Georgetown Law
Technology Review

Commencement

On October 30, 2020, the Consumer Financial Protection Bureau (CFPB) issued a final rule which modernizes the Fair Debt Collection Practices Act (FDCPA), a law prohibiting harassment and abuse, false or misleading representations, and unfair practices by debt collectors. While collection agencies are currently allowed to contact consumers by mail and by phone, the new rule enables communication via email, text message, and social media platforms as well. Further, the rule also clarifies how the protections of the FDCPA, which governs the practices of first- and third-party debt collectors, account for changes in consumer communication technologies that have been developed since the FDCPA’s enactment in 1977. The CFPB rule will go into effect one year from its publication date in the Federal Register, in late 2021.

The 653-page rule has the potential to significantly affect more than 20% of the U.S. population. Once the debt collector initiates contact via social media, the rule provides that the consumer may use the same channel to place a “cease communication” request or notify the debt collector that they refuse to pay the debt. The CFPB announcement indicates that consumers can opt out of electronic communications with debt collectors, but the exact steps required to prevent social media interaction have not yet been delineated.

Intrusion by debt collectors into individuals’ electronic and online personal spaces raises grave privacy concerns. Compounding the problem is the exchange of highly sensitive information on third party systems and platforms without end-to-end encryption or on mediums that are ripe for hacking. 

Third-Party Involvement

While social media platforms represent an efficient medium for debt collectors to interact with consumers, they expose users to a host of privacy issues which could potentially compromise private debt information. Data trails may yield information on predicting defaults and could expose social media users to predatory financing programs. Data mined in this practice might include users’ messages, browsing history, location, and past purchase history. 

By design, social media relies on the sharing of user-generated content for operation. As such, social media technologies may inadvertently or deliberately enable administrators to view private chats between debt collectors and users. Facebook was recently accused of spying on users’ private messages, “desperate for data” on its competitors. According to the report, the technology behemoth was secretly paying people to install a network that allowed Facebook access to users’ phone and web activity. California filed a lawsuit against Tik Tok in 2019, accusing the social media platform of secretly gathering user data and sending it to China. The same year, former Snapchat personnel admitted that employees with privileged access to user data had spied on user’s profiles. This year, Twitter confirmed hackers leveraged internal staff tools to download users’ account data, possibly including private messages.

Hacking

Once something is sent through the internet, it may become accessible to multiple parties, including hackers and scammers trolling social media sites. Electronic communication methods are especially susceptible to infiltration. Consumers may not know the debt collectors who contact them by email, text, or social media, casting some doubt on the legitimacy of the communication. Phantom debt collectors may take advantage of the new rule to send messages impersonating debt collectors, with links to viruses, malware, or phishing traps, raising serious data security and identity theft concerns.

Communications via private messaging services are inherently unsafe and inappropriate for sensitive communications. For instance, in 2018, millions of Facebook users’ private posts were made public when a bug altered the users’ privacy preferences. Text messages, emails, and the majority of social media messaging applications are not end-to-end encrypted by default, so consumers are left to trust the third-party servers with their debt information. The servers store the unencrypted messages, so in the event of a data breach, unauthorized users can access the content. The CFPB did not endorse encrypted mediums in an attempt to reduce “unwarranted” regulatory burdens. CFPB Director Kathy Kraninger believed “[e]mpowering consumers to help themselves, protect their own interests . . . is vital to preventing consumer harm and building financial well-being.” The multiplicity of unencrypted communication channels adds an additional level of concern when dealing with the sensitive financial information.

Conclusion

In anticipation of the new rule, it will be important for debt collection companies to ensure that any digital infrastructure is both flexible enough to adjust to consumer preferences but also sufficiently protective of consumers’ privacy. Through the guise of modernization, the debt collection rule could inundate consumers with electronic communications, especially with the lack of clear direction on how consumers can opt out. The potential privacy implications will likely warrant further consideration when the rule takes effect late next year.