Federal Trade Commission (FTC)

The FTC issued a press release last week seeking comment on proposed changes to two rules under the Gramm-Leach-Bliley Act of 1999 (the “GLBA Act”) to increase data security for financial institutions and better protect consumers. 

The Commission has sought comment on the Safeguards Rule and the Privacy Rule under the GLBA Act. The Safeguards Rule, which went into effect in 2003, requires financial institutions to develop and maintain a comprehensive data security program. The FTC’s proposed amendment to this Rule will require U.S. financial institutions to encrypt all customer data. It will also require financial institutions to use multifactor authentication to access customer data and implement controls to prevent unauthorized access to customer information. To encourage compliance, the amendment will require companies to submit periodic reports to their board of directors regarding the fulfillment of these directives. 

Under the Privacy Rule, which went into effect in 2000, financial institutions are required to inform customers about their information-sharing practices and allow customers the right to opt out of the sharing of their information with third parties. The passage of the Dodd-Frank Act in 2010 transferred the majority of the FTC’s rulemaking authority for the Privacy Rule to the Consumer Financial Protection Bureau, leaving the FTC authority over certain motor vehicle dealers. The FTC’s proposed amendment to the Privacy Rule includes clarification about the application of the Rule’s privacy notice requirements to motor vehicle dealers. 

The FTC has also sought to increase the scope of the definition of “financial institution” in both Rules to include so called “finders” – entities that charge a fee to connect consumers who are looking for loans to lenders. The director of the FTC’s Bureau of Consumer Protection, Andrew Smith, commented that these proposals “are informed by the FTC’s almost 20 years of enforcement experience” and reflect the Commission’s desire to exercise rulemaking authority “to keep up with marketplace trends and respond to technological advancements.” 

The FTC will soon publish notices seeking comment on these proposed changes in the Federal Register, with comments to be received for 60 days after publication. 

Troutman Sanders will continue to monitor the FTC’s proposed amendments to the Gramm-Leach-Bliley Act and other issues related to data security for financial institutions.

Requiring an employee or consumer to submit any dispute to binding arbitration as a condition of employment or purchase of a product or service is commonly referred to as “forced arbitration.”  Many times, the employee or consumer is required to waive their right to sue or to participate in a class action lawsuit.  Critics argue that these arbitration agreements disempower the middle class and some in Congress have taken notice.

Last Thursday, Congressman Jerrold Nadler (D-N.Y.) and Sen. Richard Blumenthal (D-Conn.) announced a package of bills at a press conference that could end the practice of forced arbitration.

“One of the systems that is truly rigged against consumers and workers and the American people is our current system of forced arbitration,” Blumenthal said while introducing the Forced Arbitration Injustice Repeal Act.  Under the bill, companies would no longer be able to enforce arbitration agreements in consumer, employment, civil rights, or antitrust disputes.  The Democrats also introduced the Ending Forced Arbitration of Sexual Harassment Act which would eliminate arbitration in disputes that involve sexual harassment.

According to Nadler, the goal of these proposals is to help workers and consumers obtain justice.  “All Americans deserve their day in court,” Nadler said.  “We make a mockery of this principle when we allow individuals to be forced to take their claims to private arbitration.”

These lawmakers aim to reverse the Supreme Court’s ruling in Epic Systems Corp. v. Lewis – that employers may require employees to settle collective disputes in individual arbitration, thereby barring them from banding together in class-action lawsuits against employers.  Justice Neil Gorsuch wrote the decision for the majority.  The ruling was a contentious 5-4 decision along party lines.

Blumenthal believes that the bills will pass because Democrats have a majority in the House of Representatives.  However, it is unclear whether these bills are dead-on-arrival in the Republican-controlled Senate.  Furthermore, it appears unlikely that President Trump will sign a bill reversing the decision written by his first nomination to the Supreme Court.  Therefore, it appears that, notwithstanding the present legislation, the enforceability of arbitration provisions is here to stay for the time being.

Troutman Sanders will continue to monitor and report on important developments involving the changing landscape of arbitration.

On February 25, the Federal Trade Commission announced that it had finalized a consent order settling its claims against online lender SoFi in connection with SoFi’s allegedly misleading advertising of its student loan refinancing products.   

The FTC issued a complaint in October 2018 alleging that SoFi, for more than two years, had overstated the average amounts that borrowers could save through its student loan refinance products in its mail, television, and online advertising.  According to the FTC, the “average” refinance savings that SoFi conspicuously advertised were calculated by using only a select group of consumers who would have the most savings, while several other groups of consumers not included in the calculations would have only minimal savings or would ultimately end up paying more over the life of the loan if they refinanced.   

At least some of SoFi’s advertising included a disclaimer explaining how the average savings were calculated, but the FTC contended that this “fine print” information was “buried” behind terms and conditions.  The disclaimer did not mitigate the more prominent advertising claims.  The FTC instead used the disclaimer’s explanation against SoFi as evidence in support of its deceptive advertising claim.  

The settlement does not include financial penalties, but prohibits SoFi from misrepresenting the amount of savings consumers could obtain through its credit products unless it has “competent and reliable” evidence to back up the claims.  The consent order, applicable for a twenty-year period, also includes regulatory oversight provisions requiring SoFi to maintain records, submit compliance reports upon request, and ensure that its marketing staff and principals are aware of the consent order’s requirements.  

Due to limits on the FTC’s authority, it was unable to impose any monetary penalties.  However, the FTC did note that any future violations of the consent order would be subject to enforcement by the Consumer Financial Protection Bureau or state attorneys general, and that such enforcement could include financial penalties.  

The consent order was unanimously approved by all five FTC commissioners.

On February 25, the Federal Trade Commission and the Consumer Financial Protection Bureau reauthorized their Memorandum of Understanding, or “MOU.”

The MOU, which governs the FTC’s and CFPB’s joint operations, focuses on five key areas of cooperation:

  • Joint law enforcement efforts – The agreement requires one agency to give notice to the other prior to commencing an investigation. Both agencies are required to give the other details about the proceedings they are initiating, including the court in which the proceeding is being brought, the alleged facts surrounding the case, and the agency’s requested relief. Importantly, the agreement also allows either agency to intervene in any action commenced by the other agency, as long as the intervening agency shares jurisdiction.
  • Joint resolution efforts One agency must also notify the other prior to proposing or entering into any consent decree or settlement with an MOU Covered Person. Each agency must also notify the other prior to issuing no-action letters, warning letters, or closing letters.
  • Joint rulemaking efforts – The agencies must consult and notify one another prior to issuing proposed rules or agency guidance under statutes such as the Omnibus Appropriations Act of 2009, the Fair Debt Collection Practices Act, the Fair Credit Reporting Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and UDAAP.
  • Supervisory Information and Examination Schedules – The CFPB must provide, and the two agencies must confer as to, the CFPB’s plans to examine MOU Covered Persons, and the CFPB must provide the FTC with Confidential Supervisory Information relating to MOU-covered persons subject to FTC jurisdiction, upon request from the FTC.
  • Consumer Complaints – Under the agreement, the agencies are to direct consumers to the agency best suited to resolve their complaints and are to make consumer complaints available to one another.

According to the FTC, the MOU is an agreement for “ongoing coordination between the two agencies under the terms of the Consumer Financial Protection Act,” aiming to avoid duplication of law enforcement and rulemaking efforts between the FTC and CFPB.  The full MOU is available here

A federal bankruptcy court for the Southern District of Florida has ruled that the owner of a computer-financing scheme cannot hide behind a bankruptcy filing to shield himself from complying with a contempt order that required him to pay $13.4 million for violating an FTC order.

Joseph K. Rensin founded BlueHippo Funding, LLC and its subsidiary BlueHippo Capital, LLC (collectively “BlueHippo”) in the early 2000s and was the CEO and sole owner.  BlueHippo marketed computers by targeting customers with poor credit histories.  By 2008, BlueHippo agreed to settle FTC charges for failing to deliver computers to expectant customers and failing to disclose the details of its store credit policy.

In 2016, a federal court found Rensin and BlueHippo in contempt for operating the deceptive computer financing scheme in violation of a federal court order.  The court entered a $13.4 million judgment against Rensin and BlueHippo for the harm consumers suffered related to the scheme.

When Rensin refused to pay the $13.4 million contempt judgment, the FTC sought to have him jailed until he paid the amount owed.  Determined to evade the judgment, Rensin filed for bankruptcy.

The bankruptcy court for the Southern District of Florida, West Palm Beach Division, held that the 2016 contempt judgment could not be discharged because Rensin “was at the helm of and guided BlueHippo in its every action in connection with this fraud.”

“In this case, the fraudster tried to avoid justice by declaring bankruptcy,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, in an FTC press release.  “When the FTC gets a judgment against a proven wrongdoer, we will not stop until our work is complete, no matter how many legalistic tricks and loopholes the scammer tries to employ.”

The Supreme Court agreed to hear a consumer’s appeal from the Third Circuit’s ruling that his claims under the Fair Debt Collection Practices Act were time-barred despite being brought within one year of discovering the violation.  The circuits have been split on whether the one-year statute of limitations under the FDCPA begins to run when an alleged violation takes place or when it is discovered.  The split has caused a lot of uncertainty about potential liability under the FDCPA and, on February 26, the Supreme Court granted certiorari in a case squarely presenting the issue.

We previously reported on Kevin Rotkiske v. Paul Klemm, et al., No. 16-1668 (3d Cir. May 15, 2018).  There, Kevin Rotkiske sued Paul Klemm, claiming that a judgment obtained by Klemm against Rotkiske in 2009 violated the FDCPA.  However, Rotkiske did not file his FDCPA claims until 2015 – five years outside of the FDCPA’s one-year statute of limitations.  In response to Klemm’s motion to dismiss, Rotkiske asserted that his FDCPA claims were timely because he did not find out about the judgment until 2014.  The trial court dismissed Rotkiske’s claims and he appealed.

The Third Circuit affirmed the dismissal and held that the plain language of the statute controls.  In particular, the FDCPA requires that actions for violations of the statute must be brought “within one year from the date on which the violation occurs.”  15 U.S.C. § 1692k(d).  Although the language leaves no room for argument, the plaintiff’s bar has claimed over the years that the discovery rule should apply.  The Fourth Circuit and the Ninth Circuit have agreed.  On the other hand, the Eighth Circuit, Eleventh Circuit, and now Third Circuit have rejected this reading of the statute and have held that the one-year statute of limitations begins to run from the time of the alleged violation, not its discovery.

In his petition to the Supreme Court, Rotkiske argued that the result reached by the Third Circuit was unjust and “absurd.”  In response, Klemm emphasized that courts could prevent any unfairness by applying the doctrine of equitable tolling in FDCPA cases involving a defendant’s fraudulent or concealed conduct which would effectively stop the statute of limitations from accruing until the violation is discovered.

It is hoped that a Supreme Court decision in this case will bring long-awaited certainty to the issue of the FDCPA’s statute of limitations.

On February 13, the Federal Trade Commission issued its annual report for fiscal year 2018 and announced that enforcement actions from July 2017 through June 2018 yielded more than $2.3 billion in refunds to allegedly defrauded U.S. consumers.  To put the total sum in perspective, the $2.3 billion figure was almost eight times the FTC’s annual budget for the fiscal year ($306 million).

The figure also includes refunds from the FTC’s much-publicized settlement with Volkswagen that required the company to offer a buyback program for owners of diesel cars fitted with illegal emissions defeat devices.

Of the $2.3 billion, $122 million was mailed directly by the FTC to approximately 2.2 million consumers.  Those direct checks were generated by more than 38 separate enforcement actions.  More than two-thirds of the consumers who were mailed checks actually cashed them.  In some cases, the FTC was able to administer additional mailings using money left over from uncashed checks.  Administrative costs associated with mailing refunds accounted for five percent of the money collected in these cases.

Troutman Sanders will continue to monitor and report on developments involving the FTC.

The Federal Trade Commission has announced that it is retaining the CAN-SPAM Rule as is, deciding to keep the Rule unchanged as a result of a regulatory review. Hence, any business that sends marketing email must redouble efforts to comply with the CAN-SPAM Rule.

What is the CAN-SPAM Rule?

The CAN-SPAM Rule establishes requirements for unsolicited commercial e-mail messages and provides consumers with the right to opt out of receiving those e-mail messages. The Rule requires businesses to use accurate header and subject lines in e-mails, identify the message as an advertisement, include a valid physical address, and offer consumers a way to discontinue receiving messages in the future. The CAN-SPAM Rule preempts conflicting state laws, establishing uniform federal requirements.

What are the CAN-SPAM requirements?

At a high level, CAN-SPAM’s requirements fit into three buckets:

  • First, the message must accurately identify the sender both in header information and in the body of the message.
  • Second, the message must accurately identify the subject matter of the email, including that it is an advertisement.
  • Third, the message must provide recipients with the ability to opt-out of receiving future communications.

What did the FTC review?

The FTC sought public comment on the Rule in June 2017 as part of its regular review of all rules and guidance. The FTC specifically asked the public for commentary on whether the Rule is still necessary, the costs and benefits of the Rule, and whether changes needed to be made to the Rule to respond to technological and economic developments. The Commission also requested comments on whether the FTC should change the categories of messages categorized as “transaction or relationship messages,” shorten the time period for businesses to address opt-out requests, or specify additional activities or practices that the FTC might consider as aggravated violations of the Rule.

What was the decision?

Of the 92 comments the FTC received, virtually all were in favor of keeping the Rule. In its review, the FTC found that the Rule benefits consumers and does not impose a substantial economic burden on businesses. Consequently, the Commission decided to keep the Rule as-is, without any changes. All Commissioners voted in favor of publication of the Rule’s confirmation in the Federal Register.

Practical Implications

While CAN-SPAM issues do not generally trigger consumer litigation, lack of compliance can lead to complaints filed by consumers, agency action by the FTC, and be a trigger point for litigation and other consumer issues. The most important rule for CAN-SPAM is to have an active and easy to use unsubscribe link for your consumers to opt out of commercial emails.

Troutman Sanders regularly advises consumer-facing clients on an array of regulatory and compliance issues, including CAN-SPAM and other technology focused issues. We will continue to monitor these regulatory developments.

In a recent ruling, the Second Circuit Court of Appeals affirmed the district court’s $10 million disgorgement order assessed jointly and severally not only against collection agencies but also their individual owners.  The Second Circuit’s decision can be found here.

This case involved thirteen debt collection companies that operated pursuant to the same strategy: employee collectors would contact debtors or even their family and friends and identify themselves as “processors,” “officers,” or “investigators” from a “fraud unit” or “fraud division.”  The collectors would accuse debtors of a crime, such as check fraud, and threaten them with criminal prosecution if they did not pay their debts.  All the companies were owned by two individuals: Mark Briandi and William Moses.  After receiving a litany of consumer complaints, the Office of the New York State Attorney General stepped in and its investigation resulted in Briandi and Moses entering, on behalf of themselves and their companies, into an Assurance of Discontinuance, or “AOD.”  Nonetheless, shortly after the AOD, the same unlawful practices continued.

Ultimately, the Federal Trade Commission brought an action against the thirteen companies, Briandi, and Moses under the Federal Trade Commission Act (“FTCA”) and the Fair Debt Collection Practices Act (“FDCPA”).  The trial court granted the FTC’s motion for summary judgment and ordered disgorgement of $10,852,396 against the corporate defendants, as well as Briandi and Moses personally.  Both individuals appealed, but Moses’ appeal was dismissed for failure to submit a brief.  Accordingly, the Second Circuit’s decision focused on Briandi.

The record before the Court showed that Briandi was responsible for the banking side of the business, personnel matters, maintenance of phone systems and websites, and receipt of payments from consumers, and that he was also in charge of the entity that purchased consumer debts.  Briandi’s main defense was that, shortly after signing the AOD, his involvement in the businesses diminished because he decided to become a pastor.  He admitted to being physically present in his office but claimed that he spent much of his time praying and taking online Bible classes.  Briandi also acknowledged that he would step out on the collection floor and take “hostile” consumer calls, and his employees testified that he had a workspace in the call center and would sometimes spend half the day there.

The Second Circuit analyzed Briandi’s personal liability under the FTCA standard which the Court found applicable to the FDCPA claims as well.  In particular, the Court concluded that an individual may be liable under both statutes if he has knowledge of the violations and either participates directly in the practices or has authority to control them.  The Court also found that knowledge could be established by a showing that the individual was recklessly indifferent to the deceptive nature of the practices and intentionally avoided learning the truth.  The Court rejected Briandi’s argument that he did not exercise control over the corporate defendants’ operations because he was focused on his religious practices.  The dispositive issue was whether he possessed authority to control the operations, not whether he actually exercised it.  The Court also found that the amount of the award was not excessive because the evidence showed that the entire operation was permeated with fraud and the defendants did not present any rebuttal evidence to show that some of the revenues were obtained by lawful means.

While this case presents an extreme example, it stands for a more general proposition that applies even in benign cases: individuals who have an ownership interest in debt buyers and collectors are not immune from personal liability, and courts may impose steep penalties against them individually even when the unlawful conduct takes place without their actual knowledge or exercise of any actual control over the operations.

On February 13, the U.S. Chamber of Commerce released model data privacy legislation and urged Congress to pass a federal data privacy law.

“Technology has changed the way consumers and businesses share and use data, and voluntary standards are no longer enough,said Tim Day, senior vice president of the Chamber’s Technology Engagement Center, or “C TEC.” “New rules of the road are necessary and it is time for Congress to pass a federal privacy law. The Chamber’s model privacy legislation puts consumers in control and ensures businesses can innovate while operating with certainty and providing transparency.”

According to the Chamber, its model legislation would:

  • Eliminate a patchwork of regulations that are confusing for consumers and businesses;
  • Empower consumers through transparency, opt-out, and data deletion;
  • Support innovation through regulatory certainty; and
  • Provide the Federal Trade Commission with additional enforcement power.

As we’ve previously reported, all signs suggest that Congress may finally enact comprehensive data privacy legislation. The patchwork of existing state laws frustrates pro-business groups like the Chamber, the Internet Association, and the Business Roundtable. Moreover, leading tech companies have lobbied Congress for data privacy legislation.

Consistent with its concern about the patchwork of existing state laws, the U.S. Chamber’s model data privacy legislation, the “Federal Consumer Privacy Act,” would preempt state and local laws (including tort laws) “to the extent that such [laws] related to, or serve as the basis for enforcement action as it relates to, the privacy or security of personal information.”

According to the Chamber, this broad preemption would support innovation by creating regulatory certainty: “Businesses would comply with one nationwide privacy framework, as opposed to having to navigate 50 unique state laws.”

The Chamber’s model legislation also includes a number of consumer-friendly provisions. The model legislation would:

  • Require businesses to be transparent about how personal information is used;
  • Require businesses to comply with requests from consumers regarding how their personal information is used or shared; and
  • Provide consumers, subject to certain exceptions, with opt-out and data-deletion rights.

A copy of the Chamber’s one-pager on its model legislation is available here, and the full text of the model legislation is available here.