Citizen Works has long advocated for a corporate crime database as part of our ongoing efforts to reduce corporate abuse and ensure transparency for consumers. On June 3rd, 2024, the Consumer Financial Protection Bureau finalized a rule that takes a step towards that goal.

The new rule creates a publicly available registry that tracks enforcement actions against non-bank lenders—like payday and auto loan venders—that have broken consumer protection law. The rule applies only to the non-bank lenders that the CFPB oversees but requires they report any action taken against them because they broke consumer protection laws—whether the CFPB was the one who acted.

Additionally, the rule requires that a senior executive at the lender report to the CFPB what steps are being taken to comply with enforcement actions. (See the rule)

While this rule is an important step towards reigning in corporate crime, Citizen Works still advocates for the creation of a comprehensive database to track corporate crime and anti-consumer behavior.

As cars become more technologically complex, they are increasingly able to gather information on drivers and their habits. Some metrics are what drivers are used to and often appreciate—such as fuel efficiency. But newer vehicles can also collect detailed data on how drivers behave—such as instances of rapid acceleration and braking or even location data.

How companies can use collected data like this is typically subject to privacy agreements included in terms and conditions at the time of purchase. Privacy agreements are typically long, expansive, and written in legalese, meaning when consumers read them—though they rarely do—it is unclear exactly what data is being collected, how it is being used, and, often, to whom it is being sold. Consumers often take it for granted that products like social media platforms collect and sell their data but may not expect that a product like their car is also collecting and storing their personal data.

In September of 2023, the Mozilla Foundation, a data privacy-focused non-profit, published a report on the data privacy practices of 25 automakers as part of their *Privacy Not Included series. After some tire-kicking, Mozilla labelled the auto industry the “worst product category” they had ever reviewed. The report brought forth an issue that has since drawn the interest of multiple government regulators and spurred multiple lawsuits in federal courts. (See the Mozilla report or details on what data is collected and how)

Mozilla’s report raised eyebrows in Congress. In December, Senator Ed Markey (D-MA), who sits on the Subcommittee on Consumer Protection, Product Safety and Data Security, asked 14 automakers doing business in the US to clarify their data collection policies. After lackluster responses from automakers, Sen. Markey sent a letter to the Federal Trade Commission asking it to investigate their data collection and privacy practices. (Read the letter and the responses from automakers)

In mid-May, the FTC released a blog post focused on data-rich vehicle manufacturers that reminded them that misuse of sensitive data will result in FTC action. The post referenced several recent situations where the FTC acted on misuse of data like geolocation by companies in other industries. While the notice did not announce any official actions or investigations, it was a strong reminder that corporate abuse of consumers’ private data will not go unnoticed. (Read the FTC’s post) The Federal Communications Commission also released a noticed of proposed rulemaking in April related to automobile data collection that would prevent victims of domestic abuse from having their connected vehicle data exploited by abusers, underscoring the need for robust data privacy practices. (See the rulemaking proposal)

Federal regulators may not have yet acted formally, but the drivers whose data is at risk have launched legal action against carmakers. In March, the New York Times reported General Motors had sold highly detailed and personalized driving data to third parties, including insurance companies, without their consent. (See the whole article.)

Multiple lawsuits in federal court, including some class action suits, have followed, claiming GM distributed driving data to two consumer credit reporting agencies who do business with auto insurance companies without the consent of vehicle owners. GM ran an opt-in program called OnStar Smart Driver which claimed to provide “customers with information about their driving behavior to help them maximize their vehicle’s overall performance, reduce vehicle wear and tear and encourage safer driving.” Consumers who enrolled in the program and subsequently sued GM say the terms and conditions did not give GM permission to give their data to insurance companies, and, in at least one case, say GM shared data even though they were never part of the program at all.

If true, these alleged claims would mean reckless misuse of drivers’ personal data by automakers for profit, underscoring the need for regulators and lawmakers to act to protect the privacy of consumers and reign in unfair practices.

Despite repeated efforts, Amtrak continues to require passengers to agree to an arbitration process to resolve claims against the rail service.

Amtrak added the Arbitration Agreement to the terms and conditions of its passenger tickets in 2019. The terms of the agreement state that it is “intended to be as broad as legally permissible, and, except as it otherwise provides, applies to all claims, disputes, or controversies, past, present, or future, that otherwise would be resolved in a court of law or before a forum other than arbitration.” In essence, the agreement forces all passengers who suffer injury from Amtrak to resolve their claims through a private arbitration process, not through the public courts system.

Forced arbitration can seriously limit consumers’ ability to win compensation for harm done by a corporation. Because the federal government owns a majority stake in Amtrak and it functions as a quasi-public corporation, some advocates contend that Amtrak’s Arbitration Agreement is unconstitutional and restricts citizens’ right to petition the government. (see Forced Arbitration)

In January of 2020, Public Citizen filed a lawsuit in the U.S. District Court for the District of Columbia on behalf of two customers challenging the legality of Amtrak’s Arbitration Agreement. Because Amtrak is majority owned by the federal government, the plaintiffs argued that the Arbitration Agreement violated Americans’ rights to petition the government through the judicial system. The District Court dismissed the lawsuit on procedural grounds for lack of an actual injury-in-fact or imminent future (standing to bring the lawsuit), and an appeals court upheld the District Court’s decision, leaving the legal question of the Arbitration Agreement unresolved. (See Weissman v. National Railroad Passenger Corp.).

The lawsuit, however, along with a public letter penned by Public Citizen and signed by more than 30 consumer advocacy organizations and written testimony submitted to a subcommittee of the House Judiciary Committee, brought Amtrak’s policy to the attention of lawmakers. Lawmakers in both houses introduced legislation to force Amtrak to amend their policy in 2020, and another bill was introduced in the Senate in 2021.

None were given a vote, and tickets purchased on Amtrak still carry a forced arbitration term that seriously restricts passengers’ ability to hold Amtrak accountable in court for injury or misconduct.

In June 2020, the Supreme Court released its opinion in the case of Seila Law vs. Consumer Financial Protection Bureau (CFPB), which questioned whether the leadership structure of the CFPB was constitutional. In a 5-4 decision along ideological lines, the Court—in an opinion authored by Chief Justice Roberts—ruled that the restrictions placed on the President’s ability to remove the Bureau’s director violated the Constitution’s separation of powers. The Court’s decision drastically increases the President’s power over the CFPB, limiting its independence and making it more vulnerable to political influence. (See Seila Law vs. CFPB)

Formed in 2011 by the Dodd-Frank Act in response to the 2008 financial crisis, the CFPB concentrated the regulation of consumer financial services in a single organization. The CFPB issues regulations for consumer financial products and levies fines to punish unfair or abusive lending practices. To insulate it from political pressure, Congress included two unusual provisions in the Bureau’s structure. First, the CFPB is funded outside of the traditional appropriations process, allowing it to pull money directly from the Federal Reserve without needing to seek approval from Congress.
The second was an independent directorship, nominated by the President for a five-year term and approved under the normal process for executive branch appointees by the Senate. Most executive appointees serve at the pleasure of the President—meaning the President can fire the official if a disagreement arises between them and the White House. The Bureau’s director was given for-cause protection, meaning that they can only be fired for neglect or malfeasance.

In 2017, the CFPB began investigating Seila Law, a firm that provides finance-related legal services. Seila Law challenged the authority of the Bureau to do so, arguing that its director structure was unconstitutional and therefore the Bureau was powerless. The case worked its way to the Supreme Court, which decided that there were two separate issues at hand.

The first question was whether the protections given by Congress to the Bureau’s director were constitutional. The Court ruled that the President has the power to oversee officials within the executive branch, and the limits on removal violated that power. In essence, Congress can not create an agency within the executive branch with the power to make rules and impose major fines and deny the President the authority to supervise that agency. The Court distinguished the CFPB from other nominally independent agencies that are run by multi-member boards like the Federal Trade Commission, which it had previously ruled can be protected by for-cause clauses. (See Humphrey’s Executor vs. United States)

The second question was whether the fact that the Bureau’s director was unconstitutionally protected posed an issue for the rest of the CFPB’s activities. In a 7-2 split, the Court’s liberal minority joined all but Justices Gorsuch and Thomas in affirming that the Bureau’s structure was governed by the principle of severability. Under this principle, an issue that invalidates one part of a law (in this case, the director’s protection from dismissal) does not jeopardize the entire law.

In the end, the Court struck down the director’s for-cause protections but did nothing more, denying the CFPB’s opponents a full-scale victory. The ruling, however, makes the CFPB much more vulnerable to political influence, as the President can now fire directors who run the Bureau in a way deemed unsatisfactory by the President. While the Court limited the independence of the CFPB’s director, it upheld the constitutionality of the Bureau’s unusual funding structure in another case decided in May 2024. (See CFPB vs. Community Financial Services Association of America)

On May 16, 2024, the Supreme Court released its decision in Consumer Financial Protection Bureau vs. Community Financial Services Association of America, a case that questioned the constitutionality of the funding structure of the Consumer Financial Protection Bureau (CFPB). In a 7-2 decision, the Court—in an opinion authored by Justice Clarence Thomas—roundly rejected CFSAA’s arguments that the CFPB’s unique funding process was unconstitutional. The Court’s ruling upheld the structure of the CFPB and fended off a challenge from an industry group hoping to limit the Bureau’s power to investigate and stop unfair and illegal lending practices. (See CFPB v. CFSAA)

In 2011, the Dodd-Frank Act—passed in response to the financial crisis—created the CFPB to regulate consumer-facing financial products such as payday loans, auto loans, and credit cards. Most government agencies are funded by annual appropriations from Congress, making them highly subject to the political agendas of lawmakers. To protect it from political pressure that could limit its ability to regulate unfair and illegal financial practices, Congress authorized the CFPB to pull money directly from the Federal Reserve each year. The Bureau’s director is given the authority to determine the amount, which is limited by an inflation-adjusted cap (for FY2024, that cap is about $785 million).

The Consumer Financial Services Association of America (CFSAA), a trade group of payday loan and other small-dollar lenders, had sued the Bureau in 2017 over regulations it published on certain high-interest loans. As part of the legal challenge, the CFSAA argued that the Bureau’s funding structure violated the Constitution’s Appropriations Clause—which requires that all money taken out of the Treasury be explicitly authorized by Congress—because it was too open-ended. The Court found no merit in CFSAA’s arguments.

Among other examples, the Court noted that the Postal Service funded itself through revenue from postal services as historical precedent. The Supreme Court’s ruling puts to rest a challenge that could have jeopardized the Bureau’s entire existence and re-affirms its independence. 


The Court had previously ruled in 2020 in Seila Law vs. Consumer Financial Protection Bureau that the Bureau’s leadership structure was unconstitutional. The CFPB had been created with a single independent director who was nominated for a five-year term but could only be removed under limited circumstances like neglect of duty or malfeasance. In Seila Law, the Court ruled that this structure violated the Constitution’s separation of powers by denying the President the power to oversee the Bureau’s director. The Court removed the restrictions on firing the Bureau’s director but noted that this issue did not affect the rest of CFPB’s operations. (See Seila Law vs. CFPB)