US CFPB targets digital marketing vendors with new rule of interpretation – Financial Services

To print this article, all you need to do is be registered or log in to

On August 10, 2022, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued a rule of interpretation clarifying its position that digital marketers providing consumer financial services companies with customer targeting and ad serving services are subject to the Consumer Financial Protection Act (“CFPA”) as “providers Services”. Critically, the rule considers technology companies offering such marketing services to fall within the scope of the Bureau’s unfair, deceptive, and abusive acts or practices (“UDAAP”) enforcement authority. Interpretative rules are exempted from notice and comment rule-making procedures under the Administrative Procedure Act, but also do not have the force of law.

Presentation of the rule of interpretation

The CFPA, including its UDAAP prohibition, applies to “covered persons” who offer or provide financial products or services to consumers. The CFPA also applies to providers of services to covered persons. The CFPA defines “service provider” as “any person who provides a material service to a covered person in connection with that covered person’s offer or provision of a consumer financial product or service”. However, the term “service provider” does not include those who provide either “a support service of a type provided to general business or a similar ministerial service” or “time or space for an advertisement for a consumer financial product or service in print, newspaper, or electronic media.” The interpretative rule addresses the application of these exceptions to digital marketers.

The rule states that when digital marketers identify or select potential customers and/or select or place content to affect consumer engagement, they are providing an important service and, therefore, “material” to the people covered. The rule provides that such a “material” service is beyond the scope of the CFPA’s “corporate service” exception. The rule also explains that businesses providing such services do not fall under the “time or space” exception because they are providing a service that goes beyond the provision of “airtime or physical space” for a advertising. The rule of interpretation states that digital marketers are increasingly involved in the development of content strategy and, therefore, are increasingly likely to be service providers under the CFPA.

The rule provides a number of examples to illustrate the difference between “hard” services and those that could benefit from an exception. For example, if a digital marketer offered a covered person the option to choose to serve an advertisement on a particular web page or application of the covered person’s choice, with the advertisements seen by any user of that page or application, the rule suggests that this activity would fall under the “time or space” exception. However, if a digital marketer targets and serves advertisements to specific users based on certain characteristics, even if those characteristics are specified by the person covered, the rule states that this would likely amount to a “hardware” service. Where a digital marketer determines or suggests which users are the appropriate audience for certain advertisements (based, for example, on the marketer’s knowledge of user characteristics and behavior), the rule of interpretation states that this goes “far beyond” the provision of airtime or physical space and a marketer would generally be considered a service provider in these circumstances.

UDAAP Considerations

As noted above, one of the most important aspects of this rule is that it sets out the position that technology companies offering these types of marketing services fall within the scope of the supervisory authority and application of the Bureau’s UDAAP. Earlier this year, the CFPB announced that discriminatory behavior in the offer or provision of a financial product or service to consumers could constitute an unfair practice for the purposes of the UDAAP ban. The Office also expressed concern about algorithmic bias and so-called “digital redlining”. Taken together, these developments suggest that the CFPB may consider leveraging its UDAAP authority to target what it sees as potential discrimination resulting from tech companies’ use of consumer data and algorithms to target ads. on consumers.

What about Section 230?

In particular, the interpretative rule still leaves open how the CFPB intends to implement this new vision of “service providers”. For example, will the CFPB seek to use its UDAAP authority (both oversight and enforcement) against platforms that serve targeted advertisements created by other companies? If that is the intent, the rule does not explain the agency’s position regarding how Section 230 of the Communications Decency Act might affect those efforts. This law states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of information provided by another information content provider” and has been interpreted by many courts as prohibiting lawsuits against digital platforms in relation to content created by third parties.


This interpretive rule should be seen as another signal to tech companies that the Bureau is paying close attention to their use of consumer data and algorithms. This attention may result in increased enforcement activity by the CFPB and perhaps also by state regulators. By announcing the rule, Director Chopra said“When Big Tech companies use sophisticated behavioral targeting techniques to market financial products, they must comply with federal financial consumer protection laws… [f]Federal and state law enforcement can and should hold these companies accountable if they break the law. in a speech at the National Association of Attorneys General’s presidential summit, delivered the same day the rule was released, Director Chopra highlighted the rule and reaffirmed the Bureau’s support for state enforcement of the CFPA.

Visit us at

Mayer Brown is a global provider of legal services comprised of law firms that are separate entities (the “Mayer Brown Firms”). The Mayer Brown firms are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, two limited liability companies established in Illinois in the United States; Mayer Brown International LLP, a limited liability company incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales under number OC 303359); Mayer Brown, a SELAS based in France; Mayer Brown JSM, a partnership of Hong Kong and its associated entities in Asia; and Tauil & Checker Advogados, a Brazilian legal partnership with which Mayer Brown is associated. “Mayer Brown” and the Mayer Brown logo are registered trademarks of Mayer Brown law firms in their respective jurisdictions.

© Copyright 2020. Mayer Brown Practices. All rights reserved.

This article by Mayer Brown provides information and commentary on interesting legal issues and developments. The foregoing is not a complete treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action regarding the matters discussed here.

POPULAR ARTICLES ON: Finance and Banking of the United States

Health Regulatory Report | August 2022

McDermott Will & Emery

In 2018, a Missouri neurosurgeon was convicted and ordered to pay nearly $5.5 million for violating the AKS by submitting claims for the use of spinal implants that were distributed…