InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court: Unclear when networking site became aware of data scraping
On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The defendant claimed that the user agreement prohibits scraping, and sent the plaintiff a cease-and-desist letter demanding it stop and alleging violations of the Computer Fraud and Abuse Act (CFAA) as well as various state laws. In response, the plaintiff sued the defendant, arguing that it had a right to access the public pages, and later sought a preliminary injunction, which the district court granted.
As previously covered by InfoBytes, earlier this year, the U.S. Court of Appeals for the Ninth Circuit, on remand from the U.S. Supreme Court, affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. The 9th Circuit had previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the plaintiff’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. The appellate court concluded, among other things, that the defendant showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” Moreover, the 9th Circuit rejected the defendant’s claims that the plaintiff violated the CFAA.
In partially granting the defendant’s motion and denying the plaintiff’s, the district court ruled that the plaintiff breached its user agreement by directing the creation of fake accounts and copying of url data as part of its scraping process. Nonetheless, the district court noted there remains a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. Moreover, questions remain for trial as to when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.
NYDFS issues RFI on private student loan refinancing
On November 8, NYDFS issued a request for information (RFI) to student loan advocates, lenders, regulators, servicers, and other stakeholders, seeking information regarding private student loan refinancing in New York. The Private Student Loan Refinancing Task Force, tasked with “study[ing] and analyz[ing] ways lending institutions that offer non-federal student loans to students of New York institutions of higher education can be incentivized and encouraged to create student loan refinance programs,” issued questions to solicit information from stakeholders to inform a forthcoming report. According to the announcement, the Task Force is seeking responses to questions concerning private sector refinancing of student loans. The questions include, among other things: (i) “What options are available for student loan borrowers to refinance private student loans both in New York State and outside the state?”; (ii) “What options are available for student loan borrowers to refinance federal student loans both in New York State and outside the state?”; (iii) “What is the volume of private student loans refinanced, the terms of the borrowers’ prior loans, the terms of the borrowers’ refinancing loans, the unmet need for student loan refinancing, and the impact of these refinancing loans in New York and nationwide?”; (iv) “What is the volume of federal student loans refinanced, the terms of the borrowers’ prior loans, the terms of the borrowers’ refinancing loans, the unmet need for student loan refinancing, and the impact of these refinancing loans in New York and nationwide?”; and (v) “What publicly available data should the Task Force review? Is there privately owned data that could be made available to the Task Force?” Responses are due by December 8.
Mortgage servicer must pay $4.5 million in payment service fee suit
On November 7, the U.S. District Court for the Southern District of West Virginia granted final approval of a class action settlement, resolving allegations that a defendant mortgage servicer charged improper fees for optional payment services in connection with mortgage payments made online or over the telephone. The plaintiffs' memorandum of law in support of its motion for final approval of the settlement alleges the defendant engaged in violations of the West Virginia Consumer Credit Protection Act, breach of contract, and unjust enrichment with respect to the fees. According to the memorandum, before deduction of attorneys’ fees and expenses, administrative costs, and any service award, the $4.5 million settlement fund represents approximately $216 per fee paid to the defendant by the putative class members. The court also approved $1.5 million in attorney’s fees, plus $4,519.20 in expenses, along with a $15,000 service award for the settlement class representative.
North Carolina Supreme Court orders appeals court to review HAMP fraud claims
On November 4, the Supreme Court of North Carolina determined that an appeals court erred by remanding a case concerning a defendant bank’s Home Affordable Modification Program to a trial court with instructions to make factual findings and conclusions of law on the defendant’s motion to dismiss. Plaintiffs sued the defendant alleging fraud and other related claims arising out of the bank’s mortgage modification program. The trial court dismissed the claims for failure to state a claim pursuant to North Carolina’s Rule of Civil Procedure 12(b)(6), after concluding that plaintiffs’ claims were time barred and “that ‘the claims of all [p]laintiffs who were parties to foreclosure proceedings [were] barred by the doctrines of res judicata and collateral estoppel.’” Plaintiffs appealed. A divided panel of the Court of Appeals remanded the case to the trial court claiming that “it could not ‘determine the reason behind the grant’ and could not ‘conduct a meaningful review of the trial court’s conclusions of law.’” The North Carolina Supreme Court countered, however, that there exists “no legal basis or practical reason for the Court of Appeals to remand the case to the trial court to make factual findings and conclusions of law” as “a trial court is not required to make factual findings and conclusions of law to support its order unless requested by a party”—a request neither party made. According to the North Carolina Supreme Court, the appeals court erred by not conducting a de novo review of the sufficiency of the plaintiffs’ allegations. The North Carolina Supreme Court ordered the appeals court to address whether the plaintiffs’ allegations, if treated as true, are sufficient to state a claim upon which relief can be granted.
Massachusetts settles with debt payment processor
On November 7, the Massachusetts attorney general announced a settlement with a payment processing company to resolve claims that it provided substantial assistance to a debt settlement provider engaged in unlawful business practices that charged consumers premature and inflated fees in violation of state and federal law. According to an assurance of discontinuance filed in Suffolk Superior Court, the company processed settlement and fee payments for consumers enrolled in various debt settlement programs, including those offered by a debt settlement provider that was previously fined $1 million by the AG’s office for allegedly harming financially-distressed consumers. (Covered by InfoBytes here.) The newest settlement resolves claims that the company transferred unlawful fee payments to the debt settlement provider despite having knowledge of the alleged misconduct and even after the provider was sued by the AG’s office. Without admitting any facts, liability, or wrongdoing, the company has agreed to pay $600,000 to the Commonwealth, and will, according to the announcement, “make meaningful business practice changes that would prevent it from transferring untimely fees from any Massachusetts consumer account to any debt settlement company.”
Pennsylvania amends privacy bill
On November 3, the Pennsylvania governor signed SB 696 to amend the Breach of Personal Information Notification Act. The bill, among other things, prohibits employees of the Commonwealth from using non-secured Internet connections. The bill also includes data storage policy provisions, which establish that an entity that maintains, stores, or manages computerized data on behalf of Pennsylvania that constitutes personal information must develop a policy to govern reasonably proper storage of the personal information. The bill further notes that a goal of the policy must be to reduce the risk of future breaches of the security of the system. The bill is effective 180 days after approval by the governor.
CPPA says comments on modified draft privacy rules due November 21
On November 3, the California Privacy Protection Agency (CPPA) Board officially posted updated draft rules for implementing the Consumer Privacy Rights Act of 2020, which amends and builds on the California Consumer Privacy Act of 2018. The draft rules were previously released in advance of a CPPA Board meeting held at the end of October (see previous InfoBytes coverage here for a detailed breakdown of the proposed changes). A few notable changes between the versions include:
- A requirement that a business must treat an opt-out preference signal as a valid request to opt out of sale/sharing for not only that browser or device but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
- A requirement that if a business does not ask a consumer to affirm their intent with regard to a financial incentive program, “the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or devise and any consumer profile the business associates with that browser or device.” However if a consumer submits an opt-out of sale/sharing request but does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal with respect to the consumer’s participation in the financial incentive program.
- The addition of the following provision: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
Comments on the amended draft rules are due November 21 by 8 am PT.
4th Circuit vacates $10.6 million judgment, orders district court to reevaluate class standing
On October 28, the U.S. Court of Appeals for the Fourth Circuit remanded a $10.6 million damages award it had previously approved in light of the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez. As previously covered by InfoBytes, in January, the Supreme Court vacated the judgment against the defendants and ordered the 4th Circuit to reexamine its decision in light of TransUnion (which clarified the type of concrete injury necessary to establish Article III standing, and was covered by InfoBytes here). Previously, a divided 4th Circuit affirmed a district court’s award of $10.6 million in penalties and damages based on a summary judgment that an appraisal practice common before 2009 was unconscionable under the West Virginia Consumer Credit and Protection Act (covered by InfoBytes here). During the appeal, the defendants argued that summary judgment was wrongfully granted and that the class should not have been certified since individual issues predominated over common ones, but the appellate court majority determined, among other things, that there was not a large number of uninjured members within the plaintiffs’ class because plaintiffs paid for independent appraisals and “received appraisals that were tainted.” At the time, the 4th Circuit “concluded that the ‘financial harm’ involved in paying for a product that was ‘never received’ was ‘a classic and paradigmatic form of injury in fact.’” On remand, the 4th Circuit considered questions of standing and ultimately determined that TransUnion requires the district court to reevaluate the standing of class members.
Pennsylvania sues lead generator for facilitating telemarketers’ robocalls
On November 3, the Pennsylvania attorney general announced a lawsuit against a New York-based lead generation company that connects advertisers to potential new customers through the consumers’ personal data for allegedly causing hundreds of thousands of robocalls to be placed to consumers in the Commonwealth. The defendant, along with several of its subsidiaries, allegedly collected personal information, including phone numbers and personal information of consumers on Pennsylvania’s Do Not Call List, that was then sold to telemarketing companies. According to the complaint, the defendants allegedly engaged in deceptive and misleading business practices in connection with their lead-generation practices, by obtaining consumers’ information through various promotional opportunities without clearly disclosing that by providing their contact information, consumers were consenting to receiving telemarketing calls from hundreds of potential sellers. The complaint alleges that from 2018 to 2021, over 4.2 million Pennsylvania consumers registered their information on one of the defendants’ websites. “Under the [Telemarketing Sales Rule (TSR)], a consumer’s express agreement to accept calls delivering a prerecorded message may not be obtained by a lead generator, who is not a seller or a telemarketer. The express agreement must be obtained directly by the seller or telemarketer from the consumer,” the complaint said. Moreover, even if the defendants were not directly making the telemarketing calls themselves, assisting and facilitating the calls is itself a violation of the rules, the complaint noted.
The defendants are charged with violating several federal and state telemarketing laws, including the TSR, and Pennsylvania’s Telemarketer Registration Act (TRA) and Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. The AG’s office seeks a declaration permanently enjoining the defendants from violating the telemarketing and consumer protection laws, along with civil penalties of $1,000 per violation and $3,000 per violation involving a victim age 60 or older. The suit also seeks disgorgement, costs, and a permanent bar on selling consumer data collected in violation of the TSR and TRA.
CSBS provides tips on NMLS annual renewal
On October 20, the Conference of State Bank Supervisors (CSBS) announced that individuals and businesses in the mortgage, money transmission, debt collection, and consumer financial services industry are encouraged by state regulators to prepare for November 1, which is the beginning of the Nationwide Multistate Licensing System (NMLS) annual license renewal. The announcement noted the number of individual state licenses eligible for renewal is 13 percent higher than the same time last year, while the number of company licenses eligible for renewal is up 16 percent compared to this time last year. CSBS provided five tips for licensees to prepare for NMLS renewal, which include, among other things, resetting NMLS passwords to conform with new requirements that went into effect this past March and to review state-specific renewal requirements. CSBS also noted that the renewal period in most states runs from November 1 to December 31.