Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Thu, 04 Jul 2024 06:10:22 -0400

Mounting Focus on Data Brokers: Is More Regulation Coming?
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/mounting-focus-on-data-brokers-is-more-regulation-coming
Thu, 24 Aug 2023 00:00:00 -0400

During the past year, there’s been a flurry of regulatory activity related to data brokers. Whether in Congress or state legislatures, at federal agencies or the White House, many policymakers are pushing in the direction of increased regulation. For those not following this issue closely, here’s a snapshot of some key developments, starting with some history:

Background on Data Broker Regulation

The debate surrounding data brokers and regulation isn’t new. For decades, policymakers and enforcers have raised concerns about the collection and sale of consumer data by these entities, citing the sensitive nature of the information and profiles that they sell, the use of this data in making consequential decisions about consumers, and the invisibility of most data brokers to the public. (See, e.g., here, here, and here.)

In the 1970s, Congress passed the Fair Credit Reporting Act (the nation’s first commercial privacy law) to regulate consumer reporting agencies (CRAs), an important subset of these entities. The FCRA sets forth data privacy and accuracy requirements when CRAs sell (and companies furnish and use) consumer data for decisions affecting people’s eligibility for credit, jobs, and insurance. The FCRA didn’t end the debate, however. Since then, some policymakers have pressed for broader regulation of data brokers, especially with the advent of mobile devices and other technological advances, enabling data brokers to collect more detailed data about consumers, and to make more granular inferences and predictions, and then sell this information to the public. In response, data brokers have pointed to the beneficial services they provide, and have argued that existing laws (including the FCRA, the Gramm Leach Bliley Act, the FTC Act, and now numerous state privacy laws) are adequate to address any harms that occur.

Recently, this debate has accelerated, as shown by the increased regulatory activity we are seeing today. For some policymakers, the repeal of Roe v. Wade and its implications for reproductive privacy has added an important new dimension to the debate. On April 15, the White House convened a roundtable of government officials, academics, advocates, and other experts to discuss “harmful data broker practices” and provide further impetus for regulation.

Congress

So, what specific proposals are we seeing? Not surprisingly, some of them are coming from Congress. In July, we blogged about two bipartisan efforts to stop the government from purchasing consumers’ location and web browsing and search history from data brokers, absent a warrant or other due process measures. One of these proposals (an amendment to the House National Defense Authority Act bill) would restrict such purchases by DOD. Another (the Fourth Amendment is Not for Sale Act, now introduced in both the House and the Senate) would restrict such purchases more broadly across the federal government. All of these bills are pending, with Congress now in recess.

Readers also may recall that the leading federal privacy bill (the bipartisan American Data Privacy and Protection Act) contains strict data broker provisions requiring online registration and a one-stop mechanism allowing consumers to delete data held by data brokers and prevent further collection by these entities. Other recent federal bills (e.g., the bipartisan DELETE Act) contain even stricter data broker requirements.

Federal Trade Commission

The FTC is also very active in this area. In a 2022 blogpost, an FTC official warned that the FTC will use the “full scope of its authorities” to stop the “illegal use and sharing” of consumers’ location, health, and other sensitive data. Soon after, the FTC filed a lawsuit against data broker Kochava, alleging that its sale of location data obtained from mobile devices harms consumers and is legally “unfair” because the data can reveal sensitive locations that consumers visit, such as reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. In addition, the ANPR in the FTC’s Commercial Surveillance and Data Security Rulemaking is replete with references to data brokers and data sales, suggesting that this could be a focus of any rule it proposes.

Like Congressional efforts, the FTC’s actions here are pending. In Kochava, the court dismissed the FTC’s initial complaint due to what it viewed as the hypothetical nature of the FTC’s injury allegations, but the FTC has filed a new complaint (under seal). In the FTC’s rulemaking, the comment period for the ANPR closed last November, so the FTC could release a proposed rule any day now. We await news on both fronts.

California – SB 362

No privacy discussion would be complete without California. And sure enough, the California legislature is currently considering new data broker legislation. In brief, SB 362 would amend the state’s existing data broker law by establishing an “accessible deletion mechanism” where consumers can direct data brokers to delete their information. This would in turn trigger a ban on further data collection by these entities, unless consumers opt in. The law also would allow an “authorized agent” to request deletion for the consumer, require independent compliance audits every three years, and mandate regular reports to the public and to the California Consumer Protection Agency. Due to the broad definition of “data broker,” the bill would cover a wide array of entities, including members of the advertising industry.

If passed, this law would substantially up the ante for data brokers operating in California, and could spread to other states. Currently, eleven states have enacted comprehensive baseline privacy laws, but only a few have data broker laws, with mostly modest requirements. Not surprisingly, opposition to the bill is strong in the data broker and ad industries, who (according to news reports) say it will hurt anti-fraud efforts and the economy, and have launched an effort to defeat the bill. Because California’s legislature adjourns September 14, the window for action is closing soon.

Consumer Financial Protection Bureau

Finally, in what could be the most consequential data broker regulation of all, CFPB Director Rohit Chopra just announced (on the day of the White House roundtable) that the CFPB will soon launch a rulemaking to “modernize” the FCRA so that it reflects how today’s data brokers “build even more complex profiles about our searches, our clicks, our payments, and our locations” and “impermissibly disclose sensitive contact information” of people who don’t want to be contacted, such as domestic violence survivors.

Among other things, per Director Chopra, the CFPB is considering proposals to bring within the FCRA (1) a data broker’s sale of certain types of data (e.g., payment history, income, criminal records) because the data is “typically” used to make credit, employment, or certain other eligibility determinations and (2) credit header information, a major source of information for data brokers that has long been considered to fall outside the FCRA. Such proposals would dramatically extend the FCRA’s reach to a broader class of data brokers than are currently covered. According to Director Chopra, the CFPB will publish an outline of proposals and alternatives next month.

* * *

All of the above proposals are now pending, so it’s not clear whether they will reach fruition or what shape they will ultimately take. However, the sheer volume of activity shows that data brokers are in the spotlight and are likely to remain there for a while.

Credential Stuffing: Cyber Best Practices from NY Attorney General’s Latest Report
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/credential-stuffing-cyber-best-practices-from-ny-attorney-generals-latest-report
Thu, 13 Jan 2022 21:16:21 -0500

In guidance released last week, the New York State Office of the Attorney General urged businesses to incorporate safeguards to detect and prevent credential-stuffing attacks in their data security programs. The guidance stemmed from the AG’s finding that 1.1 million customer accounts at “well-known” companies appeared to have been compromised in credential-stuffing attacks.

Credential stuffing refers to an attack where a hacker uses stolen usernames and passwords, or “credentials,” from an online service that has suffered a data breach to access other online services, according to the AG’s report. Attackers exploit the habit of some consumers to reuse their passwords across multiple websites. Attackers may also use automated software to initiate login attempts using stolen credentials from the dark web.

“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing,” New York State Attorney General Letitia James wrote in a press release accompanying the report.

Specifically, the AG report states that data security programs should incorporate safeguards against the threat of credential stuffing in four areas: (1) defending against credential-stuffing attacks, (2) detecting a credential stuffing breach, (3) preventing fraud and misuse of customer information, and (4) responding to a credential stuffing incident.

The AG recommends that businesses implement the following safeguards to mitigate the risk of successful credential-stuffing attacks. Which safeguards are appropriate to a business will depend on the size and complexity of the business, the volume and sensitivity of customer information it maintains, the risk and scale of injury, and the software and systems already in use.

Defending Against a Credential-Stuffing Attack

  • Bot Detection – Businesses can leverage bot detection software to distinguish automated login attempts from regular “human” login attempts, and to block malicious bots. The AG noted, however, that in its view CAPTCHA systems have been less effective than bot detection software.
  • Multi-Factor Authentication – Multi-factor authentication creates an additional hurdle to logging in by requiring users to have not only the appropriate credentials but also a second factor, such as a device that issues authentication codes or a biometric authentication procedure.
  • Passwordless Authentication – Passwordless authentication allows a user to access their account through an authentication procedure other than a password, such as a one-time code or an emailed link.
  • Web Application Firewalls (WAF) – WAFs that guard against malicious traffic can also include safeguards that protect against credential stuffing. These safeguards include rate limiting, which blocks or throttles repeated login attempts; HTTP request analysis, which analyzes header information and other metadata for indicators of malicious traffic; and IP address blacklists, which block IP addresses known to have engaged in attacks.
  • Preventing Reuse of Compromised Passwords – Businesses can implement procedures to prevent customers from reusing passwords that have been previously compromised, using vendors that compile such credentials.

Detecting a Credential Stuffing Breach

  • Monitoring Customer Activity – Businesses may monitor indicators of fraudulent activity to protect customer accounts.
  • Monitoring Customer Reports of Fraud – Businesses may also review reports from customers about unauthorized transactions or account access.
  • Notice of Account Activity – Businesses may notify customers of unusual account activity to help the customer identify unauthorized activity and report it to the business.
  • Threat Intelligence – Businesses may utilize threat intelligence firms that monitor dark web activity for discussion of stolen credentials or accounts.

Preventing Fraud and Misuse of Customer Information

  • Re-authentication at the Time of Purchase – To prevent attackers from leveraging stolen accounts to make a purchase, the AG states that businesses may require users to re-authenticate stored payment information. For example, the user may be required to re-enter their credit card number or CVV code, or the company might send the user an authentication code.
  • Third Party Fraud Detection – Companies may use third-party services that identify suspicious or fraudulent transactions.
  • Mitigating Social Engineering – Anticipating that some hackers may try to convince customer service personnel to authenticate their account, companies can develop policies that anticipate social engineering attacks and train relevant personnel on those attacks.
  • Preventing Gift Card Theft – The AG suggests that transferring gift cards between customer accounts and transferring funds between gift cards should be restricted or require re-authentication; and that companies should only display the last four digits of a gift card number.

Incident Response

  • Investigation – Where companies suspect an attack, the new guidance states that companies should conduct a timely investigation to determine, at a minimum, “whether customer accounts were accessed without authorization, and, if so, which accounts were impacted, and how attackers were able to bypass existing safeguards.”
  • Remediation – Companies should take action to remediate credential-stuffing attacks, according to the AG’s guidance. The AG suggests blocking attackers’ continued access to the accounts, resetting passwords, and freezing relevant accounts, where appropriate.
  • Notifying Customers – The AG states that businesses should “quickly notify each customer whose account has been, or is reasonably likely to have been, accessed without authorization.” The AG’s report states that customer notice should include the following elements:
    • Disclosing whether the particular customer’s account was accessed without authorization;
    • The timing of the attack;
    • What customer information was accessed; and
    • What actions have been taken to protect the customer.

Finally, given the evolving nature of credential stuffing-related threats, the AG warns that businesses should continually evaluate the effectiveness of applicable controls and implement new procedures where appropriate.

* * *

Since State AGs don’t typically issue guidance like this, it may be a sign that New York plans to continue to target businesses that have not followed its guidance and have thus allegedly failed to protect adequately against credential stuffing. While other states aren’t bound by this NY-specific guidance, other State AG offices are likely to take notice and discuss this unusual measure through their standing working groups. As a result, some states may follow suit and launch their own investigations on credential stuffing.

State and federal regulators are active in this space, investigating companies’ compliance with UDAP, FTCA, and FCRA Red Flags. Including the possibility of credential stuffing in your data security risk assessment and policy review may reduce your regulatory exposure.

California Ruling Requires TransUnion to Pay Record $60M for FCRA Violations; Suit Alleged Consumer Reports Erroneously Linked Consumers to Criminals in OFAC Database
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-ruling-requires-transunion-to-pay-record-60m-for-fcra-violations-suit-alleged-consumer-reports-erroneously-linked-consumers-to-criminals-in-ofac-database
Sun, 25 Jun 2017 18:58:03 -0400

A California jury in federal court ruled on Tuesday, June 20, that TransUnion violated the Fair Credit Reporting Act (FCRA) by erroneously linking certain consumers with similarly named terrorists and criminals in the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC’s) database. The jury awarded statutory and punitive damages in excess of $60 million, which could set a record for the largest FCRA verdict to date.

Initially filed in 2012, plaintiffs alleged that TransUnion willfully violated FCRA by failing to maintain reasonable procedures to assure maximum possible accuracy of the consumer reports it sold, and by failing to provide required disclosures to consumers. TransUnion offers an add-on service to its standard consumer reports whereby it would check consumers against OFAC’s “Specially Designated Nationals and Blocked Persons List” (SDN), which lists terrorists, drug traffickers, and other criminals. Companies that do business with individuals on the SDN face strict liability penalties approaching $290,000 per transaction, so companies have a strong incentive to cross-reference the SDN before undertaking certain transactions – depending on the type of transaction and other factors.

The case arose out of so-called “false positives,” whereby TransUnion would find and report a potential match to the SDN but that match would subsequently be found to be erroneous. For example, lead plaintiff Sergio L. Ramirez was prevented from buying a car in 2011 because TransUnion told lenders that he potentially matched two individuals on the OFAC list. Ramirez and other class members alleged that TransUnion failed to take reasonable steps, such as also cross-referencing date of birth or other information available on the SDN, before reporting the match on the consumer report. TransUnion countered that it did all that was feasible for the time period in question to achieve maximum accuracy, as required by FCRA, while still helping its clients comply with OFAC regulations and avoid criminal penalties.

The case provides an interesting example of the competing legal obligations that a company can face under different statutes, and of the need to stay abreast of constantly evolving technology that informs the relevant legal standard. Determining how to screen potential customers for OFAC compliance and use consumer reports consistent with FCRA depends on a number of factors, including the technology available at the time and the type and scope of transaction at issue.

Kelley Drye’s Export Controls and Sanctions Compliance Group regularly assists clients with obligations in connection with OFAC screening, and Kelley Drye’s Consumer Financial Protection Regulation regularly advises clients on FCRA compliance.

Senate Commerce Committee Members Air Laundry List of Pressing Issues Including Privacy, Data Security, and FTC Enforcement
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/senate-commerce-committee-members-air-laundry-list-of-pressing-issues-including-privacy-data-security-and-ftc-enforcement
Fri, 30 Sep 2016 15:31:48 -0400

On September 27th, the Senate Committee on Commerce, Science, and Transportation held a general oversight hearing of the FTC, which covered a multitude of major policy issues and included testimony from Chairwoman Edith Ramirez, Commissioner Maureen Ohlhausen, and Commissioner Terrell McSweeny. Chairman John Thune (R-SD) convened the hearing, joined by Senator Richard Blumenthal (D-CT) who sat in for Ranking Member Bill Nelson (D-FL), who was not in attendance. Several other Committee members also participated in the hearing, cycling through as schedules permitted on what appeared to be a jam-packed day. Members in attendance included: Senators Dean Heller (R-NV), Amy Klobuchar (D-MN), Brian Schatz (D-HI), Jerry Moran (R-KS), Steve Daines (R-MT), Dan Sullivan (R-AK), Edward Markey (D-MA), Tom Udall (D-NM), Kelly Ayotte (R-NH), Maria Cantwell (D-WA), and Deb Fischer (R-NE).

The Commissioners’ opening statements focused on key issues related to the agency’s mandate including enforcement, policy development, business education, and competition promotion. But for members and Commissioners alike, privacy and data security were the clear headline issues of the day. A variety of related topics were also raised, including protecting children online, the Internet of Things (IOT), tourism, credit reports, telecommunications, and deceptive claims. A brief summary of these issues follows.

Privacy, Data Security, and FTC Enforcement

Several members referenced the recent Yahoo breach of customer data to highlight the importance of protecting consumer privacy and raised related policy issues such as what reasonable measures companies should take to protect sensitive personal data, standards for providing notification of data breaches, and whether the Commission has sufficient enforcement tools to address these concerns.

Chairman Thune posed questions related to both data security and the Commission’s enforcement authority, and inquired whether “substantial harm” must always be economic harm. Chairwoman Ramirez posited that there was no such limitation, and while in most cases substantial harm would be economic, it was proper in her opinion for the Commission to consider intangible harms related to privacy, such as infringement of privacy rights or the potential risks that come from the unauthorized release of personal information.

Senator Blumenthal used the Yahoo case to inquire whether changes are required to Section 5 of the Federal Trade Commission Act to make the FTC a more effective enforcer of data breaches. Chairwoman Ramirez responded that, while the existing law works, it could be improved by giving the FTC authority to issue civil penalties and jurisdiction over non-profit organizations. Commissioner Ohlhausen added that she was supportive of a federal data breach notification requirement.

Senator Sullivan, pressing on the notification issue, inquired about what current law requires with respect to timing, particularly in the case of Yahoo. Chairwoman Ramirez echoed Commissioner Ohlhausen’s support for federal notification legislation that would set a uniform standard for security and incorporate a reasonableness approach. She further speculated that 30 or 60 days might be appropriate, but acknowledged the need to strike a balance between over-notifying consumers and providing them with timely, accurate information with which to take protective measures.

Senator Schatz pointed out that, when a breach affects hundreds of millions of consumers’ data, prevention, and not just notification, becomes paramount. He suggested that Congress should reexamine what constitutes “reasonable” data security requirements, and whether existing law would require a company to increase security standards if they clearly are not working, as evidenced by recent massive breaches.

Protecting Student Data Online

Protecting the privacy of children’s personal information from use – inappropriate or otherwise – was raised on a bipartisan basis with regard to collection of student data. Senators Blumenthal and Daines expressed concern that school-age children, 13 years and older, were not covered by the Children’s Online Privacy Protection Act’s (COPPA’s) parental consent requirement when it comes to disclosure of sensitive data that could reveal a student’s known location, consumer preferences, or academic performance. Acknowledging the existence of legitimate uses for such data – for example personalized learning – they called for further clarification of what businesses can do with student data, which would be addressed by the Safeguarding American Families from Exposure by Keeping Information and Data Secure (SAFE KIDS) Act, a bill introduced by Senators Blumenthal and Daines. Chairwoman Ramirez agreed that regardless of the proposed use, personal information of children should be protected and only released with parental consent. Commissioner Ohlhausen cautioned, however, that older children have different needs and capabilities than younger children that are worth further consideration.

Internet of Things (IOT)

The complex and multiple challenges associated with the IOT were addressed mostly in prepared remarks and brief mentions throughout the hearing. Chairman Thune concluded his opening statement with a caution to the Commission to exercise “humility” so as to preserve “permission-less innovation” as it examines this evolving issue. Similarly, Commissioner Ohlhausen testified regarding the Commission’s recent workshop on the IOT and opined that IOT regulations were premature given the current pace of technological innovation in the field.

Tourism

Senators Heller and Klobuchar each inquired about a specific issue, of possible individual interest, related to tourism. Senator Heller wanted to know whether 2012 FTC guidance on resort fees was benefiting consumers and challenged whether the number of complaints (ranging from 8-10 based on his data) justified recent FTC enforcement actions. Senator Klobuchar raised questions as to how search engine results function on third party travel sites. Chairwoman Ramirez acknowledged both concerns and indicated she would provide additional information post-hearing.

Credit Reports

Senator Schatz raised concerns about the time it takes to correct errors on credit reports, which may prevent otherwise eligible applicants from obtaining loans and sometimes jobs. He also noted the disparate impact such errors can have on persons in underserved and low-income communities. The Commissioners unanimously agreed this was a priority issue, noting they take the Fair Credit Reporting Act very seriously and have brought a number of enforcement actions in this area. Commissioner McSweeny underscored that this issue was essential to dealing with problems like identity theft, and Chairwoman Ramirez stated that there was room for progress, including by more quickly correcting errors and eliminating time-consuming procedures. She also noted that the FTC was coordinating with the Consumer Financial Protection Bureau on this issue.

Telecommunications

Members also raised issues in areas where FTC jurisdiction overlaps with the Federal Communications Commission (FCC). For example, Senator Blumenthal referenced a plethora of complaints about the ineffectiveness of Do-Not-Call lists. He identified robocalls as a root of the problem and noted he supports a ban of the technology. Chairwoman Ramirez shared the Senator’s frustration and acknowledged that technology has helped malefactors avoid and bypass the law. She indicated that the FTC, in discussions with the FCC, is looking at technology-based solutions, as well as other means to address the problem.

Additionally, in response to questions about FTC input on FCC regulations in areas of shared jurisdiction concerning the treatment of data, the Commissioners agreed that it was important for there to be a harmonized approach across federal agencies. That said, Chairwoman Ramirez cautioned that privacy and data security issues will continue to arise across different agencies with different authorities. In these situations, the FTC weighs in where permitted through agency notice and comment procedures, such as it did on the FCC’s privacy and set-top box rules.

Deceptive Claims and Safety Recalls

Senator Udall, who has introduced a bill to specifically prohibit deceptive claims related to the safety benefits of sports equipment, pressed the Commissioners to more carefully scrutinize anti-concussion marketing claims, such as Shock Doctor’s assertion that their product prevents head injuries, to determine if they are deceptive. He noted previous FTC action in the form of warning letters, and encouraged the FTC to remain engaged and active. Senator Blumenthal also welcomed examination of this issue, noting the issue is relevant to the National Hockey League as well. In addition, Senator Blumenthal raised concerns in connection with the FTC’s settlements with used car dealers and manufacturers, stating that his Used Car Safety Recall Repair Act would require car dealers to make recall repairs before selling used cars.

Conclusion

While the hearing was far too broad to delve into the specifics of every issue, it was a comprehensive issue-spotting exercise that highlighted numerous important matters of Congressional interest and concern pending before the FTC. Other issues mentioned, not covered here, include prescription drug prices, health care competition as a result of the Affordable Care Act, and the potential for fraud in the renewable identification number (RIN) market created under the Renewable Fuel Standard Program.

Chairman Thune suggested that the Committee would continue to examine these issues, perhaps in the upcoming lame duck session, through an industry panel before the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security. The Subcommittee intended to hold a counterpart hearing for industry and thought leaders to offer perspectives in addition to the Commission, but that hearing was cancelled due to conflicts. Chairman Thune indicated it would have to be rescheduled.

For any questions about this hearing or related issues contact:

Dana Rosenfeld

Alysa Hutnik

Jennifer McCadney

Donnelly McDowell

Scalia’s Death Leaves High Court in Limbo on Three Key Consumer Class Actions
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/scalias-death-leaves-high-court-in-limbo-on-three-key-consumer-class-actions
Wed, 17 Feb 2016 15:06:38 -0500

While the sudden death of Supreme Court Justice Antonin Scalia creates an immediate vacancy on the bench, it also likely leaves the high court’s docket in limbo on a number of key consumer class actions awaiting the Court’s decision.

Many predict that President Obama will not be able to replace Scalia before the 2016 Presidential election, meaning that the seat may be vacant for the remainder of the term. Democrats have been urging the President to immediately nominate a successor, with Republicans imploring the President to give that right to the next Commander-in-Chief. Senate Majority Leader Mitch McConnell has stated that the Senate should not confirm a replacement until after the 2016 election.

Until a successor is confirmed, it means that the Supreme Court will be comprised of four reliable liberals, three reliable conservatives, and one Justice Kennedy, who typically leans to the right but has often acted as the Court’s swing vote. With only eight justices, it is likely that we will see a number of important cases end in a 4-to-4 split this year, including several key cases relating to consumer class actions. In the case of a tie, the appeals court decision will be upheld, no precedent will be set, and the Supreme Court traditionally will not issue an opinion.

Here’s a brief rundown of how Scalia’s passing may affect three key consumer class actions in front of the Court this term.

Case: Spokeo Inc. v. Robins (Docket No. 13-1339)
Issue: Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, but alleges a private right of action based on a bare violation of a federal statute.
Outcome in a split: Plaintiff’s win – would make a bare violation of a federal statute sufficient to confer Article III standing, thereby making it easier for plaintiffs to move forward in litigating cases alleging statutory violations.

Plaintiff, Thomas Robins, alleged that “people search engine” Spokeo violated the Fair Credit Reporting Act (FCRA) by disclosing inaccurate personal information about him that harmed his employment prospects and violated his rights under the FCRA. Mr. Robins alleged that, as a result of the FCRA violations, he was “concerned that his ability to obtain credit, employment, insurance and the like will be adversely affected.” Spokeo moved to dismiss on the ground that Robins lacked standing under Article III. Typically, a plaintiff must demonstrate “injury-in-fact” to have Article III standing, but the Ninth Circuit held in this case that Robins met the standing requirement “by virtue of the alleged violations of his statutory rights.” Facebook, Google, eBay and Yahoo submitted a joint amicus brief in the case warning that if the Court upholds the Ninth Circuit’s decision, it could result in a flood of “no-injury” litigation under the FCRA and several other wide-reaching federal statutes, such as the Telephone Consumer Protection Act (TCPA), and other privacy and data security actions.

Case: Microsoft Corp. v. Baker (Docket No. 15-457)
Issue: Whether a federal court of appeals has jurisdiction to review an order denying class certification after the named plaintiffs voluntarily dismiss their claims with prejudice.
Outcome in a split: Plaintiffs’ win – plaintiffs effectively would have the right to immediate review of a district court order denying a motion to certify a plaintiff class.

The case involves a dispute over a class action brought by Xbox 360 purchasers who alleged that the Xbox console contained a design defect causing game discs to become scratched. In 2012, the district court struck down the class allegations, finding that the defect was present in less than one percent of the total number of consoles purchased. This ordinarily would leave plaintiffs with the option of pursuing individual claims until final judgment, before the denial of class certification could be appealed. Instead, the plaintiffs moved to dismiss their claims with prejudice, a motion that would create a final judgment far more quickly, allowing a speedier appeal of the denial of class certification. The Ninth Circuit granted the motion finding the appeal could proceed. The Ninth Circuit eventually held that in the absence of a settlement, a stipulation that leads to a dismissal with prejudice does not destroy the adversity in that judgment necessary to support an appeal of a class certification denial.

Case: Tyson Foods, Inc. v. Bouaphakeo (Docket No. 14-1146)
Issue: Two key questions are before the Court: (1) whether differences among individual class members may be ignored, and a class certified, when plaintiffs use statistical techniques that presume that all class members are identical; and (2) whether a class may be certified if it contains many members who were not injured.
Outcome in a split: Plaintiffs’ win – class actions could be certified absent a showing that specific legal claims predominate among the entire class.

In Tyson Foods, the district court certified a Rule 23(b)(3) class action and Fair Labor Standards Act (FLSA) collective action for claims alleging that Tyson Foods had not paid its employees for all time spent donning and doffing personal protective equipment and walking to and from their work stations. Under Rule 23, a court may not certify a damages lawsuit as a class action unless “there are questions of law or fact common to the class” that “predominate over any questions affecting only individual members.” The FLSA imposes similar certification requirements on collective actions. Plaintiffs sought to prove injury and damages using statistical evidence that averaged donning and doffing time, even though employees used different equipment and it was undisputed that hundreds of employees were not entitled to any additional compensation. Tyson Foods contended that the average time was meaningless and that plaintiffs’ changing times were different enough that they should not be able to bring a class action suit. A jury found Tyson Foods liable, but awarded only about half of the damages that plaintiffs’ statistical experts had calculated were due. On appeal, the Eighth Circuit affirmed.

CFPB Obtains $13M FCRA Settlement with Employee Background Screening Providers
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cfpb-obtains-13m-fcra-settlement-with-employee-background-screening-providers
Tue, 10 Nov 2015 14:52:37 -0500

The CFPB recently initiated an enforcement action against General Information Services (GIS) and its affiliate, e-Background-checks.com, Inc. (BGC) for allegedly violating the Fair Credit Reporting Act (FCRA) by failing to implement required safeguards while providing background screening reports to employers about job applicants. The CFPB found that certain background screening reports provided by GIS and BGC contained inaccurate information and that the entities failed to adequately protect against those inaccuracies as required under FCRA.

The CFPB made three primary allegations:

  • Failure to employ reasonable procedures to assure maximum possible accuracy. The CFPB alleged that GIS and BGC failed to follow reasonable procedures to assure maximum accuracy, including by failing to have written procedures for researching public records information for consumers with common names or who use nicknames, allowing employees to exercise discretion in determining whether a record matched the consumer in question, and failing to use consumer dispute data to identify the root causes of accuracy errors.
  • Failure to meet the requirements of section 1681k of FCRA. The CFPB alleged that GIS and BGC failed to comply with FCRA section 1681k, which requires furnishers of consumer reports for employment purposes to either: (1) notify the consumer at the time the information is reported, or (2) maintain “strict procedures” designed to ensure that the information is complete and up to date. The CFPB alleged that the procedures employed by respondents did not even meet the “reasonable” standard under section 1681e(b), much less the “strict” standard required for providers of consumer reports for employment purposes.
  • Failure to exclude non-reportable information from background checks. The CFPB additionally alleged that respondents failed to take sufficient steps to exclude certain dated information that cannot be included in consumer reports under FCRA. Specifically, GIS and BGC allegedly failed to ensure that civil suits and judgments and records older than seven years were excluded from reports, thus illegally including such information in the consumer reports.

The order requires the companies to pay $10.5 million in redress to affected consumers and a $2.5 million civil monetary penalty. Respondents are also required to implement a comprehensive audit program, revise their compliance procedures, and retain an independent consultant to review and assess the companies’ policies and procedures for ensuring compliance with FCRA.

FTC Settles FCRA Charges Against Certegy for $3.5 Million
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-settles-fcra-charges-against-certegy-for-3-5-million
Thu, 15 Aug 2013 15:36:40 -0400

The FTC announced today that Certegy Check Services, Inc. will pay $3.5 million to settle allegations that Certegy violated the Fair Credit Reporting Act (FCRA) by failing to follow proper dispute procedures and failing to use reasonable procedures to maximize the accuracy of consumer report information. Certegy is one of the nation’s largest check authorization service companies, and must comply with FCRA as a consumer reporting agency.

In the complaint, the FTC charged Certegy with failing to comply with FCRA section 611 by “attempt[ing] to shift the burden of conducting a reinvestigation to consumers rather than fulfilling its legal obligation to reinvestigate disputed information.” Additionally, the FTC alleged a violation of FCRA section 612(a)(2), which requires consumer reporting agencies to provide consumers with free annual file disclosures within 15 days of a request, and a violation of FCRA’s obligation to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of consumer report information.

In addition to the $3.5 million penalty, the settlement also provides for broad injunctive relief that requires Certegy to undertake additional steps above and beyond FCRA requirements to ensure the accuracy of consumer reports.

FTC, CFPB, and DOJ File Brief Supporting Fair Credit Reporting Act
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-cfpb-and-doj-file-brief-supporting-fair-credit-reporting-act
Tue, 08 May 2012 12:45:43 -0400

Today the Federal Trade Commission ("FTC"), Consumer Financial Protection Bureau ("CFPB"), and Department of Justice ("DOJ") filed a brief supporting the constitutionality of the Fair Credit Reporting Act ("FCRA"). FCRA limits the use of credit report information, protecting the privacy of the information, and establishes procedures for correcting mistakes in credit reports. The brief addresses a provision of FCRA (§ 1681c) that bars a credit reporting agency ("CRA") from disclosing individuals' arrest records or other adverse information that is more than seven years old.

The government filed the brief in King v. General Information Services, Inc., which is pending in the Eastern District of Pennsylvania District Court. The defendant argues that the FCRA provision is an unconstitutional restriction of free speech. Contrary to that position, the government argues that the provision satisfies the applicable Central Hudson test for restrictions on commercial speech and should not be invalidated, despite the U.S. Supreme Court's recent ruling in Sorrell v. IMS Health Inc. The brief concludes, "The law directly advances the government’s substantial interest in protecting individuals’ privacy and is no more extensive than necessary to protect that interest while also accommodating businesses’ competing interest in obtaining complete information about people to whom they are considering offering a loan, an insurance policy, or a job."

The brief demonstrates the cooperation expected between the FTC and CFPB as they jointly enforce FCRA. In July 2011, the FTC issued "40 Years of Experience with the Fair Credit Reporting Act," a staff report "to share [the FTC's] extensive experience with the CFPB and the public through a summary of its key interpretations and guidance" developed through its 40 years of enforcing FCRA. Companies subject to FCRA should continue to watch for coordination between the agencies as the enforcement roles evolve.

FTC and Federal Reserve Issue Proposed Amendments to the Risk-Based Pricing Rule
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-and-federal-reserve-issue-proposed-amendments-to-the-risk-based-pricing-rule
Fri, 04 Mar 2011 10:50:27 -0500

Earlier this week, the Federal Trade Commission (“FTC”) and the Federal Reserve Board issued proposed amendments to the Risk-Based Pricing Rule (“Rule”) that would require creditors to disclose credit score information when a credit score is used to set or adjust credit terms. The proposed changes would implement provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act and become effective July 21, 2011.

The Rule, promulgated under the Fair Credit Reporting Act, currently requires creditors to send a risk-based pricing notice if, based on the consumer’s credit report, the creditor provides materially less favorable credit terms than the most favorable terms it provides to a substantial portion of other consumers. A recipient of the notice can obtain a free credit report to check its accuracy.

The proposed amendments would require credit score disclosure if a credit score is used to make the determination, add content to the notices, and provide new model notices. There will be a 60-day comment period once the proposal is published in the Federal Register.

FTC Commissioner Discusses CFPB at Privacy Conference
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-commissioner-discusses-cfpb-at-privacy-conference-2
Mon, 13 Dec 2010 09:55:58 -0500

FTC Commissioner Julie Brill spoke about the new Consumer Financial Protection Bureau (“CFPB”) during a keynote address she delivered at the International Association of Privacy Professionals Second Annual Conference on December 7th. While describing how Congress enacted the Fair Credit Reporting Act (“FCRA”) to protect consumers’ personal information, Brill stated that the FTC and CFPB “need to make sure our current rules continue, in this technologically advanced age, to protect consumers’ rights under the FCRA.” Given that the FTC already has several staff members involved in setting up the CFPB, it is no surprise that the FTC plans to work in tandem with the CFPB to enforce existing consumer protection laws and to understand new uses of data in connection with such efforts.

During the address, Brill also outlined the major components of the FTC’s preliminary staff report on privacy, “Protecting Consumer Privacy in an Era of Rapid Change,” which includes a proposal for a Do Not Track mechanism that would permit consumers to control their tracking preferences at every website they visit. For a more detailed discussion of the FTC’s Report, including the concepts behind Do Not Track, see the Kelley Drye client advisory.

FCRA Claims Against Major Credit Reporting Agency Survive Statute of Limitations Challenge
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/fcra-claims-against-major-credit-reporting-agency-survive-statute-of-limitations-challenge
Wed, 21 Jul 2010 15:52:00 -0400

In Andrews v. Equifax Information Services LLC, No.: C-08-0817, 2010 U.S. Dist. Lexis 38020 (W.D. Wash. Mar. 30, 2010), plaintiff filed suit against Equifax after it allegedly “mixed up” her information with that of another individual of the same name and disseminated that information to third parties. Plaintiff alleges that this “mix up” was caused by Equifax’s failure to follow reasonable procedures to ensure maximum possible accuracy of the information it reported as well as its failure to re-investigate her disputes, both of which are required by FCRA.

FCRA requires claims to be brought within two years after the plaintiff discovers the violation or within five years after the date the violation occurs. Invoking the former provision, Equifax argued that it was entitled to dismissal because the plaintiff had discovered the alleged violations more than two years before she filed suit in May 2008. Equifax cited record evidence that plaintiff had called in 2004 and 2005 to dispute information in her credit file that she believed was inaccurate. Equifax contended further that it sent plaintiff the results of its investigation into her disputes on three occasions, the last of which was in late November 2005. According to Equifax, because these results contained the inaccurate information forming the basis of her FCRA allegations, plaintiff had discovered the violation more than two years before filing suit.

The Western District of Washington denied the motion, rejecting the argument that plaintiff’s knowledge of inaccurate information in her credit report put her on notice of Equifax’s alleged FCRA violation. “FCRA is not a strict liability statute,” said the court. Indeed, a credit reporting agency can escape liability under FCRA for an inaccurate credit report as long as it shows it followed reasonable procedures in generating it. Therefore, inaccurate information in a credit report, standing alone, cannot violate FCRA. According to the court, to obtain dismissal, Equifax had to show something more. Specifically, it had to produce sufficient evidence tying the investigation reports it provided to the plaintiff with plaintiff’s discovery of the precise violations alleged in the lawsuit. This, according to the court, it failed to do.

As a threshold matter, while Equifax produced evidence that it sent the reports to the plaintiff, it failed to prove that she received them. In fact, plaintiff testified that she had no recollection of receiving the reports. The court refused to opine on “the applicability of any kind of mailbox rule or presumption of receipt” by the plaintiff simply because there was evidence that Equifax mailed the reports. Equifax cited no authority supporting such a rule.

In addition, the court rejected Equifax’s argument that plaintiff was on notice of the alleged FCRA violations as a result of being denied credit more than two years before filing suit. Equifax argued that the same inaccurate information forming the basis for her FCRA claims was sent to the credit union that denied her credit application. However, there was no evidence indicating that the denial of credit by the third-party credit union could alert plaintiff to an FCRA violation. In fact, plaintiff testified that she did not know what information Equifax sent to the credit union, and testified further that other, legitimately reported delinquencies on her credit report could have led to the denial of her credit application.

New FACTA Rules Take Effect on July 1, 2010
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-facta-rules-take-effect-on-july-1-2010
Sat, 05 Jun 2010 21:51:21 -0400

Businesses have until July 1, 2010 to comply with the new rules and guidelines under the Fair and Accurate Credit Transactions Act (“FACTA”), which amended the Fair Credit Reporting Act (“FCRA”), adopted by the Federal Trade Commission nearly a year ago relating to information provided to credit reporting agencies. Many know FACTA as the statute that allows consumers to request and obtain a free credit report once every 12 months from each of the three nationwide consumer credit reporting companies (Equifax, Experian, and TransUnion), or the Act that contains provisions to help reduce identity theft. These new guidelines are designed to increase the accuracy and integrity of the information that furnishers provide to credit reporting agencies. The rules, in turn, require furnishers to establish reasonable written policies and procedures that implement the guidelines. The policies and procedures that furnishers are required to establish will vary depending on the “nature, size, complexity, and scope of each furnisher’s activities.” 16 C.F.R. § 660.3(a).

The rules also provide consumers an additional avenue to challenge the accuracy of information used to generate their credit rating. Historically, consumers were encouraged to deal with the credit reporting agency about the accuracy of such information. Under the new FACTA rules, furnishers are now required, in most cases, to investigate disputes that are submitted directly to them by consumers regarding the accuracy of information that furnishers provided to a credit reporting agency.

Click here to review the final inter-agency rules and guidelines.

FTC Releases Annual Report
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-releases-annual-report
Thu, 06 May 2010 16:25:12 -0400

Recently, Federal Trade Commission Chairman Jon Leibowitz released the FTC’s 2010 Annual Report, which focused largely on the FTC’s endeavors to defend financially distressed consumers and to spur competition during these tough economic times.

For example, the FTC, among other things, emphasized that while the past year’s economic downturn prompted companies to offer new services targeted towards those most in need, some of these companies failed to deliver on these services. The FTC obtained preliminary or temporary relief in all twenty-two federal lawsuits filed against operators who allegedly falsely asserted they would obtain a loan modification or halt a foreclosure on consumers’ behalf. Typically, the operator allegedly was paid a high initial fee by the consumer, and then did little or nothing to help to modify the loan or halt foreclosure.

In order to maximize its efforts, the FTC indicated that it has renewed its efforts to partner with state and local enforcement agencies. The FTC secured relief through its participation in ten mortgage fraud task forces all over the nation. For example, the FTC entered into an $8.5 million settlement with a foreclosure “rescue” company, which precludes the company from making representations about the likelihood that it could stop a foreclosure. The FTC had alleged that the company collected high fees from consumers often exceeding $1,000, but did not endeavor to help them to avoid foreclosure.

The FTC also announced that in settling five Federal Credit Reporting Act suits (four of which were against users of credit reports and one of which was against a Credit Reporting Agency), the FTC obtained $447,000 in civil penalties and $157,000 in suspended penalties. In two of these actions, the FTC alleged that the users made adverse employment decisions predicated on background checks without notifying them of their rights under the FCRA.

Reminder! All California Businesses That Accept Credit And Debit Cards Now Must Truncate Credit Card Information On All Transaction Receipts
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/reminder-all-california-businesses-that-accept-credit-and-debit-cards-now-must-truncate-credit-card-information-on-all-transaction-receipts
Thu, 05 Mar 2009 12:00:00 -0500

As of January 1, 2009, and in contrast to federal law, California Civil Code Section 1747.09 requires that no more than the last five digits of a credit or debit card number be printed on both the electronically-printed card receipt retained by the business as well as the receipt provided to customers. See CAL. CIVIL CODE § 1747.09(a)-(d). If you or your business accept credit cards or debit cards for payment you must ensure that all machines and registers are in compliance with these truncation requirements. Businesses that fail to comply with revised Section 1747.09 face potentially significant consequences, including enforcement actions by state agencies, and, perhaps more significantly, individual and class action lawsuits brought by cardholders.

A brief look at the recent history of class actions filed under the federal truncation statute – the Fair Credit Reporting Act (“FCRA”), which applies only to transaction receipts provided to customers – may offer guidance on how California courts may deal with actions brought under Section 1747.09.

In December 2006, plaintiffs’ attorneys began filing class action lawsuits against a broad spectrum of retailers and other businesses in California based largely on the failure to truncate expiration dates on electronically printed credit card receipts provided to consumers, and sought statutory penalties of between $100 and $1,000 per transaction for each “willful” violation alleged, plus attorneys’ fees, costs and punitive damages. See 15 U.S.C. § 1681n. In order to prevent consumers, who had not suffered any actual damage, from recovering potentially annihilating statutory damages against retailers and other merchants, Congress passed the Credit and Debit Card Receipt Clarification Act, which added a provision to the Fair and Accurate Credit Transactions Act (“FACTA”) preventing consumers from obtaining statutory damages for willful expiration date violations taking place between December 4, 2004 and June 3, 2008. Further, several courts refused to certify a class on the theory that a class action is not superior to other methods for the fair and efficient adjudication of the controversy. However, no similar legislation has been enacted by the California legislature, and it remains to be seen whether courts will deny certification of a class action brought under Section 1747.09, as several courts have done in FACTA cases, to limit abusive lawsuits brought by consumers under California state law.

Accordingly, if you have not already done so, you should act swiftly to ensure that all machines and registers are in compliance with the truncation requirements. To accomplish this, consider auditing machines and registers by printing out receipts both retained by the company and issued to the customer. If any violation of Section 1747.09 or FACTA is detected, corrective action should be taken to limit potential liability and to decrease the risk of a potential lawsuit.

Welcome to the Consumer Financial Services Blog
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/welcome-to-the-consumer-financial-services-blog
Thu, 05 Mar 2009 09:00:00 -0500

Which among the following businesses are potentially subject to consumer financial services laws, rules, and regulations?

A. a retail clothing chain
B. a bank or mortgage company
C. an internet retailer
D. a fast food franchisor
E. all of the above

If you answered E, “All of the above,” you are CORRECT. However, many companies do not realize their businesses are subject to consumer financial services laws. Consequently, their businesses may not be compliant and may be subject to litigation risk.

The focus of the Consumer Finance Law Blog is to keep – all on one site – traditional and non-traditional financial service providers subject to consumer financial services laws abreast of recent developments in:

  • State consumer protection statutes and regulations
  • State privacy statutes
  • Privacy and consumer protection litigation
  • Card Association Rules
  • Equal Credit Opportunity Act
  • Electronic Funds Transfer Act
  • Fair Credit Reporting Act
  • Fair Credit Transactions Act
  • Fair Debt Collection Practices Act
  • Payment Card Industry Data Security Standard
  • State Money Transmitter Statutes
  • State Retail Installment Sales Act
  • State and Federal Unfair and Deceptive Trade Practices Acts
  • TILA, RESPA, and related federal and state consumer disclosure and notice requirements
  • Insurance coverage issues
  • Legislation that may impact company compliance or create new litigation risk.

We welcome you and hope that you find our posts interesting, educational, and thought provoking. We also welcome your feedback and invite you to suggest topics or recent decisions of interest that you would like us to address.
