CFPB Puts Digital Marketers on Notice

On August 10, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued an interpretive rule (the “Rule”) setting forth its position on the circumstances under which digital marketing providers for financial services companies are “service providers” under the Consumer Financial Protection Act (“CFPA”).[1] If treated as service providers, those companies may be subject to the CFPB’s enforcement authority, which includes exposure to potential unfair, deceptive, and abusive acts or practices (“UDAAP”) claims.

While the Rule lacks the force of law, it provides useful insight into how the CFPB may flex its enforcement authority related to consumer financial products and services, how they are marketed, and what activity or technology it may scrutinize. Subjecting technology and marketing companies—both big and small—to the CFPB’s sweeping UDAAP authority could have a significant impact.

Overview

The CFPA applies to any “service provider” that provides a material service to a covered person[2] in connection with the offering of a consumer financial product or service. Digital marketers have traditionally been exempt from being viewed as service providers under two exemptions for entities that provide either: (a) “a time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media,” or (b) “a support service of a type provided to businesses generally or a similar ministerial service.”

Apart from the limited activities enumerated in the Rule, it appears that the CFPB is attempting to essentially eliminate the exemptions for digital marketing providers. Under the Rule, digital marketers involved in either (a) the identification or selection of prospective customers, or (b) the selection or placement of content to affect consumer behavior are considered service providers under the CFPA.

The Rule provides a number of examples to illustrate services that would make a digital marketer a service provider, and those that would fall within the time and space exception or ministerial service exception. These examples make clear just how broadly the CFPB apparently intends to interpret digital marketing activity that qualifies as the actions of a service provider:

• Identifying/Selecting Customers; Content Placement. Digital marketing providers materially engaged in identifying or selecting prospective customers or selecting or placing content in a way to encourage consumer engagement with advertising may be service providers. Specifically, the CFPB comments that digital ad targeting and content delivery services would typically be performed by a “covered person” under the CFPA, including services to measure the effectiveness of certain marketing efforts by calculating a “customer acquisition rate” and services to analyze optimal advertising purchases. 
• Targeting and Delivery of Advertisements. Digital marketing providers engaged in targeting and delivery of advertisements are service providers because they are not merely providing advertisement time or space and, thus, do not qualify for the “time or space” exception. Specifically, those that target and deliver advertisements to users with certain characteristics specified by a covered person are typically service providers under the CFPA.
• Use of Algorithms/Analytics. Digital marketing providers that commingle the targeting and delivery of advertisements to consumers, for example, by using “algorithmic models or other analytics,” with the provision of advertising “time or space,” are providing material services and, thus, are typically covered by the CFPA.

In contrast, the Rule identifies at least one limited marketing activity that it considers to fall with an exception: offering covered persons the ability to choose to run an advertisement on a particular web page or application of the covered person's choosing. According to the CFPB, that falls within the “time or space” exception as long as the advertisements can be seen by anyone who accesses that web page.

Significance of the Interpretative Rule 

The Rule signals the CFPB’s intent to treat many companies that provide digital marketing services to covered persons as service providers under the CFPA. This exposes those companies to potential UDAAP liability and liability for other violations of the CFPA, including claims involving purported discrimination in connection with any marketing.

Stepping back, it appears that the Rule may be taking aim at Big Tech—and fintechs more broadly—and their use of AI and data analytics to deploy financial services. This Rule continues the CFPB’s focus on fintechs by pulling in digital marketing providers that have traditionally been exempt. In particular, the CFPB has repeatedly emphasized the potential for algorithms and analytics to be used in a discriminatory manner. This suggests that the CFPB will pursue companies that use or develop algorithms that process consumer data in a way that the CFPB believes is discriminatory.

Based on recent enforcement trends, examples of the types of discrimination in the digital marketing context that the CFPB may target include:

• Trait-Based Targeting: Targeting audiences in a way that excludes persons with protected characteristics, such as race, color, religion, sex, or national origin.
• Delivery Determinations: Deciding where, when, and to whom an advertisement will be shown based on protected characteristics or close proxies for protected characteristics.
• “Look-alike” Targeting: Targeting advertisements to persons who mirror or resemble a known audience (e.g., existing customers) based, at least in part, on protected characteristics or close proxies for protected characteristics.

The impact of the CFPB’s pursuit of digital marketers’ use or development of algorithms could be significant. For instance, we have seen the Federal Trade Commission (“FTC”) issue monetary penalties and require the destruction of an algorithm that was allegedly derived from improperly collected data in violation of the FTC’s UDAP authority. The CFPB may seek similar penalties under the Rule, particularly if the marketing analytics could have a discriminatory impact. This heightens the stakes of compliance by implicating core business models, intellectual property, and future profits of digital marketing companies.

In light of this, companies that provide digital marketing or marketing-related data services to financial services providers should assess the potential of being captured as a services provider, as interpreted by the Rule. The CFPB’s UDAAP Examination Manual suggests that companies deemed to be service providers should incorporate measures designed to prevent discrimination into their compliance programs, and be prepared to show their processes for assessing potential risks and discriminatory outcomes. Given the Rule’s broad reach, digital marketing companies should consider proactive measures to ensure appropriate coverage of these safeguards in their respective programs to mitigate potential regulatory exposure.  

[1] The interpretative rule entitled “Limited Applicability of Consumer Financial Protection Act's ‘Time or Space’ Exception With Respect to Digital Marketing Providers” was subsequently published in the Federal Register. See 87 FR 50556-01.

[2] The CFPA defines a “covered person” as a person that offers or provides a “consumer financial product or service,” which is in turn defined to include “providing payments or other financial data processing products or services to a consumer by any technological means,” provided that such products or services are “offered or provided for use by consumers primarily for personal, family, or household purposes.” See 12 U.S.C. § 548(5).