Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Online Marketing Practices Continue to Pose Regulatory Threats for the Financial Services Industry

By Craig Nazzaro, Brad Rustin and Elizabeth A. DeVos 
March 01, 2018

Last year, the Federal Trade Commission (FTC) released a staff report on Cross-Device Tracking, which added to the FTC's efforts to regulate emerging issues in the ever-evolving area of online behavioral advertising. The advertising in question involves the collection of data from a particular computer or device regarding a user's Internet-viewing behavior over time and across non-affiliate websites. Ostensibly, this technology obtains user preferences or interests. Cross-device tracking is the logical next step for this technology.

This cross-device tracking enables online behavioral advertising to be coordinated across a user's various devices such as smartphones, tablets, computers, game consoles and Internet-connected televisions. Using both behavioral advertising and cross-device tracking has grown since the release of the FTC study and shows no signs of stopping in 2018.

Within the guidance, the FTC acknowledges the benefits of both behavioral and cross-device tracking, but remains concerned with the privacy and consumer protection challenges raised by these systems. On the one hand, the FTC cites the benefits of a seamless experience for consumers across their devices, such as when they check email, read a book or watch a movie. Cross-device tracking also enables improved fraud detection and account security by providing companies with more options to protect a consumer by identifying a new device and requiring authentication through a known device. On the other hand, however, the FTC raises concerns over consumer transparency with the technology, particularly given that the scope of cross-device technology in this space is not understood by a majority of the public.

|

The Drawbacks

A large issue with both behavioral advertising and cross-device tracking is that the approach to the practice is not uniform. Vendors for financial services firms can create many different user experiences and deploy various technologies that can accomplish the goal in different ways. For example, a vendor can track a user through traditional cookies, flash cookies, Web beacons and countless other technologies, all of which may require different opt-out methods. A vendor can also positively identify the same user across multiple devices using login information or other personally identifiable information commonly called the “deterministic method.”

Alternatively, a vendor can track and identify a probable user through non-personal data, such as an IP addresses. This practice is known as a “probabilistic method.” As the proprietor of a website, a vendor must understand the technology and the methods being utilized by its marketing partners to properly disclose the practices and technology to the proprietor's consumers. This requires a level of due diligence that many proprietors fail to perform. Without proper controls and policies governing these practices, a website proprietor's regulatory, reputational and litigation risks all increase dramatically.

For those in the financial services industry, these leaps in technology can pose greater threats to those utilizing the services than those in less heavily regulated industries. For example, if lenders employed these technologies to capture data that contain contact information, the lenders can find themselves in violation of federal consumer protection regulations such as the Fair Debt Collections Protection Act (FDCPA), the Telephone Consumer Protection Act (TCPA), Equal Credit and Opportunity Act (ECOA), or the Dodd-Frank Act protections under the Unfair Deceptive or Abusive Acts (UDAAP) regulations.

Lenders are put under greater scrutiny regarding how they are using and storing the data collected and how these processes are disclosed to their consumers. Legal and compliance departments within lenders are often surprised at the magnitude of regulatory liability these practices can create. For example, if your advertising department has free reign to create the parameters of whom your institution is targeting for behavioral advertising, will any thought be given to the fair lending impact those choices may have? In another hypothetical, is your marketing department deploying technology that may return contact information for borrowers? If so, is your institution aware of how that data is stored and utilized? If not, the lender may be facing violations under the TCPA and the FDCPA.

|

Best Practices

To avoid these risks, address privacy concerns and improve consumer transparency regarding cross-device tracking and behavioral advertising, financial services industry professionals should take the following steps:

  1. Be transparent about your data collection and use practices by truthfully disclosing your tracking activities. Draft and deploy both an enterprise-wide privacy policy and an online privacy policy.
  2. Provide choice mechanisms that give consumers control over their data and, when you offer such choices, ensure that they are respected. To the extent opt-out tools are provided, any material limitations on how they apply or are implemented regarding cross-device tracking must be clearly and conspicuously disclosed.
  3. Provide heightened protections for sensitive information, such as financial information, meaning express consent should be granted by a consumer prior to engaging in cross-device tracking on these and other sensitive topics.
  4. Maintain reasonable security over the collected data. Companies should keep only the data necessary for their business purposes and they should properly secure the data they collect and maintain.
  5. Create controls around which departments can unilaterally deploy third-party online marketing vendors. Many times, smaller lenders may be unaware of what their marketing departments are doing within the digital space and may be unaware of the regulatory risks these activities could create.
  6. When negotiating the scope of services with digital advertising vendors, ensure that your legal and compliance partners review any change in technology or scope.
  7. Review your online privacy disclosure annually to ensure the necessary updates are made to the policy.
|

Conclusion

With the technology that drives data collection evolving daily, the regulators of financial serves are taking notice. The best way to avoid the reputational, litigation and regulatory risks associated with this space is to: 1) fully (if not, over-) disclose your activity and technology to your consumers; 2) maintain strict controls over the deployment of the services and technology; and 3) maintain a robust third-party vendor oversight function, which contemplates the regulatory implications that occur within the digital marketing space.

*****
Craig Nazzaro is Of Counsel in the Atlanta office of Nelson Mullins Riley & Scarborough LLP. His practice areas include Alternative Lending & Other Non-Bank Financial Services, FinTech, and Payments & Digital Commerce. Dowse Bradwell “Brad” Rustin, IV, is a partner in the firm's Greenville, SC, office whose practice areas include Banking & Financial Services, FinTech and Payments & Digital Commerce. Elizabeth A. DeVos is an associate in the firm's Greenville, SC, office. Her practice areas include Banking and Financial Services, FinTech, Consumer Financial Services, and Payments & Digital Commerce.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers Image

In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

CoStar Wins Injunction for Breach-of-Contract Damages In CRE Database Access Lawsuit Image

Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.

Fresh Filings Image

Notable recent court filings in entertainment law.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.