The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras).  In addition, the FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017.  The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call.

The FTC also highlighted its advocacy efforts, workshops, and publications, many of which focus on what are likely future areas of FTC enforcement, such as privacy and security concerns with IoT devices, payment systems, artificial intelligence and blockchain technologies, connected cars, and student privacy.  One of the FTC’s new publications of note is its Stick with Security blog series, which offers periodic insights into key takeaways from recent law enforcement actions, closed investigations, and experiences of companies.  The FTC report also demonstrated that the agency is attempting to be flexible in light of the changing nature of identity theft, informational injuries, and modern technologies while remaining vigilant in its mission to protect consumers.  Companies should similarly remain cognizant of the FTC’s role as “one of the most active privacy and data security enforcers in the world.”

On Thursday, December 14, the Federal Communications Commission voted 3-2 to reverse its 2015 order classifying the provision of broadband internet access services as a “telecommunication service” subject to Title II of the Communications Act of 1934, and restoring the classification of broadband internet access services as an “information service” under Title I of the Communications Act.  This reclassification moves the provision of broadband internet services from treatment as a utility (with greater governmental oversight over the provision of the utility’s services) to treatment as another offering by a telecommunications service provider.

The December 14 Order consequentially rescinds the rules prohibiting blocking of lawful internet content and applications, throttling or degrading lawful internet traffic, and paid prioritization of certain internet traffic.  These three prohibitions form the core of the “net neutrality” rules – essentially, the rules that required all internet traffic to be treated equally.

The FCC reversal on net neutrality could impact consumer payments in a couple of ways.  First, fintech companies (generally speaking, young companies with fewer resources whose business models are supported by fast, cheap internet access) which find their internet speeds either throttled or more costly may be outcompeted by larger, more established businesses which can more easily pay for higher internet speeds.  This may result in fewer fintech companies bringing new ideas and products to market.

A more direct impact may be felt in peer to peer payment platforms.  One could imagine two or three reasonably similar mobile device based payment applications, which have purchased (or can afford) varying degrees of internet access.  If one P2P platform takes 1-2 seconds to transact, while another takes 10-15, from a user experience perspective it is reasonable to assume the slower platform will quickly be abandoned in favor of the quicker platform.  Again, this favors providers with either larger margins or deeper pockets that can afford to pay for faster internet access, or a model that introduces tiered pricing for speeds.  One can imagine P2P platforms offering free and premium versions of their platform, with a premium version introducing higher access and settlement speeds.

Relatedly, the FCC and the Federal Trade Commission signed a memorandum of understanding on December 14 in which the FTC agreed to monitor the broadband market, and investigate and take enforcement actions against internet service providers for unfair or deceptive acts or practices (using the FTC’s authority under Section 5 of the FTC Act).  While the FTC is focused on UDAP issues with respect to the provision of internet services, might the CFPB look at internet speeds (and their disclosure) in connection with consumer financial services and identify potential issues for purposes of its authority to prohibit unfair, deceptive, or abusive acts or practices?  For example, would banks or platform providers need to disclose their internet speed, and could they face a UDAAP challenge if their transactions failed to meet such speeds?

Following the FCC’s vote, New York Attorney General Eric Schneiderman announced his plans to “lead a multistate lawsuit to stop the rollback of net neutrality.”  According to media reports, nearly 20 states, including Massachusetts, Mississippi, Hawaii, Maine, Vermont, and Illinois, have indicated that they intend to participate in Mr. Schneiderman’s lawsuit.

Richard Moseley Sr., the operator of a group of interrelated payday lenders, was convicted by a federal jury on all criminal counts in an indictment filed by the Department of Justice, including violating the Racketeer Influenced and Corrupt Organizations Act (RICO) and the Truth in Lending Act (TILA).  The criminal case is reported to have resulted from a referral to the DOJ by the CFPB. The conviction is part of an aggressive attack by the DOJ, CFPB, and FTC on high-rate loan programs.

In 2014, the CFPB and FTC sued Mr. Mosley, together with various companies and other individuals.  The companies sued by the CFPB and FTC included entities that were directly involved in making payday loans to consumers and entities that provided loan servicing and processing for such loans.  The CFPB alleged that the defendants had engaged in deceptive and unfair acts or practices in violation of the Consumer Financial Protection Act (CFPA) as well as violations of TILA and the Electronic Fund Transfer Act (EFTA).  According to the CFPB’s complaint, the defendants’ unlawful actions included providing TILA disclosures that did not reflect the loans’ automatic renewal feature and conditioning the loans on the consumer’s repayment through preauthorized electronic funds transfers.

In its complaint, the FTC also alleged that the defendants’ conduct violated the TILA and EFTA.  However, instead of alleging that such conduct violated the CFPA, the FTC alleged that it constituted deceptive or unfair acts or practices in violation of Section 5 of the FTC Act.  A receiver was subsequently appointed for the companies.

In November 2016, the receiver filed a lawsuit against the law firm that assisted in drafting the loan documents used by the companies.  The lawsuit alleges that although the payday lending was initially done through entities incorporated in Nevis and subsequently done through entities incorporated in New Zealand, the law firm committed malpractice and breached its fiduciary obligations to the companies by failing to advise them that because of the U.S. locations of the servicing and processing entities, the lenders’ documents had to comply with the TILA and EFTA.  A motion to dismiss the lawsuit filed by the law firm was denied.

In its indictment of Mr. Moseley, the DOJ claimed that the loans made by the lenders controlled by Mr. Moseley violated the usury laws of various states that effectively prohibit payday lending and also violated the usury laws of other states that permit payday lending by licensed (but not unlicensed) lenders.  The indictment charged that Mr. Moseley was part of a criminal organization under RICO engaged in crimes that included the collection of unlawful debts.

In addition to aggravated identity theft, the indictment charged Mr. Moseley with wire fraud and conspiracy to commit wire fraud by making loans to consumers who had not authorized such loans and thereafter withdrawing payments from the consumers’ accounts without their authorization.  Mr. Moseley was also charged with committing a criminal violation of TILA by “willfully and knowingly” giving false and inaccurate information and failing to provide information required to be disclosed under TILA.  The DOJ’s TILA count is particularly noteworthy because criminal prosecutions for alleged TILA violations are very rare.

This is not the only recent prosecution of payday lenders and their principals. The DOJ has launched at least three other criminal payday lending prosecutions since June 2015, including one against the same individual operator of several payday lenders against whom the FTC obtained a $1.3 billion judgment.   It remains to be seen whether the DOJ will limit prosecutions to cases where it perceives fraud and not just a good-faith disclosure violation or disagreement on the legality of the lending model.  Certainly, the offenses charged by the DOJ were not limited to fraud.

The FTC has announced that it will host a workshop on December 12, 2017 in Washington, D.C. to examine consumer injury in the context of privacy and data security.

In the workshop, the FTC plans to examine questions about the injury consumers suffer when information about them is exposed or misused such as “how to best characterize these injuries, how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the tradeoffs involved in collecting, using, or providing information while also potentially increasing their exposure to injuries.”

The types of consumer harm that flow from data security and privacy breaches has significant implications both for government enforcement and private actions.  With regard to government enforcement actions, in remarks given in February 2017 soon after her appointment by President Trump as Acting FTC Chairman, Maureen Ohlhausen observed that a focus on consumer injury is important both in deciding what cases to bring and in determining what remedy to seek.  She stated that the FTC can best use its limited resources “by focusing on practices that are actually harming or likely to harm consumers” and used recent privacy and data security actions as examples of situations where the FTC “strayed from a focus on actual harm.”  She also criticized the FTC’s pursuit of disgorgement  that was “disproportionate to any consumer harm” and stated that she intended to “work to ensure that our enforcement actions target behaviors causing concrete consumer harm, and that remedies are tied to consumer harm.”

With regard to private actions, the issue of what types of consumer injury will satisfy Article III standing under the U.S. Supreme Court’s Spokeo decision continues to be litigated.  In Spokeo, the Supreme Court held that a plaintiff alleging a violation of the Fair Credit Reporting Act does not have Article III standing to sue for statutory damages in federal court unless the plaintiff can show that he or she suffered “concrete,” “real” harm as a result of the violation.

In advance of the workshop, the FTC is seeking comment by October 27 on the issues to be covered by the workshop, including the following questions:

  • What are the qualitatively different types of injuries from privacy and data security incidents?  What are some real life examples of these types of informational injury to consumers and to businesses?
  • What frameworks might we use to assess these different injuries?  How do we quantify injuries?  How might frameworks treat past, current, and potential future outcomes in quantifying injury?  How might frameworks differ for different types of injury?
  • How do businesses evaluate the benefits, costs, and risks of collecting and using information in light of potential injuries?  How do they make tradeoffs? How do they assess the risks of different kinds of data breach?  What market and legal incentives do they face, and how do these incentives affect their decisions?
  • How do consumers perceive and evaluate the benefits, costs, and risks of sharing information in light of potential injuries?  What obstacles do they face in conducting such an evaluation?  How do they evaluate tradeoffs?

The FTC has launched a new page on its website dedicated to its Military Task Force.  According to the FTC, it created the Task Force “to focus on identifying the particular needs of military consumers and developing initiatives to empower servicemembers, veterans, and their families more effectively.”  The Task Force consists of representatives of different FTC divisions.

The new webpage includes links to resources for servicemembers and veterans, workshops, related FTC cases and other initiatives, and congressional testimony.

 

On July 17th, the Federal Trade Commission (FTC) announced reforms to its civil investigative demand (CID) process designed to streamline information requests and improve transparency in FTC investigations.  The process reforms that will be implemented for consumer protection cases include:

  • Providing plain language descriptions of the CID process and developing business education materials to help small businesses understand how to comply;
  • Adding more detailed descriptions of the scope and purpose of investigations to give companies a better understanding of the information the agency seeks;
  • Where appropriate, limiting the relevant time periods to minimize undue burden on companies;
  • Where appropriate, significantly reducing the length and complexity of CID instructions for providing electronically stored data;
  • Where appropriate, increasing response times for CIDs (for example, often 21 days to 30 days for targets, and 14 days to 21 days for third parties) to improve the quality and timeliness of compliance by recipient; and
  • Ensuring companies are aware of the status of investigations by adhering to the current practice of communicating with investigation targets concerning the status of investigations at least every six months after they comply with the CID.

The reforms are part of the FTC’s broader initiative to implement Presidential directives aimed at eliminating wasteful, unnecessary regulations, and processes.  The FTC had previously announced other efforts that are already underway:

  • Forming new groups within the Bureau of Competition and the Bureau of Consumer Protection working to eliminate unnecessary costs to companies and individuals who receive CIDs.
  • Reviewing FTC dockets and closing older investigations, where appropriate.
  • Working to identify unnecessary regulations that are no longer in the public interest.
  • The FTC Bureau of Consumer Protection is actively reviewing closed data security investigations to extract key lessons for improved guidance and transparency.
  • The FTC Bureaus of Consumer Protection and Economics are working together to integrate economic expertise earlier in FTC investigations to better inform agency decisions about the consumer welfare effects of enforcement actions.
  • Acting Chairman Ohlhausen has established a new capability within her office to collect and review ideas on process streamlining and operational efficiency opportunities from across the agency.

The CFPB, which originally modeled many of its own investigatory processes on the FTC model, should consider whether any of these reforms make sense for its own CIDs, which have been frequently criticized as being expansive in scope, vague, and unduly burdensome.

As part of its “Class Action Fairness Project,” the FTC is seeking comment on its plans to use an Internet panel to conduct research on class action notices.  According to the FTC’s Federal Register notice, the project “strives to protect injured consumers from settlements that provide them with little to no benefit and to protect businesses from the incentives such settlements may create for the filing of frivolous lawsuits.”  Actions taken by the FTC as part of the project include monitoring class actions and filing amicus briefs or intervening in appropriate cases; coordinating with state, federal, and private groups on important class action issues; and monitoring the progress of legislation and class action rule changes.  Comments in response to the FTC’s notice will be due on or before August 17, 2017.

In 2015, the FTC announced its plans to study whether consumers receiving class action notices understand the process and implications for opting out of a settlement, the process for participating in a settlement, and the implications for doing nothing (Notice Study).  It also announced that it planned to conduct a study to determine what factors influence a consumer’s decision to participate in a class action settlement, opt out of a class action settlement, or object to the settlement (Deciding Factors Study).

In the new notice, the FTC states that as part of the Notice Study, it proposes to conduct an Internet-based consumer research study to explore consumer perceptions of class action notices.  Using notices sent to class members in various nationwide class action settlements and “streamlined versions designed by the FTC staff,” the study will focus on notices sent to individual consumers via email and will examine whether variables such as the sender’s email address and subject line impact a consumer’s perception of and willingness to open an email notice.  The FTC plans to send an Internet questionnaire to participants drawn from an Internet panel with nationwide coverage maintained by a consumer research firm that operates the panel.

While the FTC plans to assess consumer comprehension of the options conveyed by the notice, including the process for participating in the settlement and the implications of consumer choice, in the Notice Study, it no longer plans to examine whether consumers understood the implications of opting out of a settlement,  According to the FTC, it has determined that the opt-out issue is more appropriately addressed in the Deciding Factors Study.

In November 2015, the FTC issued orders to eight claims administrators requiring them to provide information on their procedures for notifying class members about settlements and the response rates for various methods of notification.  While the FTC notes that it has used data obtained through the orders to inform the Notice Study and that such data will also be used to inform its Deciding Factors Study, it does not provide any information about what such data revealed.  We had commented that the response rate data provided to the FTC by the claims administrators was expected to show extremely low response rates (i.e., less than 5 percent) in most cases, providing support for critics of the CFPB’s proposed rule to prohibit providers of certain consumer financial products and services from using a pre-dispute arbitration agreement that contains a class action waiver.

That rule has now been finalized and like the CFPB’s proposed rule, is based on the CFPB’s view that consumers obtain more meaningful relief through class actions than in arbitration.  Low average response rates would be further evidence that the CFPB’s premise is incorrect and arbitration is more beneficial to consumers than class actions.

 

 

 

 

 

The Federal Trade Commission (“FTC”) released an updated version of its guidance on complying with the Children’s Online Privacy Protection Act (“COPPA”) on June 21, 2017. Companies that collect personal information from children under 13 years of age need to comply with COPPA. To help companies with COPPA compliance, the FTC’s guidance presents a six-step plan:

  • Step 1: Determine whether your company is a website or online service that collects personal information from kids under 13;
  • Step 2: Post a privacy policy that complies with COPPA;
  • Step 3: Notify parents directly before collecting personal information from their kids;
  • Step 4: Get parents’ verifiable consent before collecting personal information from their kids;
  • Step 5: Honor parents’ ongoing rights with respect to personal information collected from their kids; and
  • Step 6: Implement reasonable procedures to protect the security of kids’ personal information.

The updated guidance makes two important changes. First, the FTC clarifies that “website or online service” includes Internet of Things devices as well as connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.

Second, the updated guidance provides two additional methods by which businesses can obtain verifiable consent from parents to collect personal information from children:

  • Parents can answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or
  • Parents can provide a picture of a driver’s license or other photo ID which is then compared to a second photo submitted by the parent using facial recognition technology.

On July 19, the Federal Trade Commission will hold a workshop in San Antonio titled the “2017 Military Consumer Financial Workshop: Protecting Those Who Protect Our Nation.” The FTC has uploaded an agenda and list of panelists for the workshop. Acting FTC Chairman Maureen K. Ohlhausen will be in attendance and deliver the event’s opening remarks. Describing the focus of the forum, Ohlhausen commented that “[h]elping servicemembers and veterans avoid fraud, learn about their legal rights and remedies, and find resources that protect them in the financial area is a top priority.”

Topics to be discussed include auto finance, student lending, installment credit practices, debt collection, legal rights and remedies, financial literacy, and identity theft. The FTC expects the workshop to draw participants from a wide range of spheres, including all service branches, military consumer advocates, consumer groups, legal services providers and clinics serving the military, and representatives from government and industry.  The event, which is free and open to the public, will also be tweeted live from the FTC’s Military Consumer Twitter account (@Milconsumer) using the hashtag #MilFinancial Workshop.

An Illinois federal judge ordered Dish Network to pay the federal government $168 million for violating the FTC’s Telephone Sales Rule (“TSR”).  The judgment is the largest civil penalty ever obtained for a violation of the TSR.  The remainder of the civil penalty was awarded to the states of California, Illinois, North Carolina, and Ohio for violations of the Telephone Consumer Protection Act (“TCPA”) and various state statutes.  In addition to permanently blocking Dish from making calls in violation of the do-not-call laws, the order requires Dish to undergo substantial long-term compliance monitoring.  Among the many costly provisions of the compliance monitoring component of the order, Dish is required to hire a telemarketing-compliance expert to prepare policies and procedures to ensure that Dish and its primary retailers continue to comply with the injunction and the telemarketing laws.

The decision follows a five week bench trial that commenced in January 2016.  A number of factors were central to the district judge’s 475-page opinion.  Significantly, the calls were placed to individuals whose numbers were listed on the National Do Not Call Registry and to individuals who informed Dish that they did not want to receive calls from them.  Notably, the court ruled in favor of the federal government on all of the TSR counts and found more than 66 million TSR violations.  It further chastised Dish for employing call centers without any vetting or meaningful oversight.  The court also admonished Dish for its refusal to take responsibility for the actions of its call centers and retailers.  Such remarks represent a growing trend of courts scrutinizing companies over their monitoring of third-party vendors and their practices.  Just last month, a North Carolina federal judge presiding over a TCPA class action, found Dish vicariously liable for its vendor’s willful and knowing violations of the TCPA and trebled the damages to $1,200 per call—more than $61 million in total.

A Dish spokesman said that Dish “respectfully disagrees” with the Illinois decision and plans to appeal.