Wiley Consumer Protection Download (September 20, 2022)
*Originally published September 20, 2022
Regulatory Announcements
Significant Enforcement Actions
Upcoming Comment Deadlines and Events
More Analysis from Wiley
Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and ground-breaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
To subscribe to this newsletter, click here.
Regulatory Announcements
FTC Holds September Open Commission Meeting and Votes to Approve Government and Business Impersonation Fraud NPRM, Gig Work Policy Statement, and Dark Patterns Report. On September 15, the FTC held a virtual Open Commission Meeting. During the meeting, the agency considered and voted on: (1) the Notice of Proposed Rulemaking (NPRM) on Government and Business Impersonation; (2) the Policy Statement on Enforcement Related to Gig Work (the Policy Statement); and (3) the Staff Report on Dark Patterns (the Staff Report).
The FTC voted unanimously to approve both the NPRM and the Staff Report. The NPRM, which the agency approved after no commenter opposed the agency’s Government and Business Impersonation Fraud Advance Notice of Proposed Rulemaking, proposes a rule that would allow the FTC to obtain penalties against fraudsters impersonating companies, non-profit organizations, and government agencies. Comments will be due 60 days after Federal Register publication.
The Staff Report on dark patterns, among other things, identifies four categories of practices which may violate the FTC Act: (1) design elements that induce false beliefs; (2) design elements that hide or delay disclosure of material information; (3) design elements that lead to unauthorized charges; and (4) design elements that obscure or subvert privacy choices. The Staff Report defines “dark patterns” as “practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm.” The Staff Report follows the agency’s April 2021 Bringing Dark Patterns to Light Workshop.
Finally, the FTC voted to approve the Policy Statement on gig work by a 3-2 party-line vote. The Policy Statement commits that the FTC will “use the full portfolio of laws it enforces to prevent unfair, deceptive, anticompetitive, and otherwise unlawful practices affecting gig workers.” While Chair Khan and Commissioners Slaughter and Bedoya expressed strong support for the Policy Statement, arguing that it will help to safeguard protections for gig workers, Commissioners Phillips and Wilson voted against the Policy Statement, contesting that aspects of it exceeded the FTC’s jurisdiction.
CFPB Issues Study on BNPL Services. On September 15, the CFPB issued a report on the growth of “Buy Now, Pay Later” (BNPL) services, which the agency characterizes as “a form of interest-free credit that allows a consumer to fully purchase a product, and then pay back the loan over four installments, with the first installment typically being a down payment on the purchase.” According to the CFPB, “[m]ost Buy Now, Pay Later loans range from $50 to $1,000, and are subject to late fees if a borrower misses a payment.” In the report the CFPB claims that there are several potential harms associated with BNPL, including a lack of standardized consumer protections, data collection and monetization, and debt accumulation and overextension.
CFPB and FTC Submit Amicus Brief in Ingram v. Experian FCRA Case. On September 14, the CFPB and the FTC submitted an amicus brief to the U.S. Court of Appeals for the Third Circuit in the Ingram v. Experian case. In that case, a consumer had made a request to a Fair Credit Reporting Act (FCRA) furnisher to remove a delinquent account from his credit report because he alleged that he was the victim of identity theft and had not opened the account. The consumer disputed the delinquent account with credit reporting agency (CRA) Experian, which sent the dispute to the debt collector, but the debt collector allegedly did not take further steps to verify the authenticity of the account beyond cross-checking the accountholder name and Social Security Number. The consumer then filed suit against the debt collector, asserting violations of the FCRA’s dispute provisions. The lower court ruled in favor of the debt collector, holding that FCRA only obligates a furnisher to investigate “bona fide” indirect disputes. In their amicus brief, the CFPB and the FTC argue that the lower court erred because FCRA requires furnishers to investigate all indirect disputes and entitles consumers to both be notified about the outcome of their disputes and to correct any problems with their dispute claims. The FTC voted 5-0 to file the joint amicus brief.
FTC Director of Bureau of Consumer Protection Warns Companies Not to Display Fake Product Reviews and Encourages Online Platforms to Eliminate Advertising for “Post-for-Pay” Reviews. On September 13, FTC Director of the Bureau of Consumer Protection Samuel Levine released a blog post warning companies that using “post-for-pay” providers to create fabricated product or service reviews constitutes a deceptive practice under Section 5 of the FTC Act. Levine’s blog post noted that the agency issued a Notice of Penalty Offenses to hundreds of advertisers last year that warned that use of certain deceptive reviews and endorsements can lead to financial penalties under the FTC Act (we summarized the Notice in greater detail here). The blog post identified search engines and social media sites as the entities in the best position to eliminate fabricated “post-for-pay” reviews because “they can hire more people, improve detection technology, share information appropriately on bad actors and fraud patterns, be more transparent with the public, and provide more access to outside researchers.” Levine stated that search engines and platforms currently lack the “will and incentive” to crack down on fake reviews because the Communications Decency Act protects these entities from FTC enforcement actions for hosting post-for-pay providers. However, he encouraged consumers and businesses to “report specific problems” because the platforms “can’t later say they didn’t know about it.”
FTC Hosts Public Forum on Commercial Surveillance and Data Security ANPR. On September 8, the FTC hosted a Commercial Surveillance and Data Security Public Forum (Public Forum) following the agency’s release of its Advance Notice of Proposed Rulemaking (ANPR) titled “Trade Regulation Rule on Commercial Surveillance and Data Security,” which we explained in greater detail here. During the Public Forum, Chair Khan and Commissioners Slaughter and Bedoya explained the rulemaking process and encouraged all interested parties to submit comments on the ANPR. The Public Forum also included two panels – one featuring industry representatives and one featuring consumer advocacy groups – as well as a public comment period. While the industry panelists and public commenters mostly favored a more incremental approach to the FTC rulemaking and largely encouraged the agency not to adopt “one-size-fits-all” rules, the consumer advocacy panelists and public commenters encouraged the FTC to take a broad and aggressive approach to the rulemaking. As the ANPR makes clear, any eventual rule on “commercial surveillance” and data security must be based in “unfair or deceptive acts or practices” as specified in Section 5 of the FTC Act. The Public Form represented the latest step in the rulemaking process for the FTC to gather data and evidence to support a rule. Comments on the ANPR are due October 21.
CFPB Issues Notification Letter and Circular Stating That Nursing Care Facilities May Not Require Third-Party Caregivers to Personally Guarantee the Payment of a Resident’s Bills. On September 8, the CFPB and the Centers for Medicare & Medicaid Services (CMS) issued a joint letter confirming that nursing care facilities may not require a third-party caregiver to personally guarantee payment of a nursing home resident’s bills as a condition of a resident’s admission because such conditions may violate the Nursing Home Reform Act and the Fair Debt Collection Practices Act (FDCPA). The Nursing Home Reform Act sets federal quality standards for nursing homes, and nursing homes are required to meet these standards if they receive Medicare or Medicaid.
The CFPB also issued a Consumer Financial Protection Circular on September 8 stating that certain practices involving the collection of nursing home debts can violate the FDCPA and the FCRA. Specifically, a debt collector may not misrepresent that “a consumer must pay a debt that arises from a contract provision that is illegal and unenforceable under federal or state law.” Accordingly, the CFPB states that “a debt collector . . . that represents that a third party must personally pay a nursing facility resident’s debt may violate the prohibition on misrepresentations where the debt is invalid under the Nursing Home Reform Act, its implementing regulation, or one of its state law analogues.” The Circular also states that a debt collector may violate the FCRA by reporting that a consumer owes a debt when the debt is based on a contract terms that is illegal, such as a term that would violate the Nursing Home Reform Act.
CFPB Releases Report on Finances and Debt in Rural Appalachia. On September 1, the CFPB released a report titled, “Consumer Finances in Rural Appalachia,” which is the first of a series of agency reports focusing on the finances of consumers living in rural communities. According to the report, consumers living in rural Appalachia earn less than consumers in other rural areas and have higher rates of subprime credit. The CFPB report specifically found that nearly 24% of rural Appalachians have medical debt collections, which is a 7% greater rate than the 17% national average. Rural Appalachians with medical debt collections also have over double the delinquency rates for other credit products compared to those without medical debt collections.
FTC Releases Second Report on U.S. E-Cigarette Sales and Advertising. On August 31, the FTC issued its Second E-Cigarette Report, which showed a notable increase in sales of flavored disposable e-cigarettes and menthol e-cigarette cartridges in 2020. The report covers sales and advertising data from 2019 and 2020, showing that total e-cigarette sales declined from $2.703 billion in 2019 to $2.24 billion in 2020. While total e-cigarette sales decreased from 2019 to 2020, the Second Report notes that the sale of disposable e-cigarettes increased substantially, with flavored disposable products making up 77.6% of all disposable e-cigarettes sold in December 2020. Additionally, the Second Report notes that spending on the sampling and distribution of free and discounted e-cigarettes doubled from 2018 to 2020. The Second Report comes after the release of the First E-Cigarette Report, which showed an increase in e-cigarette sales from $304.2 million to $2.06 billion between 2015 and 2018. The FTC voted 5-0 to release the Second E-Cigarette Report.
Significant Enforcement Actions
FTC Settles with Credit Karma for Alleged Misrepresentation in “Pre-Approval” Advertisements to Consumers. On September 1, the FTC announced that it issued a proposed administrative complaint against Credit Karma, as well as a proposed agreement containing a consent order, for the company’s use of “pre-approval” credit offers in mail, email, and online advertisements. Credit Karma provides services that allows consumers to (1) monitor their credit scores and (2) monitor their credit reports. Credit Karma sends its members who are enrolled in such services advertisements and recommendations for third-party credit products, such as credit cards. Some of the consumers who received advertisements for these financial products subsequently applied for offers and were not approved. In the complaint, the FTC alleges that Credit Karma violated Section 5(a) of the Federal Trade Commission Act (FTC Act) by falsely representing that (1) consumers were “pre-approved” and (2) consumers had “90% odds’ of approval.” The complaint claims consumers wasted time and suffered hard credit checks when applying for credit offers that were not accepted. The consent order requires Credit Karma to stop these advertisements and make a monetary payment of $3 million. The FTC will shortly publish a description of the consent agreement package for public comment in the Federal Register. Following a 30-day comment period, the FTC will decide whether to make the proposed order final.
FTC Brings Suit Against Rental Platform for Buying Fake Reviews and Charging for False Listings. On August 30, the FTC announced that the agency, along with the states of California, Colorado, Florida, Illinois, Massachusetts, and New York, filed suit under the FTC Act and state consumer protection laws against rental listing platform Roomster Corp. (Roomster) and Jonathan Martinez, doing business as AppWinn (Martinez). The complaint alleges that, although the company claimed that the rental listings on its platform are real, available, and verified, Roomster did not verify listings prior to posting, and that Roomster contracted with Martinez, who sold Roomster tens of thousands of fake reviews. Roomster then allegedly proceeded to “inundate[] the internet with tens of thousands of fake positive reviews[,]” as well as certain forms of advertisements, to bolster these claims and draw consumers to the platform. The complaint further alleges that Roomster advertised fake listings to induce consumers into paying for access to those listings on its platform. In addition to the complaint, the FTC and the states filed a proposed order settling claims with Martinez that: (1) requires him to notify app stores that Roomster paid him to post reviews, and identify fake reviews and the number of times they were posted; (2) prohibits him from selling reviews; and (3) requires him to pay $100,000 to the six states that brought the complaint.
FTC Issues Administrative Complaint Against, and Settles with, Heated Mattress Pad Marketer for False "Made in USA" Labels. On August 30, the FTC announced that it issued an administrative complaint against Electrowarmth Products, LLC (Electrowarmth)—a company that manufactures heated mattress pads for truckers—and its owner, alleging that the company falsely marketed and labeled its products as “Made in the USA” even though the products are produced in China with Chinese textiles. In the complaint, the FTC claims that, although Electrowarmth formerly manufactured its heating pads in the US with US materials, the company moved its manufacturing operations to China in 2019 without changing any of its labels. The complaint also alleges that Electrowarmth's actions violate (1) the Textile Act, which prohibits misbranding of textiles; and (2) the FTC’s Textile Rules, which were promulgated pursuant to the Textiles Act and require accurate disclosures when a product is not made in the US. The FTC further announced a proposed agreement containing a consent order that would require Electrowarmth to stop mislabeling its products, accurately identify the product's manufacturing origin, and pay a $815,809 monetary judgement. The FTC will publish a description of the consent order for public comment in the Federal Register, with a 30-day comment period.
FTC Sues Data Broker for Selling Geolocation Data. On August 29, the FTC announced that it filed suit under the FTC Act against data broker Kochava Inc. (Kochava) for selling geolocation data for “hundreds of millions of mobile devices[.]” According to the complaint, Kochava collects a range of information from consumers’ devices and provides data feeds that include, among other information, “timestamped latitude and longitude coordinates showing the location of mobile devices.” The FTC alleges that Kochava provided a free sample of its data—containing data from the previous seven days that corresponds to tens of millions of unique mobile devices—that can be obtained with relative ease, and thus, according to the FTC, failed to adequately protect this data from public disclosure. The FTC alleges that the data “may be used to track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters.” Kochava filed a claim for declaratory judgement against the FTC on August 12, asking the U.S. District Court for the District of Idaho to rule that, among other things, “Kochava’s practice of data collection, specifically of latitude and longitude, IP address and MAID information associated with a consumer’s device is not an “unfair… act or practice” within the meaning of Section 5 of 15 U.S.C. § 45(a).”
Upcoming Comment Deadlines and Events
CFPB Solicits Comment on Employee Debt Obligations. Comments are due September 23 (extended from September 7) on the CFPB’s RFI seeking input regarding debt obligations incurred by consumers in the context of an employee or independent contractor arrangement. The RFI seeks information in a number of areas, including the prevalence of such debt obligations, “the pricing and other terms of the obligations,” disclosures, dispute resolution, and debt collection and servicing. The RFI suggests that such debt obligations may take two forms: (1) training repayment agreements, which require workers to pay employers or third-party providers for previously undertaken training if they terminate their employment within a certain time period; and (2) debt owed to an employer or third party for the purchase of equipment and supplies essential to their work or required by their employer. CFPB Director Chopra signaled that the applicability of the CFPA to training repayment agreements was a regulatory priority for the agency at the FTC’s Enforcers Summit in April. The agency also highlighted these kinds of agreements in a March blog post.
FTC Seeks Comment on Revised Endorsement Guides. Comments are due September 26 on the FTC’s Request for Public Comment on Amendments to the Guides Concerning the Use of Endorsements and Testimonials in Advertising (Request for Comment) that proposes a number of revisions to the FTC’s Endorsement Guides. Among other matters, the Request for Comment seeks input on treating the deletion of negative reviews or the decision not to publish negative reviews as a deceptive act or practice under Section 5 of the FTC Act; addresses endorsements made on social media posts; and solicits feedback on adding a section to the Endorsement Guides focused on advertising towards children. A summary of the Request for Comment is available here.
FTC Holding Virtual Event on ‘Stealth Advertising’ Toward Children. On October 19, the FTC will host a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media.” The event will examine evolving practices, such as the “kid influencer” marketplace, and the techniques being used to advertise to children over the internet. In conjunction with the virtual event, the FTC is seeking public comment on how children are impacted by certain digital marketing and advertising messages. Comments are due November 18.
FTC Requests Comment on ‘Commercial Surveillance’ and Data Security ANPR. Comments are due October 21 on the FTC’s Trade Regulation Rule on Commercial Surveillance and Data Security ANPR (which we summarized in greater detail here). The wide-ranging ANPR seeks feedback on dozens of questions regarding consumer privacy, data security, and algorithmic uses, and discusses a number of potential regulatory approaches to what the agency calls “commercial surveillance.” The agency defines “commercial surveillance” as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information,” and “data security” as “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.” The FTC issued the ANPR under its Section 5 FTC Act authority, which requires any eventual rule to be grounded in “unfair or deceptive acts or practices” as specified in the Act.
FTC Seeking Research Presentations for PrivacyCon 2022. Research presentations were due July 29 for PrivacyCon 2022, which will take place virtually on November 1. As part of the event, the FTC is seeking empirical research and presentations on topics including: algorithmic bias; “commercial surveillance” including workplace monitoring and “biometric surveillance”; new remedies and approaches to improve privacy and security practices; and the privacy risks posed by emerging technologies for children and teens.
More Analysis from Wiley
Duane Pozza Named a Cryptocurrency and Fintech ‘Trailblazer’ by The National Law Journal
FTC Pushing Ahead Toward Major Privacy Regulation
The Private Sector Should Watch NIST’s Broad Work on Privacy and Cybersecurity Guidance
California AG Issues First Fine for CCPA Violations
DHS CISA Kicks off Work to Regulate Critical Infrastructure Incident Reporting
Office of the National Cyber Director Remains Nascent, Evaluations to Come as Efforts Mature
CFPB Addresses Data Security Expectations for Financial Institutions
FTC Launches National Privacy Rulemaking
FTC Seeks Comment on Updating Endorsement Guides on Digital Advertising
New York State Department of Financial Services Proposes Updates to Cybersecurity Regulation
Property Rights in NFTs Are in the Spotlight
FTC Highlights Scrutiny of Health and Geolocation Data
West Virginia v. EPA and the Future of Tech Regulation
FTC Uses Enforcement Proceeding to Send Message on Account Security Practices
Top Developments to Watch at the FTC on Privacy
California Privacy Protection Agency Releases Draft CPRA Regulations
EU Institutions Reach Agreement on Landmark Regulations Targeting Big Tech
National Privacy Law: Bipartisan Proposed Legislation Regarding Privacy Released
Webinar: Transactional Due Diligence Related to Privacy and Cybersecurity
Webinar: FTC’s Revised Safeguards Rule: How to Navigate New Information Security Requirements
Podcast: Why the FTC Matters for Fintech
Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.
Download Disclaimer: Information is current as of September 20, 2022. This document is for informational purposes only and does not intend to be a comprehensive review of all proceedings and deadlines. Deadlines and dates are subject to change. Please contact us with any questions.
