InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC reveals rulemaking petition process
On September 15, the FTC announced significant changes in the agency’s rulemaking process that represent “a significant step to increase public participation and accountability around the work of the FTC.” According to the announcement, the Commission approved changes to the FTC’s “Rules of Practice,” which are “designed to make it easier for members of the public to petition the agency for new rules or changes to existing rules that are administered by the FTC.” The changes, which are a key part in the opening of the FTC’s regulatory processes to public input and scrutiny, is a departure from the previous practice where the Commission did not have an obligation to address petitions for agency action. The updates clarify the information that is required for petition submissions and notes the data that the Commission finds helpful in its review. In addition, the changes require that the Commission publish petitions for rulemaking in the Federal Register and solicit public comment for the same. Finally, under the new rules, the Commission must provide petitioners with a specific point of contact in the agency and must respond to petitioners to communicate its decision regarding the petition. The new changes will also apply to requests by certain parties for special exemption from FTC rules, as well as petitions related to industry guidance issued by the Commission.
FTC says health apps must comply with Health Breach Notification Rule
On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and ensures that entities not covered by HIPAA are held accountable in the event of a security breach. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day. The FTC’s policy statement (approved by a 3-2 vote) clarifies the Rule’s scope and puts companies on notice of their reporting obligations. According to the FTC, health apps that are increasingly collecting sensitive and personal data from consumers have a responsibility to ensure the collected data is secured from unauthorized access. However, the FTC expressed concern that there are still few applicable privacy protections. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
District Court reimposes $5 million restitution award in FTC action
On September 13, the U.S. District Court for the Northern District of Illinois reimposed a more than $5 million restitution award in an action dating back to 2018, this time under Section 19 of the FTC Act. The court originally granted the FTC’s motion for summary judgment against a credit monitoring service and its sole owner in an action filed under Section 13(b) of the FTC Act, after concluding that no reasonable jury would find that the defendants’ scheme of using false rental property ads to solicit consumer enrollment in credit monitoring services without their knowledge could occur without engaging in unfair or deceptive practices (covered by InfoBytes here). However, as previously covered by InfoBytes, in 2019, the U.S. Court of Appeals for the Seventh Circuit held that Section 13(b) does not grant the FTC authority to order restitution—a position that the U.S. Supreme Court ultimately agreed with when issuing its decision in AMG Capital Management, LLC v. FTC (which unanimously held that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement”—covered by InfoBytes here).
In its current ruling, the court agreed to reimpose the damages under the Restore Online Shopper Confidence Act (ROSCA) and Section 19. The court noted that because ROSCA incorporates all the enforcement tools of the FTC Act, the FTC could seek remedies using Section 19 of the FTC Act instead of relying on Section 18. Further, the court noted that the FTC indicated that the FTC may seek remedies under Section 19 when it brought the action under Section 5(a) of ROSCA, which the court ultimately agreed was correct. “The FTC has the better of this dispute,” the court wrote, adding, among other things, that “the court is unmoved by [the defendant’s] claims of unfair prejudice. Aside from the particular route to an award of restitution, nothing will materially change. The FTC seeks the same remedy, for the same reasons, and for the same victims under section 5(a) via section 19 as it did under section 13(b).”
FTC to use CIDs and subpoenas to streamline investigations
On September 14, the FTC voted 3-2, at the recommendation of the Bureau of Consumer Protection and Bureau of Competition, to approve a series of resolutions intended to streamline consumer protection and competition investigations in core FTC-priority areas over the next decade. At the recommendation of the Bureaus, the FTC authorized eight new compulsory process resolutions, which authorize the use of civil investigative demands and subpoenas when investigating the following areas: (i) acts or practices affecting U.S. servicemember and veterans; (ii) acts or practices affecting children under 18; (iii) algorithmic and biometric bias; (iv) deceptive and manipulative online conduct, including matters related to tech support scams, payment processing, marketing of goods and services, and user interface manipulation; (v) repair restrictions; (vi) intellectual property abuse; (vii) common directors and officers and common ownership; and (viii) monopolization offenses. According to the FTC, adopting these resolutions will enhance and streamline the ability of FTC investigators and prosecutors to obtain evidence in critical investigations relating to potential violations of the FTC Act. FTC Commissioner Rohit Chopra issued a statement following the vote, commenting that the adoption “will improve the agency’s ability to order documents and data in investigations and fills a notable gap in the Commission’s long list of enforcement authorizations developed over many years.”
Biden announces key FTC, CFTC nominations
On September 13, President Biden nominated Alvaro Bedoya for Commissioner of the FTC. Bedoya would replace FTC Commissioner Rohit Chopra, who was nominated as the permanent director of the CFPB (covered by InfoBytes here). Chopra currently awaits a Senate confirmation vote on his nomination to serve as the Bureau’s director.
Bedoya, a Georgetown University visiting professor of law, also founded the law school’s Center on Privacy & Technology. According to the administration’s announcement, Bedoya previously “co-led a coalition that successfully pressed an Internet giant to drop ads for online payday loans” and served as the first chief counsel to the Senate Judiciary Subcommittee on Privacy, Technology and the Law. FTC Chair Lina M. Khan issued a statement following Bedoya’s nomination praising his “expertise on surveillance and data security.”
Additionally, Biden announced several CFTC Commissioner nominees: Kristin Johnson, Christy Goldsmith Romero, and Rostin Behnam, who currently serves as the agency’s acting chairman and has been nominated to be the permanent CFTC Chair. Behnam’s priorities include safeguarding customer protections, climate-related financial market risk, and diversity, equity, and inclusion in the financial markets.
FTC approves five FCRA rule changes for auto dealers
On September 8, the FTC announced it approved final revisions to rules that would implement parts of the FCRA in line with the Dodd-Frank Act. As previously covered by InfoBytes, the agency sought comment on the proposed rule changes in 2020. In separate notices, the FTC approved largely technical, non-substantive changes, clarifying five FCRA rules enforced by the FTC, which apply only to motor vehicle dealers. The changes affect the following rules:
- Address Discrepancy Rule, which requires users of consumer reports to implement policies and procedures for, among other things, handling notices of address discrepancy received from a nationwide consumer reporting agency (CRA) and furnishing an address for a consumer that a “user has reasonably confirmed as accurate to the CRA from whom it received the notice.”
- Affiliate Marketing Rule, which provides consumers the right to restrict a person from using certain information received from an affiliate to make solicitations.
- Furnisher Rule, which requires entities to implement policies and procedures regarding the accuracy and integrity of the consumer information they provide to a CRA.
- Pre-screen Opt-Out Notice Rule, which outlines requirements for those who use consumer reports to make unsolicited credit or insurance offers to consumers.
- Risk-Based Pricing Rule, which requires that persons who use information from a consumer report to offer less favorable terms are required to provide a risk-based pricing notice to consumers about the use of such data.
FTC bans respondents from surveillance business
On September 1, the FTC announced that a data monitoring application and its CEO (collectively, “respondents”) will be permanently banned from the surveillance industry for failing to provide reasonable data security for consumers’ personal information by allegedly “secretly harvesting and sharing data on people’s live location, web use, and online activities through their product’s hidden device hack.” The respondents allegedly sold real-time access to their surveillance system, which allowed stalkers and domestic abusers to “stealthily track” unknowing victims.
According to the complaint, the respondents violated Section 5 of the FTC Act by committing unfair or deceptive business practices in using unauthorized personal information and failing to secure such data in which “victims continue to experience substantial harm, including injury in the form of depression, anxiety, and ongoing fear for one’s safety,” even after the stalking or domestic abuse ended. The complaint detailed the covert monitoring products and services offered by respondents once their application is installed, including capturing and logging: email, SMS messages, call history, GPS location and live location, web history, contacts, pictures, calendar, video chats, files downloaded on the device, notifications, among other functions depending on cost.
Under the terms of the proposed settlement, the respondents are: (i) banned from offering, promoting, selling, or advertising any surveillance app, service, or business; (ii) required to delete any information illegally collected from their apps; and (iii) required to notify owners of devices that their devices might have been monitored and the devices may not be secure. This is the agency’s second case “brought against stalkerware apps, and the first where the FTC is obtaining a ban.” According to a statement released by FTC Commissioner Rohit Chopra, the agency is also “seeking public comment on banning [the defendants] from licensing, marketing, or offering for sale surveillance products,” which is “a significant change from the agency’s past approach.”
District Court denies request to set aside $120.2 million judgment in Belizean real estate scheme
On August 24, the U.S. District Court for the District of Maryland denied a request to set aside a more than $120.2 million judgment against several defaulted defendants involved in an international real estate investment development scheme. As previously covered by InfoBytes, the FTC initiated the action in 2018 against several individuals and corporate entities, along with a Belizean bank, asserting that the defendants violated the FTC Act and the Telemarketing Sales Rule by advertising and selling parcels of land that were part of a luxury development in Belize through the use of deceptive tactics and claims. In 2019, a settlement was reached with the Belizean bank requiring payment of $23 million in equitable relief, and in 2020, the district court ordered the defaulted defendants to pay over $120.2 million in redress and granted the FTC’s request for permanent injunctions (covered by InfoBytes here and here).
In their motion, the defaulted defendants argued that the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. FTC (which unanimously held that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement”—covered by InfoBytes here) nullified the judgment. The district court disagreed, stating that the AMG Capital decision does not render his judgments in the case void and that “[i]n its Opinion rendered before the Supreme Court reached its decision, the Court considered the effect that a decision in AMG Capital adverse to the FTC might have, reasoning that: ‘this Court’s findings of fact and determinations as to liability—including contempt of court and violations of the Telemarketing Services Rule []—would not be affected by a decision in AMG.’” Moreover, the court pointed out that immediate denial of the motion is also warranted because the defaulted defendants failed to comply with a local rule requiring submission of a memorandum of law in support of their motion. The court asked, “In failing to do so, they have skirted among other fundamental questions: What authority do they, as defaulted defendants, involved as part of a common enterprise with virtually all other [d]efendants, have to upset a final and valid judgment against them after willfully defaulting?”
DOJ, FTC comment on Fed’s proposed debit card interchange fees and routing changes
Recently, the DOJ and the FTC submitted comments on the Federal Reserve Board’s notice of proposed rulemaking (NPRM) on debit card interchange fees and routing. As previously covered by InfoBytes, the Fed’s NPRM would require banks to ensure that two unaffiliated payment networks are available on their debit cards for online purchases. Among other things, the proposed amendments to the commentary to Regulation II, which implements Section 920 of the EFTA, (i) “clarify that the requirement that each debit card transaction must be able to be processed on at least two unaffiliated payment card networks applies to card-not-present transactions”; and (ii) clarify requirements imposed “on debit card issuers to ensure that at least two unaffiliated payment card networks have been enabled for debit card transactions.”
On August, 11, the DOJ’s Antitrust Division filed a comment in support of the NPRM, “commend[ing] the Board for its efforts to promote competition in this important part of the debit card industry by ensuring that smaller debit networks will have a greater ability to compete for merchants’ business.” While offering support for the NPRM, the DOJ asked the Fed to “consider whether the proposal is drafted broadly enough to capture all card-not-present transactions,” adding that “incumbent industry participants may attempt to circumvent the proposed rule.” The DOJ encouraged the Fed to “actively assess additional ways the proposed rule may be enhanced to increase competition for debit payment processing.”
Also on August 11, the FTC submitted a comment letter urging the Fed to clarify and strengthen the implementation of debit card fee and routing reforms, stressing that the Fed should “prohibit debit card networks from paying incentives to an issuer based on how electronic debit transactions are routed by merchants using that issuer’s debit cards.” According to the FTC, “[e]liminating routing-based incentive programs will make it less likely that issuers will search for ways to circumvent Regulation II, whether by violating the rule (necessitating an enforcement action) or by finding a loophole (necessitating future revisions to Regulation II).”
FTC sues company for violating FTC Act
On August 11, the FTC filed an administrative complaint against a Georgia-based technology company and its CEO (collectively, “defendants”) for allegedly charging small business customers hundreds of millions of dollars in mystery fees associated with fuel cards. The FTC’s administrative complaint alleges that the defendants violated the FTC Act by falsely promising companies that they would save money, be protected from unauthorized charges, and have no set-up, transaction, or membership fees with the fuel cards. However, according to the defendant’s records, companies generally have not achieved the advertised fuel savings through utilization of the cards. In addition, the complaint alleges that the defendants, among other things: (i) falsely represented that the company’s fuel cards contained fraud controls to prevent unauthorized purchases; (ii) “billed consumers for fees, interest, and finance charges, and programs for which consumers have not provided express, informed consent”; and (iii) charged fees for set-up, transactions, or membership after claiming that they did not.
In December 2019, the FTC filed suit in federal court against the defendants, alleging that they charged hundreds of millions of dollars in hidden and undisclosed fees to customers after falsely claiming customers would save on fuel costs. However, in April, the Supreme Court ruled that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement” (covered by InfoBytes here). According to the FTC, “[i]n an effort to ensure that the agency’s case against the fuel card marketer is still able to recover money lost by consumers, the FTC has filed a new administrative complaint which alleges that [the defendants] violated section 5 of the FTC Act.”