November 30, 2018

Summit Provides Insights on Hot Trends and Issues in Consumer Protection and Privacy

Federal Officials Identify Consumer Protection Enforcement Priorities, Compliance Tips at Holland & Knight Seminar
Holland & Knight Alert
Anthony E. DiResta | David L. Haller

Holland & Knight and the National Bar Association Consumer Law Section (NBA-CLS) on Nov. 16, 2018, hosted the Exploring the New Normal in Consumer Protection Enforcement Summit, a half-day seminar that focused on identifying priorities in consumer protection law, effective strategies in law enforcement investigations, risk areas for companies and the key issues presented in compliance management.

Guest speakers at the Summit included:

  • Serena Viswanathan, Deputy Director, Bureau of Consumer Protection, Federal Trade Commission (FTC)
  • Tom Pahl, Policy Associate Director for Research, Markets & Regulations, Consumer Financial Protection Bureau (CFPB)
  • Mark Eichorn, Assistant Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission (FTC)
  • Abigail Stempson, Director, NAGTRI Center for Consumer Protection, National Association of Attorneys General (NAAG)
  • Mark Neeb, CEO, ACA International

The Holland & Knight team included:

  • Tony DiResta, former Director, Southeast Regional Office, Federal Trade Commission (FTC), Partner and Co-Chair of the Consumer Protection Defense and Compliance Practice (Washington, D.C.)
  • Kwamina Williford, Partner and Co-Chair of the Consumer Protection Defense and Compliance Practice (Washington, D.C.)
  • Mark Melodia, Partner (New York)
  • Norma Krayem, Senior Policy Advisor and Chair, Global Cybersecurity & Privacy Policy and Regulatory Team (Washington, D.C.)

Guest Speaker Highlights

Serena Viswanathan, Deputy Director, Bureau of Consumer Protection, Federal Trade Commission (FTC)

Serena Viswanathan, who has served at the Federal Trade Commission for nearly 20 years, shared her insights into the FTC's consumer protection priorities and her advice about how businesses can best navigate FTC investigations. She shared a number of key themes and consumer protection, enforcement and other FTC priorities.

Consumer Protection Priorities

  • Viswanathan, in her personal capacity, stated that while the FTC has five new commissioners and a new director of the Bureau of Consumer Protection, she does not anticipate a substantial shift in enforcement priorities. In fact, she expects to see strong enforcement of the law going forward.
  • Many suspected that, upon the arrival of the new commissioners, there would be frequent disagreements about enforcement decisions falling largely along political lines. This has not been the case.
  • Indeed, most of the FTC's cases have been voted upon unanimously, and Viswanathan has seen no pulling of the punches when it comes to enforcement.
  • The FTC's consumer protection enforcement priorities continue to be the following:
  1. financial technology products
  2. deceptive health or safety claims
  3. influencer marketing
  4. gag clauses regarding negative consumer reviews
  5. data security and privacy
  6. fraud

New Enforcement Practices

  • Viswanathan noted that there are two enforcement practices that will likely change going forward:
  1. the FTC will aggressively enforce court orders
  2. the FTC will seek stronger remedies
    • This means that the FTC will consider seeking monetary relief where it has not considered seeking it in the past.
    • This also means that the FTC will more readily require consumer notification where it may prevent consumer harm.

Effective Advocacy Strategies

  • Although businesses are not likely to see lax enforcement anytime soon, Viswanathan did offer insight into effective advocacy strategies that businesses and their attorneys can use to navigate FTC investigations. Businesses should do the following:

    • Take responsibility for their failings. Corrective action and remediation is critical.
    • Focus on providing the FTC with a factual basis for not taking action. That factual basis will usually consist of effective policies and procedures, which are consistently followed, and will thus make future violations of the law unlikely.
    • Give the FTC enough time to understand what happened before providing the FTC with substantial amounts of information about compliance changes that the business plans to implement or is in the process of implementing.

Tom Pahl, Policy Associate Director for Research, Markets & Regulations, Consumer Financial Protection Bureau (CFPB)

Tom Pahl, who served at the Federal Trade Commission for more than 20 years and at the Consumer Financial Protection Bureau for nearly five years, shared his insights into the CFPB's priorities, how businesses can best navigate CFPB investigations, and how business can avoid those investigations in the first place.

Enforcement Priorities

  • Pahl, in his personal capacity, stated that the CFPB is in a state of transformation with the primary aim of ensuring that all of its actions are consistent with the Dodd-Frank Wall Street Reform and Consumer Protection Act, as written.
  • Although Pahl expects that Acting Director Mick Mulvaney's CFPB will target the same activity and will conduct the same number of investigations, the products of those investigations will be reviewed for strict compliance with the Dodd-Frank Wall Street Reform and Consumer Protection Act and its implementing regulations.
  • The CFPB is now interested in determining whether there are ways in which it can reduce any undue burden on business through regulatory and enforcement reform.

Regulatory Reforms

  • Pahl confirmed that the following regulatory reformations are at the top of the CFPB's priority list:
  1. reconsidering the rulemaking process
  2. reconsidering the payday lending rule
  3. reconsidering the Home Mortgage Disclosure Act rule
  4. evaluating rules to determine whether they should be revised
  5. revising rules to make them less burdensome
  6. engaging in congressionally mandated rulemaking pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act and the Economic Growth, Regulatory Relief, and Consumer Protection Act
  7. engaging in debt collection rulemaking

New Practices

  • In addition to these regulatory reforms, the CFPB is instituting two related practices. They are now focused on the following:

    • Providing written – rather than oral – guidance regarding how businesses should go about complying with the law so as to ensure that all CFPB guidance is consistent and available to the public.
    • Taking enforcement action where there exists, and it can prove, substantial consumer harm.

Compliance Management Systems

  • Pahl went on to underscore the importance of compliance management systems. Maintaining an effective compliance management system, Pahl noted, not only makes a business less likely to come to the CFPB's attention, but also helps the business secure a favorable outcome if it does. If a business has a robust compliance management system it is less likely that the CFPB will 1) bring a case against the business, 2) require that the business remain under court order, or 3) seek a far-reaching remedy.
  • Pahl also shared his advice about how businesses should go about crafting compliance systems. He recommended that businesses should start early and involve internal compliance officials as well as outside counsel with experience with the regulatory agencies. Once a business has created a compliance system it must put it in writing, distribute it to all of the employees tasked with putting it into practice and train those employees how to do so. Finally, the business must ensure that those employees consistently follow the compliance program as written and raise any issues they encounter along the way to the business.

Effective Advocacy Strategies

  • If a business' compliance management system fails and the CFPB opens an investigation, there are, according to Pahl, advocacy strategies that businesses should employ in order to best navigate the investigation. Businesses should do the following:

    • Reduce their positions to writing, in white papers or other memoranda, as early and as often as possible. This will help businesses to create an investigatory record and allow the CFPB to circulate the white papers throughout the agency.
    • Take full advantage of in-person meetings, including the initial meet and confer, if only to ensure that the Civil Investigative Demand is not overbroad and will not cause an undue burden.
    • Do their best to resolve all of their issues at the staff level, raising only their most serious concerns with senior officials.

Mark Eichorn, Assistant Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission (FTC)

Mark Eichorn, who has served at the Federal Trade Commission for 20 years, shared his insights, in his personal capacity, about the prospects for new data security and privacy legislation as well as FTC coordination with other engaged government officials at the state, federal and international levels.

Domestic Enforcement Cooperation

  • Eichorn began by stating that he is not optimistic that Congress will enact uniform federal legislation providing certainty to businesses as to their data security and privacy responsibilities. Indeed, just this month the FTC reiterated its longstanding call for federal data security and privacy legislation, but, thus far, that call has fallen on deaf ears.
  • While there may not be a single standard for some time, Eichorn noted that, in the meantime, the FTC will continue to closely coordinate with state regulators, including state attorneys general, to ensure that state and federal enforcement actions do not often overlap and that, when they do, those enforcement actions remain consistent. The FTC not only coordinates with the states, which often have concurrent jurisdiction over privacy issues, it also coordinates with other federal agencies, including the U.S. Securities and Exchange Commission (SEC) and the CFPB, each of which may have an interest in investigating or taking action in response to a particular breach or business practice impacting consumer privacy.

Foreign Enforcement Cooperation

Eichorn noted that, although the level of cooperation between the FTC and other domestic regulators may be higher than that between the FTC and foreign regulators, international cooperation on data security investigations is substantial and growing. The FTC cannot share information with foreign regulators if their laws forbid activity permitted in the United States, but international cooperation is commonplace and allows regulators to increase internal efficiency and reduce unnecessary burdens on businesses being investigated by several regulators at once.

About Our Teams

If you have questions about any of the topics discussed during the seminar, Holland & Knight's Consumer Protection Defense and Compliance and Global Cybersecurity and Privacy Policy and Regulation teams can provide additional information. Both teams are comprised of individuals with extensive experience handling FTC, CFPB, state attorneys general and other regulatory investigations and can provide advice not just on how to navigate those investigations once they begin but also on how to avoid them in the first place.  


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.

Related Insights