CFPB and FTC take on a host of data practices | Cadwalader, Wickersham & Taft LLP


At the height of summer, the nation’s top consumer protection agencies issued startling and transformative statements and rules regarding data practices.

  • First, the Consumer Financial Protection Bureau published a so-called “interpretative rule” (meaning that no one was informed in advance of the rule or given the opportunity to challenge the provisions of the rule) which concluded that digital marketing companies, especially those with major search engines on which businesses may purchase advertising, are “Covered Persons” for purposes of the Consumer Financial Protection Act (“CFPA”). This rule means that these companies can be, and are likely to be, held liable for violations of consumer financial services laws for advertisements that do not contain proper information or for marketing tactics deemed unfair, misleading or abusive by the CFPB. Director Chopra noted in an accompanying speech that “the growing interest of Big Tech companies in finding new ways to harvest and monetize our personal financial data” was behind the rule, referring in particular to a HUD lawsuit filed against Facebook alleging violations of the Fair Housing Act because Facebook’s systems help advertisers limit the audience for ads and target specific groups of people, excluding protected classes.
  • Then the CFPB published a circular which reminded the consumer financial services industry of its obligations to protect data and ensure the security of sensitive consumer information. The circular is written in a question-and-answer format and includes the CFPB’s conclusion that failure to reasonably protect consumer information can and should constitute an unfair, deceptive, or abusive act or practice under the CFPA. Broadly referring to Federal Trade Commission (“FTC”) precedent, the CFPB has identified at least the following as building blocks for data protection (none of which are new): multi-factor authentication for customers accessing their data; proper management of passwords internally (that is to say, requiring employees to change passwords regularly and use strong passwords); and timely software updates of all programs that access or process customer data.
  • Finally, on August 11, the FTC issued a Notice of Proposed Rulemaking (“ANPR”) regarding whether “new trade regulation rules or other regulatory alternatives regarding how companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize such data in an unfair or misleading manner” are required. The initial industry comment period to address 95 separate areas of investigation is sixty (60) days, and the FTC will hold a public forum on September 8 to discuss the ANPR.
