Virginia establishes program to implement CDFI fund
On March 26, the Virginia governor signed HB 1411, which codifies the Virginia Community Development Financial Institutions Fund and creates the Virginia Community Development Financial Institutions Program to carry out the purposes of the fund. Among other things, the program will provide grants and loans to community development financial institutions (CDFIs) and other similar entities in order to fund small businesses, housing development and rehabilitation projects, and community revitalization real estate projects. Qualified recipients must emphasize microfinancing (defined as financing to small businesses in amounts of $100,000 or less) when using program funds. The Department of Housing and Community Development will oversee the fund and the program and is required to report annually on the fund’s use and impact. HB 1411 is effective July 1.
Virginia and Kentucky enact requirements for auto renewals
Recently, Virginia and Kentucky enacted measures relating to automatic renewal offers and continuous service offers.
HB 1517 was signed by the Virginia governor on March 27 to amend the Consumer Protection Act in the Virginia code. The amendments provide that all businesses offering automatic renewals or continuous service offers that include a free trial lasting longer than 30 days are required to notify consumers of their option to cancel the free trial within 30 days of the end of the trial period. Providing this notice will avoid obligating a consumer to pay for the goods or services. Failing to timely notify a consumer is a violation of the Virginia Consumer Protection Act. Additionally, a business also violates the statute should it fail “to disclose the total cost of a good or continuous service to a consumer, including any mandatory fees or charges, prior to entering into an agreement for the sale of any such good or provision of any such continuous service.” HB 1517 is effective July 1.
SB 30 was signed by the Kentucky governor on March 23 to amend state law by adding sections addressing the termination of automatic renewal offers and continuous service offers. Among other things, the new sections define several terms, including “automatic renewal,” “automatic renewal offer terms,” “clear and conspicuous,” “consumer,” and “continuous service.” Businesses are required to provide clear and conspicuous automatic renewal or continuous service offer terms to consumers before the subscription or purchase agreement is fulfilled. Businesses also must obtain affirmative consent before charging a consumer’s credit or debit account or a consumer’s account with a third party. Additionally, businesses must (i) provide an acknowledgement that includes the terms, the cancellation policy, and information regarding how to cancel in a manner that can be retained by the consumer; (ii) give consumers appropriate mechanisms for cancellation; (iii) provide users who accept an automatic renewal or continuous service online the opportunity to terminate in the same medium; and (iv) provide a notice regarding material term changes. SB 30 outlines exemptions (including contracts entered into prior to the effective date), and states that first-time violators must “provide a prorated refund for the contract subject to an automatic renewal provision from the start of the most recent term to the date on which the business was notified of and corrects the error.” The state attorney general also may bring an action for injunctive and monetary relief against businesses that either fail to provide a prorated refund or where it is a business’s second or subsequent violation. SB 30 is effective January 1, 2024.
Wyoming to issue stable tokens
On March 17, the Wyoming governor signed SF 127 enacting the Wyoming Stable Token Act, creating the Wyoming stable token commission, and authorizing the issuance of stable tokens in the state. Under the Act, a Wyoming stable token is “a virtual currency representative of and redeemable for one (1) United States dollar held in trust by the state of Wyoming” that may only be issued in exchange for a USD. Stable tokens will be issued by the Wyoming stable token commission—created by the Act and to be comprised of no more than four virtual currency/fintech subject matter experts. The commission is authorized to, among other things, (i) establish “the means used to issue, maintain and manage the Wyoming stable tokens and the manner of and requirements for redemption”; (ii) select which financial institutions will manage the stable tokens, and make and enter into contracts and arrangements for such services; (iii) seek rulings and other guidance from federal agencies related to the provisions outlined in the Act; (iv) prior to issuing any such tokens, issue a comprehensive report to a select committee overseeing blockchain, financial technology, and digital innovation technology, among others, on all actions taken under the Act; and (v) promulgate rules and regulations as necessary to administer the Act and ensure compliance. The Act also outlines criteria relating to liability limitations and requires that the commission endeavor to issue at least one Wyoming stable token no later than December 31.
Iowa becomes sixth state to enact comprehensive privacy legislation
On March 28, the Iowa governor signed SF 262, establishing a framework for controlling and processing consumers’ personal data in the state. Iowa is now the sixth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, and Utah (covered by Special Alerts here and here and InfoBytes here, here, and here).
- Consumer rights. Iowa consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their personal data processed by a controller (“except as to personal data that is defined as personal information pursuant to section 715C.1 that is subject to security breach protection”); and (iv) opt out of the sale of their data.
- Controller responsibilities. The Act requires controllers—the persons that determine the purpose and means of processing personal data—to respond to consumers’ requests free of charge within 90 days (the response period may be extended an additional 45 days under extenuating circumstances). A controller must also provide a consumer, without undue delay, with its justification should it decline to take action regarding the consumer’s request, as well as instructions for appealing the decision. Controllers are also required to implement reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data, and must not process collected sensitive data without notifying the consumer and allowing for the opportunity to opt out of such processing (or in the case of data involving a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act). Controllers may not violate state and federal laws that prohibit discriminatory practices when processing personal data and may not discriminate against a consumer for exercising any of the provided consumer rights. Contracts that purport to waive or limit consumer rights shall be deemed void and unenforceable.
- Disclosures. Controllers are required to provide consumers “a reasonably accessible, clear, and meaningful privacy notice” that outlines the categories of personal data to be processed, the purpose for processing the data, and how consumers may submit requests to exercise their personal rights (a controller may not require a consumer to create a new account to exercise consumer rights). The privacy notice must also outline the categories of data that may be shared with third parties, as well as the categories of applicable third parties, and clearly disclose when personal data is being sold or used in targeted advertising to allow a consumer the right to opt out of such activity.
- Processor duties. Processors shall help controllers fulfill their obligations under the Act. A contract established between a controller and a processor will “govern the processor’s data processing procedures with respect to processing performed on behalf of the controller,” and must “clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.”
- Exemptions and limitations. The Act also outlines various processing exemptions, including those related to pseudonymous data, and addresses certain actions that a controller or processor is able to take with respect to complying with federal, state, or local laws, investigations, or law enforcement agency inquiries, among others. The Act also limits the collection of personal data to what is adequate, relevant and necessary in relation to the purposes for which such data is processed, and requires controllers to implement data security protection practices.
- Enforcement. Although the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 90 days to cure the alleged violation before the attorney general can file suit. Should the controller or processor continue to violate the Act, the attorney general may seek an injunction and civil penalties of up to $7,500 for each violation.
The Act takes effect January 1, 2025.
California OAL approves CCPA regulations
On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials will be made available on the CPPA’s website as soon as they are processed.
The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.
Utah repeals some collection agency registration requirements
On March 17, the Utah governor signed HB 20 to repeal several of the state’s collection agency statutory provisions. Specifically, the bill repeals provisions that (i) require collection agencies to register with the Division of Corporations and Commercial Code and have on file sufficient bond in the amount of $10,000 (see Sections 12-1-1 and 12-1-2); (ii) stipulate bond terms and require certain records relating to registrations and bonds to be maintained with the Division and open to public inspection (see Sections 12-1-3 and 12-1-5); (iii) relate to violations and penalties and specify that “[a]ny person, member of a partnership, or officer of any association or corporation who fails to comply with any provision of this title is guilty of a class A misdemeanor” (see Section 12-1-6); (iv) outline exceptions (see Section 12-1-7); (v) govern assignments of debts involving collection agencies and limit activities as to the assignments (see Section 12-1-8); (vi) specify that information about a consumer’s credit rating or credit worthiness sent to a consumer reporting agency is void if the collection agency does not have a bond on file (see Section 12-1-9); and (vii) require certain registration forms and application fees for collection agencies seeking approval to conduct business in Utah (see Section 12-1-10). Limitations and terms of collection fees and convenience fees imposed by creditors or third-party debt collection agencies will remain unchanged by the amendments (see Section 12-1-11). The changes take effect May 3.
Arkansas amends LO sponsorship licensing requirements
On March 21, Arkansas enacted HB 1439 to clarify the sponsorship process and amend licensing requirements under the state’s Fair Mortgage Lending Act. The amendments modify the definition of a “transitional loan officer license” to mean a license that is issued to an individual who is employed “and sponsored by” a licensed mortgage banker or mortgage broker. The term “sponsor” was also added and defined as a licensed mortgage broker or mortgage banker “that has assumed the responsibility for and agrees to supervise the actions of a loan officer or transitional loan officer.” HB 1439 also amends provisions relating to the termination of a loan officer’s license to provide that should the employment of a loan officer or a transitional loan officer be surrendered or canceled, a “sponsor shall terminate the sponsorship of the loan officer or transitional loan officer with the commissioner within thirty (30) days from the date that the loan officer or transitional loan officer ceased to be employed or ceased activities for the sponsor.” Sponsorship termination extinguishes any rights of a loan officer or a transitional loan officer to engage in mortgage loan activity. The license will be marked as “approved-inactive” until a licensed mortgage broker or mortgage banker files an application with the commissioner to sponsor the loan officer. The “approved-inactive” status may be changed to “approved” if a licensed mortgage broker or mortgage banker files an application for sponsorship, pays a $50 fee, and provides sponsorship notice to the commissioner. The amendments will take effect 90 days following the adjournment of the legislature.
Virginia amends remote work requirements for mortgage companies
On March 26, the Virginia governor signed HB 2389, which permits mortgage lenders and mortgage brokers to allow employees and exclusive agents to work remotely provided certain conditions are met. Requirements to conduct business out of a remote location include: (i) the establishment of written policies and procedures for remote work supervision; (ii) ensuring access to platforms and customer information adheres to the licensee’s comprehensive written information security plan; (iii) the employment of appropriate risk-based monitoring and oversight processes, as well as the agreement from employees or exclusive agents who will work remotely to comply with these established practices; (iv) banning in-person customer interaction at an employee’s or exclusive agent’s residence unless the residence is an approved office; (v) the proper maintenance of physical records; (vi) compliance with federal and state security requirements when engaging in customer interactions and conversations; (vii) access to the licensee’s secure systems via a virtual private network or comparable system with password protection; (viii) the installation and maintenance of security updates, patches, or other alterations; (ix) “the ability to remotely lock or erase company-related contents of any device or otherwise remotely limit access to a licensee’s secure systems”; and (x) the designation of the principal place of business as the mortgage loan originator’s registered location for the purposes of the Nationwide Mortgage Licensing System and Registry record, “unless such mortgage loan originator elects an office as a registered location.” The amendments also add definitions for “office” and “remote location.” The Act is effective July 1.
Oregon clarifies appraisal company registration authority
On March 13, the Oregon governor signed HB 2287 to clarify that the Appraiser Certification and Licensure Board (the “Board”) is the entity responsible for determining specified criteria for registration or certification of real estate appraisal management companies. In Oregon, “[a] person may not directly or indirectly engage in or attempt to engage in business as an appraisal management company or advertise or represent that the entity is an appraisal management company unless the person is” registered with the Board or is owned and controlled by an insured depository institution. The Act takes effect 91 days following adjournment of the legislature.
Law firm settles breach claims related to health care data
On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and gained access to the sensitive private information, including names, dates of birth, social security numbers, and/or health data, of nearly 115,000 individuals, including more than 60,000 New Yorkers. According to the AG, the law firm’s data security failures not only violated state law, but also violated HIPAA requirements relating to the adherence to certain advanced data security practices. The law firm, which represents New York City area hospitals and maintains patients’ sensitive private information, is required to adopt several measures required by HIPAA, including conducting regular system risk assessments, encrypting private information housed on its servers, and adopting appropriate data minimization practices—all of which it failed to do prior to the breach.
Under the terms of the assurance of discontinuance, the law firm is required to pay $200,000 in penalties to the state and strengthen its cybersecurity measures. Required actions include encrypting private information, monitoring and logging network activity, establishing a reasonable patch management policy, developing a penetration testing program, updating its data collection and retention practices, and permanently deleting data “when there is no reasonable business or legal purpose to retain it.”
- Keisha Whitehall Wolfe to discuss “Tips for successfully engaging your state regulator” at the MBA's State and Local Workshop
- Max Bonici to discuss “Enforcement risk and trends for crypto and digital assets (Part 2)” at ABA’s 2023 Business Law Section Hybrid Spring Meeting
- Jedd R. Bellman to present “An insider’s look at handling regulatory investigations” at the Maryland State Bar Association Legal Summit