
InfoBytes Blog

Financial Services Law Insights and Observations

  • Federal Court Holds Email Addresses Are PII Under California Credit Card Act

    Privacy, Cyber Risk & Data Security

    On October 21, the U.S. District Court for the Eastern District of California held that email addresses are personal identification information (PII) under California’s Song-Beverly Credit Card Act. Capp v. Nordstrom, Inc., No. 13-660-MCE-AC, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013). In this case, a customer sued a retailer on behalf of a putative class after the retailer sought the customer’s email address in connection with a credit card transaction to provide the customer with an electronic receipt. The customer alleged that the retailer subsequently used the email address to send unsolicited marketing materials. Following the California Supreme Court’s ruling in Pineda v. Williams Sonoma, in which the court held that a ZIP code is part of a person’s address and constitutes PII, the court here predicted that the state supreme court also would hold that an email address constitutes PII. Citing the statute’s broad terms and its overarching objective to protect the personal privacy of consumers who make purchases with credit cards, the district court held that the alleged conduct directly implicated the purposes of the statute. The district court also rejected the retailer’s argument that, if email addresses constitute PII, then the customer’s claim would be preempted by the CAN-SPAM Act, which regulates unsolicited commercial electronic mail, i.e. “spam.” The court held that the Song-Beverly Act claims were not subject to the CAN-SPAM Act’s express preemption clause because the Song-Beverly Act applies only to email addresses and does not regulate the content or transmission of email messages.

    Credit Cards Class Action Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • NIST Releases Preliminary Cybersecurity Framework

    Privacy, Cyber Risk & Data Security

    On October 22, the National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework pursuant to President Obama’s Executive Order 13636, titled Improving Critical Infrastructure Cybersecurity. The Preliminary Framework seeks to help critical infrastructure owners and operators reduce cybersecurity risks through voluntary best practices. The financial services sector is one of the many sectors identified as a critical sector, and NIST notes that the Preliminary Framework can be applied by organizations beyond those contemplated by the Executive Order. The Preliminary Framework outlines steps that can be customized to various sectors and adapted by organizations of any size while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The Preliminary Framework is intended to help all organizations identify and prioritize opportunities for improving cybersecurity risk management. NIST will accept public comments for 45 days, will hold a workshop on the Preliminary Framework on November 14 and 15 at North Carolina State University, and will release the finalized framework in February 2014, as required by the Executive Order.

    Privacy/Cyber Risk & Data Security NIST

  • EU Parliament Committee Approves Data Protection Overhaul

    Privacy, Cyber Risk & Data Security

    On October 21, the EU Parliament civil liberties committee voted overwhelmingly to adopt amendments to EU data protection rules and to require stiffer fines for non-compliance. The rules are designed to increase individual control over personal data while at the same time making it easier for companies to move across Europe, the committee explained. Under the adopted amendments, if a third country requests a company (e.g., a search engine, social network, or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorization from the national data protection authority before transferring any data and would have to inform the individual of the request. The amendments would grant any person the right to have their personal data erased if he/she requests it. It also would require that, where processing of personal information is based on consent, an organization or company could process the information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. Finally, the amendments would increase the cap for penalties for violations to $136.7 million or up to 5 percent of the violating company’s annual worldwide turnover, whichever is greater. The committee directed the EU Parliament to start negotiations with national governments in the European Council, which would be followed by inter-institutional talks. According to the committee release, Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections. The 91 amendments are available in two parts, here and here.

    European Union Privacy/Cyber Risk & Data Security

  • CFPB Releases Money Transfer Exam Procedures, Launches New e-Regulations Tool

    Consumer Finance

    On October 22, the CFPB released the procedures its examiners will use in assessing financial institutions’ compliance with the remittance transfer requirements of Regulation E. Amendments to those regulations, finalized by the CFPB earlier this year, are set to take effect October 28, 2013. In general, the rule requires remittance transfer providers that offer remittances as part of their “normal course of business” to: (i) provide written pre-payment disclosures of the exchange rates and fees associated with a transfer of funds as well as the amount of funds the recipient will receive; and (ii) investigate consumer disputes and remedy errors. The rule does not apply to financial institutions that consistently provide 100 or fewer remittance transfers each year, or to transactions under $15.

    The new examination procedures detail the specific objectives examiners should pursue as part of the examination, including to: (i) assess the quality of the regulated entity’s compliance risk management systems with respect to its remittance transfer business; (ii) identify acts or practices relating to remittance transfers that materially increase the risk of violations of federal consumer financial law and associated harm to consumers; (iii) gather facts that help to determine whether a supervised entity engages in acts or practices that are likely to violate federal consumer financial law; and (iv) determine whether a violation of a federal consumer financial law has occurred and, if so, whether further supervisory or enforcement actions are appropriate. In doing so, CFPB examiners will look not only at potential risks related to the remittance regulations, but also outside the remittance rule to assess “other risks to consumers,” including potential unfair, deceptive, or abusive acts or practices and Gramm-Leach-Bliley Act privacy violations. Finally, consistent with other examination procedures published by the CFPB, the examiners are instructed to conduct both a management- and policy-level review as well as a transaction-level review to inform the stated examination objectives.

    Also on October 22, the CFPB announced a new tool designed to make it easier for the public to navigate the regulations subject to CFPB oversight. To start, the new eRegulations tool includes only Regulation E, which implements the Electronic Fund Transfer Act and includes the remittance requirements discussed above. Noting that federal regulations can be difficult to navigate, the CFPB redesigned the electronic presentation of its regulations, including by (i) defining key terms throughout, (ii) providing official interpretations throughout, (iii) linking certain sections of the “Federal Register preambles” to help explain the background of a particular paragraph, and (iv) providing the ability to see previous, current, and future versions. The CFPB notes that the tool is a work in progress and that suggestions from the public are welcome. Further, the CFPB encourages other agencies, developers, or groups to use and adapt the system.

    CFPB Examination UDAAP EFTA Remittance Money Service / Money Transmitters Privacy/Cyber Risk & Data Security

  • New TCPA Express Written Consent Requirement Takes Effect

    Privacy, Cyber Risk & Data Security

    On October 16, new rules took effect that require businesses to obtain express written consent before making certain telemarketing calls to customers. The rules arise from a February 2012 Report and Order issued pursuant to the Telephone Consumer Protection Act (TCPA), in which the Federal Communications Commission (FCC): (i) required that businesses obtain prior express written consent for all autodialed or prerecorded telemarketing calls to wireless numbers and residential lines, (ii) allowed consumers to opt out of future robocalls during a robocall, and (iii) limited permissible abandoned calls on a per-calling campaign basis. While the consumer opt-out and abandoned calls limitations are already in effect, compliance with the express written consent requirement was not mandated until now. The rules require that the written consent be signed and be sufficient to show that the customer: (i) receives “clear and conspicuous disclosure” of the consequences of providing the requested consent and (ii) having received this information, agrees unambiguously to receive such calls at a telephone number the consumer designates. In addition, the rules require the written agreement to be obtained “without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.” The FCC rule allows electronic or digital forms of signatures obtained in compliance with the E-SIGN Act—e.g. agreements obtained via a compliant email, website form, text message, telephone keypress or voice recording—to satisfy the written requirement. The FCC also removed an exemption that allowed businesses to demonstrate consent based on an “established business relationship” between the caller and customer.

    TCPA ESIGN Electronic Signatures Privacy/Cyber Risk & Data Security

  • EU Working Group Advises Companies On Obtaining Consent For Cookies

    Privacy, Cyber Risk & Data Security

    On October 8, the EU’s Article 29 Data Protection Working Party, which represents all 28 data protection authorities of the EU countries, released a document to provide guidance to website operators for obtaining consent for use of cookies on their websites. The guidance notes that implementation of the e-Privacy Directive that requires such consent varies by member state, and that practices for obtaining user consent for storage of or access to cookies also vary. The Working Party therefore identifies the main elements of valid consent, implementation of which would ensure compliance with each member state’s implementation of the directive: (i) specific information, (ii) timing, (iii) active choice, and (iv) freely given. The document provides further detail on each of the elements.

    Mobile Commerce European Union Privacy/Cyber Risk & Data Security

  • California Approves Petition for Personal Privacy Ballot Initiative

    Privacy, Cyber Risk & Data Security

    Recently, the California Secretary of State announced that the proponents of a new initiative regarding personally identifying information (PII) may begin collecting petition signatures for their proposed ballot measure. The potential ballot measure would propose a constitutional amendment that would create a presumption that an individual's PII—including financial or health information—is confidential when collected for a commercial or governmental purpose, and would create a presumption of harm when PII is disclosed without the subject’s authorization. The measure also would require a collector of PII to use all reasonably available means to protect it from unauthorized disclosure. The ballot measure proponents have until February 14, 2014 to collect 807,615 registered voters’ signatures in order to qualify it for the ballot.

    Privacy/Cyber Risk & Data Security

  • Delaware Federal Court Holds No Harm From Third-Party Cookies' Collection Of Personal Information, Dismisses Broad Consumer Privacy Suit

    Privacy, Cyber Risk & Data Security

    On October 9, the U.S. District Court for the District of Delaware dismissed a broad, consolidated action against an Internet company alleged to have circumvented an Internet browser’s cookie blocker to collect personally identifiable information (PII) from the browser’s users. In re Google Inc. Cookie Placement Consumer Privacy Litig., No. 12-2358, slip op. (D. Del. Oct. 9, 2013). The court held that the plaintiffs lacked Article III standing because they had not sufficiently alleged an injury-in-fact. The court reasoned that while plaintiffs provided some evidence that the PII at issue has some value to the individual, they did not sufficiently allege that their ability to extract that value was diminished by the alleged collection by a third party. Despite its standing holding, the court continued its analysis and dismissed each of the plaintiffs’ federal and state privacy claims on the merits. The court held, for example, that the plaintiffs’ claims that the collection of URLs violated the Electronic Communications Privacy Act failed because URLs are not “contents” as defined by that Act. The court also held that the plaintiffs failed to identify any impairment of the performance or functioning of their computers and could not sustain a claim under the Computer Fraud and Abuse Act.

    Privacy/Cyber Risk & Data Security

  • California Federal Court Denies Class Certification In Song-Beverly Credit Card Act Case

    Privacy, Cyber Risk & Data Security

    On October 4, the U.S. District Court for the Central District of California denied certification of a putative class of consumers that had alleged a major retailer’s policy of requiring online customers to provide their telephone numbers or addresses in connection with credit card purchase transactions violated the Song-Beverly Credit Card Act. Leebove v. Wal-Mart Stores, Inc., No. 13-1024, slip op. (C.D. Cal. Oct. 4, 2013). The court held that the commonality requirement for class certification was not satisfied. The court explained that the relevant provision of the Act prohibits collecting certain information from a “cardholder,” which includes only “natural persons,” and held that an individualized inquiry would need to be made regarding whether the card used by each class member was issued as a consumer or business card. The court further reasoned that individual inquiries would be required to determine whether each class member’s claim was barred under an exception that allows retailers to request certain otherwise prohibited personal information for use in shipping, delivering, servicing, or installing the purchased items.

    Class Action Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • California Enacts First Online Tracking Bill, Expands Breach Notice Requirements

    Privacy, Cyber Risk & Data Security

    On September 27, California became the first state to enact online tracking legislation, which requires website operators to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different sites or online services. The bill requires operators to disclose whether other parties have access to a consumer’s personally identifiable information when a consumer uses the operator’s site or service. The state also enacted SB 46, which expands the state’s data breach notice law (i) to apply to certain personal information that would permit access to an online account—user name or email address, in combination with a password or security question and answer, and (ii) to require that in such cases, security breach notification be made by sending notice using a method other than email. Both bills take effect on January 1, 2014.

    Mobile Commerce Privacy/Cyber Risk & Data Security
