Editor's Note
The following document provides a monthly roundup summarizing enforcement actions, guidance, rulemakings, and other public statements from the Consumer Financial Protection Bureau, the Federal Trade Commission, and the occasional state regulator regarding the prohibition on unfair, deceptive, or abusive acts or practices (UDAAP) in the marketplace for consumer financial services.
Regulatory Developments
- The White House. Data Security Executive Order. On February 28, 2024, the White House announced Executive Order 13873, to protect Americans' sensitive personal data from exploitation by countries of concern. The EO directs DOJ to issue regulations to prohibit large-scale transfers of Americans' sensitive personal data to countries of concern, among many other line items. The EO also enhances DOJ's existing authority to address data-security risks, including with respect to telecommunications infrastructure, the healthcare market, and consumer protection. Finally, the EO encourages the CFPB to protect consumers and military personnel from data brokers that are illegally assembling and selling extremely sensitive data.
Enforcement and Litigation
- Federal Trade Commission. Lax Cybersecurity Practices. On February 1, 2024, FTC announced that Blackbaud Inc. will be required to delete personal data that it does not need to retain as part of a settlement over charges that the company's lax security allowed a hacker to breach the company's network and access the personal data of millions of consumers, including Social Security and bank account numbers. FTC claims the company waited nearly two months to notify its customers about the breach and then misled consumers about the extent of the data that was stolen, incorrectly telling customers they did not need to take any action in response to the breach.
- Federal Trade Commission. Sensitive Geolocation Data. On February 3, 2024, a federal district court ruled that FTC could proceed with its lawsuit seeking to halt Kochava, Inc.'s sale of sensitive geolocation data and requiring the company to delete the sensitive geolocation information it has collected. FTC first filed suit against Kochava in August 2022, but the court dismissed the case without prejudice. On June 5, 2023, FTC filed an amended complaint, which Kochava sought to dismiss, unsuccessfully arguing FTC had not "cured the deficiencies" identified in the court's dismissal of the original complaint. Kochava's data can reveal people's visits to politically and personally sensitive locations, and FTC alleges that Kochava's sale of this data can lead to threats of stigma, stalking, discrimination, job loss, and physical violence.
- Federal Trade Commission. Sale of Browsing Data to Third Parties. On February 22, 2024, FTC announced it would require software provider Avast to pay $16.5 million and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. FTC also charges that Avast deceived users by claiming that the software would protect consumers' privacy by blocking third-party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data.
- Federal Trade Commission. AI E-Commerce Money-Making Scheme. On February 27, 2024, FTC announced that the owners of a money-making scheme that claimed to use artificial intelligence to boost earnings for consumers' e-commerce storefronts have agreed to a stipulated and suspended judgment in excess of $21 million and to surrender millions in assets to settle FTC's case against them, with the suspension lifted if any assets were not fully disclosed and surrendered. The FTC alleged that the defendants offered consumers high returns from profitable e-stores; however, the vast majority of the defendants' clients did not make the promised earnings or even recoup their sizable investment. Instead, most lost significant amounts of money, and major e-commerce sites routinely suspended, blocked, or terminated the stores that defendants operated for their clients for repeated policy violations.
Research and Analysis
- Consumer Financial Protection Bureau. Credit Card Data. On February 16, 2024, CFPB reported on the first set of results from the newly updated "Terms of Credit Card Plans" survey. The survey data reveals that large banks are offering worse credit card terms and interest rates than small banks and credit unions, regardless of credit risk
Rulemaking Updates
- Federal Trade Commission. Impersonation of Businesses, Governments, and Individuals. On February 15, 2024, FTC announced publication of final rule at 16 CFR Part 461, which prohibits the impersonation of governments, businesses, and their officials or agents in interstate commerce. The rule prohibits: the use of government seals or business logos when communicating with consumers by mail or online; spoofing government and business emails and web addresses; and falsely implying government or business affiliation. In a joint statement, FTC Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya wrote, "This final rule marks the first time since 1980 that the Commission has finalized a brand-new trade regulation rule prohibiting an unfair or deceptive practice." FTC has proposed expanding the rule to prohibit the impersonation of all individuals, as discussed in DWT's recent blog post.
Other News of Note
- Consumer Financial Protection Bureau. Unlawful Fees in the Mortgage Market. On February 27, 2024, CFPB and FTC filed an amicus brief in the Eleventh Circuit in Glover and Booze v. Ocwen Loan Servicing, LLC, in support of plaintiffs-appellees. CFPB and FTC argued that the Fair Debt Collection Practices Act bars debt collectors from collecting pay-to-pay or "convenience" fees—fees imposed for making a payment online or by phone—unless the agreement creating the debt expressly authorizes such fees, or a law affirmatively authorizes them.
- Department of Financial Protection & Innovation. Fraudulent Website. On February 7, 2024, DFPI issued a Consumer Alert warning consumers that the website grandvacap.com is marketing itself as a licensed Investment Adviser but is not associated with any actual licensed Investment Adviser. The imposter site may be trying to pose as Grandva Capital LLC, which is a California licensed Investment Adviser. The DFPI urges consumers to exercise extreme caution before responding to any solicitation offering investment or financial services and to check whether an investment or financial service provider is licensed in California by going to the DFPI website at www.dfpi.ca.gov.
Jonathan Cristol is a regulatory analyst with Davis Wright Tremaine LLP.