On August 10, 2022, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued an interpretive rule clarifying its position that digital marketers providing consumer financial services companies with customer targeting and advertisement delivery services are subject to the Consumer Financial Protection Act (“CFPA”) as “service providers.” Critically, the rule takes the position that tech companies offering such marketing services fall within the scope of the Bureau’s unfair, deceptive, and abusive acts or practices (“UDAAP”) enforcement authority. Interpretive rules are exempt from the notice-and-comment rulemaking procedures under the Administrative Procedure Act but also lack the force of law.
Interpretive Rule Overview
The CFPA, including its UDAAP prohibition, applies to “covered persons” that offer or provide consumer financial products or services. The CFPA also applies to service providers to covered persons. The CFPA defines “service provider” as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” However, the term “service provider” does not include those providing either “a support service of a type provided to businesses generally or a similar ministerial service” or “time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.” The interpretive rule addresses the application of these exceptions to digital marketers.
The rule states that when digital marketers identify or select prospective customers and/or select or place content to affect consumer engagement, they are providing a significant and, therefore, “material” service to covered persons. The rule provides that such “material” service is beyond the scope of the “ministerial service” exception to the CFPA. The rule also explains that companies providing such services do not fall within the “time or space” exception because they are providing a service that goes beyond providing “airtime or physical space” for an advertisement. The interpretive rule states that digital marketers are increasingly more involved in the development of content strategy and, thus, are increasingly more likely to be service providers under the CFPA.
The rule provides a number of examples to illustrate the difference between “material” services and those that would qualify for an exception. For example, if a digital marketer offered a covered person the ability to choose to run an advertisement on a particular webpage or application of the covered person’s choosing, with the advertisements seen by any user of that page or application, the rule suggests that such activity would fall within the “time or space” exception. However, if a digital marketer targets and delivers advertisements to specific users based on certain characteristics, even if those characteristics are specified by the covered person, the rule states it likely would amount to a “material” service. When a digital marketer itself determines or suggests which users are the appropriate audience for certain advertisements (based on, for example, the marketer’s knowledge of users’ characteristics and behavior), the interpretive rule states that this goes “well beyond” providing airtime or physical space and a marketer would typically be considered a service provider in these circumstances.
As noted above, one of the most significant aspects of this rule is that it sets forth the position that tech companies offering these types of marketing services fall within the scope of the Bureau’s UDAAP supervision and enforcement authority. Earlier this year, the CFPB announced its view that discriminatory conduct in the offering or provision of a consumer financial product or service could constitute an unfair practice for the purposes of the UDAAP prohibition. The Bureau also has expressed concern over algorithmic bias and so-called “digital redlining.” Taken together, these developments suggest that the CFPB may be planning to rely on its UDAAP authority to target what it sees as potential discrimination resulting from tech companies’ use of consumer data and algorithms to target ads to consumers.
What about Section 230?
Notably, the interpretive rule still leaves open how the CFPB intends to implement this new view of “service providers.” For example, will the CFPB seek to use its UDAAP authority (both supervision and enforcement) against platforms that publish targeted advertising created by other companies? If that is the intent, the rule does not explain the agency’s position regarding how Section 230 of the Communications Decency Act might affect these efforts. That statue provides, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider” and has been interpreted by many courts to prohibit suits against digital platforms in connection with content created by third parties.
This interpretive rule should be taken as another signal to tech companies that the Bureau is paying close attention to their use of consumer data and algorithms. This attention may result in increased enforcement activity by the CFPB and possibly also by state regulators. In announcing the rule, Director Chopra stated: “When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws . . . [f]ederal and state law enforcers can and should hold these firms accountable if they break the law.” Additionally, in a speech to the National Association of Attorneys General Presidential Summit delivered on the same day the rule was issued, Director Chopra highlighted the rule and restated the Bureau’s support of state enforcement of the CFPA.