InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
State Law Update: New York Bans Yield Spread Premiums, Expands Consumer Privacy Protections
On August 17, New York Governor Andrew Cuomo signed Senate Bill 886, which prohibits any compensation paid to a mortgage broker or lender that is based on the terms of a mortgage, except for compensation linked to the principal balance of the loan. This prohibition of so-called yield spread premiums is a change from existing state law that prohibited “abusive” yield spread premiums in connection with high-cost mortgages.
On August 14, New York enhanced consumer privacy protections when it enacted Assembly Bill 8992. Just as the Federal Privacy Act of 1974 applies to federal, state, and local government agencies, this bill prohibits private businesses from conditioning the provision of services on a consumer’s willingness to disclose his or her Social Security number upon request. The law provides several exceptions, including when the collection of the Social Security Number is (i) otherwise required by law, (ii) requested in connection with the opening of a deposit account or a credit transaction initiated by the consumer, or (iii) required for any business function allowed under the Gramm Leach Bliley Act.
FTC Finalizes Privacy Settlement with Facebook
On August 10, the FTC approved a final settlement to resolve charges that Facebook deceived customers by failing to meet stated privacy protections. The FTC alleged, among other things, that Facebook shared personal information with advertisers despite assurances that it would not do so. The agreement does not include any monetary penalty, but Facebook is prohibited from making any deceptive privacy claim, and it must obtain consumers' approval before changing the way it shares their data. For the next twenty years, Facebook also must obtain periodic assessments of its privacy practices by independent auditors. One Commissioner objected, stating that because the agreement includes a denial of the allegations, the Commission does not have sufficient grounds under the FTC Act to accept the consent agreement. Further, the dissenting Commissioner stated that the settlement is insufficient because it does not clearly extend to all representations made in the Facebook environment and specifically may not cover third-party applications.
FTC Announces Settlement With Google Over Privacy Violations
On August 9, the FTC announced that it obtained from Google a $22.5 million civil penalty to resolve allegations that the company misrepresented certain privacy protections to consumers. According to the FTC, Google violated a previous FTC settlement and order when it placed advertising tracking cookies on the computers of Apple’s Safari Internet browser users, despite Google specifically telling users that they would be opted out of such tracking by default. The FTC states that the penalty is the largest it has ever obtained for violation of a previous order.
FTC Considers Additional Revisions to Children's Online Privacy Protection Rule
On August 1, the FTC announced that it is seeking public comment on additional proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule). In September 2011, the FTC sought comments on certain proposed changes to its COPPA Rule. In response to the hundreds of comments received, as well as subsequent efforts to enforce the rule, the FTC now is proposing to modify certain definitions to enhance protections related to the online collection, use, or disclosure of children’s personal information. The revised definitions include: (i) “operator”, (ii) “website or online service directed to children”, and (iii) “personal information.” For example, with regard to “personal information”, the definition would be altered to include a persistent identifier where it can be used to recognize a user over time or across different websites. The FTC is accepting comments on the proposal through September 10, 2012.
State Law Update: Hawaii and California Take Actions on Mortgages and Privacy
California AG Announces Privacy Enforcement Unit. On July 19, California Attorney General Kamala Harris announced the creation of the Privacy Enforcement and Protection Unit. The unit will combine the various existing privacy functions of the California Department of Justice to centrally enforce and protect consumer privacy. The unit will pursue civil prosecution of state and federal privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. These include laws relating to cyber privacy, financial privacy, identity theft, and data breaches, among others. The new unit will reside within the eCrime Unit, which was created in December 2011 to identify and prosecute identity theft crimes, cyber-crimes and other crimes involving the use of technology.
California Expands Servicemember Protections. On July 13, California enacted AB 2476, which expands the period of time during which servicemembers are protected from high interest rates. Under current law, a creditor cannot charge, during a servicemember’s period of military service, an interest rate in excess of 6% on any obligation or liability incurred by a servicemember before that person’s entry into service. The bill expands the interest rate protections to prevent an increase in any such rate on a mortgage, trust deed, or other security in the nature of a mortgage for one year after the period of military service.
Hawaii Enacts Multiple Mortgage-Related Bills and Legislation to Protect Personal Information. Recently, Hawaii enacted a set of bills related to mortgage origination and servicing. With regard to mortgage origination, S.B. 2763 amends the state SAFE Act to reflect changes to the federal law and to adjust originator registration fees. With regard to mortgage servicers, H.B. 2502 allows the Commissioner of Financial Institutions to require registration with the NMLS and makes it unlawful for a servicer to provide loan modifications without first complying with certain licensing requirements. Another bill, H.B. 1875 makes numerous changes to the state’s foreclosure laws, largely implementing recommendations from the Mortgage Foreclosure Task Force created by the state legislature in 2010. Finally, with regard to mortgages, H.B. 2375 establishes criminal penalties for certain violations of the state’s Mortgage Rescue Fraud Prevention Act. Hawaii also recently enacted S.B. 2419, which prohibits businesses from scanning a customer’s identification card or driver’s license with an electronic device capable of obtaining information electronically encoded on that identification card, except for specific purposes.
Senate Committee Explores Framework for Mobile Payments
On July 10, the Senate Banking Committee held the second hearing in a two-part series on developing a framework for safe and efficient mobile payment systems. A panel comprised of economic and legal experts in the area of mobile payments updated the Committee on the state of the market and provided ideas for establishing an appropriate regulatory framework that balances innovation and consumer protection. Among other topics, the panelists and Senators discussed information collection and use and the related privacy and data security risks to consumers, as well as to merchants taking mobile payments. At the first hearing in the series, held in March, the Committee received testimony from regulatory experts from the Federal Reserve System. During that hearing the Committee sought information about the current roles of regulators with regard to mobile payments, and potential gaps in the regulatory structure. The House Financial Services Committee recently concluded a similar series in which it explored the regulatory structure for mobile payments and assessed the market impacts of mobile payment advances.
Mobile App Developer Agrees to Stop Collecting and Using Children's Data in Settlement
On June 27, the New Jersey Attorney Generals office announced a consent decree and injunction against 24x7digital LLC, a mobile app company, settling charges under the Childrens Online Privacy Protection Act (COPPA). The company created a series of apps for children in preschool through second grade that encouraged children to provide their first and last names and photos for personal profiles. Under the settlement, the company agreed to stop collecting, using, and disclosing childrens personal information without verifiable parental consent. The company also agreed to provide direct notice to parents of the types of information it collects and what it does with that information.
State Law Update: NAAG to Focus on Privacy; Vermont, Connecticut, Oklahoma Make E-Commerce Changes
Incoming NAAG President to Focus on Privacy Issues. On June 22, after being elected president of the National Association of State Attorneys General (NAAG), Maryland Attorney General Doug Gansler announced a year-long Presidential Initiative titled “Privacy in the Digital Age.” The Initiative will explore the best ways to manage consumer privacy risks in light of “emerging technologies and business models” that are challenging consumers’ ability to control their personal information. Through the Initiative, state Attorneys General will attempt to ensure that “the Internet’s major players protect online privacy and provide meaningful options for privacy control” to consumers.
Two States Expand Data Breach Notification Requirements. Recently, Connecticut and Vermont altered state requirements for firms experiencing a data breach to report the breach. Connecticut’s revision – in the state’s annual budget bill, House Bill 6001 – expanded existing breach notification provisions to include notification to the state attorney general and takes effect October 1, 2012. Vermont amended, in House Bill 254, its breach notice law to require consumer notice of a security breach within 45 days and notification to the attorney general within 14 days of discovery of the incident. The Vermont requirement was effective as of May 8, 2012.
Oklahoma High Court Approves Rules for Electronic Filing and Signatures. On June 21, the Supreme Court of Oklahoma issued new state court rules governing the electronic filing of court documents in that state. These rules apply to a new statewide electronic management system that will replace the mix of electronic and paper-based record systems previously used in Oklahoma. Among other things, the rules provide for the use of electronic signatures where any statute or court rule requires a person’s signature in an Oklahoma state court. Like the new electronic system, the new rules will be phased in gradually; they become effective in each district and appellate court at the time the Oklahoma Unified Case Management System is implemented in that court.
NTIA Announces First Privacy Stakeholder Meeting
On June 15, the National Telecommunications and Information Administration (NTIA) announced that the first meeting of a privacy multistakeholder process will be held on July 12, 2012. The meeting is the first in a series intended to produce a code of conduct that will provide transparency in the handling of personal data by mobile application and services companies. The multistakeholder process derives from the White House’s Privacy Blueprint released in February 2012, which set forth a Consumer Privacy Bill of Rights and designed the multistakeholder process to develop legally enforceable codes of conduct across diverse business contexts.
Lawmakers Ask CFPB to Examine Student Debit Cards
On June 7, Senator Richard Durbin (D-IL) and Representative George Miller (D-CA) sent letters to the CFPB and the Department of Education requesting that those agencies examine the practices associated with bank-affiliated student debit cards. The letters cite a recent U.S. PIRG report that identified troubling practices with these products, including alleged use of improper fees and misleading marketing. The lawmakers pose a series of questions to define the scope of the examination, including, for example (i) whether campus-based debit cards provide adequate consumer protections, (ii) whether the fees and penalties associated wit such cards violate federal law, and (iii) whether the contractual agreements between schools and financial institutions violate student privacy rights.