The Consumer Financial Protection Bureau (CFPB) recently made two announcements: the first asserted jurisdiction over a larger group of nonbank “service providers,” and the second clarified that lax security standards are subject to enforcement as unfair acts or practices and set out minimum standards.
This expansion of the CFPB’s reach beyond traditional financial services businesses adds to an already complex web of financial services and data privacy regulation facing not only fintech companies, but many technology companies that may never have considered how the CFPB applies to them.
The Dodd-Frank Act defines a “service provider” to include “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” § 1002(26). Service providers are subject to the CFPB’s jurisdiction and may be held liable under a range of consumer financial laws such as the Fair Credit Reporting Act (FCRA), fair lending laws, and Unfair, Deceptive, or Abusive acts or Practices (UDAAP). In the past, digital marketing providers could rely on the “time and space exception” in the Dodd-Frank Act to avoid the reach of the CFPB. The statute exempts companies that solely provide “time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.”
The August 10th CFPB Interpretive Rule (the “Rule”) expanded the definition of “service providers” by significantly limiting that exception. This recent interpretation of the exemption concludes that many of the routine functions performed by modern digital marketers, such as lead generation, customer acquisition, and marketing analysis or strategy, qualify as material involvement in the development of content and placement strategies. The CFPB’s determination that these functions qualify as “material services” means that companies that provide these services to covered financial services companies are considered “service providers.” The Bureau reasons that because in-house marketing groups often perform similar functions, outside companies that perform the same functions should be subject to CFPB jurisdiction in the same manner as the financial services companies. The Rule defines the activities below to fall within CFPB jurisdiction and outside the service provider exemption.
According to the CFPB, companies that engage in digital marketing functions can only avoid service provider jurisdiction when they perform “ministerial” services. For example, a company that offers a covered financial services company the “ability to choose to run an advertisement on a particular webpage or application” chosen by that company would typically fall within the “time or space” exception. This very limited example demonstrates the CFPB’s view that it may be able to apply its authority to enforce consumer financial services laws, including its UDAAP authority, to any activity performed by marketing companies beyond very basic ministerial acts.
With this shift, the CFPB has put digital marketing companies on notice that they could be subject to the jurisdiction not only of the CFPB, but other state and federal consumer protection enforcement regulators. This means that digital marketing companies could be subject to liability under the FCRA, fair lending laws, and UDAAP.
On the heels of expanding its jurisdiction, the CFPB issued a circular on data security (the “Circular”) warning companies that fail to implement certain security measures that they could be violating the prohibition against unfair acts or practices. The Circular notes that deficient security practices could violate the prohibition against unfair acts or practices that (1) cause or are likely to cause substantial injury to consumers, (2) are not reasonably avoidable by consumers, and (3) are not outweighed by countervailing benefits to consumers or competition. 12 U.S.C. § 5531(c).
The CFPB goes on to alert companies that the failure to implement common data security practices will “significantly increase the likelihood” of a violation. The CFPB describes “common data security practices” as including multifactor authentication, password management, and timely software updates. Companies that have not adopted these practices are “likely to cause substantial injury to consumers that is not reasonably avoidable.”
These recent actions are clear indications that the CFPB is expanding its enforcement reach beyond financial products and services into technology and data markets by asserting jurisdiction over digital marketing companies and signaling the intent to scrutinize data security practices across a wider range of companies. These announcements demonstrate the CFPB’s intent to take definitive moves into the already crowded field of federal and state data privacy regulators. These announcements will also serve as CFPB guidance for other regulators to follow when considering how to approach data aggregation, marketing, and security.
For some, this recent guidance may come as a surprise. Others who have been monitoring these developments will recognize these outcomes as policy statements based upon information gathered from the October 2021 Orders the CFPB sent to “tech giants” including some of the largest online marketing and social media companies. Among other things, those Orders sought detailed information to analyze how these companies access and use consumer financial data to support their payments products and services. Information gathered from those Orders has now been used as an anchor to expand jurisdiction and to set a floor for minimum data security practices.
The CFPB will likely issue additional guidance based upon information from the October 2021 Orders. Future activity will likely include both additional examinations and enforcement actions. Digital marketing companies and fintechs will need to negotiate carefully within the increasingly complex web of overlapping state and federal consumer protection and data/privacy laws.
Contact Heather Egan Sussman, Melissa Baal Guidorizzi, Daniel Forester, or Shawn Estrada for guidance on whether your company could be impacted, to evaluate your company’s consumer protection, data security, and privacy practices, or if you have any questions about navigating this evolving regulatory landscape.