Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Recently, Maryland, Hawaii, and Virginia introduced privacy legislation designed to strengthen consumer access and control over personal data, joining efforts by Washington and New York to pass privacy bills containing provisions that differ from those in the California Consumer Privacy Act (CCPA), which took effect January 1. (See InfoBytes coverage on Washington here, New York here, and the CCPA here.)
On January 17, Maryland introduced HB 249 to amend the state’s Commercial Law by adding a section titled “Consumer Personal Information Privacy.” Under the proposed bill, consumers would be provided the right to opt-out of the disclosure of their personal information to third parties. HB 249 defines “disclosure” as “a transfer of a consumer’s personal information by a business to a third party, including selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.” The bill clarifies that disclosure does not include (i) a transfer of personal information to a service provider by a business for an operational purpose; (ii) identification of a consumer who has opted-out to alert third parties; and (iii) a transfer of personal information to a third party “as an asset that is part of a transaction in which the third party assumes control of all or part of the business.” The bill also stipulates requirements for businesses related to the consumer opt-out process, and states that a violation of the bill’s provisions would constitute an unfair or deceptive trade practice under Maryland’s Consumer Protection Act.
The same day, SB 2451 was introduced in the Hawaii Senate to add a new section to Chapter 487J of the Hawaii Revised Statutes, which stipulates that third parties cannot use or sell personal information purchased from a business unless a consumer receives explicit notice, provides express written consent, and chooses not to opt-out after given the opportunity to do so. The proposed bill also provides consumers the opportunity to, at any time, opt-out of the sale of their personal information to third parties. Among other things, the bill outlines provisions related to the sale of personal information for consumers less than 16 years of age, as well as specific compliance requirements for businesses when providing notice to consumers. SB 2451 also defines a third party as one that is (i) not a “business that collects personal information from consumers”; or (ii) not a person who receives personal information from a business for a business purpose pursuant to a written contract that restricts further use of the personal information.
Earlier, on January 3, HB 473, known as the “Virginia Privacy Act,” was introduced. Among other things, the bill requires data controllers to be transparent about their processing activities and be responsible for, upon verified request from the consumer, (i) confirming the uses of personal data; (ii) correcting inaccuracies; (iii) deleting unnecessary personal data or data for which the consumer has withdrawn consent; (iv) limiting the processing of personal data to what is required and relevant for a specified purpose; and (v) obtaining consumer consent in order to process sensitive data. HB 473 also provides consumers the right to object at any time to the processing of personal data, including the sale of data to third parties for targeted advertising, and stipulates that third parties must honor objection requests received from third-party controllers. The bill also requires controllers to conduct risk assessments for all processing activities that involve personal data, and conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.” If enacted, violations of HB 473 would “constitute a prohibited practice” pursuant to Virginia Consumer Protection Act (VCPA) Section 59-1-200 and violators would be subject to any and all of the VCPA’s enforcement provisions.
On February 2, the CFPB and the Attorney General of Virginia filed a lawsuit and proposed stipulated final judgment against a Virginia pawnshop for deceiving consumers about the actual annual costs of its loans. This complaint is one of many similar lawsuits filed recently against several Virginia pawnbrokers (see November 11 and December 23 Infobytes posts). The complaint alleges violations of TILA, the Dodd-Frank Act, Virginia’s pawnbroker statutes, and the Virginia Consumer Protection Act. The proposed stipulated final judgment orders the company to pay over $56,000 in restitution, forfeit over $17,000 in ill-gotten gains, and pay a $5,000 civil penalty.
- Jonice Gray Tucker to moderate “Pandemic relief response and lasting impacts on access, credit, banking, and equality” at the American Bar Association Business Law Section Spring Meeting
- Jeffrey P. Naimon to discuss "Post-pandemic CFPB exam preparation" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Making fair lending work for you" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Reading the tea leaves of President Biden’s initial financial appointees" at LendIt Fintech
- Moorari K. Shah to discuss “CA, NY, federal licensing and disclosure” at the Equipment Leasing & Finance Association Legal Forum
- Jonice Gray Tucker to discuss "Compliance under Biden" at the WSJ Risk & Compliance Forum
- Sherry-Maria Safchuk to discuss UDAAP at an American Bar Association webinar
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference