On September 21, the CFPB announced the beginning of its anticipated rulemaking regarding consumer reporting, including a proposal to remove medical bills from credit reports. This announcement builds upon a hearing the CFPB held in July 2023 on medical billing and collections, highlighting its range of negative impacts on marginalized communities (covered by InfoBytes here). In the CFPB’s announcement, Director Rohit Chopra emphasized the inconsequential “predictive value” of medical bills in credit reports despite their prevalence in American households; the agency’s goal is thus to alleviate the burden on individuals facing medical debt. The Bureau’s press release highlighted components of its outline of proposals and alternatives under consideration, such as (i) prohibiting consumer reporting companies from including medical bills in consumers’ credit reports; (ii) prohibiting creditors from relying on medical bills for underwriting decisions; and (iii) prohibiting debt collectors from leveraging the credit reporting system to pressure consumers into paying their debts. The rule would not prevent creditors from accessing medical bill information for purposes such as validating the need for medical forbearances or evaluating loan applications for paying medical debt.
In addition to the proposed removal of medical debt from consumer reports, the Bureau’s outline includes other notable proposals regarding consumer reports. The Bureau’s proposals include:
- As previously covered by InfoBytes, applying the FCRA to data brokers by altering the FCRA definitions of “consumer report” and “consumer reporting agency” to “address whether and how the FCRA applies to newer actors and practices in the credit reporting marketplace, including questions such as coverage of data brokers and certain consumer reporting agency practices regarding marketing and advertising.” In particular, the Bureau is also considering a proposal that would provide that data brokers selling “consumer reports” containing consumers’ payment history, income, and criminal records would be considered consumer reporting agencies. The Bureau is also exploring clarifications on when data brokers qualify as consumer reporting agencies and furnish consumer reports.
- Clarifying whether “credit header data” qualifies as a consumer report, which could limit the disclosure or sale of credit header data without valid reasoning.
- Clarifying that certain targeted marketing activities that do not directly share information with a third party nevertheless are subject to the FCRA.
- Proposing a definition of the terms “assembling” and “evaluating” to include intermediaries or vendors that “transmit consumer data electronically between data sources and users.”
- Clarifying whether and when aggregated or anonymized consumer report information constitutes or does not constitute a consumer report. Specifically, the Bureau contemplates providing that a data broker’s sale of particular data points such as “payment history, income, and criminal records” would “generally be a consumer report, regardless of the purpose for which the data was actually used or collected, or the expectations of that data broker.”
- Establishing the steps that a company must take to obtain a consumer’s written instructions to obtain a consumer report.
- Addressing a consumer reporting agency’s obligation under the FCRA to protect consumer reports from a data breach or unauthorized access.
On September 20, the SEC adopted amendments (as set forth in the final rule and as discussed in the fact sheet) to the Investment Company Act rule that requires investment companies whose names suggest a focus in a particular type of investment to adopt a policy to invest not less than 80 percent of the value of their assets in those investments (the “Names Rule”). The agency said the amendments to the Names Rule will enhance its protections by addressing gaps in the current requirements and will “help ensure that a fund’s portfolio aligns with a fund’s name.”
The Names Rule promotes truth-in-advertising by ensuring that a fund whose name accurately suggests a focus on a particular type of investment adopt a policy to align its portfolio to put 80 percent of its assets toward the cause suggested by its name (the “80 percent investment policy”).
The SEC said, “the amendments will enhance the rule’s protections by requiring more funds to adopt an 80 percent investment policy, including funds with names suggesting a focus in investments with particular characteristics, for example, terms such as 'growth' or 'value,' or certain terms that reference a thematic investment focus, such as the incorporation of one or more Environmental, Social, or Governance factors.”
The amendments will expand the requirement to adopt an 80 percent investment policy to more funds, including those with names suggesting a focus in investments with particular characteristics (e.g., “growth” or “value”), or certain terms that reference the incorporation of one or more ESG factors. The amendments will also (i) require that a fund conduct a quarterly review of its portfolio assets’ treatment under its 80 percent investment policy; (ii) establish deadlines for getting back into compliance if a fund departs from its 80 percent investment policy; and (iii) enhance prospectus disclosure requirements to require that terminology used in fund names that suggests an investment focus be consistent with the plain English meaning or established industry use of such terms.
The amendments will become effective 60 days after publication in the Federal Register. Fund groups with more than $1 billion in assets under management will have two years to comply with the rule. Funds that manage less than $1 billion will be given 30 months to comply with the rule.
On September 20, the SEC announced the approval of its revised Privacy Act rules, which govern the handling of personal information in the federal government. Among other things, the final rule will update, clarify, and streamline the SEC’s Privacy Act regulations by (i) clarifying the purpose and scope of the regulations; (ii) updating definitions to plainly describe regulation processes; (iii) allowing for electronic methods to verify requesters’ identities and submit Privacy Act requests; and (iv) providing for a shorter response time to Privacy Act requests. The final rule will also update fee provisions and eliminate unnecessary provisions. The SEC last updated its Privacy Act rules in 2011, and due to the extent of the revisions, the final rule will replace the Commission’s current Privacy Act regulations entirely.
The revised rule will take effect 30 days after publication in the Federal Register.
The EU-US Data Privacy Framework (the “Framework”) sets forth a set of principles and requirements that US organizations can comply with and, following certification, be permitted to join the Framework. On October 12, the UK extension to the Framework will come into effect following the UK digital minister’s submission of regulation and the US Attorney General’s designation of the UK as a “qualifying state.”
This data bridge and the associated framework ensure that the level of protection for UK individuals’ personal data, as provided for under UK GDPR, is maintained. The FTC and U.S. Department of Transportation are the independent supervisory authorities for the UK extension, which is administered by the U.S. Department of Commerce.
On September 19, the U.S. District Court for the District of Columbia denied a motion for summary judgment from the National Association of Mutual Insurance Companies arguing that the Department of Housing and Urban Development’s disparate-impact rule conflicts with the limits of the Fair Housing Act as interpreted by the Supreme Court. Under the rule, promulgated in 2013 and reinstated under the Biden administration, a policy is unlawful if it has a “discriminatory effect” on a protected class and is not necessary to achieve a “substantial, legitimate, nondiscriminatory” interest, or if there is a less discriminatory alternative. Judge Richard J. Leon held that the rule does not exceed the limitations on disparate-impact liability under the FHA placed by the Supreme Court in Texas Department of Housing & Community Affairs v. Inclusive Communities Project, Inc., 576 U.S. 519 (2015), where those limitations avoid potential constitutional issues and prevent the Act from forcing housing authorities to reorder their legitimate priorities.
On September 19, the CFPB published a recent decision and order denying the petition of one of the nation’s largest private student loan servicers to set aside the CFPB’s civil investigative demand (CID) in connection with its investigation into potential violations of the CFPA’s prohibition of unfair, deceptive, and abusive acts and practices for attempting to collect on loans that had been previously discharged in bankruptcy. The order instructs the servicer to “comply in full” with the requests for documents and information set forth in the Bureau’s June 2023 CID.
The servicer objected to the CFPB’s investigation, arguing, among other things, that the Bureau lacks authority to enforce the U.S. Bankruptcy Code. The servicer also argued that the Bankruptcy Code displaces the CFPA if the reason a debt is not owed is due to a bankruptcy discharge.
The Bureau rejected the servicer’s arguments, stating “[t]he Bureau seeks to determine whether a student loan servicer violated the prohibition on unfair, deceptive, and abusive acts and practices not just by making individual attempts to collect discharged debts from individual debtors, but also, more globally, by having no policies and procedures in place to determine whether loans in the servicer’s portfolio are dischargeable in bankruptcy via standard bankruptcy orders, a practice that could put entire populations of borrowers at risk of harmful and unlawful collection efforts.” It went on to say “[t]he bureau does not seek to investigate potential violations of the Bankruptcy Code, but rather potential violations of the CFPA.” The CFPB also noted that courts have “repeatedly held that the Bureau can bring CFPA claims based on companies’ attempts to collect debts that consumers do not owe due to the impact of some other statute.”
On September 14, U.S. District Judge Karen K. Caldwell issued an order granting an injunction sought by the Kentucky Bankers Association and eight Kentucky-based banks to enjoin the CFPB from implementing and enforcing requirements for small business lenders until the U.S. Supreme Court rules on the CFPB’s funding structure (previously covered by InfoBytes here and here).
As previously covered by InfoBytes, the plaintiff banks filed their motion for a preliminary injunction seeking an order to enjoin the CFPB from enforcing the Small Business Lending Rule against them for the same reasons that a Texas district court enjoined enforcement of the rule (Texas decision covered by InfoBytes here). The CFPB argued, among other things, that the plaintiff banks failed to satisfy the factors necessary for preliminary relief, that the plaintiff banks are factually wrong in asserting that the Rule would require lenders to compile “‘scores of additional data points’ about their small business loans,” and the “outlier ruling of the 5th Circuit” in the Texas case does not demonstrate that the plaintiff banks are entitled to the relief they seek.
In the order granting the preliminary injunction, Judge Caldwell discussed the factors for determining whether injunctive relief is appropriate. Notably, Judge Caldwell determined that the irreparable harm factor weighs in favor of the plaintiffs, stating “[p]laintiffs are already incurring expenses in preparation for enforcement of the Rule and will not be able to recover upon a Supreme Court ruling that the CFPB’s funding structure is unconstitutional.” Additionally, Judge Caldwell indicated that the likelihood of success factor “does not tip the scale in either direction,” and that the remaining factors, substantial harm to others if the preliminary injunction is granted and the public interest, “carry little weight” because “[b]efore the Rule becomes enforceable, a decision on the merits will be issued by the highest court in the land.”
Judge Caldwell found that the imposition of the preliminary injunction “will create no harm to the CFPB nor the public since the rule would not otherwise be enforceable in the interim” and granted the preliminary injunction “in the interest of preserving the status quo until the Supreme Court has made its decision.”
On September 14, 2023, in the U.S. District Court for the Northern District of California, San Jose Division, plaintiffs filed a motion for preliminary approval of a proposed Class Action Settlement Agreement and Release pursuant to which a tech giant will pay $62 million to resolve claims that it illegally tracked and stored users’ private location information even after users opted out. According to the filing, the proposed settlement “would be used to pay for the costs of Notice and Settlement administration, any Court-awarded attorneys’ fees and expenses and Class Representative Service Awards,” with the balance being “distributed to one or more Court-approved cy pres recipients,” each of which must be “independent 501(c)(3) organizations with a track record of addressing privacy concerns on the Internet.”
The company also agreed to injunctive relief for a period of at least three years, requiring it to, among other things: (i) “maintain a policy whereby (a) Location Information stored through Location History (“LH”) and Web & App Activity (“WAA”) is automatically deleted by default after a period of at least 18 months when users opt into these settings for the first time, and (b) users can set their own auto-delete periods;” (ii) provide users with instructions on how to disable each data collection setting, delete the data collected, and set retention limits; and (iii) confirm that the company “does not now share users’ precise Location Information collected in LH or WAA with third parties (except for valid legal reasons).” The settlement class includes as many as 247 million smartphone users whose location information the company stored “while ‘Location History’ was disabled” from January 1, 2014, through the notice date.
In a statement on September 15, a spokesperson for the company said “[c]onsistent with improvements we've made in recent years, we have settled this matter, which was based on outdated product policies that we changed years ago."
On September 11, Delaware’s governor signed HB 154 (the “Act”), which creates the Delaware Personal Data Privacy Act. The Act ensures that residents of Delaware have the right to be informed about the collection of their personal information, access that information, rectify any inaccuracies, or request the deletion of their personal data held by individuals or entities. The Act will apply to those who conduct business in the State or that “produce products or services that are targeted to residents of the State [of Delaware] and that during the preceding calendar year” processed the personal data of more than 35,000 consumers, or processed the personal data of at least 10,000 consumers while deriving more than 20 percent of their gross revenue from personal data sales. Additionally, the Act mandates that the Delaware Department of Justice conduct public outreach programs to educate consumers and the business community about the Act, starting at least six months before the date on which the Act becomes effective.
The Act is effective on January 1, 2025.
Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the California Privacy Protection Agency board. Draft regulations on automated decision-making remain to be published. More comprehensive comment and feedback is expected on these draft regulations, unlike the regulations finalized in March, which were presented in a more robust state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, adding a ticking reminder to the finalization process for these draft regulations.
The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must also be completed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying the business has not influenced the audit, and has reviewed the audit and understands its findings.
The draft risk assessment regulations require conducting a risk assessment prior to initiating processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list that includes the selling or sharing of personal information; processing the personal information of consumers under age 16; and using certain automated decision-making technology, including AI.