Welcome to Wiley's update on recent developments and what's next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and ground-breaking technologies. Please reach out if there are other topics you'd like to see us cover or for any additional information.

Regulatory Announcements

FTC Launches Long-Anticipated Trade Regulation Rulemaking on 'Commercial Surveillance' and Data Security. On August 11, the FTC issued an Advance Notice of Proposed Rulemaking (ANPR), titled "Trade Regulation Rule on Commercial Surveillance and Data Security" (which we summarized in greater detail here). The wide-ranging ANPR seeks feedback on dozens of questions regarding consumer privacy, data security, and algorithmic uses, and discusses a number of potential regulatory approaches to what the agency calls "commercial surveillance." The agency defines "commercial surveillance" as the "collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information," and "data security" as "breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices." The FTC issued the ANPR under its Section 5 FTC Act authority, which requires any eventual rule to be grounded in "unfair or deceptive acts or practices" as specified in the Act. Comments on the ANPR are due October 21.

FTC Publishes Strategic Plan and Performance Report and Performance Plan. On August 26, the FTC published its FY 2022-2026 Strategic Plan and its FY 2021-2023 Performance Report and Performance Plan pursuant to the GPRA Modernization Act of 2010. The FY 2022-2026 Strategic Plan sets the agency's priorities for the next five years, the FY 2021 Performance Report documents the FTC's performance during 2021 based on the Strategic Plan for FY 2018-2022, and the FY 2022-2023 Annual Performance Plan establishes both strategies and targets based on the new FY 2022-2026 Strategic Plan. The FY 2022-2026 Strategic Plan sets three goals: (1) to protect the public from unfair or deceptive acts or practices in the marketplace; (2) to protect the public from unfair methods of competition in the marketplace and promote fair competition; and (3) to advance the agency's effectiveness and performance. The FTC voted 3-1-1 to publish the documents, with Chair Khan issuing a statement joined by Commissioners Slaughter and Bedoya. Commissioner Wilson dissented, and Commissioner Phillips did not participate.

CFPB Releases Circular on Data Security Expectations for Financial Institutions. On August 11, the CFPB published a Circular stating that the failure of financial institutions, including non-bank financial companies, to implement sufficient data security measures to safeguard consumer financial data may constitute a violation of the Consumer Financial Protection Act of 2010 (CFPA). The CFPA prohibits financial institutions from engaging in unfair, deceptive, and abusive acts or practices. The Circular specifically focuses on a number of security measures, including (1) multi-factor authentication (MFA); (2) password management; and (3) timely software updates. For more on the CFPB's recent data security Circular, read our summary of the item here.

CFPB Issues Interpretive Rule Regarding the Applicability of Consumer Financial Protection Law to Digital Marketing Providers. On August 10, the CFPB issued an Interpretive Rule – Limited Applicability of Consumer Financial Protection Act's "Time or Space" Exception with Respect to Digital Marketing Providers – clarifying when the exception applies to digital marketers. Section 1002 of the CFPA defines the term "service provider," and if a digital marketing provider is deemed a "service provider," the provider is subject to the CFPB's supervisory and enforcement authority under the CFPA. However, Section 1002 sets forth two exceptions to the "service provider" definition under the CFPA. One of those exceptions applies to companies that offer or provide covered entities under the CFPA time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media. The Interpretive Rule, however, states that where a digital marketing company is providing "time or space" for a covered person under the CFPA and is also providing targeted advertising services – including algorithmic models or other analytics – the digital marketer will generally not be able to avail itself of the "time or space" exception and will be subject to the CFPA as a service provider.

Significant Enforcement Actions

FTC and Department of Justice Bring and Settle Suit Against COVID-19 PPE Marketer for Allegedly False 'Made in USA' Claims. On August 9, the FTC announced that the U.S. Department of Justice, upon the FTC's referral, filed suit against and reached a settlement with Adam J. Harmon and his two companies – Axis LED Group, LLC and ALG-Health LLC – under the COVID-19 Consumer Protection Act, the Made in USA Labeling Rule, and the FTC Act. The complaint alleges that the defendants falsely claimed that personal protective equipment (PPE) that they sold at the onset of the COVID-19 pandemic: (1) was made in the United States, even though their products were imported or contained major imported components; and (2) provided superior protection from COVID-19. According to the complaint, the defendants' claims – including that the products were certified by the National Institute for Occupational Safety – violated the COVID-19 Consumer Protection Act. The complaint further alleges that the defendants similarly marketed light fixtures as being made in the United States when that was not the case. Under the proposed order, Harmon and his companies would be prohibited from making deceptive U.S.-origin labeling and advertising claims, and would be required to substantiate all Made in USA and COVID-19-related claims and pay a $157,683.37 civil penalty. The defendants are also subject to a $2.8 million redress judgment, which has been suspended due to the defendants' inability to pay.

FTC Settles with Healthcare Company for Allegedly Making False Claims and Charging Excess Fees. On August 8, the FTC announced that it reached a settlement with Benefytt Technologies (Benefytt) and two of its subsidiaries under the FTC Act, the Telemarketing Sales Rule (TSR), and the Restore Online Shoppers Confidence Act (ROSCA). Benefytt is a Florida-based company that sells association memberships and other healthcare-related products, often using telemarketers and lead generators. According to the FTC's complaint – filed against two of Benefytt's former officers, in addition to Benefytt and its two subsidiaries – Benefytt and its partners operated a series of deceptive websites aimed at consumers who were looking for comprehensive health insurance plans that qualified under the Affordable Care Act (ACA). However, the complaint alleges that Benefytt's plans did not qualify under the ACA. The complaint also alleges that consumers were often charged hundreds of dollars per month for these products and services, and that Benefytt bundled unwanted products like life or accident insurance with its health plans and made it difficult for consumers to cancel. Under the proposed order, Benefytt and its two subsidiaries are required to pay a $100 million fine to the FTC and implement certain injunctive relief.

CFPB Fines Fintech Company $2.7 million for Allegedly Misleading Consumers About Its Savings Tool. On August 10, the CFPB announced that it issued a consent order against Hello Digit, LLC (Hello Digit), a fintech company whose core service is an automated savings tool. According to the CFPB, Hello Digit uses an algorithm to automatically transfer funds from a consumer's checking account, called "auto-saves," to an account in Hello Digit's name. The consent order alleges that Hello Digit represented that its service "never transfers more than you can afford," made a "no overdraft guarantee," and represented that, if there were to be an overdraft, Hello Digit would reimburse consumers, but that it "routinely caused overdrafts" and the company sometimes failed to reimburse these consumers. The CFPB further alleges that Hello Digit misled consumers by claiming that it would not keep any interest earned on consumer funds, when the company did keep a considerable amount of interest earned. Under the order, Hello Digit is enjoined from making misrepresentations about its savings tool and required to pay $68,145 in redress to consumers and a $2.7 million penalty to the CFPB.

Upcoming Comment Deadlines and Events

CFPB Solicits Comment on Employee Debt Obligations. Comments are due September 7 on the CFPB's RFI seeking input regarding debt obligations incurred by consumers in the context of an employee or independent contractor arrangement. The RFI seeks information in a number of areas, including the prevalence of such debt obligations, "the pricing and other terms of the obligations," disclosures, dispute resolution, and debt collection and servicing. The RFI suggests that such debt obligations may take two forms: (1) training repayment agreements, which require workers to pay employers or third-party providers for previously undertaken training if they terminate their employment within a certain time period; and (2) debt owed to an employer or third party for the purchase of equipment and supplies essential to their work or required by their employer. CFPB Director Chopra signaled that the applicability of the CFPA to training repayment agreements was a regulatory priority for the agency at the FTC's Enforcers Summit in April. The agency also highlighted these kinds of agreements in a March blog post.

FTC Seeks Comment on Proposed Motor Vehicle Dealers Trade Regulation Rule. Comments are due September 12 on a NPRM seeking comment on a proposed trade regulation rule that would: (1) prohibit automotive dealers from making certain representations while selling, leasing, or arranging for the financing of motor vehicles; (2) require pricing disclosures in automotive dealers' advertising and sale discussions; (3) obligate automotive dealers to obtain consumer express informed consent for charges; (4) prohibit the sale of add-on products or services that confer no benefit to the consumer; and (5) require automotive dealers to retain records of advertisements and customer transactions. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 authorizes the FTC to promulgate certain rules related to automotive dealers.

FTC Seeks Comment on Revised Endorsement Guides. Comments are due September 26 on the FTC's Request for Public Comment on Amendments to the Guides Concerning the Use of Endorsements and Testimonials in Advertising (Request for Comment) that proposes a number of revisions to the FTC's Endorsement Guides. Among other matters, the Request for Comment seeks input on treating the deletion of negative reviews or the decision not to publish negative reviews as a deceptive act or practice under Section 5 of the FTC Act; addresses endorsements made on social media posts; and solicits feedback on adding a section to the Endorsement Guides focused on advertising towards children. A summary of the Request for Comment is available here.

FTC Holding Virtual Event on 'Stealth Advertising' Toward Children. On October 19, the FTC will host a virtual event "to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media." The event will examine evolving practices, such as the "kid influencer" marketplace, and the techniques being used to advertise to children over the internet. In conjunction with the virtual event, the FTC is seeking public comment on how children are impacted by certain digital marketing and advertising messages. Comments are due November 18.

FTC Seeking Research Presentations for PrivacyCon 2022. Research presentations were due July 29 for PrivacyCon 2022, which will take place virtually on November 1. As part of the event, the FTC is seeking empirical research and presentations on topics including: algorithmic bias; "commercial surveillance" including workplace monitoring and "biometric surveillance"; new remedies and approaches to improve privacy and security practices; and the privacy risks posed by emerging technologies for children and teens.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.