What Fintech and Digital Marketing Companies Need to Know Now About the CFPB’s Expanded Jurisdiction | Orrick, Herrington & Sutcliffe LLP

by James · August 29, 2022

The Consumer Financial Protection Bureau (CFPB) recently issued two announcements that (1) asserted jurisdiction over a larger group of “service providers” outside of banks, (2) clarified that lax security standards are subject to unfair acts or practices, and provided minimum standards.

Table of Contents

What happened?

On August 10, 2022, the CFPB warned that digital marketing providers must comply with federal consumer finance protections.
On August 11, 2022, the CFPB issued a circular defining what it considers “egregious data security practices” that may violate the prohibition against unfair acts or practices.

This expansion of the CFPB’s reach beyond traditional financial services businesses adds to an already complex web of financial services and privacy regulation that faces not only fintech companies, but many technology companies that may never have considered how the CFPB applies to them.

1. Digital marketers are now subject to federal consumer financial protection laws.

The Dodd-Frank Act defines a “service provider” to include “any person who provides a material service to a covered person in connection with the offering or delivery by such covered person of a consumer financial product or service.” Section 1002(26). Service providers are subject to the CFPB’s jurisdiction and can be held liable under a variety of consumer financial laws such as the Fair Credit Reporting Act (FCRA), Fair Lending Acts, and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP). Previously, digital marketing providers could rely on the “time and space exception” of the Dodd-Frank Act to avoid the reach of the CFPB. The statute exempts companies that provide “time or space exclusively for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.”

The August 10 CFPB interpretive rule (the “Rule”) expanded the definition of “service providers” by significantly narrowing this exception. This recent interpretation of the exemption concludes that many of the routine functions performed by modern digital marketers, such as lead generation, customer acquisition, and market analysis or strategy, qualify as significant involvement in the development of content and placement strategies. The CFPB’s determination that these functions qualify as “material services” means that companies that provide these services to covered financial services companies are considered “service providers.” The Bureau reasons that because internal marketing groups often perform similar functions, external companies that perform the same functions should be subject to CFPB jurisdiction in the same way as financial companies. The rule defines the activities below to fall within CFPB jurisdiction and outside the service provider exemption.

Lead Generation – Identifying or selecting potential customers for a covered person’s business using a marketer’s own knowledge of a user’s characteristics and behavior.
Customer Acquisition – Implementation of a marketing plan itself where the covered financial services company selects the characteristics of their target audience (such as demographics and behavior online or offline)
Marketing Analysis or Strategy – Companies that measure the effectiveness of certain marketing efforts by calculating a “customer acquisition rate” are considered to be performing functions similar to a covered person and do not fall within the CFPB’s interpretation of the exemption.

According to the CFPB, companies that engage in digital marketing functions can only avoid service provider jurisdiction when they perform “ministerial” services. For example, a company that offers a covered financial services company “the ability to choose to run an advertisement on a particular website or application” chosen by that company would typically fall within the “time or space” exception. This very limited example demonstrates the CFPB’s view that it may be able to apply its authority to enforce consumer financial services laws, including UDAAP authority, to any activity conducted by marketing companies beyond very basic ministerial actions.

With this shift, the CFPB has put digital marketing companies on notice that they may be subject to the jurisdiction of not only the CFPB, but also other state and federal regulators for consumer protection enforcement. This means that digital marketing companies may be subject to liability under the FCRA, fair lending laws and the UDAAP.

2. Failure to implement certain data security practices as an example of an unfair act or practice.

On the heels of expanding its jurisdiction, the CFPB issued a Data Circular (the “Circular”) warning companies that do not implement certain safeguards that they could be in violation of the Unfair Acts or Practices Prohibition. The circular notes that defective security practices may violate the prohibition against unfair acts or practices (1) that cause or are likely to cause substantial harm to consumers, (2) that cannot reasonably be avoided by consumers, and (3) are not outweighed by countervailing benefits to consumers or competition. 12 USC § 5531(c).

The CFPB goes on to warn companies that failure to implement common data security practices will “significantly increase the likelihood” of a breach. The CFPB defines “common data security practices” to include multi-factor authentication, password management, or timely software updates. Companies that have not adopted these processes are “likely to cause significant harm to consumers that is not reasonably avoidable.”

What will be next?

These recent actions are clear indications that the CFPB is expanding its enforcement reach beyond financial products and services into technology and data markets by asserting jurisdiction over digital marketing companies and signaling its intent to scrutinize data security practices across a wider range of companies. These announcements demonstrate the CFPB’s intent to take definitive action in the already crowded field of federal and state privacy regulators. These announcements will also serve as CFPB guidance for other regulators to follow as they consider how to approach data aggregation, marketing and security.

For some, this recent guidance may come as a surprise. Others who have been monitoring these developments will recognize these results as policy statements based on information gathered from the October 2021 orders the CFPB sent to “tech giants” including some of the largest online marketing and social media companies. Those orders sought, among other things, detailed information to analyze how these companies access and use consumer financial data to support their payment products and services. Information gathered from these orders has now been used as an anchor to expand jurisdiction and to set a minimum for data security practices.

The CFPB is likely to issue additional guidance based on information from the October 2021 orders. Future activity is likely to include both additional investigations and enforcement actions. Digital marketing companies and fintechs must carefully negotiate the increasingly complex web of overlapping state and federal consumer protection and data/privacy laws.

Why does this matter?

The CFPB’s expanded definition of jurisdiction over digital marketing and service providers will allow it to assert its powerful and broad authority over a wider range of technology companies, including certain social media sites and online shopping platforms.
The CFPB has announced its views on minimum data security standards for companies to avoid violations of federal and state unfair practices or practices laws.
Fintechs and marketing companies that have not considered how consumer protection laws may apply to them should begin reviewing their policies, procedures and products for compliance with consumer protection laws.