InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB, EU start talks on AI, digital finance
On July 17, CFPB Director Rohit Chopra and Commissioner for Justice and Consumer Protection of the European Commission Didier Reynders issued a joint statement announcing the start of new dialogue on consumer financial protection with a primary focus on digital developments in the financial sector and ways to improve policy and regulatory cooperation.
Chopra and Reynders stressed that there are significant implications for both businesses and households from the digitalization of the financial services sector, including impacts on pricing, customer service, competition, and privacy. They noted that financial institutions are increasingly deploying automated decision-making processes, leveraging artificial intelligence technologies, and developing and introducing new financial products and services, such as Buy Now, Pay Later. Chopra and Reynders also commented that digital payments are becoming “increasingly offered and controlled by Big Tech.” They warned these developments, if not properly regulated, “could increase consumers’ exposure to fraud and manipulation, limit their product options over time, threaten their control over their own data, and force them to accept more expensive personalized pricing for the same products and services compared to other consumers.” Chopra and Reynders also cautioned that policymakers must do more to keep pace with evolving markets and ensure consumer protection.
The dialogue will address topics relating to:
- The deployment of automated decision-making and data processing and implications for consumers;
- Risks associated with emerging credit options, including the potential risks of over-consumption and over-indebtedness for consumers who use these products;
- Measures for exploring ways to assist over-indebted consumers in managing and repaying their debt sustainably;
- Digital transformation and access to fair financial services, including to unbanked and underbanked consumers, as well as those who prioritize protecting their personal data; and
- Competition, privacy, security, and financial stability implications associated with big tech companies that offer financial services.
Chopra and Reynders will meet informally at least once per year to share insights and experiences on consumer financial issues. According to the statement, the dialogue will also involve staff discussions, bilateral meetings with subject matter experts, and roundtables with stakeholders. The cooperation and exchanges within the informal dialogue are expected “to occur in parallel with other forms of cooperation and exchanges between the European Union and the United States on various digital and financial services policies and regulations,” the joint statement said.
European Commission approves transatlantic data-transfer framework
On July 10, the European Commission adopted an adequacy decision as part of the EU-U.S. Data Privacy Framework, concluding that the U.S. “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to U.S. companies under the new framework.” In the announcement, European Commission President Ursula von der Leyen stated that the “new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.” She explained that with the new adequacy decision, personal data can now be transferred securely from the EU to U.S. companies participating in the framework without having to implement additional data protection safeguards. The framework will be administered by the Department of Commerce. Compliance by U.S. companies with their obligations under the framework will be enforced by the FTC.
As previously covered by InfoBytes, Presidents von der Leyen and Biden announced in March 2022 that they had reached an agreement in principle on a new transatlantic data flows framework to foster cross-border transfers of personal data from the EU to the U.S. Under the framework, the U.S. agreed to implement reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement followed negotiations that began after the Court of Justice of the EU issued an opinion in the Schrems II case in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.
The DOJ released a statement welcoming the European Commission’s adoption of the adequacy decision and expressing its eagerness to collaborate with the Commission, along with representatives from European data protection authorities, to ensure the ongoing implementation of data privacy safeguards.
1st Circuit confirms standing for data breach victims
On June 30, the U.S. Court of Appeals for the First Circuit overruled a district court’s dismissal of a putative class action against a home delivery pharmacy service for allegedly failing to prevent a 2021 data breach that exposed the personally identifiable information (PII) of over 75,000 patients. The class action complaint alleged state law claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, and sought damages and injunctive relief. The putative class was comprised of U.S. residents whose PII was compromised in the data breach. The two named plaintiffs were former or current patients whose PII were compromised in the data breach, and one of the two named plaintiffs had her stolen PII used to file a fraudulent tax return. The district court dismissed the lawsuit for lack of Article III standing.
Affirming in part and reversing in part, the 1st Circuit held that the complaint “plausibly demonstrates” the plaintiffs’ standing to seek damages, applying the principles articulated by the Supreme Court in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here).
First, the court concluded that, with respect to the named plaintiff whose PII was used to file a fraudulent tax return, the complaint’s “plausible allegations of actual misuse” of the stolen PII constituted a “concrete injury in fact” for purposes of Article III standing. According to the 1st Circuit, there existed “an “obvious temporal connection” between the timing of the data breach and the filed return, among other facts. The appellate court also found that the fraudulent tax return could make it probable that more of the named plaintiff’s information could be further misused—changing the risk of future misuse from speculative to “imminent and substantial.”
Second, with respect to the named plaintiff for whom there was no allegation of actual misuse of PII, the court reasoned that “the complaint plausibly alleges a concrete injury in fact based on the material risk of future misuse of [plaintiff’s] PII and a concrete harm caused by exposure to this risk.” The appellate court also found that, because the data here was compromised in a “targeted attack,” then “it stands to reason that [such data] is more likely to be misused…and the risk of future misuse is heightened when the compromised data is particularly sensitive.”
Third, the court concluded that the complaint plausibly alleged a “separate concrete, present harm” caused by exposure to the risk of future harm, “based on the allegations of the plaintiffs’ lost time spent taking protective measures [against further identity theft] that would otherwise have been put to some productive use.” “The loss of this time is equivalent to a monetary injury, which is indisputably a concrete injury,” the appellate court wrote, adding that it joins other circuits in holding that time spent responding to a data breach is sufficient to establish standing.
Finally, the court held that plaintiffs lacked standing to pursue injunctive relief “because their desired injunctions would not likely redress their alleged injuries” as any such relief would only safeguard against future breaches and would not protect “plaintiffs from future misuse of their PII by the individuals they allege now possess it.”
Court delays enforcement of California privacy regulations
The Superior Court for the County of Sacramento adopted a ruling during a hearing held June 30, granting the California Chamber of Commerce’s (Chamber of Commerce) request to enjoin the California Privacy Protection Agency (CPPA) from enforcing its California Privacy Rights Act (CPRA) regulations until March 2024. Enforcement of the CPRA regulations was set to begin July 1.
The approved regulations (which were finalized in March and took effect immediately) update existing California Consumer Privacy Act regulations to harmonize them with amendments adopted by voter initiative under the CPRA in November 2020. (Covered by InfoBytes here.) In February of this year, the CPPA acknowledged that it had not finalized regulations regarding cybersecurity audits, risk assessments, and automated decision-making technology and posted a preliminary request for comments to inform this rulemaking. (Covered by InfoBytes here.) The June 30 ruling referred to a public statement issued by the CPPA, in which the agency explained that enforcement of those three areas would not commence until after the applicable regulations are finalized. However, the CPPA stated it intended to “enforce the law in the other twelve areas as soon as July 1.”
In March, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations. The Chamber of Commerce argued that the CPPA had finalized its regulations in March 2023 (rather than the statutorily-mandated completion date of July 1, 2022), and as a result businesses were not provided the required one-year period to come into compliance before the CPPA begins enforcement. The CPPA countered that the text of the statute “is not so straightforward as to confer a mandatory promulgation deadline of July 1, 2022, nor did the voters intend for impacted business to have a 12-month grace period between the [CPPA’s] adoption of all final regulations and their enforcement.”
The court disagreed, finding that the CPPA’s failure “to timely pass final regulations” as required by the CPRA “is sufficient to grant the Petition.” The court stated that because the CPRA required the CPPA to pass final regulations by July 1, 2022, with enforcement beginning one year later, “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” The court added that it was “not persuaded” by the CPPA’s argument “that it may ignore one date while enforcing the other.” However, staying enforcement of all the regulations for one year until after the last of the CPRA regulations have been finalized would “thwart the voters’ intent.” In striking a balance, the court stayed the CPPA’s enforcement of the regulations that became final on March 29 and said the agency may begin enforcing those regulations on March 29, 2024. The court also held that any new regulations issued by the CPPA will be stayed for one year after they are implemented. The court declined to mandate any specific date by which the CPPA must finalize the outstanding regulations.
Biden announces FTC nominees
On July 3, President Biden announced his intention to nominate Andrew N. Ferguson and Melissa Holyoak to serve as Republican members of the FTC. Ferguson currently serves as the solicitor general of the Commonwealth of Virginia where he oversees appellate litigation of the state and its agencies. Prior to his time as solicitor general, Ferguson served as chief counsel to U.S. Senate Republican Leader Mitch McConnell, chief counsel for nominations and constitution to then-Judiciary Committee Chairman Lindsey Graham (R-SC), and senior special counsel to then-Judiciary Committee Chairman Chuck Grassley (R-IA). Ferguson also has extensive antitrust experience, including in litigation before the FTC and DOJ.
Holyoak is currently the solicitor general with the Utah Attorney General’s Office where she oversees areas including civil appeals, criminal appeals, constitutional defense, and the antitrust and data privacy divisions. She is an experienced litigator, where much of her 20 years of practice has focused on consumer protection, Biden said. Before joining the Utah Attorney General’s Office, Holyoak was president and general counsel of the Hamilton Lincoln Law Institute, a Washington, D.C.-based public interest firm that represents consumers challenging unfair class actions and regulatory overreach.
Following the announcement, FTC Chair Lina M. Khan issued a statement congratulating the nominees. The two seats have been vacant since former Commissioner Christine Wilson announced her resignation earlier in the year (covered by InfoBytes here).
Nevada enacts health data privacy measures
On June 16, the Nevada governor signed SB 370 (the “Act”) to enact provisions imposing broad restrictions on the use of consumer health data. The Act is intended to cover health data and persons or entities not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as a person who conducts business in the state of Nevada or produces or provides products or services that are targeted to consumers in the state that “determines the purpose and means of processing, sharing or selling consumer health data.” Exempt from the Act’s requirements are government agencies, financial institutions and data that is collected, maintained or sold subject to the Gramm-Leach-Bliley Act and certain other federal laws, law enforcement agencies, and third parties that obtain consumer health data from a regulated entity through a merger, acquisition, bankruptcy or other transaction, among others.
The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain voluntary consent from consumers prior to collecting, sharing, and selling their health data, and are required to provide a means by which a consumer can revoke such authorization; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific security policies and procedures. Consumers are also empowered with the right to have their health data deleted and may request a list of all third parties with whom the regulated entity has shared or sold their health data. The Act details prohibited practices and outlines numerous compliance elements relating to access restrictions, responding to consumers, and processor requirements.
Furthermore, a violation of the Act constitutes a deceptive trade practice. While the Act does not create a private right of action, under existing law a court has authority “to impose a civil penalty of not more than $12,500 for each violation upon a person whom the court finds has engaged in a deceptive trade practice directed toward an elderly person or a person with a disability. Additionally, under existing law if a person violates a court order or injunction brought by the Commissioner of Consumer Affairs, the Director of the Department of Business and Industry, the district attorney of any county in the state or the attorney general, “the person is required to pay a civil penalty of not more than $10,000 for each violation.” Willful violations may incur an additional penalty of not more than $5,000, as well as injunctive relief.
The Act is effective March 31, 2024.
Nevada expands collection agency licensing requirements
On June 16, the Nevada governor signed SB 276 (the “Act”) to revise certain provisions relating to debt collection agencies and make amendments to the state’s collection agency licensing law. While existing law requires collection agencies to be licensed, the amendments expand the type of activities that trigger collection agency licensure. Notably, the Act now requires any “debt buyer” to hold a license, which is defined as “a person who is regularly engaged in the business of purchasing claims that have been charged off for the purpose of collecting such claims, including, without limitation, by personally collecting claims, hiring a third party to collect claims or hiring an attorney to engage in litigation for the purpose of collecting claims.” Mortgage servicers, however, are now exempt unless the “mortgage servicer is attempting to collect a claim that was assigned when the relevant loan was in default.” The amendments also repeal provisions governing foreign collection agencies and now require that such agencies be licensed in the same fashion as domestic collection agencies.
In addition to licensed mortgage servicers the amendments also exclude others from the definition of the term “collection agency,” including an expanded list of certain financial institutions (as well as their employees), persons collecting claims that they originated on their own behalf or originated and sold, and other persons not deemed to be debt collectors under federal law. The term “collection agent” has also been refined to exempt persons who do not act on behalf of a collection agency from requirements governing collection agents.
The Act revises requirements relating to “compliance managers” (formerly referred to as “collection managers”) – including an avenue to request a waiver from the Nevada compliance manager examination requirement if certain experiential requirements are met – and makes changes to certain record retention and application requirements, including amendments to the frequency with which the commissioner reviews a licensee’s required bond amount (annually instead of semiannually). A provision requiring applicants to pursue branch licenses for second or remote locations is also repealed. Instead, collection agencies must simply notify the commissioner of the location of the branch office. Further, collection agencies are now required to display license numbers and certificate identification numbers of compliance managers on any website maintained by the collection agency.
Additionally, the Act now authorizes collection agents to work remotely provided the agents meet certain criteria, including: (i) signing a written agreement prepared by the collection agency that requires the agent to maintain agency-appropriate security measures to ensure the confidentiality of customer information; (ii) refraining from disclosing details about the remote location to a debtor; (iii) refraining from conducting collection activity-related work with a debtor or customer in person at the remote location; (iv) allowing work conducted from the remote location to be monitored; and (v) completing various compliance and privacy training programs. Remote collection agents must adhere to certain practices requirements and restrictions set forth by both the Act and the FDCPA. Collection agencies must also maintain records of remote collection agents, provide oversight and monitoring of collection agents that work remotely, develop and implement a written security policy governing remote collection agents, and establish procedures to ensure collection agents working remotely are not acting in an illegal, unethical, or unsafe manner.
Finally, the Act imposes new prohibitions against collection agencies and their agents and employees. Among other things, a collection agency (and its compliance manager, agents, or employees) is banned from suing to collect a debt when it knows or should have known that the applicable statute of limitations has expired. The amendments further clarify that the applicable limitation period is not revived upon “payment made on a debt or certain other activity relating to the debt after the time period for filing an action based on a debt has expired.” Certain notice must also be given to a medical debtor notifying that such a payment does not revive the applicable statute of limitations. A collection agency may also not sell “an interest in a resolved claim or any personal or financial information related to the resolved claim.”
The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on October 1, 2023 for all other purposes. “Debt buyers” have until January 1, 2024 to submit a collection agency license application pursuant to the new provisions.
FTC orders sweepstakes company to pay $18.5 million for using “dark patterns”
On June 26, the FTC filed a complaint against a sweepstakes company alleging they used “dark patterns” (via the use of “manipulative phrasing and website design”) to trick consumers into purchasing products in order to enter the increase the chances of winning the company’s sweepstakes. The FTC further claimed the defendant engaged in other unlawful practices in violation of the FTC Act, including (i) failing to disclose the true price of goods and failing to inform consumers they were responsible for return shipping costs for unwanted products; (ii) misleading consumers with fictitious email subject lines; and (iii) sharing consumer data with third parties despite disclosing in its privacy policy prior to January 2019 that it did sell or rent consumer data to third parties.
Under the terms of the proposed court order filed June 27 stipulating to an injunction, monetary judgement, and other relief, the defendant would be required to pay $18.5 million in monetary relief and make numerous changes to its email and internet operations. Among other things, the defendant would be required to clearly and conspicuously disclose on every shopping page that a purchase is not required to enter a sweepstakes and that purchasing will not help a consumer win. Consumers would also be required, in many cases, to acknowledge this disclosure when responding to a call to action that results in an order. The defendant must also clearly disclose material costs and terms of purchase, as well as any additional fees, and cancellation and return policies. Additionally, the defendant would be required to delete all consumer data collected prior to January 1, 2019, unless required for processing transactions, and stop misrepresenting its data collection and sharing practices.
DOJ and FTC find UDAPs in handling of women’s health data
On June 23, the DOJ and FTC announced the government has obtained substantial injunctive relief, and that the department will collect $100,000 in civil penalties, from an Illinois-based healthcare corporation pursuant to a stipulated federal court order. In the complaint, the United States claimed that the corporation violated Section 5 of the FTC Act, in which the defendant engaged in unfair and deceptive acts in connection with its period and ovulation tracking mobile app. The government alleged that the corporation shared consumers’ persistent identifiers and sensitive personal information to third-party companies without user notice or consent. Additionally, the corporation allegedly failed to disclose how those third-party companies would use consumers’ personal information. The complaint also alleges the corporation failed to take “reasonable measures” surrounding data and privacy risk when they integrated third-party software into the mobile application, and that they violated the HBNR.
The order entered by the court requires that the corporation: (i) “implement a comprehensive privacy and data security program with safeguards to protect consumer data”; (ii) “hire an independent third-party to regularly assess its compliance with the privacy program for a period of 20 years”; (iii) “[is] enjoined from sharing health information with third-parties for advertising purposes, from sharing health information with third-parties for other purposes without obtaining users’ affirmative express consent, and from making misrepresentations about [the corporation’s] privacy practices”; and (iv) comply with the HBNR’s notification provisions in any future breach of Security.
Texas is most recent state to enact comprehensive privacy legislation
On June 18, the Texas governor signed HB 4 to enact the Texas Data Privacy and Security Act (TDPSA) and establish a framework for controlling and processing consumer personal data in the state. Texas follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, and Montana in enacting comprehensive consumer privacy measures. Earlier this month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.
The TDPSA applies to a person that conducts business in the state or produces products or services consumed by state residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration, except to the extent that it sells sensitive data which requires consumer consent. Unlike other states, there is no data-processing volume threshold. The TDPSA only protects consumers acting in an individual or household capacity and does not cover individuals acting in a commercial or employment context. Additionally, the TDPSA provides several exemptions, including financial institutions or data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, higher education institutions, covered entities governed by the Health Insurance Portability and Accountability Act, and certain utility companies.
Highlights of the TDPSA include:
- Consumers’ rights. Under the TDPSA, consumers will be able to access their personal data; confirm whether their data is being processed; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling.
- Data controllers’ responsibilities. Data controllers under the TDPSA will be responsible for, among other things: (i) responding to consumer requests within 45 days (unless extenuating circumstances arise) and providing requested information free of charge; (ii) establishing a process to allow consumer appeals after a controller’s refusal to take action on a consumer’s request; (iii) providing at least two methods for consumers to exercise their rights; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) establishing easy opt-out methods that require consumers to affirmatively and freely choose to opt out of any processing of their personal data; (vii) processing data in compliance with state and federal anti-discrimination laws; (viii) obtaining consumer consent in order to process sensitive data; (ix) providing clear and reasonably accessible privacy notices; and (x) conducting and retaining data protection assessments and ensuring deidentified data cannot be associated with a consumer. The TDPSA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
- No private right of action. The TDPSA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law.
- Right to cure. Upon discovering a potential violation of the TDPSA, the attorney general must give the data controller notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit and seek up to $7,500 for each violation, as well as injunctive relief, attorney’s fees, and other expenses.
The TDPSA takes effect July 1, 2024, except for certain provisions relating to methods for submitting consumer requests, which shall take effect January 1, 2025.