On September 15, 2022, the Federal Trade Commission (FTC) held an open Commission meeting that covered three agenda items: 1) a rulemaking on impersonation scams, 2) a policy statement on enforcement related to gig work, and 3) a staff report on dark patterns. While items (1) and (3) moved forward with a bipartisan 5-0 vote, the policy statement on the gig economy was adopted with a 3-2 vote along party lines. This alert provides some insight into the implications for future FTC activity in these areas.
On August 30, 2022, the California legislature passed the California Age-Appropriate Design Code Act (the Act). Modeled after the UK’s Age-Appropriate Design Code, California’s act drastically changes the landscape of online privacy and content availability for minors in California. The Act goes beyond the current federal protections of the Children’s Online Privacy Protection Act (COPPA) and could impose onerous new requirements on companies that were and were not previously covered by COPPA. These requirements include, among other things, estimating the ages of minors using the company’s online services; conducting detailed Data Protection Impact Assessments (DPIAs) for new and existing products; significantly restricting the collection, use, and sharing of minors’ personal information; and configuring default privacy settings to a “high level of privacy.” If the bill is signed into law by Governor Newsom, the Act would come into effect July 1, 2024.
On August 24, 2022, the California Attorney General (AG) announced the entry of a final judgment to resolve claims that makeup retailer Sephora violated the California Consumer Privacy Act (CCPA). Notably, this is the California AG’s first enforcement action resulting in a fine and settlement under the CCPA. The California AG alleged that Sephora violated the CCPA by failing to disclose that it was selling the personal information of California consumers through the use of third-party website advertising and analytics tools, failing to provide a “Do Not Sell My Personal Information” link for consumers to opt out of those sales, and failing to honor Global Privacy Control (GPC) signals as a means of opting out. As part of the relief, Sephora was ordered to pay a $1.2 million penalty and, among other things, implement a monitoring and reporting program to demonstrate its ongoing compliance with the CCPA.
On August 10, 2022, the Consumer Financial Protection Bureau (CFPB) issued a final Interpretive Rule stating that the Consumer Financial Protection Act (CFPA) applies to companies engaged in targeted advertising of financial products and services. Because the CFPB considers these companies to be covered by the CFPA, they would be subject to civil money penalties for any “unfair, deceptive, or abusive practices” (UDAAP), even for first-time violations. Despite the significance of the Interpretive Rule, there was no opportunity for the public to provide comments—the Interpretive Rule will be effective as of the date it is published in the Federal Register.
The CFPA applies to “covered persons” and their “service providers.” A “covered person” is someone who offers or provides financial products or services for use by consumers primarily for personal, family, or household purposes. 12 U.S.C. § 5481(6). A service provider is “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” 12 U.S.C. § 5481(26)(A). Significantly, the term “service provider” does not include entities that provide covered persons either 1) “a support service of a type provided to businesses generally or a similar ministerial service,” or 2) “time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.” 12 U.S.C. § 5481(26)(B). The CFPB explains that digital marketing companies engaged in targeted advertising services are service providers under the CFPA, and that they don’t fall under the exception for providing “time or space for an advertisement.”
The CFPB reasons that entities engaging in targeted advertising go beyond simply providing “time or space for an advertisement…through print, newspaper, or electronic media” because they are involved in the “identification or selection of prospective customers” or the “selection or placement of content to affect consumer engagement.” Even though the carve-out applies to advertising in “electronic media,” the CFPB explains its view that this term only encompasses advertising that is similar to print or newspaper ads, such as contextual advertising. (It seems, though, that if Congress meant for the CFPA to cover advertisers targeting financial products and services, it would have said so, given that regulators were well aware of the practice in 2010, when the CFPA was passed.)
The CFPB goes on to provide some examples of when digital media companies would be covered by the CFPA. It states that they would be subject to the CFPA, even if the covered provider of financial products or services chooses the criteria for delivering an ad or identifies by name who an ad should be delivered to. If the digital marketing company chooses times that the ad should be delivered to maximize engagement, the CFPA would apply to that company. The CFPB even notes that companies engaged in marketing analytics services alone could be subject to the CFPA.
Notably, although the CFPB goes to some length explaining why the exception for “time or space for an advertisement” does not apply, it does not attempt to explain why targeted advertising is outside the other exception for “a support service of a type provided to businesses generally or a similar ministerial service.”
Taken together with a prior CFPB announcement that it intends to use its UDAAP authority to take action against algorithmic discrimination, this Interpretive Rule firmly cements the CFPB’s intention to be a tech regulator. This is significant, given that tech companies working with companies offering financial products or services would be subject to civil money penalties if the CFPB finds them engaged in unfair, deceptive, or abusive practices in violation of the CFPA. 12 U.S.C. § 5565(a)(2). Companies with questions about the CFPB’s authority, potential priorities, and remedies should reach out to Maneesha Mithal, Libby Weingarten, or any other member of the firm’s privacy and cybersecurity practice.
On August 11, 2022, the Federal Trade Commission (FTC) took the first step toward creating national privacy and security rules that, if finalized, would apply across most sectors of the U.S. economy. The agency unveiled an Advance Notice of Proposed Rulemaking (ANPRM), which asks for public comment on 95 questions, ranging from topics such as targeted advertising, security of personal information, algorithmic discrimination, and protection of children and teens. Comments are due within 60 days of publication of the ANPRM in the Federal Register. The ANPRM was issued with a 3-2 vote along party lines. This alert attempts to answer some key questions about the announcement.
On June 24, 2022, the United States Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization, opening a legal path to state laws restricting or prohibiting access to certain reproductive health services. To enforce these laws, law enforcement officials may attempt to access individuals’ health information, including from technology platforms that process health information on behalf of individuals or other businesses.