InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
States vow to enter information agreements with FCC against robocalls
On May 31, a coalition of 41 state attorneys generals, on behalf of the National Association of Attorneys General, sent a letter to the FCC commending the agency for its efforts in combating robocalls. Specifically, the AGs praised the FCC’s “leadership in encouraging states to enter into information sharing agreements to facilitate fast, effective information sharing during the course of robocall investigations.” The AGs stated that they “believe these information sharing agreements represent an important continuation of the progress made to date in combatting robocalls,” and entering the agreements “honor our country’s tradition of federalism and evidences a mutual commitment to working towards addressing complex issues collaboratively.” Not all the signatories had entered information sharing agreements with the FCC at the time the letter was sent, but the letter affirmed “their commitment to making a good faith attempt to sign the agreements,” and encouraged the FCC to reach out to the included point of contact for each state to move forward with the agreements.
California’s privacy agency posts CPRA proposal
Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the February meeting that the rulemaking process will extend into the second half of the year. An updated formal rulemaking timeline may be released during the June 8 meeting.
The draft regulations, which were introduced outside of the rulemaking process, set forth a working draft of the regulations to implement the CPRA and modify certain provisions and propose new regulations, including:
- Adding, amending, and striking certain definitions. The CPRA draft regulations modify the definitions in the CCPA regulations. Specifically, the amendments strike “affirmative authorization” and “household” from its list of definitions, but adds new terms such as “disproportionate effect,” “first party,” “frictionless manner,” “notice of right to limit,” “opt-out preference signal,” as well as terms related to a consumer’s right to request to correct, opt-in to sale/sharing, delete, know, or limit.
- Outlining restrictions on the collection and use of personal information. The draft regulations state that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be “reasonably necessary and proportionate,” and “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses also must obtain a consumer’s explicit consent prior to collecting, using, retaining, and/or sharing the personal information for any purpose that is unrelated or incompatible with the original purpose for which the personal information was collected or processed.
- Providing disclosure and communications requirements. Disclosures and communications are required to be easy to read and understandable to consumers, be available in languages in which the business ordinarily provides information, and be reasonably accessible to consumers with disabilities. The draft regulations also stipulate requirements for website and mobile application links.
- Describing requirements for submitting CCPA requests and obtaining consumer consent. The draft regulations set forth methods for submitting CCPA requests and obtaining consumer consent, including requirements regarding the manner in which such requests and consents may be obtained. For example, the requests and consents must be easy to understand, must include symmetry in choice, and avoid confusing and manipulative language. Methods that do not comply with these requirements may be considered a “dark pattern” and will not constitute consumer consent.
- Amending requirements related to a business’s privacy notice. The draft regulations would amend the requirements related to the information that must be included in a privacy notice related to a business’s online and offline practices regarding the collection, use, sale, sharing, and retention of personal information; and an explanation of CPRA rights conferred on consumers regarding their personal information, how they can exercise their rights, and what they can expect from this process.
- Amending notices required by the CCPA. The draft regulations set forth additional requirements related to the notice at collection, the notice of right to opt-out of sale/sharing, and the “Do Not Sell or Share My Personal Information” link, such as updates to the content of the notices, location of the notices/links, and the effects of certain requests (e.g. “clicking the business’s ‘Do Not Sell or Share My Personal Information’ link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice”). The draft regulations would also amend the notice of financial incentive.
- Providing instructions for the Notice of Right to Limit Use of Sensitive Personal Information. The draft regulations outline requirements for businesses to comply with a consumer’s rights to limit the use of sensitive personal information. They also provide businesses the option to use an alternative opt-out link to allow “consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate…links.”
- Amending methods for handling consumer requests to delete, correct, and know. The draft regulations outline additional documentation requirements, as well as guidance on responding to consumer requests, including explanations for denying a request. Notably, in response to a request to know, “a business shall provide all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.” Additionally, a company that intends to collect additional categories of information that are “incompatible” with the originally disclosed purpose must provide a new notice at collection and obtain new consent.
- Opt-out preference signals. The draft regulations set forth requirements for opt-out preference signals and how businesses should respond to such preferences. Specifically, the draft regulations provide that processing an opt-out preference must be done in a “frictionless manner” and includes examples.
- Addressing consumer requests for limiting the use and disclosure of sensitive personal information. Businesses will be required to provide two or more designated methods for submitting requests to limit and must, among other things, comply with a request to limit “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” All service providers, contractors, and third parties must comply as well. The regulations set forth exceptions to the limitations for using and disclosing sensitive personal information.
The draft regulations also amend provisions related to contract requirements for service providers/contractors/third parties, verification of requests, authorized agents, minor consumers, discriminatory practices, requirements for businesses collecting large amounts of personal information, and investigations and enforcement.
Maryland amends security procedures standards
On May 29, Maryland HB 962 was enacted under Article II, Section 17(c) of the Maryland Constitution - Chapter 502, which amends the Maryland Personal Information Protection Act. The bill, among other things, expands the types of businesses that are required to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized use. The bill also decreases the period within which certain businesses must provide required notifications to consumers after a data breach. Violation of the bill’s provisions are considered to be an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA), subject to MCPA’s civil and criminal penalty provisions. The law is effective October 1.
Florida amends money service businesses provisions to define “control persons”
On May 26, the Florida governor signed HB 389, which amends provisions related to money service businesses and related licensing requirements. The bill, among other things, replaces the term “officers” with “control person” and expands the definition of “control person” to designate the type of individuals that may be considered to control a licensee. As a result of this amendment, the bill sets forth and clarifies various requirements related to the vetting and reporting of control persons, as opposed to officers generally, going forward. The law is effective October 1.
DFPI requests comments on oversight of crypto asset-related financial products and services
On June 1, the California Department of Financial Protection and Innovation (DFPI) issued a request for public comments from stakeholders on developing guidance related to the oversight of crypto asset-related financial products and services. DFPI will proceed with rulemaking under the authority of the California Consumer Financial Protection Law (CCFPL). The request is in accordance with an executive order issued by the California governor last month, which called on the state to create a transparent and consistent framework for companies operating in blockchain, cryptocurrency, and related financial technologies. (Covered by InfoBytes here.) DFPI’s request outlines various topics and questions concerning regulatory priorities, CCFPL regulation and supervision, and marketing monitoring functions, but notes that stakeholders “may comment on any potential area for rulemaking relating to crypto asset-related financial products and services,” including under other statutes administered or enforced by DFPI such as the Corporate Securities Law, Escrow Law, California Financing Law, or Money Transmission Act. The deadline to submit comments is August 5.
DFPI issues NPRM to implement process for handling consumer complaints and inquiries under the CCFPL
Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to adopt regulations to implement and interpret certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. (See also text of the proposed regulations here.) As previously covered by a Buckley Special Alert, AB 1864 was signed in 2020 to enact the CCFPL, which, among other things: (i) establishes UDAAP authority for DFPI; (ii) authorizes DFPI to impose penalties of $2,500 for “each act or omission” in violation of the law without a showing that the violation was willful, arguably representing an enhancement of DFPI’s enforcement powers in contrast to Dodd-Frank and existing California law; (iii) provides DFPI with broad discretion to determine what constitutes a “financial product or service” within the law’s coverage; and (iv) provides that administration of the law will be funded through the fees generated by the new registration process as well as fines, penalties, settlements, or judgments. While the CCFPL exempts certain entities (e.g., banks, credit unions, certain licensees), DFPI’s oversight authority was expanded to include debt collection, debt settlement, credit repair, check cashing, rent-to-own contracts, retail sales financing, consumer credit reporting, and lead generation.
The NPRM proposes new rules to implement section 90008, subdivisions (a), (b), and (d)(2)(D), of the CCFPL related to consumer complaints and inquires. According to DFPI’s notice, section 90008 subdivisions (a) and (b) authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries. Additionally, subdivision (d)(2)(D) “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”
Among other things, the NPRM:
- Identifies entities exempt from the consumer complaints and inquiries requirements;
- Requires covered persons to respond to consumer complaints and to establish policies and procedures for receiving and responding to complaints, including providing a complaint form, acknowledging receipt of complaints, tracking complaints, the timeline for responding to complaints, the contents for such a response, and recordkeeping of such complaints;
- Sets forth requirements for responding to complaints, including documenting when complaints do not require further investigation, performing an investigation of a complaint if warranted, and requiring corrective action to resolve a complaint such as an account adjustment, credit, or refund, and appropriate steps to prevent recurrence of the issue, which may include policy changes and employee training;
- Requires designation of an officer with primary responsibility for the complaint process;
- Requires covered persons to submit to DFPI a quarterly complaint report, which will be made public, and an annual inquiries report;
- Sets forth requirements for covered persons to respond to inquiries from consumers and develop and implement written policies and procedures for responding to such inquiries;
- Provides that covered persons must develop and implement written policies and procedures for responding to requests from DFPI regarding consumer complaints; and
- Exempts certain information, such as nonpublic or confidential information, including confidential supervisory information, from disclosure to consumers.
Written comments on the NPRM are due by July 5.
NAAG establishes cyber training center to help states understand emerging and evolving technologies
Recently, the National Association of Attorneys General (NAAG) established a new center dedicated to the development of programs and resources for supporting states’ understanding of emerging and evolving technologies. The Center on Cyber and Technology will also assist with cybercrime investigations and prosecutions and “serve as an information clearinghouse for the attorney general community on trending technology issues.” Faisal Sheikh will serve as the Center’s first director, and “will be responsible for developing programming on cybersecurity, cybercrime, and new and emerging technologies, as well as forming strategic partnerships with other government agencies, academic institutions, nonprofit organizations, and private sector entities that focus on these issues.” According to NAAG Executive Director Chris Toth, “digital evolution has highlighted the need for a sustained approach to addressing cyber and technology issues.”
California Supreme Court: FTC Holder Rule does not limit attorney’s fees
On May 26, the California Supreme Court affirmed a trial court’s ruling that the FTC’s Holder Rule does not limit liability for attorney’s fees. According to the opinion, the plaintiff bought a used vehicle from the dealership (defendant) pursuant to an installment sales contract, which was subsequently assigned to a bank that became the “holder” of the contract. The plaintiff filed suit against the defendant and the bank, alleging misconduct by the dealership in the sale of the car regarding advertised features she needed due to a disability. A jury found for the plaintiff on one of her causes of action — breach of the implied warranty of merchantability under the Song-Beverly Consumer Warranty Act and awarded her $21,957.25 in damages. The plaintiff filed a posttrial motion seeking attorney’s fees in the amount of $169,602 under the Song-Beverly Act. The bank argued that it could not be liable for attorney’s fees based on the provision of the Holder Rule limiting recovery to the “amount[] paid by the debtor.” The trial court disagreed and granted the plaintiff’s motion.
The California Supreme Court granted review to resolve a split among the appellate courts on whether ‘“recovery’ under the Holder Rule includes attorney’s fees and limits the amount of fees plaintiffs can recover from holders to amounts paid under the contract.” The opinion noted the divide among the state’s appellate courts on this issue, citing on the one hand Pulliam v. HNL Automotive Inc. (holding that the Holder Rule does not limit the attorney’s fees a plaintiff may recover), and on the other hand, Lafferty v. Wells Fargo Bank, N.A. (stating that a debtor cannot recover damages and attorney fees for a Holder Rule claim that collectively exceed the amount paid by the debtor under the contract) and Spikener v. Ally Financial, Inc., (finding that the Holder Rule preempts California Civil Code section 1459.5, which authorizes a plaintiff to recover attorney fees on a Holder Rule claim even if it results in a total recovery that exceeds the amount the plaintiff paid under the contract, covered by InfoBytes here).
On appeal, the California Supreme Court unanimously concluded that “the Holder Rule does not limit the award of attorney’s fees where, as here, a buyer seeks fees from a holder under a state prevailing party statute,” as opposed to seeking fees under the Holder Rule itself. Specifically, “[t]he Holder Rule’s limitation extends only to ‘recovery hereunder.’” The California Supreme Court continued that “[t]his caps fees only where a debtor asserts a claim for fees against a seller and the claim is extended to lie against a holder by virtue of the Holder Rule. Where state law provides for recovery of fees from a holder, the [Holder] Rule’s history and purpose as well as the Federal Trade Commission’s repeated commentary make clear that nothing in the Rule limits the application of that law.”
District Court preliminarily approves $2 million debt collection settlement over garnishment issuance fees
On May 24, the U.S. District Court for the District of Oregon preliminarily approved a class action settlement resolving claims concerning a debt collection agency’s $45 garnishment “issuance fee.” According to the plaintiffs, the defendant issued garnishments to debtors’ employers and banks through its in-house attorneys to collect revenue for outstanding debts. While Oregon law allows debt collectors to charge fees as a means of compensating for the expense of hiring attorneys who issue such garnishments, the plaintiffs contended that the defendant’s “$45 fee is an abuse of the cost recovery statute because using in-house attorneys relieves defendant from ever incurring such an expense.” The plaintiffs alleged violations of the FDCPA, Oregon’s Unlawful Trade Practices Act, and Oregon’s Unlawful Debt Collection Practices Act. While the defendant denied any wrongdoing as part of the preliminarily approved settlement, it has agreed to pay $2 million to settle the claims. Class members, defined as more than 10,000 Oregonians allegedly injured by the $45 issuance fees between January 2018 and September 2019, will each receive “an amount three times greater than the actual damages caused originally by Defendant’s issuance fees.”
Arizona passes money transmitter licensure legislation
On May 20, the Arizona governor signed SB 1580, which revises provisions related to money transmitters. The bill, among other things, provides that “a person may not engage in the business of money transmission or advertise, solicit or hold itself out as providing money transmission unless the person is licensed." The provision does not apply to “a person that is an authorized delegate of a person licensed under this article that is acting within the scope of authority conferred by a written contract with the licensee,” and to exempt persons provided the person “does not engage in money transmission outside the scope of the exemption.” The bill also creates provisions related to consistent licensure, application for licensure, and information requirements for certain individuals.