May 2024 Regulatory Roundup
Mac Murray & Shuster LLP
Consumer protection and privacy compliance and defense from a team of former state regulators.
PRIVACY & DATA SECURITY
FTC Finalizes Order Against Blackbaud Inc. Over Data Breach
The FTC finalized its Order against Blackbaud, Inc., alleging a series of significant lapses in data security and transparency following a major data breach. The FTC found that Blackbaud, a provider of data, fundraising, and financial services, failed to implement basic security measures, which allowed an attacker to access sensitive data, including Social Security numbers and bank account information, for three months before detection. Despite paying a ransom, the company could not verify whether the stolen data was subsequently deleted.
The FTC further alleged that Blackbaud failed to enforce its own data retention policies – storing consumer information long past its legitimate business need to do so – resulting in the theft of data that should have been securely destroyed years earlier. Moreover, the company waited nearly two months to notify customers about the breach and then misled consumers about the scope and severity of the incident.
Its future compliance now under a microscope with regulators, Blackbaud will be required by the Order to enhance its data security measures, implement a comprehensive information security program, and adhere to a data retention schedule.
BUSINESSES NEED TO KNOW: No business is immune to the risk of a data breach, but that risk can be mitigated with the right compliance efforts. We can’t say it any better than the FTC did itself (in haiku form, no less):
Keep data secure.
Safely dispose after use.
Tell people the truth.
Coming tomorrow - June 6th
M&S Privacy Webinar: Privacy Watch: Wait, What? Not Another State Privacy Law!
Minnesota Joins Legislative Surge with Comprehensive State Privacy Law
Minnesota has become the latest state to enact comprehensive privacy legislation. The Minnesota Consumer Data Privacy Act (MCDPA), affecting entities handling data of more than 100,000 consumers or deriving substantial revenue from selling consumer data, introduces unique requirements and protections. It mandates the appointment of a chief privacy officer, includes novel consumer rights related to profiling decisions, and implements selective exemptions for small businesses and specific data types. The MCDPA mirrors aspects of privacy laws in other states, emphasizing universal opt-out mechanisms, data protection assessments, and anti-discrimination policies.
BUSINESSES NEED TO KNOW: Another day, another new state privacy law. The MCDPA will take effect on July 31, 2025.
Vermont’s Data Privacy Bill Includes Unique Consumer Protections
The Vermont legislature passed its own comprehensive data privacy bill, H.121, which is at this time awaiting Governor Phil Scott’s signature. The bill shares similar core requirements with other state laws in giving consumers the right to access, correct, delete, and deny the sale or sharing of their personal data. However, it also emphasizes stringent data minimization and enhanced child protections, and, marking a significant shift in state privacy law enforcement, it includes a limited private right of action for consumers, which would make Vermont the first state to do so since California’s 2018 CCPA.
BUSINESSES NEED TO KNOW: See above; it’s another day. If signed, Vermont’s law will take effect July 1, 2025. However, the Governor has stated concerns regarding the private right of action, so this bill’s enactment is uncertain.
TCPA/TELESERVICES
FCC Begins Classifying Persistent Robocall Facilitators as Threat to Consumer Communication
The FCC has, for the first time, classified a group of entities and individuals persistently facilitating robocall campaigns aimed at defrauding consumers as a Consumer Communications Information Services Threat (C-CIST). The move empowers international anti-robocall partners to identify and block threats before they reach U.S. networks and builds on recent FCC initiatives against robocalls, particularly those using generative AI voice-cloning technology.
The first group to receive the C-CIST designation, "Royal Tiger," is comprised of entities and individuals in the U.S., India, the UK, and the UAE. The group has consistently been involved in illegal robocall campaigns, resulting in numerous enforcement actions.
The C-CIST classification will assist industry stakeholders in fortifying their “Know Your Customer” and “Know Your Upstream Provider” verification processes and allow better coordination with regulatory and law enforcement partners globally.
BUSINESSES NEED TO KNOW: Businesses should beware of the enforcement risk this classification poses and include “C-CIST classification” in their due diligence efforts when assessing potential third-party partnerships.
ADVERTISING & MARKETING
FTC Releases 2023 Annual Report
In May, the Federal Trade Commission released its Fiscal Year 2023 Annual Report. The report details the FTC’s efforts to enforce consumer protection and antitrust laws in an evolving economy, particularly addressing challenges posed by AI and algorithmic decision-making. Among its most significant activities, the Commission conducted the largest telemarketing sweep in U.S. history targeting illegal robocalls. Privacy enforcement also took center stage - especially with regard to children’s privacy laws including the Children’s Online Privacy Protection Act - as the FTC took action for privacy violations against corporate giants including Amazon, Microsoft, and Ring.
BUSINESSES NEED TO KNOW: As the report shows, telemarketing and privacy enforcement have remained high priorities for the FTC, as have its continuing collaborative efforts with other state and federal regulators to increase its enforcement reach.
CFPB Targets Credit Card Rewards Programs Over Deceptive Practices
The Consumer Financial Protection Bureau announced a targeted focus on troubling patterns in the credit card industry's rewards program practices, citing concerns over stealthy changes to program benefits and manipulation of rewards point values.
The announcement highlighted issues such as massive devaluation of points and misleading promotions, echoing findings from a CFPB report that identified growing complaints from consumers regarding unclear conditions for sign-up bonuses, devalued rewards points, sudden loss of card perks, and expiration policies.
The agency has previously taken enforcement actions against credit card issuers including Bank of America and American Express, for engaging in unfair, deceptive, or abusive acts or practices related to their rewards programs.
BUSINESSES NEED TO KNOW: Amid industry criticism and the agency's limited bandwidth, the extent of regulatory intervention in this area remains uncertain. However, the move underscores the risk associated with any rewards or loyalty program, as well as the importance of ensuring consumers have an accurate understanding of the value of their reward earnings.
GENERAL COMPLIANCE
Supreme Court Upholds CFPB Funding, Paving the Way for Increased Enforcement
In a 7-2 ruling, the U.S. Supreme Court upheld the funding structure of the Consumer Financial Protection Bureau (CFPB), resolving a long-standing constitutional dispute and enabling the CFPB to resume over a dozen enforcement actions and investigations that had been paused. More specifically, the ruling affirmed the CFPB's funding method as constitutional, preserving the agency's independence; reinstated stayed enforcement actions and investigative efforts; and potentially increased regulatory initiatives by the CFPB, now unburdened by constitutional challenges.
BUSINESSES NEED TO KNOW: With legal battles over its existence likely concluded, this decision reinforces the CFPB's operational stability and emboldens the agency to pursue its regulatory and enforcement agenda more aggressively. Not surprisingly, businesses offering financial services should anticipate increased regulatory scrutiny and enforcement activity.
CFPB Targets Buy-Now, Pay-Later Firms with Credit Card Regulations
The CFPB issued new guidance treating Buy-Now, Pay-Later (BNPL) firms as credit card companies. Issued as an interpretive rule and grounded in the Truth in Lending Act, the guidance mandates that BNPL lenders provide similar protections and rights related to billing statements, disputes, and refunds. Specifically, BNPL firms must investigate disputes (pausing payment requirements while doing so), refund returned products or cancelled services, and provide billing statements.
BUSINESSES NEED TO KNOW: The CFPB will be accepting public comment on the new guidance until Aug. 1, and has said it is open to considering adjustments. The rule is set to take effect 60 days after its formal publication in the Federal Register.