Privacy in Marketplace

CFA Warns Bureau of Consumer Financial Protection That Proposed Debt Collection Regulations Threaten Consumers’ Privacy and Security

Thirty-Six Groups File Joint Comments Citing Serious Concerns

 |  Press Release

Washington, D.C. – In comments filed yesterday to the Bureau of Consumer Financial Protection, thirty-six consumer, privacy, civil rights and public interest organizations said that the agency’s proposed debt collection regulations threaten consumers’ privacy and security. Noting that privacy was one of the major concerns prompting Congress to enact the Fair Debt Collection Practices Act, the groups warned that in attempting to interpret the statute and take into account new means of communications, the agency was opening the door to more potential privacy abuses and security problems, at a time when there are already serious concerns about rampant robocalling, online privacy, data breaches, and identity theft.

“Consumers’ privacy and security should be at the forefront as these regulations are crafted,” said Susan Grant, Director of Consumer Protection and Privacy at Consumer Federation of America, which led in drafting the comments. “Consumers don’t choose to be in debt trouble, and if they find themselves in that unfortunate situation we need to ensure that their problems aren’t made even worse by abusive collection practices that expose them to reputational and other potential harms.”

The groups object to provisions of the proposed rules that would allow debt collectors to:

  • Contact consumers too frequently. A debt collector could make seven calls to a consumer within seven days about a debt and an unlimited number of emails or texts. Since many consumers have multiple debts, the number of calls they could receive is “staggering,” the groups said. For instance, a consumer with five debts could be called 35 times in seven days. On top of this, the consumer could receive a barrage of texts and emails. The limit should be three attempted calls and one conversation per consumer per week, the groups argued, regardless of the number of debts the firm is attempting to collect from that person. Similar limits should be set for texts and emails.
  • Send texts and emails to consumers without their consent. Emails and texts can be disruptive and annoying, clog up consumers’ inboxes and use up data on their cellphones, and result in charges for consumers who have limited data plans. Furthermore, texts and emails are not necessarily “private,” since they may be read by others in a variety of circumstances. They may also contain malware that can jeopardize consumers’ privacy and security. To protect against inappropriate disclosures and ensure that consumers are actually able to receive and respond to the information about the debts, debt collectors should ask for their prior affirmative consent to use a particular email address or cell phone number for communications, the groups said.
  • Post messages to consumers on social media platforms and send direct messages to them through those platforms. Though postings would only be allowed on social media pages that cannot be seen by others, the groups pointed out that privacy settings are not infallible and social media platforms “cannot be trusted to keep information private from outsiders or from their own voracious data collection activities.” Other messaging services may also not be private or secure. Therefore, debt collectors should not be able to use any of these methods to communicate with consumers, the groups said.
  • Relay “limited-content messages” to the consumer and to third-parties in an attempt to locate the consumer. The groups noted that even a seemingly innocuous message such as “This is Robin Smith trying to reach Sam Jones. Please contact me at 1-800-555-1212.” is likely to raise questions about who Mr. Smith is and why he is trying to reach Mr. Jones. The groups noted that the option to mention an “account” is even more worrisome, since reasonable people would conclude that this refers to a debt. These messages would violate the provisions of the law intended to protect consumers from harassment and abuse, including intrusions of their privacy, the groups concluded.
  • Provide crucial information to consumers via hyperlinks. The groups said that consumers’ well-founded reluctance to click on links in messages from strangers because of the danger of malware could prevent them from getting the important information they need about the debts. Another problem is that scammers and phishers posing as debt collectors could send messages with infected links. The groups also expressed concerns about directing consumers to websites, which would enable debt collectors to track them online, and about dashboards that could be vulnerable to data breaches and other abuses.

“The harms that result from invasions of privacy, both tangible and intangible, are very real to consumers,’ said Ms. Grant. “Debt collection regulations should aim to protect consumers from abuse, not protect debt collectors from responsibility to keep consumers’ personal information private and secure.”