Understanding the Enhanced Regulation S-P Requirements

On May 16, 2024, the Securities and Exchange Commission adopted amendments to Regulation S-P, the regulation that governs the treatment of nonpublic personal information about consumers by certain financial institutions. The amendments apply to broker-dealers, investment companies, and registered investment advisers (collectively, “covered institutions”) and are designed to modernize and enhance the protection of consumer financial information. Regulation S-P continues to require covered institutions to implement written policies and procedures to safeguard customer records and information (the “safeguards rule”), properly dispose of consumer information to protect against unauthorized use (the “disposal rule”), and implement a privacy policy notice containing an opt-out option. Registered investment advisers with over $1.5 billion in assets under management will have until November 16, 2025 (18 months) to comply; those entities with less will have until May 16, 2026 (24 months) to comply.

Incident Response Program

Covered institutions will have to add an Incident Response Program (the “Program”) to their written policies and procedures if they have not already done so. The Program must be designed to detect, respond to, and recover customer information from unauthorized third parties. The nature and scope of the incident must be documented with further steps taken to prevent additional unauthorized use. Covered institutions will also be responsible for adopting procedures regarding the oversight of third-party service providers that are receiving, maintaining, processing, or accessing their clients’ data. The safeguards rule and disposal rule require that nonpublic personal information received from a third party about their customers be treated the same as if it concerned your own client.

Customer Notification Requirement

The amendments require covered institutions to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The amendments require a covered institution to provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notices must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves. A covered institution is not required to provide the notification if it determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. To the extent a covered institution will have a notification obligation under both the final amendments and a similar state law, a covered institution may be able to provide one notice to satisfy notification obligations under both the final amendments and the state law, provided that the notice includes all information required under both the final amendments and the state law, which may reduce the number of notices an individual receives.

Recordkeeping

Covered institutions will have to make and maintain the following in their books and records:

  • Written policies and procedures required to be adopted and implemented pursuant to the Safeguards Rule, including the incident response program;
  • Written documentation of any detected unauthorized access to or use of customer information, as well as any response to and recovery from such unauthorized access to or use of customer information required by the incident response program;
  • Written documentation of any investigation and determination made regarding whether notification to customers is required, including the basis for any determination made and any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination;
  • Written policies and procedures required as part of service provider oversight;
  • Written documentation of any contract entered into pursuant to the service provider oversight requirements; and
  • Written policies and procedures required to be adopted and implemented for the Disposal Rule.

Registered investment advisers will be required to preserve these records for five years, the first two in an easily accessible place.

FTC: Three Enforcement Actions and a Ruling

In today’s digital landscape, the exchange of personal information has become ubiquitous, often without consumers fully comprehending the extent of its implications.

The recent actions undertaken by the Federal Trade Commission (FTC) shine a light on the intricate web of data extraction and mishandling that pervades our online interactions. From the seemingly innocuous permission requests of game apps to the purported protection promises of security software, consumers find themselves at the mercy of data practices that blur the lines between consent and exploitation.

The FTC’s proposed settlements with companies like X-Mode Social (“X Mode”) and InMarket, two data aggregators, and Avast, a security software company, underscore the need for businesses to appropriately secure and limit the use of consumer data, including previously considered innocuous information such as browsing and location data. In a world where personal information serves as currency, ensuring consumer privacy compliance has never been more critical – or posed such a commercial risk for failing to get it right.

X-Mode and InMarket Settlements: The proposed settlements with X-Mode and InMarket concern numerous allegations based on the mishandling of consumers’ location data. Both companies supposedly collected precise location data through their own mobile apps and those of third parties (through software development kits). X-Mode is alleged to have sold precise location data (advertised as being 70% accurate within 20 meters or less) linked to timestamps and unique persistent identifiers (i.e., names, email addresses, etc.) of its consumers to private government contractors without obtaining proper consent. Plotting this data on a map makes it easy to reveal each person’s movements over time.

InMarket purportedly utilized location data to cross-reference such data with points of interest to sort consumers into particularized audience segments for targeted advertising purposes without adequately informing consumers – examples of audience segments include parents of preschoolers, Christian church attendees, and “wealthy and not healthy,” among other groupings.

Avast Settlement: Avast, a security software company, allegedly sold granular and re-identifiable browsing information of its consumers despite assuring consumers it would protect their privacy. Avast allegedly collected extensive browsing data of its consumers through its antivirus software and browser extensions while assuring its consumers that their browsing data would only be used in aggregated and anonymous form. The data collected by Avast revealed visits to various websites that could be attributed to particular people and allowed for inferences to be drawn about such individuals – examples include academic papers on symptoms of breast cancer, education courses on tax exemptions, government jobs in Fort Meade, Maryland with a salary over $100,000, links to FAFSA applications and directions from one location to another, among others.

Sensitivity of Browsing and Location Data

It is important to note that none of the underlying datasets in question contained traditional types of personally identifiable information (e.g., name, identification numbers, physical descriptions, etc.) (“PII”). Even still, the three proposed settlements by the FTC underscore the sensitive nature of browsing and location data due to the insights such data reveals, such as religious beliefs, health conditions, and financial status, and the ease with which the insights can be linked to certain individuals.

In the digital age, the amount of data available about individuals online and collected by various companies makes the re-identification of individuals easier every day. Even when traditional PII is not included in a data set, by linking sufficient data points, a profile or understanding of an individual can be created. When such a profile is then linked to an identifier (such as username, phone number, or email address provided when downloading an app or setting up an account on an app) and cross-referenced with various publicly available data, such as name, email, phone number or content on social media sites, it can allow for deep insights into an individual. Despite the absence of traditional types of PII, such data poses significant privacy risks due to the potential for re-identification and the intimate details about individuals’ lives that it can divulge.

The FTC emphasizes the imperative for companies to recognize and treat browsing and location data as sensitive information and implement appropriate robust safeguards to protect consumer privacy. This is especially true when the data set includes information with the precision of those cited by the FTC in its proposed settlements.

Accountability and Consent

With browsing and location data, there is also a concern that the consumer may not be fully aware of how their data is used. For instance, Avast claimed to protect consumers’ browsing data and then sold that very same browsing information, often without notice to consumers. When Avast did inform customers of their practices, the FTC claims it deceptively stated any sharing would be “anonymous and aggregated.” Similarly, X-Mode claimed it would use location data for ad-personalization and location-based analytics. Consumers were unaware such location data was also sold to government contractors.

The FTC has recognized that a company may need to process an individual’s information to provide them with services or products requested by the individual. The FTC also holds that such processing does not mean the company is then free to collect, access, use, or transfer that information for other purposes (e.g., marketing, profiling, background screening, etc.). Essentially, purpose matters. As the FTC explains, a flashlight app provider cannot collect, use, store, or share a user’s precise geolocation data, or a tax preparation service cannot use a customer’s information to market other products or services.

If companies want to use consumer personal information for purposes other than providing the requested product or services, the FTC states that companies should inform consumers of such uses and obtain consent to do so.

The FTC aims to hold companies accountable for their data-handling practices and ensure that consumers are provided with meaningful consent mechanisms. Companies should handle consumer data only for the purposes for which data was collected and honor their privacy promises to consumers. The proposed settlements emphasize the importance of transparency, accountability, meaningful consent, and the prioritization of consumer privacy in companies’ data handling practices.

Implementing and Maintaining Safeguards

Data, especially specific data that provide insights and inferences about individuals, is extremely valuable to companies, but it is that same data that exposes such individuals’ privacy. Companies that sell or share information sometimes include limitations for the use of the data, but not all contracts have such restrictions or sufficient restrictions to safeguard individuals’ privacy.

For instance, the FTC alleges that some of Avast’s underlying contracts did not prohibit the re-identification of Avast’s users. Where Avast’s underlying contracts prohibited re-identification, the FTC alleges that purchasers of the data were still able to match Avast users’ browsing data with information from other sources if the information was not “personally identifiable.” Avast also failed to audit or confirm that purchasers of data complied with its prohibitions.

The proposed complaint against X-Mode recognized that at least twice, X-Mode sold location data to purchasers who violated restrictions in X-Mode’s contracts by reselling the data they bought from X-Mode to companies further downstream. The X-Mode example shows that even when restrictions are included in contracts, they may not prevent misuse by subsequent downstream parties.

Ongoing Commitment to Privacy Protection

The FTC stresses the importance of obtaining informed consent before collecting or disclosing consumers’ sensitive data, as such data can violate consumer privacy and expose them to various harms, including stigma and discrimination. While privacy notices, consent, and contractual restrictions are important, the FTC emphasizes they need to be backed up by action. Accordingly, the FTC’s proposed orders require companies to design, implement, maintain, and document safeguards to protect the personal information they handle, especially when it is sensitive in nature.

What Does a Company Need To Do?

Given the recent enforcement actions by the FTC, companies should:

  1. Consider the data they collect and whether such data is needed to provide the services and products requested by the consumer and/or a legitimate business need in support of providing such services and products (e.g., billing, ongoing technical support, shipping);
  2. Consider browsing and location data as sensitive personal information;
  3. Accurately inform consumers of the types of personal information collected by the company, its uses, and parties to whom it discloses the personal information;
  4. Collect, store, use, or share consumers’ sensitive personal information (including browser and location data) only with such consumers’ informed consent;
  5. Limit the use of consumers’ personal information solely to the purposes for which it was collected and not market, sell, or monetize consumers’ personal information beyond such purpose;
  6. Design, implement, maintain, document, and adhere to safeguards that actually maintain consumers’ privacy; and
  7. Audit and inspect service providers and third-party companies downstream with whom consumers’ data is shared to confirm they are (a) adhering to and complying with contractual restrictions and (b) implementing appropriate safeguards to protect such consumer data.

US Banking Agencies Issue Statement on Alternative Data in Credit Underwriting

On December 3, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Consumer Financial Protection Bureau (CFPB) and the National Credit Union Administration (the Banking Agencies) released interagency guidance related to the use of alternative data for purposes of underwriting credit (the Guidance).

The Guidance acknowledges that alternative data may “improve the speed and accuracy of credit decisions,” especially in cases where consumer credit applicants have “thin files” because they are generally outside the mainstream credit system. In order to comply with applicable federal laws and regulations when using such alternative data, including those related to unfair, deceptive, or abusive acts or practices, the Banking Agencies advise that lenders should responsibly use such information. Furthermore, the Guidance reminds lenders of the importance of an appropriate compliance management program that comports with the requirements of applicable consumer protection laws and regulations.

As a final recommendation, the Banking Agencies suggest that lenders consult with appropriate regulators when planning to use alternative data to underwrite credit.

The Guidance is available here.


©2019 Katten Muchin Rosenman LLP

Internet of Things: The Global Regulatory Ecosystem and the Most Promising Smart Environments Part II

Regulatory Ecosystem

Hyperconnectivity is a real phenomenon and it is changing the concerns of society because of the kinds of interactions that can be brought about by IoT devices, which could be: i) People to people; ii) People to things (objects, machines); iii) Things/machines to things/machines.

It gives rise to different issues for people. According to a European Survey, 72% of EU Internet users worry that too much of their personal data is being shared online and that they have little control over what happens to this information[1]. It gives rise to inevitable ethical issues and its relationship with the techno environment.

The discussion on ethics that follows aims to provide a quick tour of the general ethical principles and theories that are available as they may apply to IoT[2]. Law and ethics are overlapping, but ethics goes beyond law. Thus, a comparison of law and ethics is made and their differences are pointed out in the great work of Spyros G Tzafestas, who wrote Ethics and Law in the Internet of Things World. In this article, he considers that the risks and harms in a digital world are very high and complex, especially explaining those tech terms and their impact in our private life. Thus, it is of primary importance to review IoT and understand the limitations of protective legal, regulatory and ethical frameworks, in order to provide sound recommendations for maximizing good and minimizing harm[3].

Major data security concerns have also been raised with respect to ‘cloud’-supported IoT. Cloud computing (‘the cloud’) essentially consists of the concentration of resources, e.g. hardware and software, into a few physical locations by a cloud service provider (e.g. Amazon Web Service)[4]. We are living in a data-sharing storm and the economic impact of IoT’s cyber risks is increasing with the integration of digital infrastructure in the digital economy[5]. We are surrounded by devices which contain our data, for instance:

  • Wearable health technologies: wearable devices that continuously monitor the health status of a patient or gather real-world information about the patient such as heart rate, blood pressure, fever;
  • Wearable textile technologies: clothes that can change their color on demand or based on the biological condition of the wearer or according to the wearer’s emotions;
  • Wearable consumer electronics: wristbands, headbands, rings, smart glasses, smart watches, etc[6].

As a result of the serious impact IoT may have and because it involves a huge number of connected devices, it creates a new social, political, economic, and ethical landscape. Therefore, for a sustainable development of IoT, political and economic decision-making bodies have to develop proper regulations in order to be able to control the fair use of IoT in society.

In this sense, the most developed regions as regards establishing IoT Regulations and an ethical framework are the European Union and the United States both of which have enacted:

  • Legislation/regulations;
  • Ethics principles, rules and codes;
  • Standards/guidelines;
  • Contractual arrangements;
  • Regulations for the devices connected;
  • Regulations for the networks and their security; and
  • Regulations for the data associated with the devices.

In light of this, the next section will deal with Data Protection Regulations, Consumer Protection Acts, IoT and Cyber Risks Laws, Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment related to the 2020 scenario, which is: 200 billion sensor devices and a market size that, by 2025, will be between $2.7 trillion and $3 trillion a year.

Europe

The Alliance for Internet of Things Innovation (AIOTI) was initiated by the European Commission in order to open a stream of dialogue between European stakeholders within the Internet of Things (IoT) market. The overall goal of this initiative was the creation of a dynamic European IoT ecosystem to unleash the potential of IoT.

In October 2015, the Alliance published 12 reports covering IoT policy and standards issues. It provided detailed recommendations for future collaborations in the Internet of Things Focus Area of the 2016-2017 Horizon 2020 programme[7].

The IoT regulation framework in Europe is a growth sector:

  • EU Directive-2013/40: this Directive deals with “Cybercrime” (i.e., attacks against information systems). It provides definitions of criminal offences and sets proper sanctions for attacks against information systems[8].
  • EU NIS Directive 2016/1148: this Network and Information Security (NIS) Directive concerns “Cybersecurity” issues. Its aim is to provide legal measures to assure a common overall level of cybersecurity (network/information security) in the EU, and an enhanced coordination degree among EU Members[9].
  • EU Directive 2014/53: this Directive “On the harmonization of the laws of the member states relating to the marketing of radio equipment”[10] is concerned with the standardization issue which is important for the joint and harmonized development of technology in the EU.
  • EU GDPR: European General Data Protection Regulation 2016/679: this regulation concerns privacy, ownership, and data protection and replaces EU DPR-2012. It provides a single set of rules directly applicable in the EU member states.
  • EU Connected Communities Initiative: this initiative concerns the IoT development infrastructure, and aims to collect information from the market about existing public and private connectivity projects that seek to provide high-speed broadband (more than 30 Mbps).

United States

A quick overview of the general US legislation that protects civil rights (employment, housing, privacy, information, data, etc.) includes:

  • Fair Housing Act (1968);
  • Fair Credit Reporting Act (1970);
  • Electronic Communication Privacy Act (1986), which is applied to service providers that transmit data;
  • Privacy Act 1974, which is based on the Fair Information Practice Principle (FIPP) Guidelines;
  • Breach Notification Rule, which requires companies utilizing health data to notify consumers that are affected by the occurrence of any data breach;
  • IoT Cybersecurity Improvement Act 2019: the Bill seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly; and
  • SB-327 Information privacy: connected devices: California’s new SB 327 law, which will take effect in January 2020, requires all “connected devices” to have a “reasonable security feature.”

The above legislation is general, and in principle can cover IoT activities, although it was not designed with IoT in mind. Legislation devoted particularly to IoT includes the following:

  • White House Initiative 2012: the purpose of this initiative is to specify a framework for protecting the privacy of the consumer in a networked world.

This initiative involves a report on a “Consumer Bill of Rights” which is based on the so-called “Fair Information Practice Principles” (FIPP). This includes two principles:

  1. Respect for Context Principle: consumers have a right to insist that the collection, use, and disclosure of personal data by Companies is done in ways that are compatible with the context in which consumers provide the data;
  2. Individual Control Principle: consumers have a right to exert control over the personal data companies collect from them or how they use it.

China

Where we start to see the most advanced picture is in China. In 2017, the Ministry of Industry and Information Technology (MIIT), China’s telecom regulator and industrial policy maker, issued the Circular on Comprehensively Advancing the Construction and Development of Mobile Internet of Things (NB-IoT) (MIIT Circular [2017] No. 351, the “Circular”), with the following approach in the opening provisions:

Building a wide-coverage, large-connect, low-power mobile Internet of Things (NB-IoT) infrastructure and developing applications based on NB-IoT technology will help promote the construction of network powers and manufacturing powers, and promote “mass entrepreneurship, innovation” and “Internet +” development. In order to further strengthen the IoT application infrastructure, promote the deployment of NB-IoT networks and expand industry applications, and accelerate the innovation and development of NB-IoT[11]

China already has a large package of regulations on technological matters:

  • 2015 State Council – China Computer Information System Security Protection Regulation (first in 1994);
  • 2007 MPS – Management Method for Information Security Protection for Classified Levels;
  • 2001 NPC Standing Committee – Resolution about Protection of Internet Security;
  • 2012 NPC Standing Committee – Resolution about Enhance Network Information Protection;
  • July 2015: National Security Law – ‘secure and controllable’ systems and data security in critical infrastructure and key areas;
  • 2014 MIIT – Guidance on Enhance Telecom and Internet Security;
  • 2013 MIIT – Regulation about Telecom and Internet Personal Information Protection;
  • 2014 China Banking Regulatory Commission – Guidance for Applying Secure and Controllable Information Technology to Enhance Banking Industry Cybersecurity and Informatization Development.

Further, as if this were not enough, the Chinese government is being proactive and has several important laws and regulations in the pipeline, as can be seen from the list below:

  • CAC: Administrative Measures on Internet Information Services;
  • CAC Rules on Security Protection for Critical Information Infrastructure;
  • Cybersecurity Law;
  • Cyber Sovereignty;
  • Security of Product and Service;
  • Security of Network Operation (Classified Levels Protection, Critical Infrastructure);
  • Data Security (Category, Personal Information);
  • Information Security.

Finally, China established, in 2016, the National Information Security Standardization Technical Committee and its current work is developing a Standardization – TC260 (IT Security) on Technical requirement for Industrial network protocol and general reference model and requirements for Machine-to-Machine (M2M) security.

Latin America

The Latin American countries have different levels of development and this sets up a huge asymmetry between the domestic legal frameworks. The following is a quick regulation overview on Latin American countries:

  • Brazil has the “National IoT Plan” (Decree N. 9.854/2019) that aims to ensure the development of public policies for this technology sector and members of Brazilian parliament presented the bill No. 7.656/17 with the purpose of eliminating tax charges on IoT products;
  • Colombia has a Draft of Law No. 152/2018 on the Modernization of the Information and Communication providing investment incentives to IT Techs (article 3);
  • Chile has a new Draft Law Boletín N° 12.192-25/2018 on cyber crimes and regulation of internet devices and hacker attacks;
  • In 2017, Argentina launched a Public Consultation on IoT regarding regulations that must be updated and how to get more security and improve the technological level of the country[12].

Most Promising Smart Environments

Smart environments are regarded as the space within which IoT devices interact, connected through a continuous network. Thus, smart environments aim to satisfy the experience of individuals from every environment, by replacing the hazardous work, physical labor and repetitive tasks with automated agents. Generally speaking, sensors are the basis of this kind of smart device, with many different applications, e.g. Smart Parking, Waste Management, Smart Roads and Traffic Congestion, Air Pollution, River Floods, M2M Applications, Vehicle auto-diagnosis, Smart Farming, Energy and Water Uses, Medical and Health Smart applications, etc[13].

Another way of looking at smart environments and assessing their relative capacity to produce business opportunities is to identify and examine the most important IoT use cases that are either already being exploited or will be fully exploited by 2020.

For the purposes of this article, the approach was restricted to sectors consisting of the most promising smart environments to be developed up to 2020 in the European Market as displayed in the Chart below:

[Chart: Vertical IoT Market Size in Europe]

The conclusions of the last report of the European Commission are impressive and can help to understand the continuous development of the IoT market and how every market has to comply with the law, as each will emerge facing a regulatory avalanche, as mentioned in item 2 on the Regulatory Ecosystem.

Final Considerations: IoT as Consumer Product Health and Safety

IoT safety is becoming more important every day. On the one hand, as mentioned above, most concerns for IoT safety are primarily in the areas of cyber-attacks, hacking, data privacy, and similar topics, which are better referred to as security than safety. On the other hand, it can be approached through the physical safety hazards which may result from the operation of consumer products in an IoT environment or system. IoT provides a new way to approach business and it is not restricted to one or another market or topic. It is a metatopic or metamarket showing different possibilities and applications, and it will spread in the near future.

In general, IoT products are electrical or electronic applications with a power source and a battery connected by a charging device. So long as the power source, batteries and charging devices are present we have the usual risks of electrical related hazards (fire, burns, electrical shock, etc.). Nonetheless, IoT makes matters more complicated as smart devices have the function to send commands and control devices in the real world.

IoT applications can switch the main electrical power of secondary products or can operate complex motor systems and so on. They therefore have to be accurate and should meet minimum requirements to take care of consumer health and safety. Risk assessment and hazard mitigation will have to adapt to IoT applications, reinventing methods to assure regular standards of IoT usability. Traditional health and safety regulations need to be up to date with this new technological reality to be effective at reducing safety hazards for consumer products.

To conclude, this article was intended to summarize two main issues: I) IoT as an increasing and cross topic market which will become a present reality closer to our daily lives; II) IoT will be regulated and become an important concern in consumer product health and safety.

See the first installment of the IoT: Seizing the Benefits and Addressing the Challenges and the Vision of IoT in 2020.


[1] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27. P. 2.

[2] Spyros G Tzafestas. Ethics and Law in the Internet of Things World. Smart Cities 2018, 1(1), 98-120. P. 102.

[3] Spyros G Tzafestas. Ethics and Law in the Internet of Things World. Smart Cities 2018, 1(1), 98-120. P. 99.

[4] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27. P. 19.

[5] Petar Radanliev, David Charles De Roure and others. Definition of Internet of Things (IoT) Cyber Risk – Discussion on a Transformation Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment. Oxford University. MPRA Paper No. 92569, March 2019, P. 1.

[6] Spyros G Tzafestas. Ethics and Law in the Internet of Things World. Smart Cities 2018, 1(1), 98-120. P. 101; https://doi.org/10.3390/smartcities1010006

[7] More information available here.

[8] EUR-Lex Document 32013L0040. Directive 2013/40/EU of the European Parliament and the Council of 12 August 2013. Available here.

[9] NIS Directive. The Directive on Security of Network and Information Systems.

[10] EUR-Lex Document 32014L0053. Directive 2014/53/EU of the European Parliament and the Council of 16 April 2014.

[11] Notice of the General Office of the Ministry of Industry and Information Technology on Promoting the Development of Mobile Internet of Things. Department of Industry communication letter [2017] No. 351.

[12] Available here.

[13] More examples


Copyright © 2019 Compliance and Risks Ltd.
This article was written by João Pedro Paro from Compliance & Risks.

Register today for the ABA's Consumer Financial Services Basics 2014 – October 6-7 in Baltimore

The National Law Review is pleased to bring you information about the upcoming American Bar Association event, the 5th Annual Consumer Financial Services Basics 2014 conference.

This live meeting is designed to expose practitioners to key areas of consumer financial services law, whether you need a primer or a refresher. In the pressure cooker of today’s financial services industry, the breadth and complexity of the issues you are facing will dominate any seminar dissecting recent developments alone.  It is time to take a step back and think through some of these complex issues with a faculty that combines decades of practical experience with law school analysis. The classroom approach is used to review the background, assess the current policy factors, step into the shoes of regulators, and develop an approach that can be used to interpret and evaluate the scores of laws and regulations that affect your clients.


ZIPped Back Up: Williams-Sonoma Gains Federal Dismissal Of New Jersey Consumer Privacy Claim in Feder

The National Law Review recently published an article by Theodore C. Max of Sheppard, Mullin, Richter & Hampton LLP regarding the United States District Court for the District of New Jersey joining the New Jersey Superior Court in weighing in on the issue of whether a retailer violates consumer privacy state law by requesting a customer’s zip code at the point of purchase.

In Feder v. Williams-Sonoma Stores, Inc., the United States District Court for the District of New Jersey joined the New Jersey Superior Court in weighing in on the issue of whether a retailer violates consumer privacy state law by requesting a customer’s zip code at the point of purchase. Feder was brought by the same plaintiff’s lawyers and with claims similar to those in the state court case Imbert v. Harmon Stores, Inc. (Bed, Bath & Beyond). Imbert was decided last month, but without any written decision, and permitted that case to proceed past the pleading stage. The District Court in Feder, however, issued the first written opinion under the New Jersey statutes, finding that allegations that a zip code was verbally requested could not support a claim under New Jersey law.

Both Feder and Imbert involved plaintiffs suing under New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”), alleging that a store’s requirement that customers provide their zip codes during a credit card transaction violates their rights under the TCCWNA. The TCCWNA prohibits a seller from “offering, entering into, giving or displaying a written consumer contract or notice that violates a clearly established right of the consumer.” N.J. Stat. Ann. 56:12-15. As a predicate for the TCCWNA claim, both Feder and Imbert relied on the Restrictions on Information Required to Complete Credit Card Transactions (“Restriction Statute”). The Restriction Statute prohibits a retailer from requiring a customer to provide “personal identification information” to complete a credit card transaction, thus providing the basis for violation of a “clearly established consumer right.”

Senior District Judge Walls in Feder granted Williams-Sonoma’s Motion to Dismiss, finding that the plaintiff failed to sufficiently allege conduct that violated the TCCWNA because she failed to identify a particular provision of a written consumer contract that violated her rights. Feder pled that the credit card transaction form constituted the written consumer contract. Judge Walls, skeptical of this assertion, reasoned that even if the form qualified as a contract, plaintiff’s recorded zip code and verbal request for the same did not constitute a contract provision. Consequently, Judge Walls found that plaintiff failed to satisfy the elements of TCCWNA because “[t]he alleged requirement that plaintiff provide her zip code would only violate the TCCWNA if it was a provision of a written contract.” Plaintiff also alleged that her rights were violated under the Restriction Statute — not by the recording of her zip code — but by the requirement that she provide her zip code. However, the Restriction Statute does not provide for a private right of action, and, as discussed above, a claim under Plaintiff’s proposed private vehicle for enforcement, the TCCWNA, failed.

Williams-Sonoma also argued that if the credit card transaction was considered a written consumer contract, the court must consider all terms of that “contract” including the point of sale signage at Williams-Sonoma stores expressly stating that when a zip code is requested it is used for marketing purposes, and that providing it is voluntary and is not a condition of processing the transaction. The Restriction Statute differs critically from California’s Song-Beverly in that New Jersey’s Restriction Statute only applies to information being “required,” whereas Song-Beverly also applies to a “request.” This issue was not presented in Imbert. However, since the District Court ruled on the TCCWNA, it did not need to reach this issue.

One additional anomaly between the Feder and Imbert cases is that in Imbert the state court permitted the plaintiff to proceed with an invasion of privacy claim. However, when presented with Williams-Sonoma’s Motion to Dismiss, Feder abandoned her invasion of privacy claim in her Opposition because the Motion revealed she had previously provided her contact information to Williams-Sonoma. Feder also filed a cross-motion for leave to file an Amended Complaint, which the District Court denied as futile.

Sheppard Mullin Richter & Hampton LLP

CFPB has no plan to ban financial products, Warren tells GOP-led committee

Recently posted in the National Law Review by Shirley Gao of the Center for Public Integrity about the new Consumer Financial Protection Bureau:

The new Consumer Financial Protection Bureau, which opens for business next week, does not plan to ban specific financial products, presidential adviser Elizabeth Warren told Congress.

Banning fraudulent financial products and services “is a tool in the toolbox, and that’s where it should stay,” Warren testified at a Republican-led House Oversight and Government Reform hearing on Thursday, the Wall Street Journal, Politico and other media reported. “We have no present intention to ban a product, but we are still learning about what’s out there,” she said.

Republicans on the panel, who questioned Warren at a contentious hearing in late May, grilled Warren about whether the CFPB may try to outlaw payday loans and try to regulate new car loans.

“The American people have a right to know how the bureau will advance and enforce its regulatory assignment,” said Committee Chairman Darrell Issa, a California Republican. “Consumers deserve opportunities to choose between lending alternatives and other financial tools that establish credit and give buyers the chance for affordable enhancements to their standards of living.”

A C-SPAN video of the three and one-half hour hearing is posted here.

Banks push to weaken derivatives rules – In a potential win for big banks, federal regulators are considering a weaker version of a plan that initially sought to limit a big bank from controlling more than 20 percent of any one derivatives exchange.

The Commodity Futures Trading Commission is now privately discussing a lower cap after aggressive lobbying by Wall Street, the New York Times Dealbook reports. How aggressive? CFTC officials have held almost 50 private meetings with players including mega-banks such as Goldman Sachs Group Inc. and Morgan Stanley.

New financial data office – A new Treasury Department office tasked with collecting data from banks, hedge funds and brokerages is yet another example of government overreach and a likely target for hackers, Republicans warned Thursday at a House hearing.

The Office of Financial Research was created by the Dodd-Frank reform law with the power to collect and analyze company-specific data to help regulators pinpoint systemic risks to the economy.

The new office “has very broad power and authority with very few checks and balances,” said Texas Republican Randy Neugebauer. “There is no limit to the information you can require from a company.”

Oil payment rules – Human rights groups urged the Securities and Exchange Commission to hurry up and finalize an energy industry anti-corruption rule that was tucked into the Dodd-Frank law.

The proposed SEC rule would force oil, natural gas and other energy companies listed on U.S. stock exchanges to disclose exactly how much each pays to overseas governments to acquire drilling and production rights. Energy companies have fought the SEC plan, saying the requirement would be overly burdensome and costly.

Reprinted by Permission © 2011, The Center for Public Integrity®. All Rights Reserved.