Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap select enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
To subscribe to this newsletter, click here.
Regulatory Announcements
FTC Hosts Virtual Tech Summit on AI. On January 25, the FTC held a half-day Tech Summit focused on competition and consumer protection issues related to the growth of artificial intelligence (AI). FTC Chair Lina Khan and Commissioners Rebecca Slaughter and Alvaro Bedoya delivered remarks at the Tech Summit, which featured three panels with a range of speakers, including government representatives, industry representatives, civil society representatives, and journalists. Both the Commissioners and panelists discussed competition in the chip, cloud, and AI development markets, as well as management and use of large amounts of data to train AI models. On the same day, the FTC announced that it is conducting a Section 6(b) study on investments and partnerships involving AI developers and cloud computing and their potential impact on competition.
FTC Issues NPRM Proposing Changes to Its Oversight of HISA. On January 29, the FTC issued a Notice of Proposed Rulemaking (NPRM) laying out a number of proposed changes to the agency’s oversight of the Horseracing Integrity and Safety Authority (HISA). Among other things, the NPRM would require HISA to submit annual financial and performance reports to the FTC, and to submit a multi-year strategic plan. The NPRM would also require HISA to, among other things, prevent conflicts of interest, waste, fraud, embezzlement, and abuse, and hire a third-party auditor to annually evaluate its overall information technology security program and practices. Comments on the NPRM are due 60 days after publication in the Federal Register.
Select Enforcement Actions
FTC Settles With Financial Services Company for Allegedly Deceptive Marketing Practices. On January 22, the FTC filed an order against an online financial services platform and its cofounders, under Section 5 of the FTC Act, the Restore Online Shoppers’ Confidence Act (ROSCA), and the Equal Credit Opportunity Act (ECOA). As relevant here, Section 4 of ROSCA generally prohibits charging consumers for goods or services sold in online transactions through a negative option feature unless the seller (1) clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information, (2) obtains the consumer’s express informed consent before making the charge, and (3) provides a simple mechanism to stop recurring charges. In the complaint, the FTC defines a “negative option” as “an offer in which the seller treats a consumer’s silence — their failure to reject an offer or cancel an agreement — as consent to be charged for goods or services.” The FTC alleges that the defendants misrepresented consumers’ ability to receive “free” cash advances, made it difficult for consumers to cancel their membership fee, and discriminated against consumers whose income was derived from public assistance programs. The defendants have agreed to provide $3 million in consumer refunds and institute a fair lending program, in addition to injunctive relief.
FTC Issues Order Against Tax Filing Software Company for Allegedly Deceptive Advertising. On January 19, the full Commission issued an opinion and order against a tax filing software company for allegedly engaging in deceptive advertising for “free” tax products and services for which many consumers were ineligible. In September 2023, FTC Chief Administrative Law Judge D. Michael Chappell had issued an opinion concluding that the company had engaged in deceptive advertising, which the Commission order upheld.
FTC Settles With Tractor Manufacturer For Alleged Misuse of “Made in the USA” Label. On January 22, the FTC filed a complaint in the U.S. District Court for the Northern District of Texas against a tractor manufacturer for alleged violations of the FTC Act and “Made in USA” Labeling Rule. The FTC specifically alleges that the defendant incorrectly labeled certain replacement parts as “Made in USA.” On January 25, the FTC filed a stipulated order in which the defendant agree to pay a $2 million civil money penalty in addition to injunctive relief.
FTC Wins Monetary Judgment Against Telemarketing Company and its Owners for Violations of the Telemarketing Sales Rule. On January 23, a Northern District of Illinois judge issued an order for civil penalties against a telemarketing company and its owners after granting the FTC’s motion for summary judgment on September 1. In March 2019, the FTC alleged that the defendants initiated millions of unsolicited calls to consumers on the Do Not Call Registry and assisted other telemarketers in similar efforts in violation of the Telemarketing Sales Rule (TSR). The court previously found that the defendants knowingly violated the TSR and is now ordering the defendants to collectively pay $28.7 million in civil penalties in addition to injunctive relief.
FTC Finalizes Order Against Online Retailer for Allegedly Deceptive Marketing. On January 23, the FTC finalized an order against an online retailer and its owner for engaging in allegedly deceptive marketing in violation of the FTC Act and “Made in USA” Labeling Rule. The FTC filed its complaint against the defendants in December 2023, alleging that the defendants incorrectly labeled products as “Made in the USA” and misled consumers to believe that it was a veteran-operated business that donated a percentage of sales to military service charities. The defendants agreed to a monetary judgment of $4,572,137, in addition to injunctive relief.
FTC Settles with Software Company for Allegedly Insufficient Data Safeguards. On February 1, the FTC filed a complaint and order against a computer software company for alleged violations of Section 5 of the FTC Act. The FTC specifically alleges that the company did not have sufficient data protection safeguards, including sufficient data encryption policies, in place to prevent a recent data breach that occurred, and made inaccurate statements in its breach notification. The company has agreed to injunctive relief and to implement an information security program.
Upcoming Comment Deadlines and Events
FTC Seeks Comment on ‘Junk Fees’ and Proposes Fee Disclosure Requirements. Comments are due February 7, 2024 (extended from January 8, 2024) on the FTC’s Trade Regulation Rule on Unfair or Deceptive Fees NPRM. The NPRM broadly addresses two practices: (1) fee disclosures after a consumer sees an initial base price; and (2) “practices that misrepresent the nature and purpose of fees or charges.” The proposed rule would define both as unfair and deceptive practices, which would enable the FTC to seek civil penalties for violations. Among other things, the NPRM proposes to require businesses to disclose a “Total Price” in any offer, display, or advertisement that contains an amount a consumer must pay and do so more prominently than other pricing information. It also proposes a preemptive disclosure requirement which would require businesses to disclose, clearly and conspicuously and before the consumer consents to pay, the nature and purpose of any amount the consumer may pay that is excluded from the “Total Price,” including shipping charges, government charges, optional fees, voluntary gratuities, and invitations to tip.
FTC to Hold Informal Hearing on Reviews and Testimonials NPRM. The FTC will hold a virtual Informal Hearing on February 13, 2024 at 10 a.m. ET on the agency’s NPRM that, if adopted, would classify certain consumer review and testimonial practices as unfair or deceptive practices under Section 5 of the FTC Act. The hearing will be open to the public, and will feature oral statements from three interested parties—the Interactive Advertising Bureau, the Fake Review Watch, and a group of academic researchers—addressing issues raised during the rulemaking process.
FTC Seeks Research Presentations for PrivacyCon 2024. The FTC will hold PrivacyCon 2024 on March 6, 2024. The event will be particularly focused on automated systems and AI, health-related “surveillance,” children’s and teens’ privacy, deepfakes and voice clones, worker “surveillance,” and advertising practices. The agenda for PrivacyCon 2024 will be posted here prior to the event. Members of the public wishing to attend the event may visit the FTC’s website at www.ftc.gov to access the live webcast.
FTC Seeks Comment on Its Proposed Revisions to the COPPA Rule. Comments are due March 11, 2024 on the agency’s COPPA Rule NPRM. The COPPA Rule “imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.” If adopted, the NPRM’s proposals would place new restrictions on covered operators’ use and disclosure of the personal information of children, and further limit the ability of covered operators to condition access to services on sharing data with third parties including for advertising purposes. Specifically, the NPRM’s proposals would, among other things, require separate parental consent for sharing children’s data in addition to obtaining consent for collection; allow text messages as a means to obtain parental consent; expand the definition of “personal information” to include biometric information; require covered operators to develop written information security programs as well as retention policies, and follow data minimization practices; and codify schools’ ability to authorize collection of children’s data for limited educational purposes.
CFPB Seeks Comment on Proposed Rule to Prohibit NSF Fees for Instantaneously Declined Transactions. Comments are due March 25, 2024 on the CFPB’s Proposed Rule to prohibit “covered financial institutions,” as the term is defined in Regulation E, from charging nonsufficient funds (NSF) fees on transactions that are declined instantaneously or near-instantaneously for insufficient funds. According to the Proposed Rule, a declination occurs instantaneously or near-instantaneously “when the transaction is processed in real time and there is no significant perceptible delay to the consumer when attempting the transaction.” The proposed prohibition would cover transactions involving debit cards, ATMs, and person-to-person (P2P) payment applications. If adopted, the Proposed Rule would make charging such NSF fees an abusive practice under the Consumer Financial Protection Act.
FTC Extends Deadline to Consider COPPA Parental Consent Mechanism That Uses Machine Learning Technology. The FTC announced that it extended by 60 days the January 29, 2024 deadline to consider whether to approve a June 2, 2023 Application to use “Privacy-Protective Facial Age Estimation” technology to obtain parental consent under the Children’s Online Privacy Protection Act (COPPA) Rule. Public comments on the Application were due August 21. The COPPA Rule permits parties to file written requests for FTC “approval of parental consent methods” not listed in the COPPA Rule. The new deadline for the FTC to consider the Application is now March 29, 2024.
CFPB Proposes Rule to Target Certain Overdraft Fees Charged by Large Financial Institutions. Comments are due April 1, 2024 on the CFPB’s Proposed Rule to amend Regulation E, implemented under the Electronic Fund Transfer Act, and Regulation Z, implemented under the Truth in Lending Act, to update regulatory exceptions for overdraft credit provided by financial institutions with assets of $10 billion or more. Among other things, the Proposed Rule would, if adopted, preserve courtesy overdraft loan services provided by these financial institutions, but would limit the fees charged on such loans to only the financial institutions costs and losses. Specifically, the Proposed Rule would permit financial institutions to calculate their own costs using either a “breakeven standard” or rely on a “benchmark fee” set by the CFPB. Under the “breakeven standard,” the Proposed Rule would allow financial institutions to charge fees to recover both losses the financial institutions incur when they write off overdrawn account balances not returned to positive, and any direct costs that are traceable to the provision of overdraft services. Under the “benchmark fee” approach, financial institutions would be permitted to charge a fixed fee set by the CFPB.
More Analysis from Wiley
Wiley Promotes Megan Brown and Duane Pozza to Co-Chairs of Privacy, Cyber & Data Governance Practice
Podcast: AI in 2024: What Comes Next?
CES 2024: FTC Commissioner Slaughter Discusses New Rules, Competition, and AI
State Privacy Update: New Jersey Becomes 13th State to Pass a Consumer Privacy Bill
Heading into 2024, Federal AI Activity Ramps Up After AI Executive Order
AI Around the Globe: What to Know in 2024
Cybersecurity in 2024: Ten Top Issues to Consider
New AI Executive Order Outlines Sweeping Approach to AI
California Previews Draft Regulations for Automated Decision-Making Technology, Promising More to Come in 2024
Annual Updates to Privacy Policies Reminder and Looking Ahead to 2024
Congress Ramps Up Its Focus on Artificial Intelligence
FCC and FTC Launch Inquiries on AI and Voice Cloning
FCC Expands Privacy and Data Protection Work with States to Increase Investigations
State Regulation of AI Use Should Give Political Campaigns Pause
OMB Proposes Far-Reaching AI Risk Management Guidance Following AI Executive Order
New Executive Order Signals Companies Should Reassess AI Security
AI Use is Promising Yet Risky for Government Subpoenas and CIDs
DOJ Must Help in Fighting Illegal Robocalls, Lawyers Say
CFPB Poised to Significantly Expand the Reach of the Fair Credit Reporting Act
FTC and HHS Caution Hospitals and Telehealth Providers on Tracking Tech
Podcast: The “Wild West” of AI Use in Campaigns
Cracks in the State Privacy Law Foundation: State Privacy Law Challenges See Success in District and State Courts
SEC Cyber Reporting Mandates: How to Request a National Security or Public Safety Delay
Coming Soon: New Cyber Labeling Program for IoT Devices
Podcast: What could AI regulation in the U.S. look like?
FTC Issues Policy Statement on Biometric Information, Signaling a New Enforcement Priority
Podcast: AI Risk Management: A Discussion with NIST’s Elham Tabassi on the NIST AI Risk Management Framework
Generative AI Policies: Five Key Considerations for Companies to Weigh Before Using Generative AI Tools
U.S. State Privacy Law Guide
[View source.]