Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • CFPB, FTC to conduct inquiry into high housing costs for renters

    Federal Issues

    On July 25, CFPB Director Rohit Chopra shared prepared remarks for the Community Table on a White House Blueprint for a Renters Bill of Rights to address high housing costs for renters. Chopra raised concerns about corporate investors imposing high rents and charging renters with what the director described as “junk fees and other aggressive tactics.” He mentioned that corporate investor owners, including private equity firms, are more likely to evict tenants, even when controlling for other factors, and that corporate investor ownership of rental units has risen to over 45 percent. Chopra also emphasized the growing use of artificial intelligence and social scoring in the rental process, stating that such changes can lead to rent hikes and denials of housing due to an algorithm's definition of "high-quality tenants." The remarks suggested that tenants are not being given appropriate opportunity to correct inaccurate information in their background checks, despite the legal requirement for companies to inform consumers when using such information for adverse rental decisions. The speech also stressed the CFPB's commitment to identifying inaccurate AI and illegal practices that lead to misleading data and clarified that name-only matching, a common but illegal practice in screening, can result in inaccurate information, disproportionately affecting individuals with common last names. To address these issues, Chopra announced a joint inquiry with the FTC, to collect feedback from the public about their experiences with tenant screening.

    Federal Issues CFPB FTC Consumer Finance Artificial Intelligence Landlords

  • FTC, HHS say tracking technology may impermissibly disclose personal health data

    Privacy, Cyber Risk & Data Security

    On July 20, the FTC and U.S. Department of Health and Human Services for Civil Rights issued a joint letter cautioning hospitals and telehealth providers of the risks related to the use of online tracking technologies within their systems that may impermissibly disclose consumers’ personal data to third parties. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said “when consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties.” According to the letter, recent research has highlighted concerns about the use of technology to track users’ online activities and sensitive data including, health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. The FTC warned that the impermissible disclosures of personal data can result in identity theft, financial loss, discrimination, and more. The letter included a reminder that under the FTC Act and the FTC Health Breach Notification Rule, even if they are not covered by HIPAA, hospitals and telehealth providers remain obligated to protect against impermissible disclosures of personal health information.

    Privacy, Cyber Risk & Data Security Federal Issues FTC FTC Act Consumer Protection Health Breach Notification Rule Department of Health and Human Services

  • E-commerce company fined $25 million for alleged COPPA violations

    Federal Issues

    On July 19, the DOJ and FTC announced that a global e-commerce tech company has agreed to pay a penalty for alleged privacy violations related to its smart voice assistant’s data collection and retention practices. The agencies sued the company at the end of May for violating the Children’s Online Privacy Protection Act Rule and the FTC Act, alleging it repeatedly assured users that they could delete collected voice recordings and geolocation information but actually held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. (Covered by InfoBytes here.)

    The stipulated order requires the company to pay a $25 million civil money penalty. The order also imposes injunctive relief requiring the company to (i) identify and delete any inactive smart voice assistant children’s accounts unless requested to be retained by a parent; (ii) notify parents whose children have accounts about updates made to its data retention and deletion practices and controls; (iii) cease making misrepresentations about its “retention, access to or deletion of geolocation information or voice information, including children’s voice information” and delete this information upon request of the user or parent; and (iii) disclose its geolocation and voice information retention and deletion practices to consumers. The company must also implement a comprehensive privacy program specific to its use of users’ geolocation information.

    Federal Issues Privacy, Cyber Risk & Data Security DOJ FTC Enforcement COPPA FTC Act Consumer Protection

  • FTC proposal would allow facial recognition for consent under COPPA

    Agency Rule-Making & Guidance

    On July 19, the FTC announced it is seeking public feedback on whether it should approve an application that proposes to create a new method for obtaining parental consent under the Children’s Online Privacy Protection Act (COPPA). The new method would involve analyzing a user’s facial geometry to confirm the individual’s age. Under COPPA, online sites and services directed to children under 13 are required to obtain parental consent before collecting or using a child’s personal information. COPPA provides a number of acceptable methods for obtaining parental consent but also allows interested parties to submit proposals for new verifiable parental consent methods to the FTC for approval.

    The application was submitted by a company that runs a COPPA safe harbor program, along with a digital identity company and a technology firm that helps companies comply with parental verification requirements. Specifically, the FTC’s request for public comment solicits feedback on several questions relating to the application, including: (i) whether the proposed age verification method is covered by existing methods; (ii) whether the proposed method meets COPPA’s requirements for parental consent (i.e., can the proposed method ensure that the person providing consent is the child’s parent); (iii) does the proposed method introduce a privacy risk to consumers’ personal information, including their biometric information; and (iv) does the proposed method “pose a risk of disproportionate error rates or other outcomes for particular demographic groups.” Comments are due 30 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Federal Issues Privacy, Cyber Risk & Data Security Consumer Protection FTC COPPA

  • Feds, states launch “Operation Stop Scam Calls”

    Federal Issues

    On July 18, the FTC, along with over 100 federal and state law enforcement partners nationwide, including the DOJ, FCC, and attorneys general from all 50 states and the District of Columbia, announced a new initiative to combat illegal telemarketing calls, including robocalls. The joint initiative, “Operation Stop Scam Calls,” targets telemarketers and the companies that hire them, lead generators that provide consumers’ telephone numbers to robocallers and others who falsely represent that consumers consented to receive the calls. The initiative also targets Voice over Internet Protocol (VoIP) service providers that facilitate illegal robocalls, many of which originate overseas.

    In connection with Operation Stop Scam Calls, the FTC has initiated five new cases against companies and individuals allegedly responsible for distributing or assisting in the distribution of illegal telemarketing calls to consumers across the country. According to the announcement, the actions reiterate the FTC’s position “that third-party lead generation for robocalls is illegal under the Telemarketing Sales Rule (TSR) and that the FTC and its partners are committed to stopping illegal calls by targeting anyone in the telemarketing ecosystem that assists and facilitates these calls, including VoIP service providers.” The announcement also states that more than 180 enforcement actions and other initiatives have been taken by 48 federal and 54 state agencies as part of Operation Stop Scam Calls.

    Among the new actions announced a part of Operation Stop Scam Calls is a complaint filed against a “consent farm” lead generator, which allegedly uses “dark patterns” to collect consumers’ broad agreement to provide their personal information and receive robocalls and other marketing solicitations through a single click of a button or checkbox via its websites. Under the terms of the proposed order, the defendant would be required to pay a $2.5 million civil penalty and would be banned from engaging in, assisting, or facilitating robocalls. The defendant would also be required to implement measures to limit its lead generation practices, establish systems for monitoring its own advertising and that of its affiliates, comply with comprehensive disclosure requirements concerning the collection of consumers’ consent to the sale of their information, and delete all previously collected consumer information.

    Other actions were taken against a California-based telemarketing lead generator, a telemarketing company that provides soundboard calling services to clients who use robocalls to sell a range of products and services, a New Jersey-based telemarketing outfit that placed tens of millions of calls to consumers whose numbers are listed on the National Do Not Call Registry, and Florida-based defendants accused of assisting and facilitating the transmission of roughly 37.8 million illegal robocalls by providing VoIP services to over 11 foreign telemarketers.

    Federal Issues State Issues Courts FTC Enforcement Robocalls Consumer Protection State Attorney General TSR Telemarketing Lead Generation DOJ FCC

  • FTC fines company $7.8 million over health data and third-party advertisers

    Federal Issues

    On July 14, the FTC finalized an order against an online counseling service, requiring it to pay $7.8 million and prohibiting the sharing of consumers’ health data for advertising purposes. The FTC alleged that the respondent shared consumers’ sensitive health data with third parties despite promising to keep such information private (covered by InfoBytes here). The FTC said it will use the settlement funds to provide partial refunds to affected consumers. The order not only bans the respondent from disclosing health data for advertising and marketing purposes but also prohibits the sharing of consumers’ personal information for re-targeting. The order also stipulates that the respondent must now obtain consumers’ affirmative express consent before disclosing personal information, implement a comprehensive privacy program with certain data protection measures, instruct third parties to delete shared data, and adhere to a data retention schedule.

    Federal Issues Privacy, Cyber Risk & Data Security FTC Enforcement Consumer Protection Telehealth FTC Act Deceptive Advertisement Third-Party

  • 9th Circuit denies en banc hearing on COPPA preemption question

    Courts

    On July 13, a panel of the U.S. Court of Appeals for the Ninth Circuit entered an order amending an opinion filed on December 28, 2022 and denied a petition for rehearing en banc in a putative class action accusing a multinational technology company and search engine and its affiliated video-sharing platform of collecting children’s data and tracking their online behavior surreptitiously without parental consent in violation of state law and the Children’s Online Privacy Protection Act (COPPA). The panel unanimously voted against defendant’s en banc rehearing request, commenting that no other 9th Circuit judge has requested a vote on whether to consider the matter en banc.

    Claiming the defendant used “persistent identifiers” — which the FTC’s regulations define as information “that can be used to recognize a user over time and across different Web sites or online services” — class members alleged state law claims arising under the constitutional, statutory, and common laws of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee. Last December, the three-judge panel reversed and remanded the district court’s dismissal of the suit, disagreeing that the allegations were squarely covered, and preempted, by COPPA (covered by InfoBytes here.) On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. The panel determined that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The panel further noted that the U.S. Supreme Court and others have long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted.”

    The panel, however, amended its prior opinion to note that the FTC supports its conclusion that COPPA does not preempt the asserted state law privacy claims on the basis of either express preemption or conflict preemption. At the end of May, at the 9th Circuit’s request, the FTC filed an amicus brief (covered by InfoBytes here) arguing that COPPA does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The panel concluded that neither express preemption nor conflict preemption bar the plaintiffs’ claims.

    Courts Privacy, Cyber Risk & Data Security Appellate Ninth Circuit COPPA State Issues Class Action FTC Preemption

  • Agencies charge crypto platform and former executives

    Federal Issues

    On July 13, the FTC announced a proposed settlement to resolve allegations that a crypto platform engaged in unfair and deceptive acts or practices in violation of the FTC Act. The FTC also alleges that the defendants violated the Gramm-Leach-Bliley Act by acquiring customer information from a financial institution regarding someone else by providing false or misleading statements. The New Jersey-based crypto company offers various cryptocurrency products and services to customers, such as interest-bearing accounts, personal loans backed by cryptocurrency deposits, and a cryptocurrency exchange. On the heels of its bankruptcy filing in July 2022, the FTC lodged a complaint in federal court alleging that three former executives falsely promised that deposits would be “safer” than bank deposits and always available for withdrawal, and that the platform posed “no risk” or “minimal risk.”

    The proposed stipulated order imposes a $4.72 million judgment against the corporate defendants, which is suspended based on their financial condition. The order also bans the corporate defendants from, among other things, “advertising, marketing, promoting, offering, or distributing, or assisting in the advertising, marketing, promoting, offering, or distributing of any product or service that can be used to deposit, exchange, invest, or withdraw assets, whether directly or through an intermediary.” 

    Other agencies also took action against the company and its former CEO on the same day, including the SEC, which alleges the company sold unregistered crypto asset securities in one of its program offerings. The SEC’s complaint further alleges the company made false and misleading statements and engaged in market manipulation. Additionally, the DOJ unsealed an indictment charging the former CEO and the company’s former chief revenue officer with conspiracy, securities fraud, market manipulation, and wire fraud for illicitly manipulating the price of the company’s token. Additionally, the CFTC filed a civil complaint charging the company and former CEO with fraud and material misrepresentations in connection with the operation of the company’s digital asset-based finance platform. The CFTC alleges the company operated as an unregistered commodity pool operator (CPO), and its former CEO operated as an unregistered associated person of a CPO. The complaint also accuses the former CEO of violating the Commodity Exchange Act and CFTC regulations, among other things. According to the press release, the company agreed to resolve the complaint, while the former CEO is continuing litigation.

    Federal Issues Digital Assets Securities Fintech Cryptocurrency FTC FTC Act Gramm-Leach-Bliley Enforcement Consumer Protection Deceptive SEC CFTC DOJ

  • European Commission approves transatlantic data-transfer framework

    Privacy, Cyber Risk & Data Security

    On July 10, the European Commission adopted an adequacy decision as part of the EU-U.S. Data Privacy Framework, concluding that the U.S. “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to U.S. companies under the new framework.” In the announcement, European Commission President Ursula von der Leyen stated that the “new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.” She explained that with the new adequacy decision, personal data can now be transferred securely from the EU to U.S. companies participating in the framework without having to implement additional data protection safeguards. The framework will be administered by the Department of Commerce. Compliance by U.S. companies with their obligations under the framework will be enforced by the FTC.

    As previously covered by InfoBytes, Presidents von der Leyen and Biden announced in March 2022 that they had reached an agreement in principle on a new transatlantic data flows framework to foster cross-border transfers of personal data from the EU to the U.S. Under the framework, the U.S. agreed to implement reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement followed negotiations that began after the Court of Justice of the EU issued an opinion in the Schrems II case in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.

    The DOJ released a statement welcoming the European Commission’s adoption of the adequacy decision and expressing its eagerness to collaborate with the Commission, along with representatives from European data protection authorities, to ensure the ongoing implementation of data privacy safeguards.

    Privacy, Cyber Risk & Data Security Federal Issues Of Interest to Non-US Persons EU Consumer Protection Biden EU-US Data Privacy Framework Department of Commerce FTC

  • FTC bans operators of auto-warranty scam

    Agency Rule-Making & Guidance

    On July 6, the FTC announced that it reached an agreement on a stipulated order to resolve a lawsuit against the operators of a telemarketing scam that pitched “extended automobile warranties” to hundreds of thousands of consumers nationwide.  The stipulated order, which has been approved by the U.S. District Court for the Southern District of Florida, imposes a lifetime ban against a consulting group and its owner from any outbound telemarketing business and any involvement with extended automobile warranty sales. In February 2022, the FTC sued several companies—including the consulting group and its owner—in connection with their alleged involvement in the telemarketing scam, alleging that they had defrauded consumers out of millions of dollars. The complaint alleged that the companies made numerous unsolicited calls, falsely claiming to be affiliated with vehicle manufacturers and inaccurately promoting their products as offering comprehensive “bumper-to-bumper” protection.  

    In addition to the lifetime ban, the stipulated order includes a monetary judgment of $6.5 million, which is partially suspended based on the defendants’ alleged inability to pay. The FTC reached a separate settlement with three of the other original defendant companies and their owners in March 2023.

    Agency Rule-Making & Guidance FTC Telemarketing Consumer Protection Deceptive

Pages

Upcoming Events