On August 10, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued an interpretive rule (the “Rule”) setting forth its position on the circumstances under which digital marketing providers for financial services companies are “service providers” under the Consumer Financial Protection Act (“CFPA”).[1] If treated as service providers, those companies may be subject to the CFPB’s enforcement authority, which includes exposure to potential unfair, deceptive, and abusive acts or practices (“UDAAP”) claims.
While the Rule lacks the force of law, it provides useful insight into how the CFPB may flex its enforcement authority related to consumer financial products and services, how they are marketed, and what activity or technology it may scrutinize. Subjecting technology and marketing companies—both big and small—to the CFPB’s sweeping UDAAP authority could have a significant impact.
The CFPA applies to any “service provider” that provides a material service to a covered person[2] in connection with the offering of a consumer financial product or service. Digital marketers have traditionally been exempt from being viewed as service providers under two exemptions for entities that provide either: (a) “a time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media,” or (b) “a support service of a type provided to businesses generally or a similar ministerial service.”
Apart from the limited activities enumerated in the Rule, it appears that the CFPB is attempting to essentially eliminate the exemptions for digital marketing providers. Under the Rule, digital marketers involved in either (a) the identification or selection of prospective customers, or (b) the selection or placement of content to affect consumer behavior are considered service providers under the CFPA.
The Rule provides a number of examples to illustrate services that would make a digital marketer a service provider, and those that would fall within the time and space exception or ministerial service exception. These examples make clear just how broadly the CFPB apparently intends to interpret digital marketing activity that qualifies as the actions of a service provider:
In contrast, the Rule identifies at least one limited marketing activity that it considers to fall with an exception: offering covered persons the ability to choose to run an advertisement on a particular web page or application of the covered person's choosing. According to the CFPB, that falls within the “time or space” exception as long as the advertisements can be seen by anyone who accesses that web page.
The Rule signals the CFPB’s intent to treat many companies that provide digital marketing services to covered persons as service providers under the CFPA. This exposes those companies to potential UDAAP liability and liability for other violations of the CFPA, including claims involving purported discrimination in connection with any marketing.
Stepping back, it appears that the Rule may be taking aim at Big Tech—and fintechs more broadly—and their use of AI and data analytics to deploy financial services. This Rule continues the CFPB’s focus on fintechs by pulling in digital marketing providers that have traditionally been exempt. In particular, the CFPB has repeatedly emphasized the potential for algorithms and analytics to be used in a discriminatory manner. This suggests that the CFPB will pursue companies that use or develop algorithms that process consumer data in a way that the CFPB believes is discriminatory.
Based on recent enforcement trends, examples of the types of discrimination in the digital marketing context that the CFPB may target include:
The impact of the CFPB’s pursuit of digital marketers’ use or development of algorithms could be significant. For instance, we have seen the Federal Trade Commission (“FTC”) issue monetary penalties and require the destruction of an algorithm that was allegedly derived from improperly collected data in violation of the FTC’s UDAP authority. The CFPB may seek similar penalties under the Rule, particularly if the marketing analytics could have a discriminatory impact. This heightens the stakes of compliance by implicating core business models, intellectual property, and future profits of digital marketing companies.
In light of this, companies that provide digital marketing or marketing-related data services to financial services providers should assess the potential of being captured as a services provider, as interpreted by the Rule. The CFPB’s UDAAP Examination Manual suggests that companies deemed to be service providers should incorporate measures designed to prevent discrimination into their compliance programs, and be prepared to show their processes for assessing potential risks and discriminatory outcomes. Given the Rule’s broad reach, digital marketing companies should consider proactive measures to ensure appropriate coverage of these safeguards in their respective programs to mitigate potential regulatory exposure.
[1] The interpretative rule entitled “Limited Applicability of Consumer Financial Protection Act's ‘Time or Space’ Exception With Respect to Digital Marketing Providers” was subsequently published in the Federal Register. See 87 FR 50556-01.
[2] The CFPA defines a “covered person” as a person that offers or provides a “consumer financial product or service,” which is in turn defined to include “providing payments or other financial data processing products or services to a consumer by any technological means,” provided that such products or services are “offered or provided for use by consumers primarily for personal, family, or household purposes.” See 12 U.S.C. § 548(5).