Amidst the storms and the polar vortex wreaking havoc across the country this winter, the Federal Trade Commission recently created a mini-storm of its own. In late January, the FTC, pursuant to its investigative authority under the Federal Trade Commission Act, sent out civil investigative demands (or "CIDs") to members of the auto finance industry. These CIDs seek information to "determine whether unnamed persons, partnerships, corporations, or others are engaged in, or may have engaged in, deceptive or unfair acts or practices related to consumer privacy and/or data security, including but not limited to the collection, acquisition, use, disclosure, security, storage, retention, or disposition of consumer information, in or affecting commerce, in violation of Section 5 of the Federal Trade Commission Act... ."
The CIDs seek answers to interrogatories and production of documents relating to financial products or services offered by the recipients of the CIDs covering the period from January 1, 2013, until the entity complies with the CID's requirements.
The CID interrogatories focus on the policies and practices for disclosing non-public personal information about a customer or consumer to non-affiliated third parties, the policies and practices relating to providing initial, revised, and annual privacy notices to customers and/or consumers, and whether there are any circumstances in which a privacy notice is not provided to a consumer. The CIDs request a description of those circumstances.
The CIDs ask for information about the policies and practices for providing notice of a consumer's opportunity to opt out of disclosure of non-public personal information, how a consumer may exercise his or her right to opt out, and what the policies and practices are for complying with a consumer's exercise of his or her opt-out rights.
The FTC is also focusing on information security by requesting information on the types of customer information collected from consumers and the name of the person responsible for coordination of the CID recipient's information security program.
The FTC is also interested in whether any information collected on consumers is furnished to a consumer reporting agency, and, if so, the FTC requests a description of policies and procedures that relate to direct disputes.
For purposes of the FTC's interrogatories, recall that a "consumer" is an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes or by that individual's legal representative. A "customer" is a consumer who has a continuing relationship with you, under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
Finally, the FTC asks about the information accessibility and the circumstances of use of GPS tracking hardware installed on motor vehicles for repossession or billing purposes. This includes the policies and purposes for the use of geolocation technology and the circumstances under which a creditor may access the categories of information that geolocation technology can provide. The FTC is also interested in data regarding the number of devices installed, the number of times the devices have been activated to render a vehicle immobile, and any disclosure concerning geolocation technology provided to customers who buy or lease vehicles.
"Geolocation technology" or "GPS tracking hardware" is technology or hardware installed in a vehicle for the purpose of effecting repossession efforts. This includes technology or hardware that can provide information about a vehicle's location or speed and/or that can remotely disable a vehicle's starter. "Geolocation information" is information regarding or indicative of the geographic location of a motor vehicle, location determined through GPS technology, derived from the CID recipient's monitoring units, other monitoring units, or information derived from any of the foregoing.
The document requests track the interrogatories, for example, by requesting a copy of the recipient's information security program and policies for installing GPS tracking hardware. However, the requests also ask for the production of policies regarding employee training and conduct on privacy and information security, a written identity theft prevention program, policies and practices regarding the accuracy and integrity of information furnished to consumer reporting agencies, and agreements between the recipient and third parties regarding GPS tracking hardware.
As Garth Brooks says, "The thunder rolls." For those of you worried about getting a CID from the CFPB, don't forget about that other consumer protection agency that was established almost 100 years ago. Many say the well-established FTC is easier to work with than the CFPB. We've only just begun responding to these CIDs, so that remains to be seen.
Get your policies ready, implement them, and train your employees on compliance. This will be the best defense to an FTC investigation (and to a CFPB investigation, for that matter).
You may receive a CID, but you can be ready. Still, handling a CID is a challenging and labor-intensive process. If you receive a CID from the FTC, seek competent counsel to help you respond. And if you're caught in this storm, you've got friends in low places.
Nicole F. Munro is a partner in the Maryland office of Hudson Cook, LLP. Nikki can be reached at 410-865-5430 or by email at nmunro@hudco.com.
Copyright © 2024 CounselorLibrary.com, LLC. All rights reserved.