Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap select enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies.
Regulatory Announcements
CFPB Releases Updated Supervisory Designation Procedures. On April 16, the CFPB issued a procedural rule to update how the agency designates a nonbank for supervision. The updated process will conform to a recent organizational change re-assigning the duties of the Associate Director of the CFPB’s Division of Supervision, Enforcement, and Fair Lending to the Director, and will streamline future designation proceedings. The procedural rule took effect upon publication in the Federal Register on April 23.
In conjunction with the publication of the procedural rule, the CFPB also released a request for public comment seeking “additional data on estimates of staffing requirements and costs for compliance with supervisory activities.” Comments on this request are due May 23.
FTC Issues Final Rule to Ban Employee Non-Compete Clauses. On April 23, the FTC issued a final rule to generally prohibit non-compete agreements with workers, including senior executives. Specifically, the final rule announcement concludes that non-compete clauses negatively affect competitive conditions in labor and product and service markets and are a violation of Section 5 of the FTC Act (our summary of the final rule is available here). Under the final rule, existing non-competes for senior executives – defined as workers earning more than $151,164 annually and who are in policy-making positions – can remain in force. Additionally, employers will be required to provide notice to employees that existing non-competes will not be enforced against them in the future.
The Commission voted 3-2 to approve the publication of the final rule in the Federal Register, with Commissioners Melissa Holyoak and Andrew N. Ferguson issuing dissenting statements. Chair Lina Khan and Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter expressed support for the final rule, arguing that it will benefit competition in both labor and product and service markets. The dissents by both Commissioners Holyoak and Ferguson argued that the FTC does not have authority to promulgate the final rule under Section 5 or Section 6(g) of the FTC Act. The final rule will go into effect 60 days after its publication in the Federal Register.
CFPB’s Recent Supervisory Highlights Focuses on Mortgage Servicers. On April 24, the CFPB published an edition of its Supervisory Highlights describing the Bureau’s recent examinations focused on mortgage servicers. These examinations follow recent efforts by the Bureau to address what it characterizes as “junk fees,” and the Highlights found that certain servicers were allegedly engaged in unlawful practices including charging homeowners prohibited and unauthorized fees, failing to waive certain fees and penalties as required by certain COVID-19 processes, failing to make tax or insurance payments on behalf of borrowers in a timely manner, sending homeowners inaccurate notices, and failing to evaluate homeowners for repayment options, as required by the CFPB’s mortgage servicing rules. The Highlights note that, in response to these findings, mortgage servicers have taken corrective action including providing refunds to homeowners and changing their policies and procedures.
FTC Finalizes Changes to the Health Breach Notification Rule. On April 26, the FTC announced that it has finalized changes to the Health Breach Notification Rule (HBNR). Consistent with the revisions that the FTC proposed in the HBNR Notice of Proposed Rulemaking, the final rule will, once effective, clarify that the HBNR applies to mental health and other apps that collect certain data. The final rule also amends the HBNR’s “breach of security” definition to include the unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure, and therefore it would not limit reportable incidents to “cybersecurity intrusions or nefarious behavior.” Additionally, the final rule authorizes expanded use of email and other electronic means to provide notice of breach to consumers, expands the required content that must be provided in consumer notice, and specifies when the FTC must be notified under the rule.
The Commission voted 3-2 to approve the publication of the final rule in the Federal Register with Chair Lina Khan and Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter voting to approve the final rule and issuing a joint statement in support, asserting that the rule “ensures” that the HBNR’s “protections keep pace with the rapid proliferation of digital health records.” Commissioners Melissa Holyoak and Andrew N. Ferguson voted against the rule and issued a dissent. The dissent argues that the final rule “exceeds the Commission’s statutory authority, puts companies at risk of perpetual noncompliance, and opens the Commission to legal challenge that could undermine its institutional integrity.” The final rule will go into effect 60 days after its publication in the Federal Register.
Select Enforcement Actions
FTC Settles with Individual Running Debt Relief Service for Allegedly Deceptive Marketing Practices. On March 15, the FTC filed a stipulated order in the U.S. District Court for the Central District of California against an individual who operated debt relief services. Other defendants in this matter previously settled with the FTC on February 6, 2024 for $7.4 million and injunctive relief. The FTC filed a complaint against all defendants in August 2023 alleging that defendants falsely purported to be affiliated with the U.S. Department of Education and misrepresented the debt relief services that the company provided, in violation of the FTC Act, Telemarketing Sales Rule (TSR) and Gramm-Leach-Bliley Act (GLBA). The last individual defendant to settle has agreed to join the relief package of the other defendants and is subject to injunctive relief and the $7.4 million monetary judgment.
CFPB Settles with Vocational School and Its CEO for Allegedly Misrepresenting Student Loan Policies and Job Placement Rates. On April 17, the CFPB issued a consent order and stipulation against a for-profit vocational school and its CEO. The CFPB alleges that the school misled consumers by representing student loans as income-sharing agreements that were “risk-free” and did not carry a finance charge. Additionally, the CFPB alleges that the school misrepresented its job placement success. The defendants have agreed to a total of $164,000 in civil penalties in addition to ceasing collection on the “income share” loans.
FTC Settles with Telehealth Provider and Its CEO for Allegedly Misleading Data Privacy Practices. On April 12, the FTC filed a complaint in the U.S. District Court for the Southern District of Florida against a telehealth company and its CEO for alleged violations of the FTC Act, the Restore Online Shoppers’ Confidence Act (ROSCA), and the Opioid Act. The complaint alleges that the company shared consumer browsing data with third parties without properly disclosing these practices to consumers or sufficiently anonymizing the data. The FTC also alleges that the company’s advertisements about its privacy protections were misleading. On April 15, the FTC filed a stipulated order against the defendants in which they agreed to $15.1 million in damages in addition to injunctive relief and implementation of a data security program which includes a data deletion schedule.
FTC Sues Bill Payment Company and Its Co-Founders for Allegedly Deceptive Marketing Practices. On April 25, the FTC filed a complaint in the U.S. District Court for the Western District of Washington against a bill payment company and its two co-founders for alleged violations of the FTC Act, ROSCA, and the GLBA. The FTC alleges that the company misled consumers by not fully disclosing the fees related to their bill payment services and misrepresenting their relationship with the billing companies. The FTC seeks monetary and injunctive relief.
FTC Settles with Kitchen and Home Retail Company for Alleged Misuse of “Made in the USA” Label. On April 22, the FTC filed a complaint in the U.S. District Court for the Northern District of California against a kitchen and home retailer for alleged violations of the FTC Act and “Made in USA” Labeling Rule. The FTC alleges that the defendant incorrectly labeled certain product parts as made or “crafted” in the United States. On April 25, the FTC filed a stipulated order in which the company agreed to pay a $3.175 million civil money penalty in addition to injunctive relief.
Upcoming Comment Deadlines and Events
FTC Issues SNPRM Seeking Comment on Prohibiting the Impersonation of Individuals. Comments are due April 30, 2024 on the FTC’s Supplemental Notice of Proposed Rulemaking (SNPRM) proposing to amend the newly-adopted Trade Regulation Rule on Impersonation of Government and Business to prohibit the impersonation of individuals. Specifically, and as we summarized here, the SNPRM proposes to revise the Rule to both add a prohibition on the impersonation of individuals, and extend liability for Rule violations to parties who provide goods and services with “knowledge or reason to know that those goods or services will be used in impersonations of the kind that are themselves unlawful under the Rule.”
FTC Seeks Comment on Amendments to the TSR. Comments are due June 17, 2024 on the FTC’s Notice of Proposed Rulemaking (NPRM) that proposes to amend the TSR to extend its coverage to inbound telemarketing calls involving technical support services. The TSR currently covers certain inbound calls, such as calls that consumers make to telemarketers. The NPRM would extend this coverage to technical support service calls.
More Analysis from Wiley
Federal Trade Commission Issues Final Rule Banning Most Non-Competes: What You Should Know
New Report from NTIA Calls for More AI Regulation
10 Things to Know About the APRA – the Latest Federal Privacy Law Effort
Utah Adopts New AI Disclosure Law that Goes Into Effect on May 1, 2024
FCC’s “Spring Cleaning” Initiative Signals More Robocall Enforcement Activity Ahead
Attorney: AI development will be shaped by OMB’s next steps on procurement
EU Adopts World’s First Comprehensive AI Regulation
Executive Order on Foreign Access to Sensitive Personal Data Will Increase U.S. Regulation of Cross-Border Data Transfers
7 Tips for Leveraging Artificial Intelligence While Managing Risks in Political Campaigns
DOJ Kicks Off Work to Regulate Foreign Access to Sensitive Personal Data Under New EO
State Privacy Law 2024: Major Enforcement and Compliance Activity Shows No Signs of Slowing Down
Start Here: Cyber Fundamentals for Public Policy Makers
NIST Cybersecurity Framework 2.0 Reveals Major Shifts in Federal Guidance
Federal Government Acts on Connected Vehicle Privacy and National Security Concerns
FCC Extends Regulatory Reach Over AI: Announces TCPA Restrictions Cover AI-Generated Voices in Outbound Calls
California Appeals Court Allows Immediate Enforcement of CPRA Regulations
DOJ Signals Tough Stance on Crimes Involving Misuse of Artificial Intelligence
5 questions for Duane Pozza (Politico)
Podcast: AI in 2024: What Comes Next?
CES 2024: FTC Commissioner Slaughter Discusses New Rules, Competition, and AI
Heading into 2024, Federal AI Activity Ramps Up After AI Executive Order
AI Around the Globe: What to Know in 2024
Cybersecurity in 2024: Ten Top Issues to Consider
Annual Updates to Privacy Policies Reminder and Looking Ahead to 2024
FCC Expands Privacy and Data Protection Work with States to Increase Investigations
AI Use is Promising Yet Risky for Government Subpoenas and CIDs
DOJ Must Help in Fighting Illegal Robocalls, Lawyers Say
CFPB Poised to Significantly Expand the Reach of the Fair Credit Reporting Act
FTC and HHS Caution Hospitals and Telehealth Providers on Tracking Tech
Podcast: The “Wild West” of AI Use in Campaigns
SEC Cyber Reporting Mandates: How to Request a National Security or Public Safety Delay
Podcast: What could AI regulation in the U.S. look like?
Podcast: AI Risk Management: A Discussion with NIST’s Elham Tabassi on the NIST AI Risk Management Framework
Generative AI Policies: Five Key Considerations for Companies to Weigh Before Using Generative AI Tools
U.S. State Privacy Law Guide
Wiley Promotes Megan Brown and Duane Pozza to Co-Chairs of Privacy, Cyber & Data Governance Practice
[View source.]
