agency’s Supervisory Authority Over Nonbank Companies, Including Fintechs. Comments are due May 31 on a CFPB Procedural Rule to implement the agency’s announcement that it is invoking its supervisory authority over certain nonbank financial companies. As explained in the Procedural Rule, Section 1091 of the CFPA provides that the CFPB may supervise a nonbank entity that the agency “has reasonable cause to determine, by order, after notice to the covered person and a reasonable opportunity for such covered person to respond . . . is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” The invocation of this nonbank supervisory authority is not focused on any specific financial products and services offered to consumers and may potentially encompass many financial technology (fintech) companies. While the Procedural Rule took effect on April 29, the CFPB “welcomes comments on this rule” and the agency “may make further amendments if it receives comments warranting changes.”
FTC Seeks Comment on Horseracing Integrity and Safety Authority Registration Rule. Comments are due May 31 on the Horseracing Integrity and Safety Authority (HISA) proposed Registration Rule, which details which details which persons much register with HISA, and the applicable registration requirements. HISA, which was established following the implementation of the Horseracing Integrity and Safety Act of 2020, is charged with developing a horseracing anti-doping and medication control program and a racetrack safety program. The Registration Rule will only take effect if approved by the FTC.
FTC Solicits Feedback on Proposed Changes to Energy Labeling Rule. Comments are due July 11 on the FTC’s Notice of Proposed Rulemaking seeking comment on updates to the Energy Labeling Rule. The Energy Labeling Rule, which was originally promulgated in 1979 to implement the Energy Policy and Conservation Act, requires manufacturers to attach labels to home appliances and other consumer products that allow consumers to compare energy usage and competing model costs. The Notice of Proposed Rulemaking requests public feedback on updates to three consumer disclosures for covered products – 1) estimated annual operating cost, 2) a “comparability range” showing the highest and lowest energy consumption or efficiencies for all similar models, and 3) the product’s energy consumption or energy efficiency rating.
FTC Holding Virtual Event on “Stealth Advertising” Towards Children. On October 19, the FTC will host a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media.” The event will examine evolving practices, such as the “kid influencer” marketplace, and the techniques being used to advertise to children over the Internet. Research papers and written comments may be submitted to the FTC here by July 18.
FTC Seeking Research Presentations for PrivacyCon 2022. Research presentations are due July 29 for PrivacyCon 2022, which will take place virtually on November 1. As part of the event, the FTC is seeking empirical research and presentations on topics including: algorithmic bias; “commercial surveillance” including workplace monitoring and “biometric surveillance”; new remedies and approaches to improve privacy and security practices; and the privacy risks posed by emerging technologies for children and teens.
More Analysis from Wiley
And Then There Were Five: Connecticut Adopts Comprehensive State Privacy Law
Lawmakers Continue to Scrutinize Algorithm Use Directed at Youth
Webinar: Transactional Due Diligence Related to Privacy & Cybersecurity
Utah to Add Fourth Omnibus Privacy Law to the Growing State Patchwork
Federal Efforts Introduced to Protect Non-HIPAA Health Data
Webinar: FTC’s Revised Safeguards Rule: How To Navigate New Information Security Requirements
Industry Highlights NIST Cybersecurity Framework’s Value as NIST Weighs a Potential Update
CISA Signals Cyber Incident Report Requirements
‘An Avalanche of Rulemakings’ – The FTC Gears Up for an Active 2022
EU and U.S. Reach Agreement in Principle on New Data Privacy Framework for EU-U.S. Data Transfers
Steps to Take in 2022 To Prepare for New State Privacy Laws
The Top 5 Cyber Issues for 2022
Podcast: Ransomware, Geopolitical Tensions, and the Race to Regulate
2022 Cyber Watch List: A look at 2021 and What’s to Come in the Year Ahead
Podcast: Why the FTC Matters for Fintech
White House Seeks to Develop AI Bill of Rights and Calls for Feedback on Use of Biometric Data
Podcast: Cyber in 2022: What Happened and What is Coming
Podcast: Artificial Intelligence Can Do Really Dumb Things With Personal Information
American Bar Association Webinar: Crypto at a Crossroads: Crypto and Privacy
Data Transfers from the EU – Further Guidance Issued
Duane Pozza Discusses Emerging Regulatory Approach to Crypto and DeFi
Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.
Download Disclaimer: Information is current as of May 31, 2022. This document is for informational purposes only and does not intend to be a comprehensive review of all proceedings and deadlines. Deadlines and dates are subject to change. Please contact us with any questions.