CFPB Launches Public Inquiry into Rising Mortgage Closing Costs and ‘Junk Fees’

Go-To Guide:
  • The Consumer Financial Protection Bureau (CFPB) has launched a public inquiry into rising mortgage closing costs, seeking to understand the reasons behind the increase, identify who benefits, and find ways to reduce costs for both borrowers and lenders.
  • This inquiry, part of a broader effort against “junk fees,” aims to gather public input on the impact of these fees on consumers’ financial health and the mortgage lending market, with a focus on third-party costs, fee beneficiaries, and the evolving nature of these expenses.

On May 30, 2024, the CFPB issued a new request for information (RFI) from the public regarding “why closing costs are increasing, who is benefiting, and how costs for borrowers and lenders could be lowered.”

As part of a wider effort targeting what both the CFPB and the Biden administration refer to as “junk fees,” the CFPB is focusing on evaluating how these fees affect consumers’ financial health and the broader impact on mortgage lenders. This follows the CFPB’s continued expression of interest in “junk fees,” on which GT reported in a May 2024 blog post.

“Junk fees and excessive closing costs can drain down payments and push up monthly mortgage costs,” CFPB Director Rohit Chopra said in a separate press release. “The CFPB is looking for ways to reduce anticompetitive fees that harm both homebuyers and lenders.”

The Request for Information

According to a recent CFPB analysis, mortgage closing costs surged by over 36% from 2021 to 2023. The CFPB alleges that these unavoidable fees can strain household budgets and limit the ability to afford a down payment, while also hindering lenders from offering competitive mortgage options due to the higher costs they must absorb or pass on.

The CFPB is seeking public input to address these concerns and make mortgage costs more manageable. Some key areas of interest include:

  • Competitive pressure. The CFPB aims to evaluate the extent to which consumers or lenders currently apply competitive pressure on third-party closing costs, seeking to understand market barriers that limit competition.
  • Fee beneficiaries. The CFPB aims to identify the beneficiaries of required services and determine whether lenders have control or influence over the third-party costs that are transferred to consumers.
  • How fees are evolving and their impact on consumers. The CFPB seeks details on which expenses have surged the most in recent years and the factors driving these increases, such as the higher prices for credit reports and credit scores. Additionally, the CFPB is interested in understanding how closing costs affect housing affordability, access to homeownership, and home equity.

Takeaways

The CFPB oversees numerous laws and regulations concerning mortgage lending and real estate settlement, such as the Truth in Lending Act, the Fair Credit Reporting Act, and the Real Estate Settlement Procedures Act. The insights gained from this inquiry are poised to shape rulemaking, guidance, and various policy initiatives moving forward.

The CFPB invites comments and data from the public and stakeholders within 60 days of the RFI being published in the Federal Register.


Zeba Pirani contributed to this article

On July 1, 2024, Texas May Have the Strongest Consumer Data Privacy Law in the United States

It’s Bigger. But is it Better?

They say everything is bigger in Texas, which includes big privacy protection. After the Texas Senate approved HB 4, the Texas Data Privacy and Security Act (“TDPSA”), on June 18, 2023, Texas became the eleventh state to enact comprehensive privacy legislation.[1]

Like many state consumer data privacy laws enacted this year, TDPSA is largely modeled after the Virginia Consumer Data Protection Act.[2] However, the law contains several unique differences and drew significant pieces from recently enacted consumer data privacy laws in Colorado and Connecticut, which generally include “stronger” provisions than the more “business-friendly” laws passed in states like Utah and Iowa.

Some of the more notable provisions of the bill are described below:

More Scope Than You Can Shake a Stick At!

  • The TDPSA applies much more broadly than any other pending or effective state consumer data privacy act, pulling in individuals as well as businesses regardless of their revenues or the number of individuals whose personal data is processed or sold.
  • The TDPSA applies to any individual or business that meets all of the following criteria:
    • conduct business in Texas (or produce goods or services consumed in Texas); and
    • process or sell personal data:
      • The “processing or sale of personal data” further expands the applicability of the TDPSA to include individuals and businesses that engage in any operations involving personal data, such as the “collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
      • In short, collecting, storing or otherwise handling the personal data of any resident of Texas, or transferring that data for any consideration, will likely meet this standard.
  • Uniquely, the carveout for “small businesses” excludes from coverage those entities that meet the definition of “a small business as defined by the United States Small Business Administration.”[3]
  • The law requires all businesses, including small businesses, to obtain opt-in consent before processing sensitive personal data.
  • Similar to other state comprehensive privacy laws, TDPSA excludes state agencies or political subdivisions of Texas, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education. But, TDPSA uniquely excludes electric utilities, power generation companies, and retail electric providers, as defined under Section 31.002 of the Texas Utilities Code.
  • Certain categories of information are also excluded, including health information protected by HIPAA or used in connection with human clinical trials, and information covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act of 1974, the Farm Credit Act of 1971, emergency contact information used for emergency contact purposes, and data necessary to administer benefits.

Don’t Mess with Texas Consumers

Texas’s longstanding libertarian roots are evidenced in the TDPSA’s strong menu of individual consumer privacy rights, including the right to:

  • Confirm whether a controller is processing the consumer’s personal data and access that data;
  • Correct inaccuracies in the consumer’s personal data, considering the nature of the data and the purposes of the processing;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a copy of the consumer’s personal data that the consumer previously provided to a controller in a portable and readily usable format, if the data is available digitally and it is technically feasible; and
  • Opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces legal or similarly significant legal effects concerning the consumer.

Data controllers are required to respond to consumer requests within 45 days, which may be extended by 45 days when reasonably necessary. The bill would also give consumers a right to appeal a controller’s refusal to respond to a request.

Controller Hospitality

The Texas bill imposes a number of obligations on data controllers, most of which are similar to other state consumer data privacy laws:

  • Data Minimization – Controllers should limit data collection to what is “adequate, relevant, and reasonably necessary” to achieve the purposes of collection that have been disclosed to a consumer. Consent is required before processing information in ways that are not reasonably necessary or not compatible with the purposes disclosed to a consumer.
  • Nondiscrimination – Controllers may not discriminate against a consumer for exercising individual rights under the TDPSA, including by denying goods or services, charging different rates, or providing different levels of quality.
  • Sensitive Data – Consent is required before processing sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, citizenship or immigration status, genetic or biometric data processed for purposes of uniquely identifying an individual; personal data collected from a child known to be under the age of 13, and precise geolocation data.
    • The Senate version of the bill excludes data revealing “sexual orientation” from the categories of sensitive information, which differs from all other state consumer data privacy laws.
  • Privacy Notice – Controllers must post a privacy notice (e.g. website policy) that includes (1) the categories of personal data processed by the controller (including any sensitive data), (2) the purposes for the processing, (3) how consumers may exercise their individual rights under the Act, including the right of appeal, (4) any categories of personal data that the controller shares with third parties and the categories of those third parties, and (5) a description of the methods available to consumers to exercise their rights (e.g., website form or email address).
  • Targeted Advertising – A controller that sells personal data to third parties for purposes of targeted advertising must clearly and conspicuously disclose to consumers their right to opt-out.

Assessing the Privacy of Texans

Unlike some of the “business-friendly” privacy laws in Utah and Iowa, the Texas bill requires controllers to conduct data protection assessments (“Data Privacy Protection Assessments” or “DPPAs”) for certain types of processing that pose heightened risks to consumers. The assessments must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer as mitigated by any safeguards that could reduce those risks. In Texas, the categories that require assessments are identical to those required by Connecticut’s consumer data privacy law and include:

  • Processing personal data for targeted advertising;
  • The sale of personal data;
  • Processing personal data for profiling consumers, if such profiling presents a reasonably foreseeable risk to consumers of unfair or deceptive treatment, disparate impact, financial, physical or reputational injury, physical or other intrusion upon seclusion of private affairs, or “other substantial injury;”
  • Processing of sensitive data; and
  • Any processing activities involving personal data that present a “heightened risk of harm to consumers.”

Opting Out and About

Businesses are required to recognize a universal opt-out mechanism for consumers (or, Global Privacy Control signal), similar to provisions required in Colorado, Connecticut, California, and Montana, but the bill would also allow businesses more leeway to ignore those signals if they cannot verify the consumer’s identity or lack the technical ability to receive them.

Show Me Some Swagger!

The Attorney General has the exclusive right to enforce the law, with violations punishable by civil penalties of up to $7,500 per violation. Businesses have a 30-day right to cure violations upon written notice from the Attorney General. Unlike several other laws, the right to cure has no sunset provision and would remain a permanent part of the law. The law does not include a private right of action.

Next Steps for TDPSA Compliance

For businesses that have already developed a state privacy compliance program, especially those modeled around Colorado and Connecticut, making room for TDPSA will be a streamlined exercise. However, businesses that are starting from ground zero, especially “small businesses” defined in the law, need to get moving.

If TDPSA is your first ride in a state consumer privacy compliance rodeo, some first steps we recommend are:

  1. Update your website privacy policy for facial compliance with the law and make sure that notice is being given at or before the time of collection.
  2. Put procedures in place to respond to consumer privacy requests and ask for consent before processing sensitive information.
  3. Gather necessary information to complete data protection assessments.
  4. Identify vendor contracts that should be updated with mandatory data protection terms.

Footnotes

[1] As of date of publication, there are now 17 states that have passed state consumer data privacy laws (California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Massachusetts, Montana, New Jersey, New Hampshire, Tennessee, Texas, Utah, Virginia) and two (Vermont and Minnesota) that are pending.

[2] See Code of Virginia – Chapter 53. Consumer Data Protection Act

[3] This is notably broader than other state privacy laws, which establish threshold requirements based on revenues or the amount of personal data that a business processes. It will also make it more difficult to know what businesses are covered because SBA definitions vary significantly from one industry vertical to another. As a quick rule of thumb, under the current SBA size standards, a U.S. business with annual average receipts of less than $2.25 million and fewer than 100 employees will likely be small, and therefore exempt from the TDPSA’s primary requirements.


Mid-Year Recap: Think Beyond US State Laws!

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.

On the industry side, there has been activity focused on data brokers, those in the health space, and those that sell motor vehicles. The FTC has focused on the activities of data brokers this year, beginning the year with a settlement with lead-generation company Response Tree. It also settled with X-Mode Social over the company’s collection and use of sensitive information. There have also been ongoing regulation and scrutiny of companies in the health space, including HHS’s new AI transparency rule. Finally, in this area there is a new law in Utah, the Motor Vehicle Data Protection Act, applicable to data systems used by car dealers to house consumer information.

On the activity side, there has been less news, although in this area the “activity” of protecting information (or failing to do so) has continued to receive regulatory focus. This includes the SEC’s new cybersecurity reporting obligations for public companies, as well as minor modifications to Utah’s data breach notification law.

Finally, there have been new laws directed to particular individuals, in particular laws intended to protect children. These include social media laws in Florida and Utah, effective January 1, 2025 and October 1, 2024, respectively. These are similar to attempts to regulate social media’s collection of information from children in Arkansas, California, Ohio and Texas, but, the drafters hope, sufficiently different to survive the challenges currently being faced by those laws. The FTC is also exploring updates to its decades-old Children’s Online Privacy Protection Act.

Putting It Into Practice: As we approach the mid-point of the year, now is a good time to look back at privacy developments over the past six months. There have been many developments in the privacy patchwork, and companies may want to take the time now to ensure that their privacy programs have incorporated and addressed those laws’ obligations.


HHS Publishes Final Rule to Support Reproductive Health Care Privacy

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

The Final Rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires covered entities and business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires covered entities to modify their Notices of Privacy Practices (NPPs) to support reproductive health care privacy.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home,” OCR Director Melanie Fontes Rainer said in a news release. OCR administers the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses (“covered entities”) and business associates to safeguard the privacy of PHI.

Commenters to an earlier notice of proposed rulemaking (“2023 NPRM”) raised concerns that PHI related to reproductive health care would be used and disclosed to expose both patients and providers to investigation and liability under state abortion laws, particularly new and revived laws. This Final Rule is intended to prohibit the disclosure of PHI related to lawful reproductive health care—a change from the current Privacy Rule where an entity is generally permitted, but not required, to disclose relevant and material information in a legitimate law enforcement inquiry.

Key Takeaways

New Category of Protected Health Information. The Final Rule changes the HIPAA Privacy Rule by defining a new category of protected health information and adds a new “prohibited use and disclosure” under the HIPAA Privacy Rule at 45 CFR 164.502—mandating that a covered entity or business associate may not use or disclose PHI:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care”;
  • To impose criminal, civil, or administrative liability on any “person” for the mere act of seeking, obtaining, providing or facilitating “reproductive health care”; and
  • To identify any “person” for any of those above described purposes.

Prohibition. Under the Final Rule, HIPAA-covered entities and business associates who receive requests for protected health information must make a reasonable determination that one or more of the following conditions exists:

  • The reproductive health care is lawful in the state in which such health care is provided under the circumstances in which it is provided (e.g., if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided).
  • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., reproductive health care such as contraception is protected by the Constitution).

Presumption. Such care is presumed lawful unless the HIPAA-covered entity or business associate has

  • actual knowledge that the reproductive care was not lawful under the circumstances it was provided; or
  • factual information supplied by the requester demonstrating a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Attestation Requirement. The Final Rule adds 45 CFR § 164.509(c) to require a covered entity or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation from the requester. However, obtaining the attestation does not relieve a covered entity or business associate from its responsibility to determine whether the reproductive health care that may be the subject of the requested information was lawful. An attestation must contain the following elements:

  • A description of the information requested that identifies the information in a specific fashion, including one of the following:
    • The name(s) of any individual(s) whose protected health information is sought, if practicable;
    • If that name is not practicable, the name(s) or other specific identification of the person(s) or class of person(s) who are requested to make the use or disclosure;
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the requested use or disclosure;
  • A clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR § 164.502(a)(5)(iii) (i.e., identifying any person under the newly added prohibition);
  • A statement that a person may be subject to criminal penalties if they use or disclose the reproductive health information improperly;
  • Must be in plain language and contain the elements set forth in 45 CFR § 164.509(c) (inclusion of other elements not set forth in 45 CFR § 164.509(c) is prohibited); and
  • Must be signed by the person requesting the disclosure (which may take an electronic format).

The Final Rule prohibits the attestation from being “combined with” any other document, yet allows additional supporting information or documentation needed for the request to be submitted with the attestation (for example, a clearly labelled subpoena). While covered entities can develop their own attestation form, to reduce the compliance burden, HHS plans to publish a model attestation form prior to the compliance date.

Notices of Privacy Practices. With the new processes for using and disclosing reproductive health information, covered entities must update their Notices of Privacy Practices (NPPs) required under 45 CFR § 164.520. For purposes of this Final Rule, updates to the NPPs must describe among other things the types and uses of disclosures of PHI that are prohibited under 45 CFR § 164.502(a)(5)(iii). The notice should also contain a description of the uses and disclosures for which an attestation is required under the new 45 CFR § 164.509. Further, the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs determined that this Final Rule meets the criteria in 5 USC § 804(2) for being a major rule because it is projected to have an annualized impact of more than $100,000,000 based on the number of covered entities and business associates that will have to implement these changes.

Practical Implications for HIPAA Covered Entities & Business Associates

Considering the significant changes this Final Rule introduces, there is no time like the present for covered entities and business associates to consider the compliance implications that a new category of PHI will have on existing HIPAA policies and procedures. In addition to developing and/or obtaining new attestation forms, making reasonable determinations of the lawfulness of reproductive health care and updating notices of privacy practices, privacy and security officers will likely need to evaluate the impact these changes will have on the policies that govern data dissemination, and the processes and procedures that may change as well. Covered entities and business associates will also likely want to include these changes into training for employees involved in these activities.

The Final Rule goes into effect on June 25, 2024, with a compliance date of December 23, 2024. The NPP requirements, however, take effect on February 16, 2026—consistent with OCR’s 42 CFR Part 2 Rule of February 16, 2024, so that covered entities regulated under both rules can implement changes to their NPPs at the same time.

HIPAA covered entities and business associates should consider the context and framework of the HIPAA Privacy Rule and these new modifications as they consider third-party requests for any PHI that may include reproductive health information (the current HIPAA Privacy Rule remains in effect until the new rule takes effect). If the new reproductive health prohibition is not applicable, HIPAA covered entities should still consider the fact that HIPAA otherwise permits, but does not require, them to disclose PHI under most of the HIPAA exceptions contained in 45 CFR § 164.512. Therefore, HIPAA affords covered entities the ability to protect the privacy interests of their patients, especially in the current post-Dobbs environment.

Covered entities and business associates now face the challenge of implementing these new requirements and training their workforce members on how to analyze and respond to requests that include reproductive health care information. Questions remain surrounding a covered entity or business associate’s burden of determining that the reproductive health care provided to an individual was in fact lawful. For example, if a complaint follows, does a covered entity have to account for the disclosures that are made? While the Final Rule is gender-neutral, what is the likelihood that it would be applied to men—could it? In any case, we will continue to monitor developments, including questions of how HIPAA and other privacy concerns interact with reproductive health care, in the wake of Dobbs. For more on the subject, please see our past blog on the 2023 proposed rule.

Ann W. Parks contributed to this article.

FTC: Three Enforcement Actions and a Ruling

In today’s digital landscape, the exchange of personal information has become ubiquitous, often without consumers fully comprehending the extent of its implications.

The recent actions undertaken by the Federal Trade Commission (FTC) shine a light on the intricate web of data extraction and mishandling that pervades our online interactions. From the seemingly innocuous permission requests of game apps to the purported protection promises of security software, consumers find themselves at the mercy of data practices that blur the lines between consent and exploitation.

The FTC’s proposed settlements with companies like X-Mode Social (“X-Mode”) and InMarket, two data aggregators, and Avast, a security software company, underscore the need for businesses to appropriately secure and limit the use of consumer data, including previously considered innocuous information such as browsing and location data. In a world where personal information serves as currency, ensuring consumer privacy compliance has never been more critical – or posed such a commercial risk for failing to get it right.

X-Mode and InMarket Settlements: The proposed settlements with X-Mode and InMarket concern numerous allegations based on the mishandling of consumers’ location data. Both companies supposedly collected precise location data through their own mobile apps and those of third parties (through software development kits). X-Mode is alleged to have sold precise location data (advertised as being 70% accurate within 20 meters or less) linked to timestamps and unique persistent identifiers (i.e., names, email addresses, etc.) of its consumers to private government contractors without obtaining proper consent. Plotting this data on a map makes it easy to reveal each person’s movements over time.

InMarket purportedly utilized location data to cross-reference such data with points of interest to sort consumers into particularized audience segments for targeted advertising purposes without adequately informing consumers – examples of audience segments include parents of preschoolers, Christian church attendees, and “wealthy and not healthy,” among other groupings.

Avast Settlement: Avast, a security software company, allegedly sold granular and re-identifiable browsing information of its consumers despite assuring consumers it would protect their privacy. Avast allegedly collected extensive browsing data of its consumers through its antivirus software and browser extensions while assuring its consumers that their browsing data would only be used in aggregated and anonymous form. The data collected by Avast revealed visits to various websites that could be attributed to particular people and allowed for inferences to be drawn about such individuals – examples include academic papers on symptoms of breast cancer, education courses on tax exemptions, government jobs in Fort Meade, Maryland with a salary over $100,000, links to FAFSA applications and directions from one location to another, among others.

Sensitivity of Browsing and Location Data

It is important to note that none of the underlying datasets in question contained traditional types of personally identifiable information (e.g., name, identification numbers, physical descriptions, etc.) (“PII”). Even still, the three proposed settlements by the FTC underscore the sensitive nature of browsing and location data due to the insights such data reveals, such as religious beliefs, health conditions, and financial status, and the ease with which the insights can be linked to certain individuals.

In the digital age, the amount of data available about individuals online and collected by various companies makes the re-identification of individuals easier every day. Even when traditional PII is not included in a data set, by linking sufficient data points, a profile or understanding of an individual can be created. When such profile is then linked to an identifier (such as username, phone number, or email address provided when downloading an app or setting up an account on an app) and cross-referenced with various publicly available data, such as name, email, phone number or content on social media sites, it can allow for deep insights into an individual. Despite the absence of traditional types of PII, such data poses significant privacy risks due to the potential for re-identification and the intimate details about individuals’ lives that it can divulge.

The FTC emphasizes the imperative for companies to recognize and treat browsing and location data as sensitive information and implement appropriate robust safeguards to protect consumer privacy. This is especially true when the data set includes information with the precision of those cited by the FTC in its proposed settlements.

Accountability and Consent

With browsing and location data, there is also a concern that the consumer may not be fully aware of how their data is used. For instance, Avast claimed to protect consumers’ browsing data and then sold that very same browsing information, often without notice to consumers. When Avast did inform customers of their practices, the FTC claims it deceptively stated any sharing would be “anonymous and aggregated.” Similarly, X-Mode claimed it would use location data for ad-personalization and location-based analytics. Consumers were unaware such location data was also sold to government contractors.

The FTC has recognized that a company may need to process an individual’s information to provide them with services or products requested by the individual. The FTC also holds that such processing does not mean the company is then free to collect, access, use, or transfer that information for other purposes (e.g., marketing, profiling, background screening, etc.). Essentially, purpose matters. As the FTC explains, a flashlight app provider cannot collect, use, store, or share a user’s precise geolocation data, and a tax preparation service cannot use a customer’s information to market other products or services.

If companies want to use consumer personal information for purposes other than providing the requested product or services, the FTC states that companies should inform consumers of such uses and obtain consent to do so.

The FTC aims to hold companies accountable for their data-handling practices and ensure that consumers are provided with meaningful consent mechanisms. Companies should handle consumer data only for the purposes for which data was collected and honor their privacy promises to consumers. The proposed settlements emphasize the importance of transparency, accountability, meaningful consent, and the prioritization of consumer privacy in companies’ data handling practices.

Implementing and Maintaining Safeguards

Data, especially specific data that provide insights and inferences about individuals, is extremely valuable to companies, but it is that same data that exposes such individuals’ privacy. Companies that sell or share information sometimes include limitations for the use of the data, but not all contracts have such restrictions or sufficient restrictions to safeguard individuals’ privacy.

For instance, the FTC alleges that some of Avast’s underlying contracts did not prohibit the re-identification of Avast’s users. Where Avast’s underlying contracts prohibited re-identification, the FTC alleges that purchasers of the data were still able to match Avast users’ browsing data with information from other sources if the information was not “personally identifiable.” Avast also failed to audit or confirm that purchasers of data complied with its prohibitions.

The proposed complaint against X-Mode recognized that at least twice, X-Mode sold location data to purchasers who violated restrictions in X-Mode’s contracts by reselling the data they bought from X-Mode to companies further downstream. The X-Mode example shows that even when restrictions are included in contracts, they may not prevent misuse by subsequent downstream parties.

Ongoing Commitment to Privacy Protection

The FTC stresses the importance of obtaining informed consent before collecting or disclosing consumers’ sensitive data, as such data can violate consumer privacy and expose them to various harms, including stigma and discrimination. While privacy notices, consent, and contractual restrictions are important, the FTC emphasizes they need to be backed up by action. Accordingly, the FTC’s proposed orders require companies to design, implement, maintain, and document safeguards to protect the personal information they handle, especially when it is sensitive in nature.

What Does a Company Need To Do?

Given the recent enforcement actions by the FTC, companies should:

  1. Consider the data they collect and whether such data is needed to provide the services and products requested by the consumer and/or a legitimate business need in support of providing such services and products (e.g., billing, ongoing technical support, shipping);
  2. Consider browsing and location data as sensitive personal information;
  3. Accurately inform consumers of the types of personal information collected by the company, its uses, and parties to whom it discloses the personal information;
  4. Collect, store, use, or share consumers’ sensitive personal information (including browser and location data) only with such consumers’ informed consent;
  5. Limit the use of consumers’ personal information solely to the purposes for which it was collected and not market, sell, or monetize consumers’ personal information beyond such purpose;
  6. Design, implement, maintain, document, and adhere to safeguards that actually maintain consumers’ privacy; and
  7. Audit and inspect service providers and third-party companies downstream with whom consumers’ data is shared to confirm they are (a) adhering to and complying with contractual restrictions and (b) implementing appropriate safeguards to protect such consumer data.

Eleventh Circuit Affirms Dismissal of FCRA Claims Since Alleged Inaccurate Information Was Not Objectively and Readily Verifiable

In Holden v. Holiday Inn Club Vacations Inc., No. 22-11014, No. 22-11734, 2024 WL 1759143 (11th Cir. 2024), which was a consolidated appeal, the United States Court of Appeals for the Eleventh Circuit (“Eleventh Circuit” or “Court”) held that the purchasers of a timeshare did not have actionable FCRA claims since the alleged inaccurate information reported to one of the consumer reporting agencies (“CRAs”) was not objectively and readily verifiable. In doing so, the Eleventh Circuit affirmed two decisions issued by the United States District Court for the Middle District of Florida (“District Court”) granting summary judgment in favor of the timeshare company in the respective cases.

Summary of Facts and Background

Two consumers, Mark Mayer (“Mayer”) and Tanethia Holden (“Holden”), entered into two separate purchase agreements with Holiday Inn Club Vacations Incorporated (“Holiday”) to acquire timeshare interests in Cape Canaveral and Las Vegas, respectively. Holiday is a timeshare company that allows customers to purchase one or more of its vacation properties in weekly increments that can be used annually during the designated period. As part of the transaction, Holiday’s customers typically elect to finance their timeshare purchases through Holiday, which results in the execution of a promissory note and mortgage.

  1. Mayer’s Purchase, Default, and Dispute

On September 15, 2014, Mayer entered into his purchase agreement with Holiday, which contained a title and closing provision stating the transaction would not close until Mayer made the first three monthly payments, and Holiday recorded a deed in Mayer’s name. The purchase agreement also included a purchaser’s default provision stating that upon Mayer’s default or breach of any of the terms or conditions of the agreement, all sums paid by Mayer would be retained by Holiday as liquidated damages and the parties to the purchase agreement would be relieved from all obligations thereunder. Further, the purchase agreement provided that any payments made under a related promissory note prior to the closing would be subject to the purchaser’s default provision. On the same day, Mayer executed a promissory note to finance his timeshare purchase, which was for a term of 120 months. On July 13, 2015, Holiday recorded a deed in Mayer’s name, and he proceeded to tender timely monthly payments until May 2017. As a result of Mayer’s failure to tender subsequent payments, Holiday reported Mayer’s delinquency to the CRA.

Approximately two years later, Mayer obtained a copy of his credit report and discovered Holiday had reported a past-due balance. Thereafter, Mayer sent multiple letters to the CRA disputing the debt, as he believed the purchase agreement was terminated under the purchaser’s default provision. Each dispute was communicated to Holiday, who in turn certified that the information was accurately reported. Mayer sued Holiday for an alleged violation of 15 U.S.C. § 1681s-2(b) of the FCRA based on the furnishing of inaccurate information and failure to “fully and properly re-investigate” the disputes. Holiday eventually moved for partial summary judgment, which the District Court granted. The District Court reasoned that the underlying issue of whether the default provision excused Mayer’s obligation to keep paying was a legal dispute rather than a factual inaccuracy and, in turn, made Mayer’s claim not actionable under the FCRA. Mayer timely appealed to the Eleventh Circuit.

  2. Holden’s Purchase, Default, and Dispute

On June 25, 2016, Holden entered into her purchase agreement with Holiday, which contained a nearly identical title and closing provision to that of Mayer’s purchase agreement. Additionally, Holden’s purchase agreement incorporated a similar purchaser’s default provision. Similarly, Holden executed a promissory note to finance her timeshare purchase, which was for a term of 120 months, and entered into a mortgage to secure the payments under the note. After making her third payment, Holden defaulted and hired an attorney to cancel the purchase agreement pursuant to the closing and title provision and purchaser’s default provision. However, Holiday disputed the purchase agreement was canceled and, on June 19, 2017, recorded a timeshare deed in Holden’s name. More importantly, Holiday reported Holden’s delinquent debt to the CRA.

In response, Holden’s attorney sent three dispute letters to Holiday, which resulted in Holiday investigating the dispute and determining the reporting was accurate since Holden was still obligated under the note. Eventually, Holden sued Holiday for various violations of Florida State law and the FCRA. Holden claimed Holiday reported inaccurate information to the CRA, failed to conduct an appropriate investigation, and failed to correct the inaccuracies. The parties filed competing motions for partial summary judgment, which ended with the District Court granting Holiday’s motion and denying Holden’s motion. Specifically, the District Court held that Holden’s FCRA claim failed because contract disputes regarding whether Holden still owed the underlying debt are legal disputes and not factual inaccuracies. Holden timely appealed to the Eleventh Circuit.

The Fair Credit Reporting Act

As the Eleventh Circuit reiterated in Holden, when a furnisher is notified of a consumer’s dispute, the furnisher must undertake the following three actions: (1) conduct an investigation surrounding the disputed information; (2) review all relevant information provided by the CRA; and (3) report the results of the investigation to the CRA. When a furnisher determines an item of information disputed by a consumer is incomplete, inaccurate, or cannot be verified, the furnisher is required to modify, delete, or permanently block reporting of the disputed information. See 15 U.S.C. § 1681s-2(b)(1)(E). Additionally, any disputed information that a furnisher determines is inaccurate or incomplete must be reported to all other CRAs. See 15 U.S.C. § 1681s-2(b)(1)(D). Despite the foregoing, consumers have no private right of action against furnishers merely for reporting inaccurate information to the CRAs. The only private right of action a consumer may assert against a furnisher is for a violation of 15 U.S.C. § 1681s-2(b) for failure to conduct a reasonable investigation upon receiving notice of a dispute from a CRA. See 15 U.S.C. § 1681s-2(c)(1).

To successfully prove an FCRA claim, the consumer must demonstrate the following: (1) the consumer identified inaccurate or incomplete information that the furnisher provided to the CRA; and (2) the ensuing investigation was unreasonable based on some facts the furnisher could have uncovered that establish the reported information was inaccurate or incomplete.

The Eleventh Circuit’s Decision

In affirming the District Court’s decisions granting summary judgment and dismissing the FCRA claims, the Eleventh Circuit clarified that whether the alleged inaccuracy was factual or legal was “beside the point. Instead, what matters is whether the alleged inaccuracy was objectively and readily verifiable.” Specifically, the Eleventh Circuit cited to Erickson v. First Advantage Background Servs. Corp., 981 F.3d 1246, 1251-52 (11th Cir. 2020), which defined “accuracy” as “freedom from mistake or error.” The Eleventh Circuit continued by reiterating that “when evaluating whether a report is accurate under the [FCRA], we look to the objectively reasonable interpretations of the report.” As such, “a report must be factually incorrect, objectively likely to mislead its intended user, or both to violate the maximal accuracy standards of the [FCRA].”

Based on this standard, the Eleventh Circuit held that the alleged inaccurate information on which Mayer and Holden based their FCRA claims was not objectively and readily verifiable since the information stemmed from contractual disputes without simple answers. As such, the Eleventh Circuit found that Holiday took appropriate action upon receiving Mayer and Holden’s disputes by assessing the issues and determining whether the respective debts were due and/or collectible, which thereby satisfied its obligation under the FCRA. While Mayer and Holden argued to the contrary, the Eleventh Circuit held that the resolutions of these contract disputes were not straightforward applications of the law to facts. In support of its decision, the Eleventh Circuit cited to the fact that Florida State courts have reviewed similar timeshare purchase agreements and reached conflicting conclusions about whether the default provisions excused a consumer’s obligation to pay the underlying debt.

Conclusion

Holden is a limited victory for furnishers, as the Eleventh Circuit declined to impose a bright-line rule that only purely factual or transcription errors are actionable under the FCRA and held a court must determine whether the alleged inaccurate information is “objectively and readily verifiable.” Accordingly, there are situations when furnishers are required by the FCRA to accurately report information derived from the readily verifiable and straightforward application of the law to facts. One example of such a situation is misreporting the clear effect of a bankruptcy discharge order on certain types of debt. Thus, furnishers should revisit their investigation and verification procedures so they do not run afoul of the FCRA. Furnishers should also continue to monitor for developing case law as other circuit courts confront these issues.

A New Day for “Natural” Claims?

On May 2, the Second Circuit upheld summary judgment in favor of KIND in a nine-year-old lawsuit challenging “All Natural” claims. In Re KIND LLC, No. 22-2684-cv (2d Cir. May 2, 2024). Although only time will tell, this Circuit decision, in favor of the defense, may finally change plaintiffs’ appetite for “natural” cases.

Over the many years of litigation, the lawsuit consolidated several class action filings from New York, Florida, and California into a single, multi-district litigation with several different lead plaintiffs. All plaintiffs alleged that “All Natural” claims for 39 KIND granola bars and other snacks were deceptive. Id. at 3. Plaintiffs had alleged that the following ingredients rendered the KIND bars not natural: soy lecithin, soy protein isolate, citrus pectin, glucose syrup/“non-GMO” glucose, vegetable glycerine, palm kernel oil, canola oil, ascorbic acid, vitamin A acetate, d-alpha tocopheryl acetate/vitamin E, and annatto.

The Second Circuit found that, in such cases, the relevant state laws followed a “reasonable consumer standard” of deception. Id. at 10. Further, according to the Second Circuit, the “Ninth Circuit has helpfully explained” that the reasonable consumer standard requires “‘more than a mere possibility that the label might conceivably be misunderstood by some few consumers viewing it in an unreasonable manner.’” Id. (quoting McGinity v. Procter & Gamble Co., 69 F.4th 1093, 1097 (9th Cir. 2023)). Rather, there must be “‘a probability that a significant portion of the general consuming public or of targeted consumers, acting reasonably in the circumstances, could be misled.’” Id. To defeat summary judgment, the plaintiffs would need to present admissible evidence showing how “All Natural” tends to mislead under this standard.

The Second Circuit agreed with the lower court that plaintiffs’ deposition testimony failed to provide such evidence where it failed to “establish an objective definition” representing reasonable consumer understanding of “All Natural.” Id. at 28. While one plaintiff believed the claim meant “not synthetic,” another thought it meant “made from whole grains, nuts, and fruit,” while yet another believed it meant “literally plucked from the ground.” Id. The court observed that plaintiffs “fail[ed] to explain how a trier of fact could apply these shifting definitions.” Id. The court next rejected as useful evidence a dictionary definition of “natural,” which stated, “existing or caused by nature; not made or caused by humankind.” Id. at 29. The court reasoned that the dictionary definition was “not useful when applied to a mass-produced snack bar wrapped in plastic” – something “clearly made by humans.” Id.

The court, finally, upheld the lower court’s decision to exclude two other pieces of evidence the plaintiffs offered. First, the Second Circuit agreed that a consumer survey was subject to exclusion where leading questions biased the results. Id. at 21-22. The Second Circuit also agreed that an expert report by a chemist lacked relevance where it assessed “typical” sourcing of ingredients, not necessarily how KIND’s ingredients were manufactured or sourced. Id. at 22-24.

© 2024 Keller and Heckman LLP
by: Food and Drug Law at Keller and Heckman of Keller and Heckman LLP


Bidding Farewell, For Now: Google’s Ad Auction Class Certification Victory

A federal judge in the Northern District of California delivered a blow to a potential class action lawsuit against Google over its ad auction practices. The lawsuit, which allegedly involved tens of millions of Google account holders, claimed Google’s practices in its real-time bidding (RTB) auctions violated users’ privacy rights. But U.S. District Judge Yvonne Gonzalez Rogers declined to certify the class of consumers, pointing to deficiencies in the plaintiffs’ proposed class definition.

According to plaintiffs, Google’s RTB auctions share highly specific personal information about individuals with auction participants, including device identifiers, location data, IP addresses, and unique demographic and biometric data, including age and gender. This, the plaintiffs argued, directly contradicted Google’s promises to protect users’ data. The plaintiffs therefore proposed a class definition that included all Google account holders subject to the company’s U.S. terms of service whose personal information was allegedly sold or shared by Google in its ad auctions after June 28, 2016.

But Google challenged this definition on the basis that it “embed[ded] the concept of personal information” and therefore subsumed a dispositive issue on the merits, i.e., whether Google actually shared account holders’ personal information. Google argued that the definition amounted to a fail-safe class since it would include even uninjured members. The Court agreed. As noted by Judge Gonzalez Rogers, Plaintiffs’ broad class definition included a significant number of potentially uninjured class members, thus warranting the denial of their certification motion.

Google further argued that merely striking the reference to “personal information,” as proposed by plaintiffs, would not fix this problem. While the Court acknowledged this point, it concluded that it did not yet have enough information to make that determination. Because the Court denied plaintiffs’ certification motion with leave to amend, it encouraged the parties to address these concerns in any subsequent rounds of briefing.

In addition, Judge Gonzalez Rogers noted that plaintiffs would need to demonstrate that the RTB data produced in the matter thus far was representative of the class as a whole. While the Court agreed with plaintiffs’ argument and supporting evidence that Google “share[d] so much information about named plaintiffs that its RTB data constitute[d] ‘personal information,’” Judge Gonzalez Rogers was not persuaded by their assertion that the collected RTB data would necessarily also provide common evidence for the rest of the class. The Court thus determined that plaintiffs needed to affirmatively demonstrate through additional evidence that the RTB data was representative of all putative class members, and noted for Google that it could not refuse to provide such and assert that plaintiffs had not met their burden as a result.

This decision underscores the growing complexity of litigating privacy issues in the digital age, and previews new challenges plaintiffs may face in demonstrating commonality and typicality among a proposed class in privacy litigation. The decision is also instructive for modern companies that amass various kinds of data insofar as it demonstrates that seemingly harmless pieces of that data may, in the aggregate, still be traceable to specific persons and thus qualify as personally identifying information mandating compliance with the patchwork of privacy laws throughout the U.S.

U.S. EPA Finalizes Designation of Two PFAS Chemicals as Hazardous Substances Under CERCLA

On April 19, the U.S. Environmental Protection Agency (EPA) released its long-awaited final rule designating perfluorooctanoic acid (PFOA) and perfluorooctanesulfonic acid (PFOS), including their salts and structural isomers, as “hazardous substances” under Section 102(a) of the Comprehensive Environmental Response, Compensation, and Liability Act (“CERCLA” or “Superfund”) (the “Final Rule”). The designation, which takes effect 60 days after the final rule is published in the Federal Register, will provide expanded investigation and remediation authority to EPA, will provide a powerful tool for private actions under CERCLA, and will trigger additional release reporting requirements. It will also expand enforcement authority in states that regulate CERCLA-designated hazardous substances.

Hazardous Substance Designation of PFOA and PFOS Has Broad Implications for Cleanups and CERCLA Liability

PFOA and PFOS are two specific chemical compounds within a broad group of thousands of manmade chemicals known as per- and polyfluoroalkyl substances (PFAS). EPA focused its regulatory efforts on these two PFAS; however, the vast majority of PFAS remain unregulated under CERCLA even after issuance of the Final Rule.

Designating PFOA and PFOS as hazardous substances triggers numerous requirements. The primary impact of the Final Rule is that it incorporates PFOS and PFOA into CERCLA’s strict, joint and several liability framework. This change grants EPA the power to investigate releases of PFOA and PFOS and compel potentially responsible parties (PRPs), including owners and operators of a property or facility, to remediate releases of PFOA and PFOS through the specific CERCLA enforcement provisions. PRPs also now have a clear private right of action under CERCLA to pursue cost recovery and contribution actions. Additionally, when the Final Rule becomes effective, facilities will be required to immediately report releases of PFOA and PFOS above their designated “reportable quantities,” (currently one pound within a 24-hour period), to the National Response Center and relevant state or tribal authorities.

Furthermore, many states include CERCLA hazardous substances under their cleanup statutes, meaning these states will now be able to require remediation of PFOA and PFOS under state law.

Listing PFOA and PFOS as “hazardous substances” under CERCLA does not make PFOA or PFOS contaminated waste a “hazardous waste” or a “hazardous constituent” under the Resource Conservation and Recovery Act. However, this designation does require the U.S. Department of Transportation to designate PFOA and PFOS as “hazardous materials” for purposes of transport under the Hazardous Materials Regulations.

While the PFOA and PFOS CERCLA Listing is Final, Questions Remain

As noted in our prior article on the proposed rule, EPA’s designation of PFOA and PFOS as “hazardous substances” leaves several questions unanswered.

  • How will EPA’s CERCLA enforcement discretion policy really play out in practice? 

    Concurrently with the publication of the Final Rule, EPA also released a PFAS Enforcement Discretion and Settlement Policy under CERCLA. This enforcement policy captures EPA’s current position that it does not intend to pursue PRPs under circumstances where “equitable factors” do not support doing so. Enumerated circumstances in the policy include so-called “passive receivers” of PFAS, including community water systems and publicly-owned treatment works, publicly-owned municipal solid waste landfills, publicly-owned airports and local fire departments, and farms where PFAS-containing biosolids are applied to the land. However, EPA’s enforcement policy—which is not binding upon the agency and is subject to change at any time—should be viewed with a healthy dose of skepticism among regulated industries, considering the sheer breadth of potential CERCLA liability for these substances, as well as continued Congressional proposals to codify exemptions for passive receivers within the CERCLA statute itself. Notably, the agency’s enforcement position does not in any way prevent private parties from initiating cost recovery or contribution actions under CERCLA.

  • How will regulated industries manage the costs of PFOA and PFOS cleanup?

    PFAS contamination can be wide-ranging due to several factors unique to the chemicals themselves. Further, unlike remediation technologies for other well-studied contaminants, existing remediation technologies for PFOA and PFOS are nascent at best and are expensive at a large scale. It is therefore often difficult to even estimate accurate cost ranges for PFOA and PFOS cleanups, but costs can easily run into the millions of dollars at complex sites. Although EPA has published interim guidance on PFOA and PFOS disposal methods, and the recently passed Infrastructure Investment and Jobs Act provides $3.5 billion over five years for Superfund cleanups, the methods and money may not go as far as planned if cleanup costs for PFOA and PFOS sites end up exponentially higher.

  • How will EPA handle potential PFOA and PFOS contamination at closed Superfund sites?

    In response to comments seeking clarification on whether designating PFOA and PFOS will lead to the reopening of closed Superfund sites, EPA stated that the final rule “has no impact” on EPA’s authority to list PFOA and PFOS sites as Superfund sites. EPA’s question-and-answers page—which we note is not a binding statement from the agency—also states that “[d]esignation will not change EPA’s process for listing and/or deleting [National Priorities List (NPL)] sites or evaluating remedies’ protectiveness through five-year reviews, and it will not require PFOA and PFOS sampling at NPL (final or deleted) sites.” While the final rule does not require PFOA and PFOS sampling at closed sites, it does not prevent EPA from ordering sampling at these sites. PRPs who may have long ago stopped budgeting for remedial costs at existing or legacy locations that were remediated years and even decades ago, may find that they are required to revisit these sites where PFOA and PFOS may be present.

  • What cleanup standards will govern PFOA and PFOS remediation?

    There is a current patchwork of state regulatory standards relating to PFAS, ranging from binding cleanup levels, advisory guidance, or no PFAS standards at all, which may lead to similarly patchwork cleanup standards depending on which standards are applied as an appropriate “applicable or relevant and appropriate requirement” (ARAR) at a specific site. In addition, on April 10, 2024, EPA issued a final rule setting Maximum Contaminant Levels (MCL) for PFOA and PFOS in drinking water at 4.0 parts per trillion (ppt), individually. While these drinking water standards are separate from EPA’s final rule listing PFOA and PFOS as “hazardous substances” under CERCLA, the “hazardous substances” rule notes that the MCL may be an appropriate ARAR for cleanup efforts under CERCLA.

  • What other PFAS will EPA next target under CERCLA?

    As noted above, PFOA and PFOS are two specific PFAS among thousands of others currently and historically used. Much of the science on the potential health effects of PFAS (both individual chemical compounds and as a class) continues to evolve. In the meantime, EPA has moved to regulate additional types of PFAS under other statutes. For example, as we noted in a previous client alert, EPA recently published a proposed rule listing seven other PFAS compounds as hazardous constituents under RCRA. Some or all of these PFAS may eventually be targets of future CERCLA rulemaking efforts.

Next Steps

The Final Rule will take effect 60 days after it is published in the Federal Register. Affected parties should consider their portfolio of planned, active, and in some cases, closed remediation sites for potential implications, and companies may consider reviewing and updating their hazardous substance reporting and transportation protocols to address PFOA and PFOS as applicable.

EPA Designates Two PFAS as Hazardous Substances

On April 19, 2024, the U.S. Environmental Protection Agency (EPA) announced that it was designating two common per- and polyfluoroalkyl substances (PFAS) as hazardous substances under the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA), commonly known as Superfund. As expected, EPA is issuing a final rule to designate perfluorooctanoic acid (PFOA) and perfluorooctanesulfonic acid (PFOS) as hazardous substances. The pre-publication version of the rule is available here.

Once the rule is effective, entities will be required to report releases of PFOA and PFOS into the environment that meet or exceed the reportable quantity. Reporting past releases is not required if the releases have ceased as of the effective date of the rule. EPA will have the authority to order potentially responsible parties to test, remediate, or pay for the cleanup of sites contaminated with PFOA or PFOS under CERCLA.

Massachusetts established reportable concentrations for six PFAS, including PFOA and PFOS, in 2019. The Massachusetts regulations also contain cleanup standards for PFAS contamination in soil and groundwater.

Under Maine law, these substances also are automatically deemed a Maine hazardous substance regulated under the Maine Uncontrolled Hazardous Substance Sites Law. Maine’s PFAS screening levels are available here.

Solid waste facility operators had expressed serious concerns about the prospect of PFOA and PFOS being listed as hazardous substances under CERCLA and have advocated for a narrow exemption. Landfills can be recipients of PFAS-containing waste without knowing it. Similarly, wastewater treatment plant operators feared liability and increased costs if the rule designating PFOA and PFOS as hazardous substances became final.

EPA’s announcement of the final rule came with a CERCLA enforcement discretion policy [PFAS Enforcement Discretion and Settlement Policy Under CERCLA] that makes clear that EPA will focus enforcement on parties that significantly contributed to the release of PFAS into the environment.

The policy states that the EPA does not intend to pursue certain publicly‑owned facilities such as solid waste landfills, wastewater treatment plants, airports, and local fire departments, as well as farms where biosolids are applied to the land. Firefighting foam (aqueous film-forming foam, or AFFF) is known to contain PFAS, and runoff from the use of AFFF has been known to migrate into soil and groundwater.