All mobile app developers need to know that the federal government is stepping up its regulation of data privacy and truth-in-advertising for mobile apps. The Federal Trade Commission is now actively monitoring mobile applications’ compliance with data privacy and truth-in-advertising regulations, and the House Committee on Energy and Commerce is considering a new mobile device privacy bill.
This month, the FTC published Marketing Your Mobile App: Get It Right From the Start, a short guide that provides guidance to mobile app developers concerning deceptive claims and privacy requirements. More broadly, the FTC’s focus on mobile app developers sends a message that all such developers or distributors will be subject to investigation, irrespective of how small their company is. As far as the FTC is concerned, “once you start distributing your app, you have become an advertiser,” and you will be regulated as such. The guide stresses the importance of clear and conspicuous communication to users and instructs app developers to consider the legitimacy of their statements “from the perspective of average users, not just software engineers and app experts.” It goes on to caution against burying important information behind “dense blocks of legal mumbo jumbo” and “vague hyperlinks.”
This guide can be seen as part of the FTC’s current initiative to address concerns regarding the unique ability of mobile apps to access a user’s personal information (i.e., automatically capturing the precise geospatial location, phone number, contact lists, call logs, and other unique identifiers stored on mobile devices). In February, the agency issued a report looking specifically at apps offered for children. The report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, warned app stores, developers, and third-party service providers to be more transparent about the issues raised by such data collection, such as sharing with third parties, connections to social media, and targeted advertising.
Additionally, the FTC has already taken action to establish that data privacy and truth-in-advertising laws apply to mobile apps. Last August, an app developer was ordered to pay $50,000 to settle FTC charges that it violated the Children’s Online Privacy Protection Act (COPPA) by failing to require parental notice and consent before collecting and disclosing children’s personal information. The following month, the agency settled its first actions addressing health claims in the mobile application marketplace. The complaints were against AcneApp and Acne Pwner, both of which claimed to treat acne through lights emitted from the user’s smartphone. The cases ended in settlements for monetary damages and injunctive relief barring the companies from making health-related claims without the backing of “competent and reliable scientific evidence.”
In the new FTC Guide, the FTC recommends that developers:
• Tell the truth about what the app can do – both in marketing materials and within the app itself.
• Disclose key information clearly and conspicuously.
• Err on the side of caution, and implement meaningful privacy-protection policies from the start.
• Only collect the information that developers really want, and require affirmative consent before collecting sensitive information.
• Offer user-friendly choices. For example, use default settings that collect a limited amount of user information, and allow users to adjust settings for increased sharing and functionality.
• Protect kids’ privacy by requiring parental consent before their information is collected and shared.
• Incorporate security measures to protect user data, especially when collecting medical and financial information.
On September 12, a new bill – the Mobile Device Privacy Act – was referred to the House Committee on Energy and Commerce. The bill, introduced by Reps. Ed Markey (D-Mass.) and Diana DeGette (D-Colo.), requires merchants, mobile service providers, and manufacturers to disclose information about mobile tracking software to consumers and to obtain users’ express consent before the software is activated. Specifically, customers must be told that the software is installed, what type of data it is collecting, the identity of all persons to whom the data will be transmitted, how the data will be used, and how the user can limit collection and sharing. Disclosures must be clear and conspicuous, and consumers must be able to prohibit further collection and sharing at any time.
If passed, this law will also require all recipients of user information to establish and implement information security policies and procedures for data collection, retention, system monitoring, and destruction. Finally, the bill requires that companies file all agreements relating to the transmission of user information with the FTC and the Federal Communications Commission. In the bill’s current form, penalties will range from $1,000 to $3,000 per violation (i.e., per user affected). Hence, a single policy error could expose large vendors to liability well into the billions of dollars, and a similar misstep could put a startup out of business.
All mobile app developers – including large players and new entrants – should review their compliance with this new FTC guidance and their overall truth-in-advertising and data privacy policies. The FTC has made it clear that it will take enforcement actions against industry participants large and small. In particular, we believe those making health claims, targeting children, and transmitting user information to third parties will continue to face significant FTC scrutiny. In general, the more personal information that an app collects from individuals, the greater the need for significant privacy protections and disclosures.
The FTC recently sued satellite television service operator DISH Network in federal district court in Illinois for violations of the Telemarketing and Consumer Fraud and Abuse Act. The agency claims DISH violated “company-specific do-not-call rules” – in other words, the FTC claims that DISH called consumers who had previously asked DISH not to call them again. DISH disputes the FTC’s claims.
Under the FTC’s (and FCC’s) telemarketing rules, there are two do-not-call regimes. First is the national do-not-call registry. With certain exceptions, telemarketers and sellers may not telemarket to residential phone lines and wireless numbers unless they have first “scrubbed” their calling lists against the federal do-not-call registry. The exceptions include calling customers with whom an organization has an “existing business relationship” or who have given prior consent for the calls. However, even those customers to whom telemarketing calls might be permitted because of an existing business relationship or other reasons can always ask a telemarketer not to call again and to put the consumer on the company-specific do-not-call list. This company-specific request must be implemented promptly and maintained for five years.
This part of the federal telemarketing rules thus puts the power in the hands of the consumer who can decide if he or she wishes to receive telephone solicitations from a particular company. It does not matter if the consumer continues to do business with a particular seller – once the consumer asks not to be called again, telemarketing must cease.
The FTC’s complaint against DISH contends that, since September 2007, DISH had initiated – either on its own or through outside telemarketers working on its behalf – millions of outbound telephone calls to phone numbers of people who previously indicated that they did not want to receive telemarketing calls from DISH. The complaint seeks civil penalties and a permanent injunction to stop DISH from future violations of the telemarketing rules.
Indeed, the penalties could be steep. For violations before February 9, 2009, the specified penalties are $11,000 per violation. Those penalties were increased to $16,000 for each violation of the FTC’s Telemarketing Sales Rule occurring after that date. DISH is already litigating against the Department of Justice in another case for allegedly calling consumers on the national do-not-call registry or purportedly causing its dealers to make calls to those consumers. It was information developed in that litigation that led to this latest complaint, according to the FTC’s public statements.
Of course, various defenses are available to DISH and others facing similar lawsuits or enforcement actions. These defenses include the possibility that a number called was a business (rather than residential) telephone number; or that the company-specific do-not-call request had not been made to DISH in the first place. Written consent to receive telemarketing calls provided after a company-specific do-not-call request would also allow such calls prospectively (at least until the consent were revoked subsequently).
Companies engaging in telemarketing – either on their own or through outside telemarketing firms, affiliated dealers, or other third parties – should take note that the FTC is continuing to enforce its do-not-call rules. FTC Chairman Jon Leibowitz stated that the agency will continue to enforce the do-not-call rules “to protect consumers’ right to be left alone in the privacy of their own homes.”
While the FTC (and the FCC) have focused on compliance with the federal registry requirements, this latest case against DISH demonstrates that the agency will also initiate enforcement action against those it contends to be violating the “company-specific” do-not-call requirements. Companies using telemarketing should review their written and operational policies to ensure compliance with both the federal and company-specific do-not-call requirements. Customer service representatives, in particular, should receive periodic training that when a consumer says, “No more calls,” no really does mean, “No more, Mr. Telemarketer, you’re done.”
In the past couple of years, a wide variety of computer viruses and other malware have allegedly been used by one nation against another. This secretive form of warfare even briefly plastered names like Stuxnet, Duqu, Flame, and Gauss across the front pages. In partial response to the threat posed to U.S. interests by hostile foreign countries and/or individuals, different cybersecurity bills are percolating through the halls of Congress, including the SECURE IT Act of 2012, the Cybersecurity Act of 2012, and others.
No one can dispute the very real danger posed by cybersecurity threats and the potentially disastrous results if they are unleashed upon a country or upon an industrial or financial system. In a recent Wall Street Journal op-ed, President Obama wrote that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.” The president also stated that “foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day.”
President Obama then pushed for the passage of the Cybersecurity Act of 2012, which would require the sharing of information between the private and public sectors, develop cybersecurity standards, and establish other protections. In support of that bill, President Obama wrote that “Congress must pass comprehensive cybersecurity legislation” and that “We all know what needs to happen.”
However, in early August the U.S. Senate rejected cybersecurity legislation, with Republican members concerned that the bill would impose burdensome obligations on businesses.
The president has indicated that he is considering imposing the same cybersecurity measures by executive order.
“In the wake of Congressional inaction and Republican stall tactics, unfortunately, we will continue to be hamstrung by outdated and inadequate statutory authorities that the legislation would have fixed,” Presidential press secretary Jay Carney said.
This possibility does concern us.
Although computer malware poses a real and credible danger to U.S. interests, we also need to discuss how cybersecurity is going to be achieved. The use of an executive order to bypass the legislative process is of questionable constitutionality because it may violate the separation of powers mandated by the Constitution.
A step that creates such an extensive public-private partnership and involves the government so much in private decisions to provide security at least deserves approval after full discussion by a majority of both houses of Congress. We hardly think that the threat has risen to the level of “war” that would permit the president to engage in unilateral emergency actions to protect national security.
As the tech editor of the Daily Caller wrote recently: “The failed cyber security bill, which could be revived by Sen. Majority Leader Harry Reid when the Senate comes back from recess in September, would have given federal agencies in charge of regulating critical infrastructure industries like power companies and utilities the ability to mandate cybersecurity recommendations … An executive order would be another action from the Obama administration to extend executive branch authority over a largely free and open Internet.”
On August 9, 2012, the Federal Trade Commission announced that Google has agreed to pay a $22.5 million penalty to settle the FTC’s charges that it violated a consent order regarding consumer privacy. This is the largest civil penalty that the FTC has ever exacted for a violation of one of the agency’s orders, and it has understandably garnered a great deal of attention.
Specifically, Google was accused of using “cookies” to track the online activities of people who use Apple’s Safari Web browser. Cookies are small segments of computer text that are used to collect information from computers and that can be used to target advertising to consumers.
Google, according to the FTC, had told Safari users on a Web page that because the Safari browser is set by default to block third-party cookies, the users needed to do nothing to prevent the use of the cookies. In fact, Google did place some cookies on the users’ computers. There was no allegation that any consumers actually received unwanted ads.
The settlement has received mixed reviews. Some commentators argue that the agreement is not tough enough on Google, which after all was already under a consent order barring it from engaging in this type of behavior. FTC Commissioner J. Thomas Rosch, who dissented from the Commission’s decision to accept the settlement, is one of the critics.
Commissioner Rosch wrote in a dissenting statement, “[i]t may be asserted that a denial of liability is justified by the prospect of a $22.5 million civil penalty. But $22.5 million represents a de minimis amount of Google’s profit or revenues.”
Some critics have contended that the settlement may be too tough in the sense that it will discourage pro-competitive behavior in the form of disclosures to consumers. For example, Ed Black, the president and CEO of the Computer & Communications Industry Association, wrote on August 13 that although Google was clearly at fault for not making it clear to the public what its precise privacy rules were, “it is fair to ask if the FTC’s enforcement action is out of proportion to the harm caused, and if it runs a very real risk of disincentivizing voluntary privacy disclosures in the future.”
Our view is that this consent order is indeed strong enough to send the message to Internet companies that the FTC is carefully scrutinizing the privacy protections that they provide and the statements that they make about them, and that they need to continue to be vigilant to adhere to the statements and promises they make in their privacy policies, web pages, and elsewhere.
On August 1, 2012, Illinois Governor Pat Quinn signed a bill into law (HB 3782) that prohibits employers from requesting or requiring employees or prospective employees to provide their Facebook or other social networking website passwords. With the new law, effective on January 1, 2013, Illinois becomes the second state (Maryland was the first) to bar employers from seeking social network passwords. Employers are still free to access employees’ social network sites (and the information, photos, videos and other content) that are publicly available.
While dubbed the “Facebook password law” in many news reports, the law covers all “social networking websites.” The term “social networking website” includes Internet-based services that allow individuals to: construct a public or semi-public profile within a system created by the service; create a list of other users with whom they share a connection within the system; and view and navigate their list of connections and those made by others within the system. An employer’s asking for passwords to a prospective or current employee’s Facebook, LinkedIn, Twitter, and other similar services would be covered by the new law.
The Illinois legislature passed the law in response to complaints from graduating college students and others that they had been denied employment based upon their refusal to provide passwords, or they felt the need to deactivate their accounts during the job search process. One study found that 75 percent of employers require their human resources departments to review online profiles before offering an applicant a job (with one-third of employers turning down applicants based on those searches). Sponsors of the bill also contend that access to social profiles can lead to unlawful discrimination, as information such as age, race, sexual orientation, political affiliations, and even disabilities can be gleaned from social network profile pages.
The new legislation specifically affirms that employers may obtain information that is in the “public domain” (such as any information on Facebook that is open to viewers rather than restricted) and general Google or other similar searches on an employee. Further, employers may continue to maintain workplace policies addressing workplace Internet use, social networking site use, and use of email. The law specifically does not cover an employer’s monitoring of electronic mail (as long as the employer does not request or demand an employee’s password for a social networking site).
Several other states and Congress are considering similar legislation. Facebook has declared that an employer’s asking for a password, like a user’s sharing one, violates its “Statement of Rights and Responsibilities.” Employers should review their social media policies, employment forms, interview processes and ongoing human resources operations if they operate in Illinois or Maryland and should not request password or other account information (including whether an individual even participates in social networking) in those states.
With other states and perhaps the U.S. Congress following suit, these restrictions are likely to become the law of the land sooner rather than later.
Of course, as the law states, if an employer wishes to Google an employee, troll for public Facebook, Twitter, or other public social networking information, it may do so. So, college graduates and others, you may want to double check your Facebook privacy settings so Mr. Human Resources doesn’t see your Spring Break photo adventures.
On August 1, 2012, the Federal Trade Commission announced that it is issuing a Supplemental Notice of Proposed Rulemaking to modify certain of its rules under the Children’s Online Privacy Protection Act (COPPA). Industry has been waiting on FTC action regarding COPPA, as the agency previously undertook a COPPA rulemaking in September 2011 and proposed modifying certain COPPA rules to account for changes in technology, particularly mobile technology.
The FTC received over 350 comments during that time. After reviewing those comments, the FTC has decided to propose certain additional changes to its COPPA rule definitions.
In summary, COPPA gives parents control over the information websites can collect from their kids. It applies to websites designed for children under 13 – or those that have reason to know they are collecting information from a child. It requires a specific privacy notice and that consent be obtained from parents in many circumstances before children’s information may be collected and/or used.
The FTC has proposed several changes that are of interest. Some are meant to “tighten” the COPPA rule, others are meant to provide some additional flexibility to operators.
• The proposed change would make clear that an operator that chooses to integrate the services of third parties that collect personal information from visitors (like ad networks or plug-ins) would itself be considered a covered “operator” under the Rule.
• The FTC is also proposing to allow websites with mixed audiences (e.g., parents and over 13) to age-screen visitors to provide COPPA’s protections only to those under 13. However, kid-directed sites or services that knowingly target under-13s as their primary audience or whose overall content is likely to attract kids under that age could not use that method.
• Also, the FTC has proposed modifying the definition of what constitutes “personal information” relating to children to make it clear that a persistent identifier falls within that definition if it can be used to recognize a user over time or across different sites or services. The FTC is considering whether activities like site maintenance and analysis, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual ads, and protecting against fraud and theft should not be considered the collection of “personal information” as long as what’s collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising.
Comments on the FTC’s proposed rule changes are due by September 10, 2012.
For-profit education institutions may have breathed a sigh of relief on June 30, 2012, when a federal judge struck down most of the Department of Education’s Gainful Employment rule. The decision came none too soon, as the U.S. District Court for the District of Columbia issued the ruling literally on the eve of the day the regulations were slated to take effect. But these colleges and universities should not rest on their laurels. While the court sided with the private sector in this instance, the judge’s opinion keeps the door open for more and similar regulation.
To address concern over the seeming disconnect between debt burden and employment prospects of graduates of for-profit colleges and universities, the DOE last year published its Gainful Employment rule. The rule was instituted to test schools’ compliance with the Higher Education Act’s requirement that certain institutions must “prepare students for gainful employment in a recognized occupation” in order to qualify for federal funds. To accomplish this, the rule set forth three tests, one or more of which a school would need to meet, to qualify for federal funds. The tests required that:
1. At least 35 percent of graduates must be repaying their loans,
2. The median graduate’s estimated annual loan payments must not exceed 12 percent of earnings, or
3. The median graduate’s estimated annual loan payments must not exceed 30 percent of discretionary income.
The rule further required that subject schools make certain disclosures to prospective students and obtain DOE approval for new programs.
The Gainful Employment rule stirred up consternation in the for-profit world, as concerns mounted over the costs of compliance. The Association of Private Sector Colleges and Universities, the main association representing the for-profit education industry (with over 1800 members), challenged the rule in court.
The APSCU argued that the Gainful Employment rule exceeded statutory authority by stretching the meaning of the term “gainful employment.” The court squarely sided with the DOE on its authority, noting that “gainful employment” is not an unambiguous term and that the DOE has the authority to assess whether educational programs prepare students for gainful employment. The only question, according to the court, was whether the DOE had reasonably promulgated rules to test programs’ ability to prepare students.
Working through an analysis of the rules, the court ultimately determined that the debt repayment standard (No. 1 above) “was not based upon any facts at all. No expert study or industry standard suggested that the rate selected by the Department would appropriately measure whether a particular program adequately prepared its students,” the court wrote. The reason: The rule was solely based upon statistics that at the 35 percent rate, roughly 25 percent of schools subject to the rule would fail, i.e., the rate was set because it would knock out the bottom quarter of schools.
The judge rightly ruled that this basis — merely picking a compromise figure — “is not reasoned decisionmaking.” Since the other standards were so intertwined with the debt repayment test, the judge struck them down as well, leaving remaining only the disclosure provisions of the rule.
The APSCU and the for-profit industry have hailed the judge’s decision as a victory. But the industry needs to understand that it may be just the first of a series of regulatory battles. The court’s opinion read largely like an opinion favoring the DOE. Notably, the judge stated that “the Department has gone looking for rats in ratholes — as the statute empowers it to do.” And the court squarely upheld the DOE’s regulatory authority to go about enforcing something just like the Gainful Employment rule, so long as the basis is grounded in sufficiently reasoned standards.
It is not clear yet how the DOE will proceed, and whether it will go about another round of rulemaking. But the court’s opinion provides ample incentive for the administration to take another turn at Gainful Employment.
After nearly a decade of persuading hundreds of thousands of parents that their babies were geniuses, the popular company, Your Baby Can Read, is shutting its doors. Its demise is the result of an FTC investigation prompted by the Campaign for a Commercial-Free Childhood advocacy group, which challenged claims by the company that newborns have the ability to absorb reading and spelling skills when they are as young as three months old. According to the company’s website, the cost of fighting these legal battles has left the company with no option but to close.
Your Baby Can Read consists of interrelated videos, flash cards and books designed to teach infants as young as three months old to read. Developed in the late 1990s by Robert Titzer, an educator with a Ph.D. in human performance from Indiana University, the product claims that babies have a small window in which they absorb spelling at an extraordinary pace. Although these claims have never been substantiated through any kind of credible research, fans of the products, which are priced at $200, have given them glowing reviews. More than a million families have used the products, which the company extensively advertised on TV, at exhibitions, and on its own website, Facebook page and YouTube channel.
In April 2011, a class of consumers who purchased the educational programs filed a class action complaint against the company in California challenging the effectiveness of the product. Additionally, the Boston-based Campaign for a Commercial-Free Childhood (CCFC) filed a complaint against the company with the FTC, leading the way for a series of campaigns against what critics call the “genius baby” industry. The national watchdog group previously successfully campaigned against the way that the “Baby Einstein” program marketed its products. In its complaint with the FTC, CCFC argued that Your Baby Can Read’s claims of teaching infants to read lacked scientific support. The group requested that the FTC stop the company from continuing its allegedly deceptive marketing practices and that the company offer full refunds to “all parents who have been duped.” According to CCFC director Dr. Susan Linn, the company “exploited parents’ natural tendency to want what’s best for their children” by making grandiose promises that find no support in science.
The problem with these types of educational products appears to be twofold. First, doctors and scientists who have tested the products have reportedly found that infants using the products are not reading, but rather are memorizing the shapes of the letters presented. Second, as the CCFC points out, the program can actually be harmful to children, as it encourages them to sit in front of television screens and computer monitors, getting them “hooked on screens” too early in life. In fact, the group notes that if parents follow the “Your Baby Can Read” instructions, by nine months, babies would have spent more than a full week of 24-hour days in front of a screen.
Although the company is going out of business, the FTC will not automatically cease its investigation. The FTC says it aims to protect the most vulnerable classes in society — and perhaps none are more vulnerable than young children, or, in this case, their overachieving parents who just want their bragging rights. It will be interesting to see which group of consumers will come out on top in the FTC investigation – the thousands of parents who were satisfied with the product or the class-action parents whose children were perhaps not as smart as they believed them to be.
Michelle Cohen recently joined Ifrah Law as a partner. Here is an edited transcript of a recent interview with Ms. Cohen.
Question: What are some of your legal experiences and strengths that you’d like to highlight?
Answer: I have many years of experience representing clients engaged in various industry sectors before state attorneys general, the FTC and the FCC, particularly in investigations and enforcement matters. I have a deep knowledge of marketing law and have counseled and defended clients in dozens of matters involving the Telephone Consumer Protection Act, the federal CAN-SPAM Act, and state and federal telemarketing laws and regulations. I also sat for and passed the Certified Information Privacy Professional examination administered by the International Association of Privacy Professionals. This demonstrates my broad capabilities in the field of privacy law.
Some recent matters of note include managing a data loss incident for a client that entailed notifications to several state attorneys general’s offices, assisting the client with remediation and public relations management, and reviewing existing data retention policies, as well as a follow-up investigation at the state level. The client was able to move forward without any enforcement activity.
On the Telephone Consumer Protection Act side, I have supervised teams of attorneys in defending class and individual actions and resolved FCC enforcement matters (including without any penalties).
My training as both a litigator and a regulatory/corporate advisor allows me to offer a wide range of services to clients. I take great pride in knowing that my regulatory advice to clients in how to craft their business practices and establish meaningful policies has resulted in these clients avoiding enforcement actions and litigation.
Question: There has been a lot of publicity these days about data breaches that have caused serious harm to a number of retailers, credit card companies, banks, and others. Do you think there has been a real uptick in the number of such breaches, and if so, why has it occurred?
Answer: I think the increased publicity stems more from the growing awareness on the part of companies and the press that there are various types of data breaches and data losses that are covered by federal and state laws and that need to be reported and remediated. Some years back, if a laptop containing sensitive information was stolen from an employee’s car, the company might disable the account and report the theft, but the event did not necessarily trigger potentially thousands of notices to those affected, state attorneys general and consumer protection offices, publicity (via news reports and blogs that cover daily breaches) and possible lawsuits and enforcement activity. Today, that one event can result in all of those actions occurring.
Question: What is your advice to companies that may someday face a data breach?
Answer: A couple of months ago, I wrote an article regarding data breaches. The central point was that no organization should consider itself immune. Rather, a data breach (in the form of a bad actor) or a data loss (for instance, by negligent but unintentional employee action) WILL occur, no matter how many precautions a company takes. The key is to have policies in place regarding data security, to train employees in an effort to prevent negligent actions, and to be prepared for actions that will need to be taken when an event occurs. Organizations should have a team in place (human resources, legal, public relations, etc.) for dealing with these types of problems. Data loss events require swift, but considered action. In particular, some of the state breach laws have deadlines, and companies have found themselves under investigation (or involved in litigation) when their responses to a breach have been too slow or failed to meet the requirements of the law. These legal ramifications, combined with the negative publicity that WILL follow, can often be much worse than the actual data loss event.
Question: Are some companies failing to put the best safety provisions in place?
Answer: Most large companies have incorporated data safety policies; however, many medium-size and smaller businesses have not done so. In addition, I think that many companies, both large and small, do not realize the scope and applicability of many of the laws. For example, consider a large company based in Texas, with most of its employees in that state. Its managers may not realize that if the company has three employees in Massachusetts, they are covered by Massachusetts’ data protection law. This statute has very specific requirements, including a requirement for a Massachusetts-specific information security plan. Let’s say the Texas company has a data loss and has to notify the Massachusetts employees and the Massachusetts Attorney General’s office along with all of its other employees. The company may get a follow-up inquiry from the Massachusetts AG asking for a copy of that company’s Massachusetts-compliant written information security policy. If the company does not have one, because it never realized it fell within that state’s law, it may find itself in some hot water there.
Accordingly, all organizations need to be proactive in their data security planning and must provide continuing updates to their policies, training, and understanding of what federal, state, and international laws may apply to their operations.
The barely year-old Consumer Financial Protection Bureau came out of the gate this week with its first enforcement action. Capital One has the dubious honor of being CFPB’s premier target under the bureau’s authority to take action against entities that it believes engage in unfair, deceptive, or abusive practices in the offering of consumer financial products and services. Congress created the CFPB as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act. That law broadly empowers the CFPB to supervise and enforce the nation’s consumer financial laws.
The CFPB claimed that Capital One’s telemarketing vendors used certain deceptive marketing practices to pressure or mislead consumers into paying for “add-on” products such as payment protection and credit monitoring. The practices of particular concern to the CFPB included:
• Misleading consumers about the benefits of the products – for instance that the product would improve credit scores when that was inaccurate
• Deceiving consumers about the nature of the products – CFPB claims some consumers were told the products could be canceled, while canceling was difficult to accomplish
• Taking orders from ineligible consumers and then denying claims later based upon eligibility
• Leading consumers to believe the products were free when they were not
• Enrolling consumers without the consumer’s express consent
Capital One agreed to a consent order, in which the bank neither admits nor denies the allegations. The consent order provides for refunds to two million consumers of at least $140 million and a $25 million penalty. The consent decree also places additional restrictions and oversight on Capital One, including a requirement that it stop the marketing of these products until it has presented an acceptable compliance plan to ensure these acts do not recur. Capital One must also submit to an independent audit to determine if it has met the conditions of the consent decree, and it must ensure the refunds are automatic so that consumers do not have to take any action to obtain their refunds.
In addition to the consent order and the associated press release, the CFPB also issued a compliance bulletin stressing that institutions will be held liable for actions by third-party vendors operating on their behalf. The agency stressed certain proactive actions that companies should take to ensure that marketing materials and customer service interactions do not violate the law. Among these practices are the review of scripts, ads, radio and TV commercials to make sure they reflect the actual terms of the products and are not deceptive or misleading. The CFPB also cautioned that employee incentive and compensation programs tied to add-on products should require that employees adhere to guidelines and not create incentives for employees to provide inaccurate information.
Those familiar with FTC enforcement will note many similarities, as the CFPB has stated it will follow FTC precedent on “unfair” and “deceptive” practices. The CFPB has also made clear that service providers and others who “knowingly or recklessly provide substantial assistance to a covered person or service provider” may face the CFPB’s wrath.
While this is the first CFPB action, others are sure to follow as the CFPB is engaged in ongoing examinations and has issued subpoenas. The CFPB is also working closely with state attorneys general and the FTC, sharing information on potential violations and coordinating enforcement actions. We expect to see several additional CFPB actions as the new agency flexes its enforcement muscles, particularly in the mortgage, credit card, educational and “payday” loan arenas.