InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
9th Circuit reverses decision in COPPA suit
In December, the U.S. Court of Appeals for the Ninth Circuit reversed and remanded a district court’s decision to dismiss a suit alleging that a multinational technology company used persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of the Children’s Online Privacy Protection Act (COPPA). According to the opinion, the company used targeted advertising “aided by sophisticated technology that delivers curated, customized advertising based on information about specific users.” The opinion further explained that “the company’s technology ‘depends partly on what [FTC] regulations call ‘persistent identifiers,’ which is information ‘that can be used to recognize a user over time and across different Web sites or online services.’” The opinion also noted that in 2013, the FTC adopted regulations under COPPA that barred the collection of children’s “persistent identifiers” without parental consent. The plaintiff class claimed that the company used persistent identifiers to collect data and track their online behavior surreptitiously and without their consent, and alleged state law claims arising under the constitutional, statutory, and common law of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee, in addition to COPPA violations. The district court ruled that the “core allegations” in the third amended complaint were squarely covered, and preempted, by COPPA.
On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. To determine this, the appellate court examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The appellate court stated that it was not “persuaded that the insertion of ‘treatment’ in the preemption clause here evinces clear congressional intent to create an exclusive remedial scheme for enforcement of COPPA requirements.” The opinion noted that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.”
District Court issues judgment against debt-collection law firm
On January 11, the U.S. District Court for the Southern District of New York entered a proposed stipulated final judgment and order against a defendant New York debt-collection law firm. As previously covered by InfoBytes, the Bureau’s complaint alleged that between 2014 and 2016 the defendant initiated over 99,000 collection lawsuits in an attempt to collect debts by relying on “non-attorney support staff, automation, and both a cursory and deficient review of account files,” in violation of both the FDCPA and the Consumer Financial Protection Act. The Bureau alleged the lawsuits contained names and signatures of attorneys despite those attorneys “not being meaningfully involved in reviewing the merits of the lawsuits,” including not reviewing pertinent documentation related to the debts, such as account applications, billing statements, payment histories, and the terms and conditions governing an account. Moreover, the defendant allegedly did not perform reviews of the contracts related to debt sales, despite filing lawsuits on behalf of debt buyers that have been accused of unlawful debt collection practices.
In order to continue with debt-collection litigation, for each collection suit, the settlement requires the defendant to possess documents with specific information about the debt, including the name of the original creditor, evidence that the consumer authorized the debt, the chain of assignment supporting any sale of the debt, and a break-down of how the debt amount was calculated. The defendant must also certify that the attorney whose name appears on the complaint reviewed the supporting documentation and ensure the complaint is consistent with that documentation. Any pending lawsuit in which the defendant does not certify its compliance with the specific information and meaningful attorney review requirements must be voluntarily dismissed. The also order requires the defendant to pay a $100,000 penalty to the Bureau.
Education Dept. releases IDR proposal
On January 10, the Department of Education (DOE) announced a notice of proposed rulemaking (NPRM) to reduce the cost of federal student loan payments. According to the DOE, the regulations fulfill President Biden’s plan to provide student debt relief for approximately 40 million borrowers and to make the student loan system more manageable for student borrowers. As previously covered by InfoBytes, the three-part debt relief plan was announced in August to provide, among other things, up to $20,000 in debt cancellation to Pell Grant recipients with loans held by the DOE, and up to $10,000 in debt cancellation to non-Pell Grant recipients for borrowers making less than $125,000 a year or less than $250,000 for married couples. Plaintiffs, whose loans are ineligible for debt forgiveness under the program, sued the DOE and the DOE secretary claiming the agency violated the Administrative Procedure Act’s notice-and-comment rulemaking procedures and arbitrarily decided the program’s eligibility criteria. Plaintiffs further contended that the DOE secretary does not have the authority under the HEROES Act to implement the program. Specifically, the NPRM would establish that those making less than $30,577 as an individual or a family of four making less than $62,437 would have their monthly payments reduced to $0.
According to the NPRM, the DOE is proposing to amend the regulations governing income-contingent repayment plans by amending the Revised Pay as You Earn (REPAYE) repayment plan. The NPRM noted that the DOE is looking to restructure and rename the repayment plan regulations under the William D. Ford Federal Direct Loan Program, including combining the Income Contingent Repayment (ICR) and the Income-Based Repayment (IBR) plans under the umbrella term of IDR plans. The NPRM would ensure that a borrower’s balance would not grow due to accumulation of unpaid interest if the borrowers otherwise make their monthly payments. Additionally, the NPRM would also establish that for individuals who borrow $12,000 or less, loan forgiveness can occur after making the equivalent of 10 years of payments. That period increases by one year for each additional $1,000 that is borrowed. The DOE released a Fact Sheet on increasing college accountability, which clarifies information on identifying the lowest-financial-value programs, protecting students and delivering value through greater accountability, increasing collaboration with accreditors, and building a record of action.
The DOE also released a request for information (RFI) to solicit comments on identifying the best ways to calculate the metrics that may be used to identify low-financial-value programs and inform technical considerations. Finally, the DOE released a Fact Sheet on transforming IDR. Among other things, the Fact Sheet discusses decreasing undergraduate loan payments, stopping unpaid interest accumulation, and lowering the number of monthly payments required to receive forgiveness for borrowers with smaller loan balances. Comments are due 30 days after publication in the Federal Register.
FTC seeks to ban noncompete clauses
On January 5, the FTC announced a notice of proposed rulemaking (NPRM) regarding banning the use of noncompete clauses in employment contracts. Among other things, the NPRM, would make it illegal for employers to: (i) enter into, or attempt to enter into, a noncompete agreement with a worker; (ii) maintain a noncompete agreement with a worker; or (iii) represent to a worker that the worker is subject to a noncompete agreement. The NPRM also would require employers to rescind existing noncompete agreements and notify workers that those agreements are no longer in effect. The NPRM extends to both paid and unpaid workers as well as independent contractors. It also extends to non-disclosure agreements or agreements to repay training costs upon early termination of employment if such agreements amount de facto to a noncompete. Finally, the NPRM extends to noncompetes related to the sale of a business unless they involve a person who owns at least 25 percent of the sold business. The ban would be pursuant to Sections 5 and 6(g) of the FTC Act, which declare “unfair methods of competition in or affecting commerce” to be unlawful, and authorize the FTC to issue rules prohibiting such methods.
According to FTC Chair Lina M. Khan, noncompete clauses “block workers from freely switching jobs, depriving them of higher wages and better working conditions, and depriving businesses of a talent pool that they need to build and expand.” She noted that by ending noncompete clauses, “the FTC’s proposed rule would promote greater dynamism, innovation, and healthy competition.” According to Commissioner Christine S. Wilson’s dissent, the NPRM is a “radical departure from hundreds of years of legal precedent that employs a fact-specific inquiry into whether a noncompete clause is unreasonable in duration and scope, given the business justification for the restriction.”
Comments are due by March 10.
CFPB says ruling on funding structure doesn’t affect debt collector’s CID
In December, the CFPB denied a petition by a debt collection agency to set aside a civil investigative demand (CID) issued last October. The company challenged the Bureau’s authority to issue the CID on the grounds that the agency’s funding mechanism is unconstitutional. The company’s argument relied on a decision issued by the U.S. Court of Appeals for the Fifth Circuit on October 19 (covered by a Buckley Special Alert), which found that the Bureau is unconstitutionally funded and vacated the CFPB’s Payday Lending Rule. The Bureau submitted a petition for a writ of certiorari in November asking the U.S. Supreme Court to review the 5th Circuit decision (covered by InfoBytes here).
The debt collection agency and the CFPB held a “meet and confer” at the end of October, and the company argued that during the meet and confer the parties did not agree on two of the company’s objections: (i) the inadequate Notification of Purpose Pursuant to 12 C.F.R. §1080.5 contained in the CID; and (ii) the Bureau’s unconstitutional funding mechanism. The company filed a petition to set aside the CID, arguing that because the Bureau’s funding mechanism is unconstitutional, the Bureau lacks enforcement authority and the CID should be set aside in its entirety. The company claimed a similar nexus exists between the Bureau’s unconstitutional funding mechanism and the concrete harm suffered by the company. Just as the Payday Lending Rule was vacated by the 5th Circuit and set aside as unenforceable, “but for the Bureau’s unconstitutional spending, the CID would not have been issued,” the company said.
In rejecting the company’s arguments, the Bureau commented that it “has consistently taken the position that the administrative process … for petitioning to modify or set aside a CID is not the proper forum for raising and adjudicating challenges to the constitutionality of the Bureau’s statute.” In declining to set aside the CID on constitutional grounds, the Bureau wrote that should it later determine that it is necessary to obtain a court order compelling compliance with the CID, the company will have an opportunity to raise any constitutional arguments as a defense in district court.
FTC finalizes data breach order with online alcohol marketplace
On January 10, the FTC announced it has finalized an order with a company that operates an online alcohol marketplace, along with its CEO, related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. As previously covered by InfoBytes, the FTC alleged the respondents were alerted to problems with the company’s data security procedures following an earlier security incident in 2018, which involved hackers accessing company servers to mine cryptocurrency until the company changed its cloud computing account login information. The FTC asserted, however, that the company failed to take appropriate measures to address its security problems even though it publicly claimed it had appropriate security protections in place. Among other things, the respondents allegedly violated the FTC Act by (i) failing to implement basic security measures or put in place reasonable safeguards to secure the personal information it collected and stored; (ii) storing critical database information, including login credentials, on an unsecured platform; (iii) failing to monitor its network for security threats or unauthorized attempts to access or remove personal data; and (iv) exposing customers to hackers, identity thieves, and malicious actors who use personal information to open fraudulent lines of credit or commit other fraud. The respondents neither admit nor deny the allegations.
The terms of the final decision and order prohibit the company from making any misrepresentations in connection with any offered product or service related to how it collects, uses, discloses, maintains, deletes, or permits or denies access to personal information. Additionally, the company is required to destroy any collected personal data that is not necessary for providing products or services to consumers, and must refrain from collecting or maintaining personal information unless it is necessary for specific purposes provided in a data retention schedule. The company must also implement and maintain a comprehensive information security program, establish security safeguards to protect against specified security incidents, obtain initial and biennial third-party information security assessments, and publicly detail on its website information on its data collection practices. The order also requires the CEO to implement an information security program at any relevant business for which he is a majority owner, CEO, or senior officer with information security responsibilities.
DOJ says court will oversee social media company’s housing ads into 2026
On January 9, the DOJ informed a New York federal judge that it had reached a follow-up agreement with a global social media company to ensure its compliance with a June 2022 settlement that required the company to stop using a tool that allowed advertisers to exclude certain users from seeing housing ads based on their sex and estimated race/ethnicity. Explaining that the tool violated the Fair Housing Act, the letter said the company agreed to allow the tool to expire and agreed to build a system to reduce variances in its housing ad delivery system related to sex and estimated race/ethnicity. A follow-up agreement reached between the parties on compliance targets established that the company will be subject to court oversight and regular compliance review through June 27, 2026. The company released a statement following the settlement announcing it is making changes “in part to address feedback we’ve heard from civil rights groups, policymakers and regulators about how our ad system delivers certain categories of personalized ads, especially when it comes to fairness.” The company further noted that “while HUD raised concerns about personalized housing ads specifically, we also plan to use this method for ads related to employment and credit. Discrimination in housing, employment and credit is a deep-rooted problem with a long history in the US, and we are committed to broadening opportunities for marginalized communities in these spaces and others.”
District Court approves $11 million data breach settlement
On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including names, Social Security numbers, driver’s license numbers, dates of birth, and username/password information. According to plaintiffs’ amended complaint, the defendant insurance software providers failed to notify affected individuals about the data breach until on or after May 10, 2021, despite commencing an investigation in March. Plaintiffs maintained that the defendants’ alleged failure to comply with FTC cybersecurity guidelines and industry data protection standards put at risk their financial and personal records, and said they now face years of constant surveillance to prevent potential identity theft and fraud. Under the terms of the settlement (see also plaintiffs’ memorandum of law in support of the motion for final approval), class members will each receive up to $5,000 for out-of-pocket expenses, including up to eight hours of lost time at $25/hour, as well as 12 months of financial fraud protection. Members of a California subclass will receive additional benefits of between $100 and $300 each. The defendants are also responsible for paying each named plaintiff a $2,000 service award and must pay over $3 million in attorney fees, costs, and expenses.
NY restricts lenders’ ability to reset statute of limitations on foreclosures
In December, the New York governor signed A 7737-B, the “Foreclosure Abuse Prevention Act,” which amends the rights of parties in foreclosure actions. Among other things, the law provides that a lender or servicer’s voluntary discontinuance of a foreclosure action does not reset New York’s 6-year statute of limitations on foreclosures, according to New York CPLR §213. Further, pursuant to the new law, if an action to foreclose a mortgage or recover any part of the mortgage debt is time-barred, any other action seeking to foreclose the mortgage or recover the debt is also time-barred. The amendments are effective immediately and, notably, apply to all pending actions in which a final judgment of foreclosure and sale has not been enforced.
District Court stays stablecoin suit pending arbitration proceedings
On January 6, the U.S. District Court for the Northern District of California granted a defendant cryptocurrency exchange’s motion to compel arbitration in a class action alleging the exchange, along with the issuer of a stablecoin cryptocurrency, misrepresented the stability of the coin when offering it on the exchange’s platform. The defendants filed separate motions to compel arbitration, however, the plaintiffs claimed, among other things, that since they opened their accounts, the exchange’s user agreement, which contains an arbitration agreement, “has been unilaterally modified more than 20 times.” They further maintained that the exchange’s motion to compel arbitration should be denied because the arbitration provision is “unconscionable and thus unenforceable” and “the delegation clause is inapplicable and unconscionable.”
In granting the exchange’s motion to compel arbitration, the court found that the plaintiffs are parties to the exchange’s terms of use, which specify that an arbitrator, not a court, must decide whether any disputes a customer has with the exchange should be resolved via arbitration. “Plaintiffs do not dispute they agreed to [the] User Agreement, nor do they contest that … it contains an arbitration and a delegation clause,” the court said, noting that since arbitrability must be determined first, it has not reached “the issue of whether the arbitration agreement as a whole is unconscionable.” However, the court denied the defendant issuer’s motion to compel arbitration after finding that the user agreement “contains clear-cut language showing an intent to arbitrate disputes between the signatories [i.e., the exchange and its customers] only.” The user agreement does not state that obligations and rights are extended to a nonsignatory, such as the issuer, the court said—additionally staying all other judicial while arbitration proceedings between the exchange and the plaintiffs are pending.