InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Oregon enacts new consumer finance protections related to wage garnishment
Recently, the Governor of Oregon enacted bill SB 1595 (the “Act”) that amended Oregon’s statutes to provide greater consumer protection rights for Oregonians working to pay back their debts. The Act was mostly comprised of new rights for wage garnishments. Section 10, which updated ORS 18.785, amended what a financial institution must do if it receives a writ of garnishment for a debtor, including checking for federal benefits and analyzing an account holder’s base protected account balance, among other provisions. Additionally, the Act protected $2,500 from a person’s bank account to help them meet basic needs. The law went into effect on April 4.
District Court denies motion to dismiss State Attorneys’ General case against “subprime lender”
On January 12, the U.S. District Court for the Eastern District of Pennsylvania denied a defendant’s motion to dismiss a case brought by five State Attorneys General (State AGs) from Pennsylvania, New Jersey, Oregon, Washington, and D.C. seeking to enforce the CFPA. The State AGs allege the defendant engaged in “predatory lending practices” that violate state and federal law. As covered by InfoBytes, in Spring 2022, the CFPB issued an interpretive rule clarifying that states have the authority to enforce federal financial consumer protection laws, such as the CFPA. This interpretive rule led to partisan attacks claiming the CFPB was “colluding” with state regulators, as covered by InfoBytes here.
The defendant is a state-licensed and regulated “subprime installment lender” operating in 28 states. As noted in the opinion, the defendant offers loans between $1,000 and $25,000, with terms between 12 and 60 months and charges interest at rates ranging from 18.99% to 35.99% with an average APR of 28%, and average loan size of around $3,650.
In addition to the complaint regarding subprime loans, the State AGs assert that the defendant “deceptively ‘adds-on’” various insurance options to consumers’ loans and targets a financially vulnerable population: those with a credit score of 629 or less who “often already have significant… debt[.]”. The State AGs seek injunctive and other relief.
Oregon amends money transmission law with respect to a required security device
On January 9, the State of Oregon enacted a new bill on money transmission licensing, specifically stating that “each license application shall be accompanied by a security device in the amount of $25,000.” A security device is defined by Oregon law as a surety bond or an irrevocable letter of credit. If an applicant engages in business at more than one location, the security device will increase by $5,000 per location, with a maximum of $150,000. The bill further states that in place of security devices, an applicant could deposit securities such as interest-bearing stocks, bonds, notes, etc., and be held under the same obligations as the security device. The bill concludes that the security device will remain in effect until its cancellation and remain in place no longer than five years following a licensee ceasing its money transmission operations in Oregon. In the event of the bankruptcy of the licensee, the security device will be held in trust for the benefit of purchasers and holders of the licensee’s outstanding payment instruments.
9th Circuit affirms summary judgment finding in favor of debt collector in lawsuit over retail card debt collection
On August 28, the U.S. Court of Appeals for the Ninth Circuit affirmed the decision of a district court to throw out a pair of consolidated punitive class action lawsuits brought against a nationwide debt collector company that alleged the company unlawfully attempted to collect debts incurred on retail-branded credit cards. A three-judge panel held that the debt collector did not “intentionally” violate provisions of the FDCPA when it circulated collection letters that did not disclose the time-barred natures of the debts under Oregon law and rejected the plaintiff’s argument that the district court had erred in granted summary judgment in favor of the company. The 9th Circuit noted that “mistakes about the time-barred status of a debt can be bona fide errors” and that the debt collector company presented evidence indicating that its failure to disclose that certain Oregon debts were time-barred were not intentional. Moreover, the 9th Circuit rejected plaintiff’s claim that a four-year statute of limitations applied to store-branded credit card accounts at the time the collection letters were sent, in part because the debt collector had sound reason to take the position that a six-year statute of limitations applied for an “account stated” under Oregon law. Ultimately, the applicable statute of limitations in this scenario remains “unsettled” under Oregon law. This, along with the fact that the 9th Circuit agreed that the company’s alleged violations were unintentional, resulted in the court’s decision to affirm the summary judgment finding in favor of the debt collector.
Oregon enacts registration requirements for data brokers
On July 27, the governor of Oregon signed HB 2052 (the “Act”) into law, effective upon passage. The Act provides that a “data broker” cannot collect, sell or license brokered personal data within Oregon unless they first register with the Department of Consumer and Business Services. Brokered personal data includes, among other things, name (or the name of a member of the individual’s immediate family or household), data or place of birth, maiden name of the individual’s mother, biometric information, social security or other government-issued identification number, or other information that can “reasonably be associated” with the individual. A data broker does not include consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act, among others. There are certain exceptions to the requirement, including, among others, selling the assets of a business entity a single time, The Act stipulates a civil penalty in an amount less than or equal to $500 for each violation of Act or for each day in which violation continues. Civil money penalties are capped at $10,000 per calendar year.
Oregon is 11th state to enact comprehensive privacy legislation
On July 18, the Oregon governor signed SB 619 (the Act) to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures. Last month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.
Highlights of the Act include:
- Applicability. The Act applies to persons conducting business or producing products or services intentionally directed at Oregon residents that either control or process personal data of more than 100,000 consumers per calendar year (“other than personal data controlled or processed solely for the purpose of completing a payment transaction”) or earn 25 percent or more of their gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more. Additionally, the Act provides several exemptions, including financial institutions and their affiliates, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, and protected health information processed by a covered entity in compliance with the Health Insurance Portability and Accountability Act, among others. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
- Consumer rights. Under the Act, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also be able to opt out of the processing of personal information for targeted advertising, the sale of personal information, or profiling “in furtherance of decisions that produce legal effects or effects of similar significance.” Data controllers also will be required to obtain a consumer’s consent to process sensitive personal information or, in the case of a known child, obtain consent from the child’s parent or lawful guardian. Additionally, the Act requires opt-in consent for using the personal data of a youth 13 to 15 years old for targeted advertising or profiling. The Act makes clear that consent means “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.” This does not include the use of an interface “that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice.” Controllers that receive a consent revocation from a consumer must process the revocation within 15 days.
- Controller responsibilities. Among the Act’s requirements, data controllers will be responsible for (i) responding to consumer requests within 45 days after receiving a request (a 45-day extension may be granted when reasonably necessary upon notice to the consumer); (ii) providing clear and meaningful privacy notices; (iii) disclosing to consumers when their personal data is sold to third parties or processed for targeted advertising, and informing consumers how they may opt out; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose and securing personal data from unauthorized access; (v) conducting and retaining data protection assessments where there is a heightened risk of harm and ensuring deidentified data cannot be associated with a consumer; and (vi) avoiding unlawful discrimination.
- Data processing agreements. The Act stipulates that processors must follow a controller’s instructions and help meet the controller’s obligations concerning the processing of personal data. The Act also sets forth obligations relating to contracts between a controller and a processor. Processors that engage a subcontractor must ensure the subcontractor meets the processor’s obligations with respect to personal data under the processor’s contract with the controller.
- Private right of action and state attorney general enforcement. The Act does not provide a private right of action to consumers. Instead, the Oregon attorney general may investigate violations and seek civil penalties of no more than $7,500 per violation. Before initiating such action, the attorney general may grant the controller 30 days to cure the violation.
The Act takes effect July 1, 2024.
FTC, DOJ sue maker of health app over data sharing
On May 17, the DOJ filed a complaint on behalf of the FTC against a health app for violating the Health Breach Notification Rule (HBNR) by allegedly sharing users’ sensitive personal information with third parties, disclosing sensitive health data, and failing to notify users of these unauthorized disclosures. According to the complaint, users were allegedly repeatedly and falsely promised via privacy policies that their health information would not be shared with third parties without the user’s knowledge or consent, and that any collected data was non-identifiable and only used for the defendant’s own analytics or advertising. The FTC charged the defendant with failing to implement reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools and for sharing health information used for advertising purposes without obtaining users’ affirmative express consent. Under the HBNR, companies with access to personal health records are required to notify users, the FTC, and media outlets in certain situations, if there has been an unauthorized acquisition of unsecured personal health information. The defendant also allegedly failed to impose limits on how third parties could use the data and failed to adequately encrypt data shared with third parties, thus subjecting the data to potential interception and/or seizure by bad actors.
The proposed court order would require the defendant to pay a $100,000 civil penalty, and would permanently prohibit the company from sharing personal health data with third parties for advertising and from making future misrepresentations about its privacy practices. The defendant would also be required to (i) obtain user consent before sharing personal health data; (ii) limit data retention; (iii) request deletion of data shared with third parties; (iv) provide notices to users explaining the FTC’s allegations and the proposed settlement; and (v) implement comprehensive security and privacy programs to protect consumer data. The defendant has also agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon (who collaborated with the FTC on the action) for violating state privacy laws with respect to its data sharing and privacy practices.
Oregon clarifies appraisal company registration authority
On March 13, the Oregon governor signed HB 2287 to clarify that the Appraiser Certification and Licensure Board (the “Board”) is the entity responsible for determining specified criteria for registration or certification of real estate appraisal management companies. In Oregon, “[a] person may not directly or indirectly engage in or attempt to engage in business as an appraisal management company or advertise or represent that the entity is an appraisal management company unless the person is” registered with the Board or is owned and controlled by an insured depository institution. The Act takes effect 91 days following adjournment of the legislature.
Oregon issues remote work guidance to licensed loan originators
On September 21, the Oregon Department of Consumer and Business Services filed permanent administrative order FSR 3-2022 with the Secretary of State to allow licensed loan originators and employees to work from home. Under the order, Oregon licensed mortgage loan originators “may originate loans from a location other than from a licensed branch office if the location is the licensed mortgage loan originator’s home; the licensed mortgage loan originator is an employee of a mortgage banker or mortgage broker; and the mortgage banker or the mortgage broker complies with OAR 441-860- 0040, as applicable.” Mortgage bankers or brokers must have in place appropriate policies and procedures to supervise licensees working from home, including data security measures to protect consumers’ personal data. Additionally, licensees working from home “are prohibited from engaging in person with consumers for loan origination purposes at the home of the loan originator or employee, unless the home is licensed as a branch.” Licensees may, however, “engage with consumers for loan origination purposes at the home of the loan originator or employee by means of conference telephone or similar communications equipment that allows all persons participating in the visitation to hear each other, provided that participation is controlled and limited to those entitled to attend, and the identity of participants is determinable and reasonably verifiable.” Licensees who work from home are also prohibited from keeping any physical business records at any location other than a licensed location, and must also ensure that all origination records are available at a licensed location.
District Court rules non-judicial foreclosure claims fail
On August 30, the U.S. District Court for the District of Oregon granted defendants’ motion for summary judgment in an action concerning an allegedly unlawful non-judicial foreclosure. Plaintiffs obtained a cash-out loan in 2005 and modified their mortgage terms. The plaintiffs stopped making payments after one of the defendant loan servicer’s agents allegedly informed them that “help was only available if they were in default,” and the defendant loan servicer threatened foreclosure. Following several years of bankruptcy proceedings and foreclosure mediation, plaintiffs sued to stop the foreclosure proceedings, claiming “that the deed of trust was void and that defendants committed fraud in attempting to foreclos[e] on the debt.” The initial non-judicial foreclosure proceedings were rescinded after the suit was dismissed with prejudice, and the defendant loan servicer was eventually allowed to proceed with a second non-judicial foreclosure under Oregon law. Plaintiffs sent a dispute letter demanding that the foreclosure be rescinded because the order in which several notices of default showing the amounts due and the amounts necessary to reinstate were sent did not comply with state law. After the notice was rescinded and a new notice of default was issued and recorded, plaintiffs sued again, seeking to enjoin the defendant trustee’s sale and filing several claims, including breach of contract and violations of the Oregon Unfair Trade Practices Act (OUTPA), RESPA, and FDCPA.
In granting summary judgment to the defendants on each of the claims, the court determined that the breach of contract claim fails because plaintiffs acknowledged that because “they have not substantially performed under the relevant contract,” they are precluded from seeking damages. The FDCPA claim against the defendant trustee also fails “because it is based on a perceived lack of authority under the relevant contract, but as explained in the breach of contract claim, that authority was not lacking.” Finally, the OUTPA and RESPA claims both fail “because there is no evidence that they incurred damages arising out of either claim”—a required element under both statutes, the court said. According to the court, plaintiffs failed “to support their drastic allegations with relevant evidence” and failed to “point to specific evidence supporting valid legal claims.”