Last week, the Federal Trade Commission (FTC) Bureau of Consumer Protection’s Acting Director, Thomas Pahl, posted on the FTC’s Business Blog about the FTC’s role as the federal agency with the “broadest jurisdiction” to pursue privacy and data security issues. Pahl noted that for over twenty years the FTC has used its authority, “thoughtfully and forcefully to protect consumers even as new products and services emerge and evolve.”  Pahl emphasized that the FTC is “the enforcement leader in the privacy and security arena” and that the FTC will continue to “focus the national conversation on keeping consumer privacy and data security front and center as new technologies emerge.”

Pahl’s blog posting supports recent statements by FTC Acting Chairman Maureen Ohlhausen, who recently testified before Congress that, “the FTC is committed to protecting consumer privacy and promoting data security in the private sector.”

Companies should not expect the FTC to reduce its enforcement activities relating to privacy and data security issues, but companies can expect the FTC to shift away from bringing cases based on novel legal theories.  Ohlhausen is committed to re-focusing the FTC’s efforts on “bread-and-butter” enforcement.  Ohlhausen has spoken openly in opposition to recent enforcement actions brought under the Obama Administration that were based on speculative injury or subjective types of harm rather than concrete consumer injury.

Furthermore, companies should expect further guidance from the FTC relating to privacy and data security expectations to help reduce unnecessary regulatory burdens and provide additional transparency to businesses on how they can remain compliant and avoid engaging in unfair or deceptive acts or practices.  Under Ohlhausen’s leadership, companies should be watching closely for FTC guidance laying out what they should do to protect consumer privacy and ensure proper data security, rather than just waiting to find out what they should not do from FTC enforcement actions.

On September 15th, the FTC will hold a workshop to examine the testing and evaluation of disclosures that companies make to consumers about advertising claims, privacy practices, and other information.  The FTC’s workshop will explore how to test the effectiveness of these disclosures to ensure consumers notice them, understand them, and can use them in their decision-making.  Companies should incorporate the principles articulated during the workshop by federal regulators such as the FTC and the CFPB into the development of their own consumer disclosures, especially relating to e-commerce and mobile initiatives.

The “Putting Disclosures to the Test” workshop will explore ways to improve the evaluation and testing of consumer disclosures by industry, academics, and the FTC related to:

  • Disclosures in advertising designed to prevent ads from being deceptive;
  • Privacy-related disclosures, including privacy policies and other mechanisms to inform consumers that they are being tracked; and
  • Disclosures in specific industries designed to prevent deceptive claims.

Among the participants at the workshop will be Heidi Johnson, a research analyst from the CFPB Office of Research, who will present a case study entitled, “Disclosure Research in the Lab and Online.” The CFPB’s Decision Making and Behavioral Studies team is engaged in a strategic initiative to invest in research that explores the factors that influence a disclosure’s efficacy, how to use different methodologies to study disclosure, and the market effects of disclosure. Ms. Johnson’s work as a part of this team has included consumer research on overdraft and other financial products.

On July 1st, the CFPB proposed to amend Regulation P under the Gramm-Leach-Bliley Act (GLBA) to implement the statutory changes made by the Fixing America’s Surface Transportation Act (see prior post) that provided financial institutions that meet certain conditions with an exemption from the GLBA requirement to deliver annual privacy notices to customers.  The proposed changes would also establish timing requirements to begin re-delivering the annual privacy notices if a financial institution no longer qualifies for the exception.  Companies considering making changes to their privacy policies or practices should carefully assess the impact of the proposed rules.

The proposed rules would provide that a financial institution is not required to deliver a GLBA annual privacy notice if the financial institution:

  • Provides nonpublic personal information to nonaffiliated third parties only under one of the GLBA exceptions to the notice and opt-out requirements (§ 1016.13, § 1016.14, or § 1016.15); and
  • Has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent privacy notice provided to the customer.

The proposed rule would not affect the collection or use of consumers’ nonpublic personal information by financial institutions.  Nor does the new exception affect the requirement to deliver an initial privacy notice, so all consumers will continue to receive such initial notices describing the privacy policies of any financial institutions with which they do business.  Furthermore, financial institutions that choose to take advantage of the annual notice exception must still provide any opt-out disclosures required under the Fair Credit Reporting Act, which can generally be provided in the initial notice.

The CFPB is also proposing to remove its 2014 rule (as described in our prior post) that established an alternative delivery method for GLBA annual privacy notices. Because financial institutions that meet the conditions in Regulation P to use the alternative delivery method also would meet the conditions for the new statutory exemption, the CFPB has concluded that the alternative delivery method is no longer necessary as the CFPB believes that a financial institution that has both options available to it would choose not to send the annual privacy notice at all, rather than to deliver it pursuant to the alternative delivery method.  However, the CFPB notes that financial institutions that qualify for the new exemption may still choose to post privacy notices on their websites or deliver privacy notices to consumers who request them.

While this is a positive step forward in regulatory reform, the CFPB could have done this years ago during its 2014 rulemaking process.  However, an act of Congress was required to push the CFPB into making this common-sense change.

An amendment creating an exception to the annual privacy notice delivery requirement for financial institutions has been signed into law by President Obama as part of the “Fixing America’s Surface Transportation Act” (FAST Act).

Section 75001 of the FAST Act, signed into law on December 4, 2015, amends Section 503 of the Gramm-Leach-Bliley Act (GLBA) to add an exception to the annual notice delivery requirement for any financial institution that (1) only shares nonpublic personal information (NPI) as permitted by the GLBA without providing consumers with notice and opt-out rights, and (2) has not changed its policies and practices with regard to disclosing NPI since its most recent disclosure sent to consumers.

Since the CFPB (as well as other federal agencies including the FTC) has issued GLBA regulations, those regulations will need to be amended to reflect the exception created by the FAST Act.  Nevertheless, the exception created by the amendment is effective immediately.

For more on the amendment, see our legal alert.

A new lawsuit filed by the CFPB in a California federal district court alleges that the defendants, a company and its individual owner, are engaged in a nationwide student financial aid scam.  In addition to injunctive relief, the complaint seeks redress for harmed consumers and civil money penalties.

According to the CFPB’s complaint, the defendants contacted students and their families using letters and envelopes with images intended to create the false impression that the defendants were affiliated with the federal government or a college.  The letters were accompanied by a form to be completed by the student or the student’s family to apply for financial aid and returned to the defendants with a processing fee.  (The CFPB claims that the form looked visually similar to the Department of Education’s Free Application for Federal Student Aid and used similar terms.)

The defendants allegedly promised to use the information provided on the form to conduct extensive searches to match students with financial aid opportunities.  The CFPB claims that, in exchange for sending the form and fee, consumers received “absolutely nothing” or received only “a generic booklet that is not tailored to the consumers’ circumstances.”  It also claims that the defendants created an artificial sense of urgency by telling consumers that they would lose their opportunity to receive student financial aid unless they returned the form and paid the fee by a specified deadline.

The CFPB alleges that the defendants’ conduct violated the CFPA’s UDAAP prohibition.  It also alleges that by accepting a fee from a consumer, the defendants established a customer relationship that triggered the obligation to send an initial privacy notice under Regulation P but failed to provide such notice.

The Office of the Inspector General (OIG) has released the “2015 list of major management challenges” faced by the CFPB that the OIG believes will hamper the CFPB’s ability to accomplish the CFPB’s strategic objectives.  Like the 2014 list, one of the challenges identified by the OIG is the need to ensure that the CFPB has an effective information security program.  Due to the advanced persistent threats faced by the federal government, the OIG concluded that the CFPB needs to strengthen its defenses against attacks from outside governments, organized groups, and other threats.  The OIG identified four high-priority security risk areas for CFPB improvement:

  • Continuous monitoring to assess security controls and system configurations
  • Configuration management of CFPB systems
  • Role-based security training for individuals with significant security responsibilities
  • Incident response and reporting

The OIG applauded the CFPB’s efforts to build out its Cybersecurity Program Management Office, but the OIG recommended that the CFPB should continue improving its information security program, overseeing the security of contractor-operated information systems, transitioning IT resources from the Treasury Department, and ensuring that personally identifiable information (PII) is properly protected, including the PII that the CFPB receives from consumer complaints about credit card accounts, mortgage loans, and other consumer financial products and services.

The FTC recently proposed amendments to its Gramm-Leach-Bliley Act (GLBA) rules requiring motor vehicle dealers to send their customers an annual privacy notice.  The amendments would allow motor vehicle dealers to notify their customers that a privacy policy is available on their website, subject to certain conditions.  Comments on the proposal are due on or before August 31, 2015.

While Dodd-Frank transferred primary jurisdiction over the GLBA to the CFPB, the FTC retained authority over motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both.  The FTC’s proposal closely reflects the final rule issued last year by the CFPB for financial institutions subject to the CFPB’s GLBA rulemaking authority.

For more on the FTC’s proposal, see our legal alert.

Democrats on the Senate Banking Committee have released a regulatory relief bill intended to be an alternative to the bill released by Senator Richard Shelby.  While Senator Shelby’s bill is entitled the “Financial Regulatory Improvement Act of 2015,” the alternative bill is entitled the “Community Financial Institution Regulatory Relief and Consumer Protection Act of 2015.”

The bill released by Democrats includes the same provision as Senator Shelby’s bill directed at the annual financial privacy notice required by the Gramm-Leach-Bliley Act (GLBA).  Like Senator Shelby’s bill, the alternative bill would amend the GLBA to create an exception under which a financial institution would not have to deliver an annual financial privacy notice if it satisfied certain conditions. Key among such conditions is that the institution has not changed its policies and practices with respect to sharing nonpublic personal information from those disclosed in its most recent annual financial privacy notice.

The alternative version would also amend the Consumer Financial Protection Act to add various provisions of the Servicemembers Civil Relief Act to the “enumerated consumer laws” that can be enforced by the CFPB.  In addition, it would amend the TILA ability to repay provision by creating a safe harbor for mortgage loans that meet certain conditions and are held in portfolio by banks and credit unions with less than $10 billion in assets.  This safe harbor is substantially narrower than the safe harbor that Senator Shelby’s bill would create.

Senator Shelby’s bill is scheduled for markup on May 21, 2015.

In addition to the numerous mortgage-related provisions in Senator Shelby’s regulatory reform bill entitled the “Financial Regulatory Improvement Act of 2015,” the bill contains a provision directed at the annual financial privacy notice required by the Gramm-Leach-Bliley Act (GLBA), which is implemented by Regulation P.  In October 2014, a CFPB amendment to Regulation P became effective that allows financial institutions that meet certain requirements to deliver annual financial privacy notices to their customers using an alternative online delivery method.

Section 101 of the regulatory relief bill would go a step further by amending the GLBA to create an exception under which a financial institution would not have to deliver an annual financial privacy notice if it (1) does not share nonpublic personal information (NPPI) with nonaffiliated third parties in a manner that triggers GLBA opt-out rights, (2) has not changed its policies and practices with respect to sharing NPPI from those disclosed in the most recent annual privacy notice, and (3) otherwise provides customers access to the institution’s most recent annual privacy notice in electronic or other form permitted by regulations.

Earlier this week, the House of Representatives, in bipartisan votes, passed the following regulatory reform bills:

  • The “Eliminate Privacy Notice Confusion Act,” H.R. 601, would create an exemption from the Gramm-Leach-Bliley Act’s annual notice requirement for institutions that have not changed their privacy policies since their most recent annual notice and only share personal information within the statutory exceptions.  In October 2014, the CFPB issued a final rule that amended Regulation P to allow a financial institution that meets certain requirements, including generally having no change in its most recent privacy notice, to deliver annual privacy notices to its customers using an alternative online delivery method.  The bill would eliminate the annual notice requirement entirely for institutions that qualify for the exemption.
  • The “Helping Expand Lending Practices in Rural Communities Act,” H.R. 1259, would direct the CFPB to establish an application process to apply for an area to be designated as a rural area if the CFPB has not already designated it as such.  The CFPB has created exemptions from certain mortgage rules, including the qualified mortgage rule, for small banks that operate primarily in rural or underserved areas.
  • The “Federal Advisory Committee Act,” H.R. 1265, would apply the requirements of the Federal Advisory Committee Act to the CFPB.  While the CFPB reversed its closed-door policy to make meetings of its advisory boards and councils open to the public, the bill would mandate that such meetings be open to the public, subject only to the exceptions allowed by the FACA.
  • The “SAFE Act Confidentiality and Privilege Enhancement Act,” H.R. 1480, would amend the S.A.F.E. Mortgage Licensing Act of 2008 to allow information provided to the Nationwide Mortgage Licensing System and Registry to be shared with state and federal regulatory officials with financial services oversight authority (such as the Fed) without loss of privilege or confidentiality protections provided by federal and state laws.  Currently, the privilege and confidentiality protections only apply to information shared with state and federal regulatory officials with mortgage industry oversight authority.

All of the bills were supported by the American Bankers Association.