On April 12, 2022, the U.S. Consumer Financial Protection Bureau (CFPB) filed a lawsuit against TransUnion, two of its subsidiaries, and former TransUnion executive John Danaher, individually, for breach of an order of execution. The January 2017 order was part of a settlement in which TransUnion agreed to pay $16.9 million in damages and civil penalties for deceptively marketing credit ratings and credit-related products, such as as credit monitoring services.
The CFPB complaint, available herealleges that after the order took effect, TransUnion ignored its demands and continued to use deceptive marketing practices, including:
- Falsely stating that consumers could get a “free” or “$1” credit score or report, when in fact the consumers who signed up were signed up for a trial subscription, so that if they did not cancel affirmatively, they had to pay an indefinite monthly subscription
- Request payment information for “identification purposes” but use that payment information to sign up consumers for subscription services
- Falsely stating that consumers could purchase a stand-alone credit report or score (for example, through brightly colored call-to-action buttons labeled “View Your Credit Score”), when in fact, TransUnion only offered an ongoing subscription to credit monitoring
- Sending misleading emails stating that a consumer already has access to credit monitoring when in fact they were not registered
TransUnion has yet to file a response, but has publicly said it submitted a compliance plan to the CFPB that the agency ignored.
The action of the CFPB is remarkable in more ways than one. We provide some of the top takeaways below:
- A new era of aggressive action: CFPB Director Rohit Chopra made it clear that the CFPB would be prepared to act aggressively against big business and “repeat offenders”. Last month, in a speech at the University of Pennsylvania Law School, Principal Chopra spoke about the big corporations that see paying fines as a cost of doing business. He focused on deterring such repeat offenders through monetary penalties and the imposition of structural remedies, such as limits on the size or growth of businesses, prohibitions on certain business practices or the divestiture of certain product lines.
- Individual Responsibility: This action targets not only TransUnion and its subsidiaries, but also one of its former senior executives. The complaint alleges that in a calculated risk, the executive decided that the creation of an opt-in button for a monthly subscription service, as required by the prior order of the CFPB, would have had a negative impact on the income. Thus, he would have decided to delay or cancel compliance with the order. The CFPB, along with Director Chopra’s former agency, the Federal Trade Commission, has been quite aggressive in naming individuals in fintech, publicity, and privacy cases. This case is probably meant to be a CFPB salvo against companies and executives who view non-compliance as a risk that may be worth taking.
- Dark patterns: Some of the practices that TransUnion admitted to in the 2017 settlement and are accused of continuing in this latest complaint fall under an increasingly targeted area called “dark patterns.” Although “dark patterns” don’t have a clear definition, they generally refer to how online user interfaces are designed to trick consumers into making choices they may not have intended. For example, the CFPB alleged that TransUnion engaged in such activity by limiting disclosure to consumers that they were signing up for a monthly subscription service to small, low-contrast text that loaded into an image approximately 30 seconds slower than the rest of the page. . The CFPB and other law enforcement agencies continue to show increasing interest in the use of dark patterns.
The CFPB’s action against TransUnion is a swipe at the front of the Biden administration, as it targets repeat offenders and companies large and small for misleading consumer disclosures. To avoid regulatory scrutiny, all companies should review their customer interfaces to ensure they are free of dark patterns that could intentionally or unintentionally mislead consumers. For advice on these matters, please contact Maneesha Mithal, Chris Olsen, David Cornell, or any other member of Wilson Sonsini’s privacy and cybersecurity practice.