State Consumer Protection Laws Continue To Address Online Issues From Gamification To Data Privacy

Robinhood Financial LLC recently agreed to pay $7.5 million and significantly change its platform to settle a lawsuit brought against it by securities regulators in Massachusetts.

The plaintiffs contended that Robinhood's "gamification" features manipulated users. According to the allegations contained in the lawsuit, which was filed in 2020, Robinhood used "enticing gimmicks such as confetti animation and digital scratch tickets, which… exploited inexperienced traders."

The Massachusetts Fiduciary Rule set by the office of the Massachusetts Secretary of the Commonwealth holds broker-dealers to the same standards as investment advisers. Robinhood filed a lawsuit in 2021 contesting the rule, but the Massachusetts Supreme Judicial Court upheld the rule.

Robinhood decided to settle the Secretary of the Commonwealth's lawsuit, rather than appeal to the U.S. Supreme Court. The Secretary of the Commonwealth said the payment is an "administrative fine," and Robinhood's digital engagement practices will undergo significant changes.

Robinhood discontinued many of the "gamification" features on its platform after the lawsuit was filed. Per the terms of the settlement, Robinhood is prohibited from using "celebratory images linked to trading frequency, specific push notifications, or any features resembling gambling games," particularly for users in Massachusetts.

Robinhood also agreed to "implement transparent disclosures and engage an independent compliance consultant to review its digital engagement strategies," as well as submit to an independent review of its policies related to a November 2021 data breach that impacted approximately 117,000 Massachusetts residents. Irving Wilkinson "Robinhood Settles with Massachusetts, Agrees to Pay $7.5 Million Over 'Gamification' Practices" (Jan. 18, 2024).




In the above matter, Massachusetts' securities laws were used not only to secure a fine but also to eliminate online features of a trading platform.

Each state has consumer protection laws. Consumer data privacy laws are a growing trend. Specifically, state online privacy laws are meant to protect consumers from many issues, including identity theft.

For example, several states, including California, Colorado, Connecticut, Utah, and Virginia, have comprehensive consumer data privacy laws that give consumers "the right to access and delete personal information and to opt-out of the sale of personal information." In addition, commercial websites and online services must post a privacy policy. "State Laws Related to Digital Privacy"

All organizations with an online presence in these states must make sure their website follows these requirements and others contained in their state's law. Task your cybersecurity team, or work with an outside digital expert, to determine all applicable laws governing your online practices and necessary policies and procedures to comply with them.

Also, work with your legal counsel to monitor legislation for any changes to these laws and promptly update your policies and procedures to comply.

