On April 12, 2022, the U.S. Consumer Financial Protection Bureau (CFPB) filed a lawsuit against TransUnion, two of its subsidiaries, and former TransUnion executive John Danaher in his individual capacity for violating an enforcement order. That order, from January 2017, was part of a settlement in which TransUnion agreed to pay $16.9 million in restitution and civil penalties for deceptively marketing credit scores and credit-related products, such as credit monitoring services.

The CFPB's complaint, available here, alleges that after the order went into effect, TransUnion disregarded its requirements and continued using deceitful marketing practices, including:

• Misrepresenting that consumers could obtain a "free" or "$1" credit score or report, when in fact consumers who signed up were enrolled in a trial subscription, such that if they did not affirmatively cancel, they had to pay for an indefinite monthly subscription
• Asking for payment information for "identification purposes" but using that payment information to enroll consumers in subscription services
• Misrepresenting that consumers could purchase a standalone credit report or score (e.g., through brightly colored call-to-action buttons labeled "See Your Credit Score"), when in fact TransUnion was only offering an ongoing credit monitoring subscription
• Sending misleading emails that indicate a consumer already has access to credit monitoring when in fact they were not signed up

TransUnion has yet to file a response, but has publicly stated that it submitted a compliance plan to the CFPB that the agency ignored.

The action from the CFPB is noteworthy for a number of reasons. We provide some of the high-level takeaways below:

• A New Era of Aggressive Action: CFPB Director Rohit Chopra has made it clear that the CFPB will be willing to move aggressively against both large companies and "repeat offenders." Last month, in a speech at the University of Pennsylvania Law School, Director Chopra spoke about large companies that see the payment of fines as one cost of doing business. He laid out a new focus on deterring these repeat offenders with both monetary penalties and the imposition of structural remedies, such as limits on company size or growth, bans on certain business practices, or divestitures of certain product lines.
• Individual Liability: This action targets not only TransUnion and its subsidiaries, but one of its former top executives as well. The complaint alleges that in a calculated risk, the executive decided that creating an opt-in button for a monthly subscription service, as the prior CFPB order required, would have negatively impacted revenues. So, he allegedly decided to delay or roll back compliance with the order. The CFPB, as well as Director Chopra's former agency, the Federal Trade Commission, has been fairly aggressive about naming individuals in fintech, advertising, and privacy cases. This case is likely meant to be a salvo from the CFPB against companies and executives that see non-compliance as a risk that may be worth taking.
• Dark Patterns: Some of the practices that TransUnion admitted to in the 2017 settlement and is accused of continuing in this latest complaint fall into an area of growing focus referred to as "dark patterns." Although "dark patterns" has no clear definition, it generally refers to ways in which online user interfaces are crafted to drive consumers to make choices they may not have intended. For instance, the CFPB alleged that TransUnion engaged in such activity by limiting the disclosure to consumers that they were signing up for a monthly subscription service to small, low-contrast text that loaded in an image about 30 seconds slower than the rest of the page. The CFPB and other enforcement agencies continue to have a growing interest in the use of dark patterns.

Conclusion

The CFPB's action against TransUnion is a shot across the bow from the Biden administration, as it takes aim at repeat offenders and companies both large and small for misleading disclosures to consumers. To avoid regulatory scrutiny, all companies should review their consumer interfaces to make sure they are free of dark patterns that could, intentionally or not, mislead consumers. For advice on these issues, please contact Maneesha Mithal, Chris Olsen, David Cornell, or any other member of Wilson Sonsini's privacy and cybersecurity practice.