Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Feds, states launch “Operation Stop Scam Calls”

    Federal Issues

    On July 18, the FTC, along with over 100 federal and state law enforcement partners nationwide, including the DOJ, FCC, and attorneys general from all 50 states and the District of Columbia, announced a new initiative to combat illegal telemarketing calls, including robocalls. The joint initiative, “Operation Stop Scam Calls,” targets telemarketers and the companies that hire them, lead generators that provide consumers’ telephone numbers to robocallers and others who falsely represent that consumers consented to receive the calls. The initiative also targets Voice over Internet Protocol (VoIP) service providers that facilitate illegal robocalls, many of which originate overseas.

    In connection with Operation Stop Scam Calls, the FTC has initiated five new cases against companies and individuals allegedly responsible for distributing or assisting in the distribution of illegal telemarketing calls to consumers across the country. According to the announcement, the actions reiterate the FTC’s position “that third-party lead generation for robocalls is illegal under the Telemarketing Sales Rule (TSR) and that the FTC and its partners are committed to stopping illegal calls by targeting anyone in the telemarketing ecosystem that assists and facilitates these calls, including VoIP service providers.” The announcement also states that more than 180 enforcement actions and other initiatives have been taken by 48 federal and 54 state agencies as part of Operation Stop Scam Calls.

    Among the new actions announced a part of Operation Stop Scam Calls is a complaint filed against a “consent farm” lead generator, which allegedly uses “dark patterns” to collect consumers’ broad agreement to provide their personal information and receive robocalls and other marketing solicitations through a single click of a button or checkbox via its websites. Under the terms of the proposed order, the defendant would be required to pay a $2.5 million civil penalty and would be banned from engaging in, assisting, or facilitating robocalls. The defendant would also be required to implement measures to limit its lead generation practices, establish systems for monitoring its own advertising and that of its affiliates, comply with comprehensive disclosure requirements concerning the collection of consumers’ consent to the sale of their information, and delete all previously collected consumer information.

    Other actions were taken against a California-based telemarketing lead generator, a telemarketing company that provides soundboard calling services to clients who use robocalls to sell a range of products and services, a New Jersey-based telemarketing outfit that placed tens of millions of calls to consumers whose numbers are listed on the National Do Not Call Registry, and Florida-based defendants accused of assisting and facilitating the transmission of roughly 37.8 million illegal robocalls by providing VoIP services to over 11 foreign telemarketers.

    Federal Issues State Issues Courts FTC Enforcement Robocalls Consumer Protection State Attorney General TSR Telemarketing Lead Generation DOJ FCC

  • FTC fines company $7.8 million over health data and third-party advertisers

    Federal Issues

    On July 14, the FTC finalized an order against an online counseling service, requiring it to pay $7.8 million and prohibiting the sharing of consumers’ health data for advertising purposes. The FTC alleged that the respondent shared consumers’ sensitive health data with third parties despite promising to keep such information private (covered by InfoBytes here). The FTC said it will use the settlement funds to provide partial refunds to affected consumers. The order not only bans the respondent from disclosing health data for advertising and marketing purposes but also prohibits the sharing of consumers’ personal information for re-targeting. The order also stipulates that the respondent must now obtain consumers’ affirmative express consent before disclosing personal information, implement a comprehensive privacy program with certain data protection measures, instruct third parties to delete shared data, and adhere to a data retention schedule.

    Federal Issues Privacy, Cyber Risk & Data Security FTC Enforcement Consumer Protection Telehealth FTC Act Deceptive Advertisement Third-Party

  • Illinois Supreme Court declines to reconsider BIPA accrual ruling

    Privacy, Cyber Risk & Data Security

    On July 18, the Illinois Supreme Court declined to reconsider its February ruling, which held that under the state’s Biometric Information Privacy Act (BIPA or the Act), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Three justices, however, dissented from the denial of rehearing, writing that the ruling leaves “a staggering degree of uncertainty” by offering courts and defendants little guidance on how to determine damages. The putative class action stemmed from allegations that the defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting plaintiff’s biometric data and disclosing the data to a third-party vendor without first obtaining her consent. While the defendant challenged the timeliness of the action, the plaintiff asserted that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.”

    In February, a split Illinois Supreme Court held that claims accrue under BIPA each time biometric identifiers or biometric information (such as fingerprints) are scanned or transmitted, rather than simply the first time. (Covered by InfoBytes here.) The dissenting judges wrote that they would have granted rehearing because the majority’s determination that BIPA claims accrue with every transmission “subvert[s] the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois, and consequently raises significant constitutional due process concerns.” The dissenting judges further maintained that the majority’s February decision is confusing and lacks guidance for courts when determining damages awards. While the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” it also said that it continues “to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature,” and that it “respectfully suggest[s] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”

     

    Privacy, Cyber Risk & Data Security Courts State Issues Illinois BIPA Enforcement Consumer Protection Class Action

  • Oregon is 11th state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On July 18, the Oregon governor signed SB 619 (the Act) to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures. Last month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.

    Highlights of the Act include:

    • Applicability. The Act applies to persons conducting business or producing products or services intentionally directed at Oregon residents that either control or process personal data of more than 100,000 consumers per calendar year (“other than personal data controlled or processed solely for the purpose of completing a payment transaction”) or earn 25 percent or more of their gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more. Additionally, the Act provides several exemptions, including financial institutions and their affiliates, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, and protected health information processed by a covered entity in compliance with the Health Insurance Portability and Accountability Act, among others. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
    • Consumer rights. Under the Act, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also be able to opt out of the processing of personal information for targeted advertising, the sale of personal information, or profiling “in furtherance of decisions that produce legal effects or effects of similar significance.” Data controllers also will be required to obtain a consumer’s consent to process sensitive personal information or, in the case of a known child, obtain consent from the child’s parent or lawful guardian. Additionally, the Act requires opt-in consent for using the personal data of a youth 13 to 15 years old for targeted advertising or profiling. The Act makes clear that consent means “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.” This does not include the use of an interface “that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice.” Controllers that receive a consent revocation from a consumer must process the revocation within 15 days.
    • Controller responsibilities. Among the Act’s requirements, data controllers will be responsible for (i) responding to consumer requests within 45 days after receiving a request (a 45-day extension may be granted when reasonably necessary upon notice to the consumer); (ii) providing clear and meaningful privacy notices; (iii) disclosing to consumers when their personal data is sold to third parties or processed for targeted advertising, and informing consumers how they may opt out; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose and securing personal data from unauthorized access; (v) conducting and retaining data protection assessments where there is a heightened risk of harm and ensuring deidentified data cannot be associated with a consumer; and (vi) avoiding unlawful discrimination.
    • Data processing agreements. The Act stipulates that processors must follow a controller’s instructions and help meet the controller’s obligations concerning the processing of personal data. The Act also sets forth obligations relating to contracts between a controller and a processor. Processors that engage a subcontractor must ensure the subcontractor meets the processor’s obligations with respect to personal data under the processor’s contract with the controller. 
    • Private right of action and state attorney general enforcement. The Act does not provide a private right of action to consumers. Instead, the Oregon attorney general may investigate violations and seek civil penalties of no more than $7,500 per violation. Before initiating such action, the attorney general may grant the controller 30 days to cure the violation. 

    The Act takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Oregon Consumer Protection

  • Gensler highlights challenges of AI-based models

    Securities

    On July 17, SEC Chair Gary Gensler spoke before the National Press Club, where he discussed opportunities and challenges stemming from the use of artificial intelligence (AI)-based models. While Gensler acknowledged that AI has the potential to promote greater financial inclusion and enhance user experience, he warned that there are also challenges associated with AI advancements that need to be considered at both the individual and broader economic levels. At the individual (micro) level, Gensler explained that AI’s predictive capabilities allow for personalized communication, product offerings, and pricing. However, this individualized approach (also known as “narrowcasting”) also raises questions about how individuals will respond to tailored messages and offers, he said, pointing out that when AI models are used to make important decisions such as job selection, loan approvals, credit decisions, and healthcare allocation, issues related to explainability, bias, and robustness become a concern. Gensler elaborated that AI models often produce unexplainable decisions and outcomes due to their nonlinear and hyper-dimensional nature. Furthermore, AI may also make it more difficult to ensure fairness and can inadvertently perpetuate biases present in historical data or use latent features that act as proxies for protected characteristics, Gensler said, adding that “the challenges of explainability may mask underlying systemic racism and bias in AI predictive models.”

    Gensler explained that these data analytics challenges are not new and that in the late 1960s and early 1970s, the Fair Housing Act, FCRA, and ECOA were, in part, driven by similar issues. He warned advisers and brokers that as they incorporate these technologies into their services, they must ensure that when offering advice and recommendations (whether or not based on AI) they consider the best interests of their clients and retail customers and not place their interests ahead of investors’ interests.

    Securities Federal Issues Fintech Consumer Finance Risk Management Artificial Intelligence

  • FSB finalizes crypto framework

    Federal Issues

    On July 17, the Financial Stability Board (FSB) released its global regulatory framework for promoting comprehensive, international consistency of regulatory and supervisory approaches for crypto-asset activities and stablecoins, while also supporting responsible innovations potentially brought by technological changes. Based on the principle of “same activity, same risk, same regulation,” FSB’s framework consists of two distinct sets of recommendations. The first set of recommendations focuses on regulating, supervising, and overseeing crypto-asset activities and markets at a high level. The recommendations establish a global regulatory baseline for promoting a framework that is technology-neutral and focuses on underlying activities and risks (FSB notes that some jurisdictions may choose to take more restrictive regulatory measures). The second set provides revised high-level recommendations specifically for the regulation, supervision, and oversight of “global stablecoin” arrangements. The recommendations also seek to promote consistent and effective regulation, supervision and oversight of global stablecoin arrangements across jurisdictions to address potential financial stability risks posed at both the domestic and international level, while further “supporting responsible innovation and providing sufficient flexibility for jurisdictions to implement domestic approaches.”

    The final recommendations “take account of lessons from events of the past year in crypto-asset markets, as well as feedback received during the public consultation of the FSB’s proposals,” the announcement said, noting that central bank digital currencies are not subject to these recommendations. The FSB and sectoral standard-setting bodies (SSBs) will continue to coordinate work to promote the development of a comprehensive and coherent global regulatory framework that is appropriate for the risks associated with crypto-asset market activities, including providing more detailed guidance through SSBs and monitoring and public reporting.

    Federal Issues Digital Assets Financial Stability Board Supervision Cryptocurrency CBDC Of Interest to Non-US Persons Fintech

  • Washington releases FAQs for My Health My Data Act

    Privacy, Cyber Risk & Data Security

    On June 20, the Washington attorney general published a series of Frequently Asked Questions (FAQs) related to the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data (covered by InfoBytes here). The FAQs include information on the law’s effective dates and applicability. According to the AG, “all persons, as defined in the Act, must comply with section 10 beginning July 23, 2023. Regulated entities that are not small businesses must comply with sections 4 through 9 beginning March 31, 2024. Small businesses, as defined in the Act, must comply with sections 4 through 9 beginning June 30, 2024. For sections 4 through 9, the effective dates apply to the entirety of the section and are not limited to the subsections in which the effective dates appear.” Additionally, the FAQs clarify that a business that is covered by the Act must provide a link to its consumer health data privacy policy on its homepage.

    The FAQs also address a potential conflict between Sections 6 and 9 of the Act regarding the right to delete and consumers’ authorizations to sell data, respectively. Section 9 mandates that any person, not just regulated entities, must obtain consumer authorization before selling or offering to sell their data. Both the seller and purchaser are required to retain a copy of the authorization, which may contain consumer health data for  six years. However, Section 6 stipulates that consumer health data should be deleted from a regulated entity’s network upon the consumer’s request. The FAQs advise that in cases where a consumer requests deletion under Section 6, any authorizations stored under Section 9 must be redacted to eliminate any information related to the data that was sold.

    Privacy, Cyber Risk & Data Security State Issues Washington Consumer Protection Medical Data State Attorney General

  • California probes employers’ CCPA compliance

    Privacy, Cyber Risk & Data Security

    On July 14, the California attorney general announced it recently sent inquiries to several large employers as part of an investigation into companies’ compliance with their legal obligations under the California Consumer Protection Act (CCPA). The investigation centers on how companies handle the personal information of employees and job applicants. As previously covered by InfoBytes, temporary exemptions related to human resource and business-to-business data provided by the CCPA and the California Privacy Rights Act expired on January 1 of this year. Amendments were introduced last legislative session that would have extended the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role . . . [in] that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” However, the amendments were not adopted, and the exemptions expired.

    The AG said they are sending the inquiry letters “to learn how employers are complying with their legal obligations.” Covered businesses subject to the CCPA are required to comply with the statute’s privacy protections as they relate to employee data, including providing notice of privacy practices and honoring consumer requests to exercise their rights to access, delete, and opt out of the sale and sharing of their personal information.

    Privacy, Cyber Risk & Data Security State Issues California State Attorney General CCPA Consumer Protection

  • Biden administration releases roadmap for National Cybersecurity Strategy

    Privacy, Cyber Risk & Data Security

    On July 13, the Biden administration published the National Cybersecurity Strategy Implementation Plan (NCSIP), outlining a roadmap for carrying out the administration’s National Cybersecurity Strategy. The strategy was released earlier this year to introduce several key pillars for countering threats to the digital ecosystem and improving the nation’s digital security (covered by InfoBytes here). Designed to build and enhance collaboration, the NCSIP identifies 65 federal initiatives assigned to various agencies with timelines for completion. According to the announcement, 18 agencies are spearheading initiatives in this “whole-of-government” plan, which also factors in “continued collaboration with the private sector, civil society, international partners, Congress, and state, local, Tribal, and territorial governments.”

    Pillars include measures to:

    • Defend critical infrastructure (the Cybersecurity and Infrastructure Security Agency will implement measures to update the National Cyber Incident Response Plan to, among other things, provide clear guidance to external partners on the roles and capabilities of federal agencies in incident response and recovery);
    • Disrupt and dismantle threat actors (including focusing on virtual asset providers that enable the laundering of ransomware proceeds);
    • Shape market forces and drive security and resilience;
    • Invest in a resilient future (the National Institute of Standards and Technology will convene an interagency working group to coordinate major issues in international cybersecurity standardization); and
    • Forge international partnerships to facilitate coordination with partner nations. The administration expects to update the plan annually.

    Privacy, Cyber Risk & Data Security Federal Issues Fintech Biden Of Interest to Non-US Persons

  • 9th Circuit denies en banc hearing on COPPA preemption question

    Courts

    On July 13, a panel of the U.S. Court of Appeals for the Ninth Circuit entered an order amending an opinion filed on December 28, 2022 and denied a petition for rehearing en banc in a putative class action accusing a multinational technology company and search engine and its affiliated video-sharing platform of collecting children’s data and tracking their online behavior surreptitiously without parental consent in violation of state law and the Children’s Online Privacy Protection Act (COPPA). The panel unanimously voted against defendant’s en banc rehearing request, commenting that no other 9th Circuit judge has requested a vote on whether to consider the matter en banc.

    Claiming the defendant used “persistent identifiers” — which the FTC’s regulations define as information “that can be used to recognize a user over time and across different Web sites or online services” — class members alleged state law claims arising under the constitutional, statutory, and common laws of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee. Last December, the three-judge panel reversed and remanded the district court’s dismissal of the suit, disagreeing that the allegations were squarely covered, and preempted, by COPPA (covered by InfoBytes here.) On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. The panel determined that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The panel further noted that the U.S. Supreme Court and others have long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted.”

    The panel, however, amended its prior opinion to note that the FTC supports its conclusion that COPPA does not preempt the asserted state law privacy claims on the basis of either express preemption or conflict preemption. At the end of May, at the 9th Circuit’s request, the FTC filed an amicus brief (covered by InfoBytes here) arguing that COPPA does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The panel concluded that neither express preemption nor conflict preemption bar the plaintiffs’ claims.

    Courts Privacy, Cyber Risk & Data Security Appellate Ninth Circuit COPPA State Issues Class Action FTC Preemption

Pages

Upcoming Events