InfoBytes Blog

Financial Services Law Insights and Observations

  • NACHA Finalizes Guidelines for Use of Quick Response Codes for Consumer Bill Pay

    Fintech

    Recently, NACHA – The Electronic Payments Association’s Council for Electronic Billing and Payment released final guidelines to facilitate the use of Quick Response (QR) codes for a variety of consumer bill payment functions, including viewing bills, making payments, enrolling for eBills, and setting up payees in online banking. The guidelines provide voluntary standards for using QR codes in both biller direct and consolidator/aggregator billing and payment models, and provide recommendations for (i) QR code size, (ii) data to be included in the QR code, and (iii) layout of the data represented in the QR code. The guidelines are intended to establish a single QR code format that can be printed on a paper bill and scanned by a consumer’s mobile phone using a biller, mobile banking, or generic QR code reader to allow billers and service providers to enable QR encoding in a standardized format, provide certainty for biller and banking clients, and ensure a consistent consumer experience.

    Mobile Payment Systems

  • California Supreme Court Holds Online Download Purchase Transactions Not Covered By Song-Beverly Credit Card Act

    Fintech

    On February 4, the California Supreme Court held, in a 4-3 split ruling, that the personal privacy protections afforded consumers by the Song-Beverly Credit Card Act do not apply when the item purchased is downloaded via the Internet. Apple Inc. v. Sup. Ct. Los Angeles Cty., No. S199384, 2013 WL 406586 (Cal. Feb. 4, 2013). However, the court did not consider whether the Song-Beverly Act privacy provisions apply to the broader category of online transactions that do not involve a downloadable product. In this case, a customer filed a putative class action against an online digital media retailer, alleging that the retailer’s practice of requiring customers to provide their telephone number and address before accepting credit card payment for downloadable media purchases violates Section 1747.08 of the Song-Beverly Act, which prohibits retailers from requiring personal information as a condition to completing credit card transactions. Citing the statutory language and legislative history, the court explained that while Song-Beverly was intended to protect personal privacy, it was not meant to do so at the risk of increasing fraud. Further, the court determined that fraud protections provided in Song-Beverly, which allow retailers to request proof of identification, are not available to online retailers selling downloadable products. The court also reasoned that in later enacting the California Online Privacy Protection Act, the state legislature demonstrated that it can unambiguously address online transactions, and that it sought to strike a different balance between privacy protections and online commerce than did the Song-Beverly Act. Therefore, the court held, online transactions involving downloadable products fall outside the scope of Song-Beverly. The court invited the legislature to revisit consumer privacy in connection with online transactions.

    Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • FTC Announces Mobile Privacy Enforcement Action, Issues Mobile Privacy Staff Report

    Fintech

    On February 1, the FTC announced that it is requiring a social networking application company to pay $800,000 and make certain compliance enhancements to resolve allegations that the firm (i) misled and deceived users by automatically collecting and storing personal information from users’ mobile device address books even if the users had not selected that option and despite claims that the application collected only certain non-personal user information, and (ii) violated the Children’s Online Privacy Protection Act Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. Pursuant to the consent decree, in addition to the monetary penalty, the company must establish a comprehensive privacy program, and obtain independent privacy assessments every other year for the next 20 years.

    Concurrently, the FTC released a staff report that provides disclosure policy and other guidance to mobile platforms, application developers, advertising networks and analytics companies, and application developer trade associations. For example, the report urges platforms to (i) provide just-in-time disclosures to consumers and obtain affirmative express consent before allowing applications to access sensitive content like geolocation; (ii) consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers may find sensitive; and (iii) consider developing icons to depict the transmission of user data. With regard to application developers, the report recommends, for example, that developers (i) provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information; and (ii) improve coordination and communication with advertising networks and other third parties that provide services for applications. During a call announcing the report, the FTC explained that the report is intended to influence industry standards, and that the Commission staff will reference the report for future policymaking. The FTC also noted that the National Telecommunications and Information Agency is developing a code of conduct on mobile application transparency, and, if strong privacy codes are developed, the FTC will view adherence to such codes favorably in connection with its law enforcement work.

    FTC Mobile Commerce Enforcement Privacy/Cyber Risk & Data Security

  • New TCPA Action against Card Issuer Highlights Growing Area of Litigation Risk

    Fintech

    On January 29, a credit card holder filed a putative class action against a card issuer that funds consumer retail credit accounts for customers of a major retail chain, alleging that the issuer violated the Telephone Consumer Protection Act in attempting to collect on the card holder’s credit card debt. Complaint, French v. Target Nat’l Bank, No. 13-233 (S.D. Cal. filed Jan. 29, 2013). The named plaintiff claims that after she fell behind on her payments, the issuer began making numerous calls daily to her personal cell phone, a number she claims not to have provided to the issuer. The issuer allegedly used an “automatic telephone dialing system” to make the calls, which the card holder claims continued even after she notified the issuer that it was not authorized to contact her on her cellular phone, and asked that the calls cease. The card holder alleges that in doing so, the issuer violated the TCPA, which requires express written consent from a consumer prior to receiving calls from an automated dialing system or an artificial or prerecorded voice. On behalf of the proposed class, the card holder is seeking $500 in statutory damages for each and every alleged negligent violation, and treble damages for each alleged knowing or willful violation. The suit is the latest in a growing number of cases to be filed in recent years, particularly in California, and highlights a significant litigation risk for card issuers and debt collectors.

    Credit Cards TCPA

  • Maryland AG Establishes Privacy Unit

    Fintech

    On January 28, Maryland Attorney General (AG) Doug Gansler announced a new unit in his office dedicated to online privacy enforcement and policy. The AG stated that the new unit will (i) monitor companies to ensure they are in compliance with state and federal consumer privacy laws, (ii) examine weaknesses in online privacy policies and work alongside major industry stakeholders and privacy advocates to provide outreach and education to businesses and consumers to broaden awareness about privacy rights, and (iii) pursue enforcement actions where appropriate. The unit announced by the AG appears similar to one formed by California Attorney General Kamala Harris, which recently has been active with regard to mobile application privacy. Last year, AG Gansler announced “Privacy in the Digital Age” as his central initiative as President of the National Association of Attorneys General.

    State Attorney General Privacy/Cyber Risk & Data Security

  • California District Court Holds Song-Beverly Credit Card Act Does Not Prohibit Post-Transaction Collection of Zip Codes, Denies Class Certification

    Fintech

    On January 28, the U.S. District Court for the Northern District of California denied a motion for class certification filed by a group of plaintiffs seeking to challenge, on behalf of similarly situated individuals, a retailer’s policy that required cashiers to request consumer zip codes in connection with a purchase transaction. Gormley v. Nike, Inc., No. 11-893, 2013 WL 322538 (N.D. Cal. Jan. 28, 2013). The court held that the named plaintiffs failed to demonstrate typicality because their experiences were inconsistent with the policy they sought to challenge. The court explained that while the policy required cashiers to request zip codes after providing the purchased merchandise and a receipt to the customer, each plaintiff testified that the cashier asked for a zip code prior to providing those items. The court disagreed with the plaintiffs’ argument that the timing of the request was irrelevant based on the plaintiffs’ assertion that the California Supreme Court held in Pineda v. Williams-Sonoma Stores Inc. that a request for a card holder’s zip code violates the Song-Beverly Credit Card Act. The court explained that Pineda only addressed whether zip codes constituted personal identification information, and then chose to follow subsequent district court decisions holding that the Song-Beverly Act prohibits only a request for personal identification information as a condition to completing a credit card transaction.

    Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • Federal Regulators Propose Guidance for Social Media Use

    Fintech

    On January 22, the FFIEC proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions, as well as nonbanks supervised by the CFPB. With regard to compliance and legal risks, the guidance addresses (i) the applicability of existing federal laws and regulations to the use of social media for marketing and originating new deposit and lending products and the use of social media to facilitate consumer use of payment systems; (ii) the need to apply BSA/AML internal controls to customers engaging in electronic banking through the use of social media, and e-banking products and services offered in the context of social media, as well as BSA/AML risks emerging through the growing use of social media; (iii) CRA monitoring of social media sites run by an institution; and (iv) customer privacy issues associated with social media. The guidance also reviews reputational risks related to social media, including risks related to (i) fraud and brand identity; (ii) social media vendor monitoring; (iii) privacy; (iv) consumer complaints; and (v) employee use of social media. Finally, the guidance addresses the vulnerability of social media to malware and the resultant operational risk. The FFIEC is accepting comments for 60 days after publication in the Federal Register. After the comment period, the agencies will issue supervisory guidance and will urge state regulators to follow.

    Nonbank Supervision Mobile Banking Bank Secrecy Act FFIEC Mobile Payment Systems Social Media Privacy/Cyber Risk & Data Security

  • Virginia Publishes Electronic Notarization Standard

    Fintech

    On January 21, the Virginia Secretary of the Commonwealth released the Virginia Electronic Notarization Assurance Standard. Citing challenges faced by notaries to “preserve and strengthen the role of the notary in the rapidly emerging digital economy and to ensure reliability and cross-border recognition of notarized electronic documents in a global economy,” the standards are intended to support transition of notaries in Virginia to performing electronic notarizations that have the same legal effect as traditional notarizations. They set forth registration and performance requirements, electronic signature and seal requirements, online notarization procedures, and notarized electronic document requirements. According to the Secretary, the Virginia standards (i) reflect the National Association of Secretaries of State Electronic Notarization Standard for Document Security; (ii) incorporate aspects of standards previously adopted by seven other states; and (iii) are consistent with the federal ESIGN Act, the UETA, and the Uniform Real Property Electronic Recording Act.

    ESIGN Electronic Signatures UETA Notary

  • Retail Customers Obtain Unusually Favorable Settlement in Zip Code Collection Case

    Fintech

    On January 11, the U.S. District Court for the Northern District of California approved a settlement between a retailer and a class of customers to resolve allegations that the retailer violated the California Song-Beverly Credit Card Act by collecting customer zip codes as part of credit card purchase transactions and storing that information in a customer database. Burdewick v. Kohl’s Dep’t Stores, Inc., No. 12-119, Final Order and Judgment (Jan. 11, 2013). The settlement is the most recent in a series following the California Supreme Court’s 2011 decision in Pineda v. Williams-Sonoma Stores Inc. that zip codes constitute "personal identification information" under the Act. In this case, class members can submit claims to obtain a gift card from a common $650,000 fund. The exact amount of the gift card will depend upon the number of valid claims, but actual payments are expected to far exceed the $10-$20 amounts typically provided by most similar settlements to date. Moreover, the settlement places no restriction on the use or transferability of the cards. The court also approved a $215,000 award to class counsel, and a $7,500 incentive award to the class representative.

    Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • President Signs Video Privacy Protection Act Amendments

    Fintech

    On January 10, President Obama signed H.R. 6671, which amends the Video Privacy Protection Act to facilitate compliance for modern video service providers. The Act was originally passed in 1988 to limit the disclosure of information about consumers’ “video tape rental or sales records,” and its application to certain modern video service providers (e.g. Netflix) is not clear. The amendments allow such providers to obtain consumer consent to disclosure through electronic means using the Internet. Such consent must be in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer. Consumers can provide consent in advance, but not for more than two years or until consent is withdrawn by the consumer, and service providers must provide an opportunity for the consumer to withdraw consent on a case-by-case basis or to withdraw from ongoing disclosures, at the consumer's election.

    Electronic Signatures Privacy/Cyber Risk & Data Security
