The Senate today confirmed Kathleen Kraninger as CFPB Director by a party-line, 50-49 vote, with Sen. Tillis abstaining. Kraninger will replace current Acting Director Mick Mulvaney, who also currently oversees Kraninger at the Office of Management and Budget (OMB), where she is associate director of general government and Mulvaney is Director. Kraninger is expected to continue deregulatory initiatives launched during Mulvaney’s tenure as Acting Director at the CFPB.

Kraninger is set to serve a five-year term pursuant to the Dodd-Frank Act.  However, current litigation challenging the constitutionality of the CFPB’s structure raises questions as to whether Kraninger will ultimately serve the full five-year term, particularly if a Democratic president is elected in 2020.  As we previously discussed here, the D.C. Circuit initially ruled that the CFPB was unconstitutionally structured because its single director can only be removed for “inefficiency, neglect of duty, or malfeasance in office,” but subsequently reversed the holding in an en banc decision.  The constitutionality of the CFPB’s structure is also being challenged in the Second and Fifth Circuits – increasing the likelihood that the Supreme Court will take up the issue at some point soon.

 

Yesterday, Christine Wilson was sworn in as FTC Commissioner. Commissioner Wilson – the fifth and final Trump appointee – joins the FTC from Delta Airlines and assumes former Commissioner Maureen Ohlhausen’s seat. Commissioner Ohlhausen announced her departure on Tuesday – the day her term ended, concluding over six years of service as Commissioner, including a year-and-a-half as the agency’s Acting Chair before current Chair Joseph Simons assumed the role.

As we previously reported here, Commissioner Wilson overlapped with Chair Simons during his time as Director of the Bureau of Competition, while she served as Chief of Staff to then-Chair Timothy Muris. The FTC currently is in the middle of public hearings on consumer protection, privacy, and competition policy and enforcement, and we expect these hearings and the public comments received to help shape the Commission’s priorities going forward.

In June of this year, California passed the California Consumer Privacy Act (CCPA), giving California residents specific rights related to their online privacy, similar to those prescribed by GDPR. The law was passed hastily to avoid a stricter ballot measure on the subject, but Governor Brown recently signed a bill amending the law.

Many of the amendments clarify some of the CCPA’s “technical” errors, such as solidifying that the Act should not be enforced to contradict the California Constitution. The most significant change, however, deals with the enforcement of the Act. Although Section 1798.198 makes the Act operative on January 1, 2020, the newly-added Section 1798.185(7)(c) prevents the Attorney General from bringing an enforcement action under the Act until July 1, 2020, or six months after the final regulations made pursuant to the Act are published, whichever is sooner. Thus, although the effective date is January of 2020, the California Attorney General may not be able to bring enforcement actions until up to six months after the enactment date, depending on when the office promulgates regulations. The amendments also extend the date by which the Attorney General must promulgate regulations from January 1, 2020 to July 1, 2020.

Another point worth noting is that the amendments remove the requirement for a private plaintiff to inform the Attorney General of a claim he or she has brought to enforce his or her private cause of action under the Act. This eliminates the ability of the Attorney General to bring its own action in lieu of a private one.

Additional changes include specifying additional laws to which the Act does not apply, including: (1) the Confidentiality of Medical Information Act or regulations promulgated in response to HIPAA, or the Health Information Technology for Economic and Clinical Health Act; (2) the Federal Policy for Protection of Human Subjects; and (3) the California Financial Information Privacy Act. The amendments also limit the civil penalty to $2,500 per violation, or $7,500 for each intentional violation.

Although this bill has clarified some issues with the original law, this will likely not be the last set of amendments to the CCPA before it goes into effect. We will keep you posted.

 

Yesterday, the California legislature passed SB-327, a bill intended to regulate the security of internet-connected devices. Unlike the California Consumer Privacy Act (CCPA), SB-327 is significantly narrower. As enacted, the bill is a “lighter” version of what was first introduced and amended in 2017 (which, at that time, would have included certain disclosure and consent requirements for connected devices).

At its core, SB-327 requires connected devices to be equipped with “reasonable security features” that are:

  1. appropriate to the nature and function of the device;
  2. appropriate to the information it may collect, contain, or transmit; and
  3. designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

Subject to the above, if a connected device is equipped with a means for authentication outside a local area network, this is considered a “reasonable security feature” if either: (a) the preprogrammed password is unique to each device manufactured; or (b) the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. These requirements, of course, are in addition to any duties or obligations imposed under other laws (i.e., CCPA).

The term “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Pretty much every device connected to the Internet is assigned either an IP address or Bluetooth address when it is connected. This can include, for example, anything from computers, tablets, and mobile devices, to smart watches, smart home hubs, or app-controlled toys.

The bill does not provide a private right of action. Only the Attorney General, a city attorney, a county counsel, or a district attorney can enforce the law, and the bill does not address (either directly or by implication) any specific penalties or remedies that may be sought by these entities. However, it’s possible that we will see the requirement to implement reasonable security measures asserted as a basis for a legal duty in conjunction with other claims (either by the AG or consumers).

The bill was ordered to engrossing and enrolling. If signed by Governor Brown, the law would become effective on January 1, 2020 (same day as the CCPA).

The FTC announced yesterday that it will accept comments and hold a series of public hearings on consumer protection, privacy, and competition policy and enforcement.  The hearings will take place during fall and winter of this year and will evaluate whether recent changes in the economy, technology, or international landscape require adjustments to how the Commission approaches consumer protection, privacy, and competition issues.

The hearings are modeled on hearings held in 1995 under then-Chair Robert Pitofsky. Those hearings took place amidst the early growth of the internet and e-commerce, featuring panels such as “The Newest Medium for Marketing: Cyberspace,” “Privacy in Cyberspace,” and “The Changing Role of the Telephone in Marketing.” The 1995 hearings featured panelists from large companies including Walt Disney, General Electric, and Coca-Cola, along with consumer group representatives, regulators, academics, and attorneys from private law firms. The hearings culminated in a two-volume report on the state of consumer protection and competition policy.

In announcing the 2018 hearings, FTC Chair Joe Simons noted that “the FTC has always been committed to self-examination and critical thinking, to ensure that our enforcement and policy efforts keep pace with changes in the economy.”  Simons served as Director of the Bureau of Competition immediately after Pitofsky’s tenure as Chair under then-Chair Tim Muris – and alluded to Pitofsky, Muris and former Chair Kovacic in his statement announcing the hearings.  Simons’ statement also expressed his view that “[t]his project reflects the spirit, style, and, most importantly, broad scope of that effort,” and characterized the efforts as an “all-agency” project that will entail significant efforts from the Bureaus of Consumer Protection, Competition, and Economics, the Office of the General Counsel, the Office of International Affairs, as well as the Office of Policy Planning.

If you follow our blog, you know that we often write about issues involving the FTC and the CPSC, but we usually do not write about both in the same post. Now those worlds have collided. The staff of the FTC’s Bureau of Consumer Protection (“BCP”), a prominent voice in the Internet of Things dialogue, recently filed comments in response to a CPSC request for information about the potential safety hazards linked to internet-connected products. The request follows a May 16 hearing that included speakers representing a variety of industries and organizations, such as Retail Industry Leaders Association, Underwriters Laboratories Inc., Consumer Reports, and the Electronic Privacy Information Center. The BCP staff’s comments specifically address the following topics:

  • Best practices for mitigating safety hazards. The BCP staff’s comments placed security and safety hand in hand with the following recommendations for companies offering connected devices: (1) risk assessments to evaluate their security programs and pinpoint possible threats before launching a product; and (2) oversight of service providers, including the incorporation of security standards into contracts and ensuring that the providers are complying with applicable security standards.
  • Registration for safety alerts and information related to recalls. The BCP staff recommended implementing a process similar to the CPSC’s current protocol for alerts related to infant and toddler products, wherein manufacturers and retailers are required to provide a safety registration card with the product. Instead of requiring the consumer to mail in a registration, however, a URL could be included for online registration.
  • The role of government in regulating IoT security. The BCP staff did not take a position on whether the CPSC should implement regulations specific to IoT device hazards, but suggested that, if the CPSC considers such regulation, it should take a technology-neutral approach so that any such regulation does not quickly become obsolete.

The CPSC continues to evaluate these issues while coordinating with other federal entities like the FTC and NIST, tracking state legislative developments, and exploring the role of voluntary standards. Any company that makes, imports, distributes, or sells a connected product should continue to watch for developments.

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumers’ records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country.

Andrew Smith was recently named Director of the FTC’s Bureau of Consumer Protection. Given his strong background in financial matters, businesses can expect Smith to focus on issues affecting consumer financial services.

Smith is not a stranger to federal positions. Although most recently a Partner in the Regulatory and Public Policy Group at Covington & Burling LLP and Co-Chair of the firm’s Financial Services Group, Smith previously held roles as Senior Counsel and Acting Assistant General Counsel at the SEC from 1997 to 2000 and as the Assistant to the Director of the Bureau of Consumer Protection from 2001 to 2005. During Smith’s time at the FTC, he focused largely on consumer financial protection policy—mainly through enforcement and rulemaking. For example, while serving as the program manager for the Fair and Accurate Credit Transactions Act of 2003, Smith helped to draft ten rules and six studies.

Smith’s interest in financial services has followed him throughout his career. His practice at Covington focused specifically on financial privacy—including regulatory compliance, consumer financial services laws, and enforcement actions and investigations. He also serves as the Chair of the ABA’s Consumer Financial Services Committee.

Notably, in January of this year, Smith testified before the House of Representatives Subcommittee on Financial Institutions and Consumer Credit about fintech policy. His statements suggest that he is in favor of an increased role of fintech in the banking industry, although he proposes passing legislation that clarifies the role of banks as lenders, regardless of the vendor or service provider. Further indications of Smith’s interest in the fintech space come from an editorial he authored in The Hill in February of this year. He advocates collaboration between fintech and banks to offer the middle class more financial options, e.g., point-of-sale lending. In Smith’s words, “the future of banking is the internet, and brick-and-mortar is the past.” His piece supports the Modernizing Borrower Credit Opportunities Act of 2017, a bipartisan bill to regulate the fintech industry introduced in November of 2017.

Another indication of Smith’s likely priorities as Bureau Director may be the people he worked with during his prior stint at the FTC. For example, he worked closely with Howard Beales who served as the Director of the Bureau of Consumer Protection from 2001 to 2004. Regarding advertising specifically, Beales advocates for a flexible “reasonable basis” standard for substantiation requirements, as opposed to more stringent evidentiary standards. This position favors the view that consumers benefit from having access to information. Having served with Beales, Smith may take a similar approach to substantiation requirements as Director.

Despite Smith’s previous experience, however, his appointment has not been without controversy. While at Covington, Smith represented Facebook, Uber, and Equifax in both investigations and FTC settlements regarding data breaches. Although Smith plans to recuse himself from these high profile cases in his new role, opponents have noted that Smith’s representation of these companies may put him at odds with the FTC’s consumer protection mission. Senator Richard Blumenthal stated that he could “imagine worse choices [for Bureau Director], but not many,” noting that Smith was “on the wrong side of [the] issues” in his testimony on behalf of Equifax last fall. During that testimony, Smith indicated that credit bureaus should not have a fiduciary duty to consumers from whom they collect data, and that current industry regulations were satisfactory to protect consumers. Senator Elizabeth Warren called Smith’s appointment “corruption, plain and simple,” referring to him as “Equifax’s hired gun.” Further, David Vladeck, who was Bureau Director from 2009 to 2012, noted that Smith’s recusing himself from some of the agency’s most important cases is an unusual position for someone in his role and wondered “how far-reaching the recusals will be.”

The FTC’s newly-appointed Democratic Commissioners had similar concerns, turning a usually perfunctory vote into a point of contention. Rebecca Slaughter noted that appointing a Director “who is barred from leading on data privacy and security matters that affect so many consumers, command so much public attention, and implicate such key areas of the law potentially undermines the public’s confidence in the commission’s ability to fulfill its mission.” Rohit Chopra, a fellow Democrat, agreed, noting that Smith’s conflicts “[raise] many questions,” and would put Smith “on the sidelines” in some of the agency’s most important cases. He also noted that FTC Chairman Joe Simons made the pick without a Commission meeting. Simons, however, called the appointment a “source of unnecessary controversy,” indicating that “it is impossible to attract high caliber professionals to the FTC without encountering some conflicts,” and noting that the agency can readily handle recusals.

Although we may have some insight into Smith’s new role as Director, his position on consumer protection issues outside of the financial industry, and the effects of his recusals, remain to be seen. We can expect, however, that helping to regulate fintech, and other financial security issues, will likely be high on his list of things to do.

The Senate yesterday confirmed all five nominees to the Federal Trade Commission by voice vote, which means the five-person body will soon be restored to full capacity after over a year with only two Commissioners.  Current Chair Ohlhausen released a statement congratulating incoming Chair Joseph Simons and soon-to-be new Commissioners Noah Phillips, Becca Slaughter, Rohit Chopra, and Christine Wilson.

Ohlhausen’s statement suggests that she intends to remain at the Commission until confirmed by the Senate to her nomination as a Judge on the U.S. Court of Federal Claims – with Wilson set to fill Ohlhausen’s seat once she departs.  Current Commissioner McSweeny recently announced that she intended to depart the Commission tomorrow, April 27, and that she hoped the Senate would move expeditiously in the confirmation process.

As we previously discussed here and here, the new Chair and Commissioners will bring a breadth of knowledge and experience to the FTC.  While working in private practice for the majority of his career, incoming Chair Simons also has significant experience at the Commission, having served as Director of the Bureau of Competition from June 2001 to August 2003 and in other roles at the FTC in the late 1980s.  Wilson, currently a Senior Vice President at Delta Airlines, overlapped with Simons during his most recent stint at the Commission while Wilson served as Chief of Staff to then-Chair Timothy Muris.

The other three Commissioners have not previously served at the FTC, but have notable expertise and experience in other areas.  Chopra, the only non-lawyer of the bunch, comes most recently from the Consumer Federation of America and previously served as Assistant Director at the Consumer Financial Protection Bureau.  Phillips and Slaughter will be departing legal positions on the Hill – Phillips serving as Chief Counsel to Senator Cornyn and Slaughter as Chief Counsel to Senator Schumer.  As the fifth and final nominee, Slaughter was unanimously reported out of the Commerce Committee earlier this week.

The new slate of Commissioners is expected to shake things up at the FTC.  While generally avoiding firm policy positions or legal interpretations during the confirmation process, the appointees affirmed their commitment to vigorously enforcing consumer protection and antitrust laws and expressed distinct interests in specialized topics such as big data and interconnected devices.  Now that the confirmation process has run its course, the coming days are likely to shed more light on the key priorities for the new Chair and Commissioners.

The FTC today filed a complaint against Lending Club alleging that it deceived consumers by advertising loans with “no hidden fees” and subsequently concealing substantial loan origination fees.  The complaint points to consumer complaints and internal compliance documents as evidence that Lending Club knew that consumers were being misled and continued to misrepresent the loans anyway.

The complaint charges four distinct violations:

  • Deception regarding up-front fees.  While advertising loans with “no hidden fees,” the Commission alleged that Lending Club actually charged substantial loan origination fees (on average, about 5% of the loan amount) and failed to clearly and conspicuously disclose those fees – both in advertising and throughout the application and approval process.  The complaint provides screenshots of the consumer experience from advertisement to sign-up to approval.  In both the desktop and mobile environment, the FTC charged that consumers were deceived because they would need to do either of the following to learn about the fee: (1) hover over a hyperlink explaining advertised APR to learn that the represented rate includes the loan origination fee; or (2) scroll to the bottom of the loan approval page and notice the fee disclosure embedded in the middle of a text-heavy page.  The FTC cited frequent consumer complaints and internal compliance documents referencing potential deception to argue that Lending Club knew it was deceiving consumers and decided to continue its practices anyway.
  • Deception regarding loan approval.  The complaint also alleges that Lending Club made deceptive representations that loans were “on the way” or were “100% backed,” notwithstanding that it knew that a more significant approval step had yet to be completed and many consumers would not ultimately obtain the allegedly approved loans.  According to the complaint, Lending Club uses a two-step “front-end” and “back-end” approval process and misleadingly suggested that consumers were approved after just the first step, despite knowing many consumers would be rejected after the “back-end” step.
  • Unfair billing practices.  The complaint also alleges that Lending Club engaged in unfair acts by withdrawing money from consumers’ bank accounts without authorization, or in amounts in excess of consumers’ authorizations.  Many of these unauthorized charges occurred after consumers had already paid off their loans with Lending Club, according to the complaint.
  • Gramm-Leach-Bliley Act (GLBA) violations.  Lastly, the complaint alleges that Lending Club violated GLBA by failing to deliver initial privacy notices to consumers as required under GLBA and FTC and CFPB implementing regulations.  The complaint explains that Lending Club was subject to GLBA because it is a financial institution under the Act in that it services loans, notwithstanding that the loans are actually made by a third-party bank.  The GLBA allegations are a good reminder that the definition of “financial institution” under GLBA is a tricky one that is distinct from similar definitions under other statutes.

The complaint was filed without a consent judgment in federal court in the Northern District of California, and was approved by both remaining Commissioners, Chair Ohlhausen and Commissioner McSweeny.  McSweeny recently announced that she will leave the Commission at the end of this week on April 27.  Five new Commissioners nominated by President Trump are presently awaiting a full Senate confirmation vote.