State Consumer Protection Laws Continue To Address Online Issues From Gamification To Data Privacy

Robinhood Financial LLC recently agreed to pay $7.5 million and significantly change its platform to settle a lawsuit brought against it by securities regulators in Massachusetts.

The plaintiffs contended that Robinhood's "gamification" features manipulated users. According to the allegations contained in the lawsuit, which was filed in 2020, Robinhood used "enticing gimmicks such as confetti animation and digital scratch tickets, which… exploited inexperienced traders."

The Massachusetts Fiduciary Rule set by the office of the Massachusetts Secretary of the Commonwealth holds broker-dealers to the same standards as investment advisers. Robinhood filed a lawsuit in 2021 contesting the rule, but the Massachusetts Supreme Judicial Court upheld the rule.

Robinhood decided to settle the Secretary of the Commonwealth's lawsuit, rather than appeal to the U.S. Supreme Court. The Secretary of the Commonwealth said the payment is an "administrative fine," and Robinhood's digital engagement practices will undergo significant changes.

Robinhood discontinued many of the "gamification" features on its platform after the lawsuit was filed. Per the terms of the settlement, Robinhood is prohibited from using "celebratory images linked to trading frequency, specific push notifications, or any features resembling gambling games," particularly for users in Massachusetts.

Robinhood also agreed to "implement transparent disclosures and engage an independent compliance consultant to review its digital engagement strategies," as well as submit to an independent review of its policies related to a November 2021 data breach that impacted approximately 117,000 Massachusetts residents. Irving Wilkinson "Robinhood Settles with Massachusetts, Agrees to Pay $7.5 Million Over 'Gamification' Practices" alphabetastock.com (Jan. 18, 2024).

 

Commentary

 

In the above matter, Massachusetts' security laws were used to secure a fine, but to also eliminate online features of a trading platform.

Each state has consumer protection laws. A growing trend are consumer data privacy laws. Specifically, state online privacy laws are meant to protect consumers from many issues, including identity theft.

For example, several states, including California, Colorado, Connecticut, Utah, and Virginia, have comprehensive consumer data privacy laws that give consumers "the right to access and delete personal information and to opt-out of the sale of personal information." In addition, commercial websites and online services must post a privacy policy. "State Laws Related to Digital Privacy" www.ncsl.org.

All organizations with an online presence in these states must make sure their website follows these requirements and others contained in their state's law. Task your cybersecurity team, or work with an outside digital expert, to determine all applicable laws governing your online practices and necessary policies and procedures to comply with them.

Also, work with your legal counsel to monitor legislation for any changes to these laws and promptly updating your policies and procedures to comply.

 

Finally, your opinion is important to us. Please complete the opinion survey:

News

Data Compliance Audit: A Double-Edge Sword When Defending Data Security Claims

A new report claims a surge in ransomware attacks. Compliance audits are necessary to limit risk, but there is a dark side to audits if organizations are not ready to comply. Read More

"Juice Jacking" Alert: FBI Warns Of Bad Public Charging Ports

In an unusual move, the FBI warns the general public to stay clear of public USB charging ports. We explain why "juice jacking" is a threat. Read More

Biometric Authentication: Still Not Ready For Prime Time

A bank's choice to rely solely on biometric authentication was quickly shown to be a risk. We explain. Read More