Today's Trends in Credit Regulation

GLBA Privacy Notices Receive Scrutiny Under FDCPA
By Charles F. Dodge and Maya P. Hill

Sometimes compliance with one consumer protection law might cause you to unwittingly violate another consumer protection law. The information-sharing provisions of the federal Fair Debt Collection Practices Act and the federal Gramm-Leach-Bliley Act illustrate how you might run into trouble, even if you plan to comply with both laws. The limitations on information sharing under the FDCPA and the mandatory disclosure made under the GLBA require those subject to both laws to exercise caution when disclosing information-sharing practices in their privacy notices.

With one exception for acquiring location information, the FDCPA prohibits debt collectors from communicating with third parties with respect to a debt without the “prior consent of the consumer given directly to the debt collector.” The GLBA requires debt owners to “provide a clear and conspicuous disclosure” of their policies and practices with respect to disclosing consumers’ non-public personal information to unaffiliated third parties. These “debt owners” under GLBA will also be considered “debt collectors” under the FDCPA if they acquired the debts after they were in default. While the FDCPA prohibits debt collectors from sharing consumer information in almost all cases, the GLBA still requires debt owners to provide debtors with a specific statement concerning the ways in which those debt owners may share information. Debt collectors subject to the FDCPA who are also debt owners subject to the GLBA must, therefore, carefully construct their privacy notices in a way that complies with the GLBA’s information-sharing notice requirements and the FDCPA’s information-sharing restrictions, while still recognizing that in some cases the debt owner who is a debt collector must share consumer information with third parties.

A recent order out of the U.S. District Court for the District of Nebraska (Veerhusen v. Capital Management Services, LP, Case No. 8:09CV354, January 29, 2010) illustrates how one debt collector/debt owner successfully complied with both statutes. Capital Management Services, LP, and other related entities tried to collect a debt from Jeff Veerhusen by sending him a collection letter. Attached to the collection letter was a Privacy Notice, which collectively referred to all of the related entities as the “Sherman Companies.” The Privacy Notice contained the following information, in relevant part, concerning the Sherman Companies’ information-sharing policies:

Sharing with Affiliates. From time to time, the Sherman Companies may share collected information about customers and former customers with each other and with their affiliated financial services companies in connection with administering and collecting accounts.

Sharing with Third Parties. The Sherman Companies do not share collected information about customers or former customers with third parties, except as permitted by applicable privacy law.

The Privacy Notice also advised Veerhusen that the Sherman Companies maintained physical safeguards (like restricted access), electronic safeguards (like encryption and password protection), and procedural safeguards (such as authentication procedures) to protect information collected about the Companies’ customers. Finally, the Privacy Notice informed Veerhusen that although the Notice suggested that the Sherman Companies might share his information, albeit in a manner consistent with privacy laws, the Sherman Companies would communicate information that it received or used for debt collection purposes only in accordance with the Fair Debt Collection Practices Act.

Veerhusen sued Capital Management and its related entities for alleged violations of the FDCPA. Veerhusen argued that the Privacy Notice falsely and misleadingly represented that the Sherman Companies could communicate debt-related information about him with third parties, in violation of the FDCPA’s general prohibition on third-party communication. He also argued that the misrepresentation constituted a threat to take an action that the Sherman Companies were not legally allowed to take, also in violation of the FDCPA.

Veerhusen relied on a Seventh Circuit case, Ruth v. Triumph Partnerships (577 F.3d 790) (2009), to support his position. In Ruth, the debt owner sent a GLBA privacy notice to the debtor stating that the debt owner would “disclose nonpublic personal information” about the debtor to several third parties, such as direct marketers, retailers, banks and mortgage lenders. The notice gave debtors the chance to opt out of the information-sharing program by filling out an “Opt-Out Response Form.” In Ruth, the Seventh Circuit held that the debt owner’s privacy notice violated the FDCPA because the notice would lead an unsophisticated consumer to think that the debt owner intended to share the consumer’s nonpublic information without the consumer’s consent, which the FDCPA prohibits. The Ruth Court concluded that the privacy notice was plainly misleading on its face.

The Veerhusen court distinguished the Ruth case and ruled in favor of Capital Management on its motion to dismiss, finding that the Sherman Companies’ Privacy Notice did not violate the FDCPA. In so ruling, the Veerhusen court focused on what kind of representation or statement is considered “false,” and therefore prohibited, for purposes of the FDCPA. Relying on other federal circuit court opinions, the district court noted that statements that are technically false do not violate the FDCPA unless the false statement would actually mislead or deceive an unsophisticated consumer. The district court looked to the three categories of “deceptive or misleading statements” that the Seventh Circuit identified in Ruth to determine whether the Sherman Companies’ Privacy Notice could be characterized as “misleading or deceptive.” Category One consisted of statements that are plainly not misleading or deceptive. For those statements, the Ruth court would not look to extrinsic evidence (such as consumer surveys) to decide if consumers were confused by the statement; statements that are not misleading or deceptive on their face do not require further inquiry. Category Two consisted of statements that are not plainly misleading or deceptive, but that still might mislead or deceive a consumer. Category Two statements require examination of extrinsic evidence. Category Three consisted of statements that were misleading or deceptive on their face, such as the statements in the notice in Ruth indicating that the debt owner would share the debtor’s information unless the debtor affirmatively opted out.

Viewing the Sherman Companies’ Privacy Notice as a whole, the Veerhusen court found that the Privacy Notice fell into Category One (plainly not misleading or deceptive). The district court acknowledged that some parts of the Privacy Notice could be construed as inconsistent with the FDCPA. The court did not elaborate on which specific provisions of the Privacy Notice it was referring to, but based on the parts of the Privacy Notice recited in the opinion it appears that the court was referring to the language referencing information-sharing with affiliated parties and with third parties “as permitted by applicable privacy law.” The Privacy Notice, however, clearly informed Veerhusen that the Sherman Companies were taking various measures to ensure the privacy of Veerhusen’s personal nonpublic information in compliance with applicable privacy laws. The Veerhusen court distinguished the Sherman Companies’ Privacy Notice from the Ruth notice insofar as the Ruth notice affirmatively stated that the debt owner would communicate nonpublic personal information without the debtor’s consent. The Veerhusen Privacy Notice, by contrast, expressly stated that if Veerhusen’s account was subject to the FDCPA, the Sherman Companies would only share information “in accordance with the [Fair Debt Collection Practices Act].”

The divergent results from the Veerhusen and Ruth cases underscore the importance of carefully choosing the description of how debt owners who may also be debt collectors with accounts subject to the FDCPA will share (or not share) consumer information. If a debt is subject to the FDCPA, any privacy notice sent in connection with that debt should be clear about how the debt collector will only use consumer information in a manner consistent with the FDCPA.

As if it wasn’t already complicated enough, the new GLBA forms will create additional compliance burdens. Debt owners that are also debt collectors subject to the FDCPA may be unable to take advantage of the new GLBA safe harbor forms or may be required to have multiple forms that will accurately reflect the practices for accounts subject to the protections of the FDCPA.

Charles F. Dodge is a partner in the Maryland office of Hudson Cook, LLP. Basis Points readers may reach Chuck at 410-865-5427 or by email at cdodge@hudco.com.

Maya P. Hill is an associate in the Maryland office of Hudson Cook, LLP. Basis Points readers can reach Maya at 410-782-2356 or by e-mail at mhill@hudco.com.

Copyright © 2024 CounselorLibrary.com, LLC. All rights reserved.