On October 13, the California Governor signed AB 39, which will create a licensing requirement for businesses engaging in digital financial asset business activity. Crypto businesses will need to apply for a license with California’s Department of Financial Protection and Innovation (DFPI). The bill, among other things, (i) empowers DFPI to conduct examinations of a licensee; (ii) defines “digital financial asset” as “a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender, except as specified”; (iii) empowers DFPI to conduct enforcement actions against a licensee or a non-licensed individual who engages in crypto business with, or on behalf of, a California resident for up to five years after their activity; (iv) allows DFPI to assess civil money penalties of up to $20,000 for each day a licensee is in material violation of the law, and up to $100,000 for each day an unlicensed person is in violation; and (v) requires licensees to provide certain disclosures to California clientele, such as when and how users may receive fees and charges, and how they are calculated. The new law exempts most government entities, certain financial institutions, most people who solely provide connectivity software, computing power, data storage or security services, and people engaging with digital assets for personal, family, household or academic use or whose digital financial asset business activity is reasonably expected to be valued at no more than $50,000 per year. In September of last year, the California Governor vetoed a similar bill because creating a licensing framework was “premature” considering conflicting efforts.
Also effective on July 1, 2025 is SB 401, which was also enacted on October 13. SB 401 establishes regulations for crypto kiosks under the DFPI’s authority. It will, among other things, prohibit kiosk operators from accepting or dispensing more than $1,000 in a single day to or from a customer via a kiosk. Operators would be required to furnish written disclosures detailing the transaction's terms and conditions as well as transaction details. Kiosk operators will also be obligated to provide customers with a receipt for any transaction at their kiosk, including both the amount of a digital financial asset or USD involved in a transaction and, in USD, any fees, expenses, and charges collected by the kiosk operator. Finally, operators will be required to provide DFPI with a list of all their crypto kiosks in California, and such list will be made public.
On October 7, the California governor signed SB 33 to, among other things, continue to require covered providers offering commercial loans to disclose the total cost of financing expressed as an annualized rate indefinitely. Existing law currently requires this disclosure only until January 1, 2024.
SB 33 is effective January 1, 2024.
The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.
Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during their yearly registration, including: (i) if they collect the personal information of minors; (ii) if they collect consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on their website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.
The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.
On October 8, the California governor signed two bills, AB 947 amending the California Consumer Privacy Act of 2018, and AB 1194 amending the California Privacy Rights Act (CPRA) of 2020. AB 947 amends the definition of “sensitive personal information” to include any personal information that reveals a consumer’s citizenship or immigration status. AB 1194 will ensure that when a consumer’s personal information relates to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services,” businesses are obligated to comply with CPRA, except in cases where the information is in an aggregated, deidentified form and is not sold or shared. CPRA already empowers consumers to request the deletion of their personal information, with some exceptions to accommodate a business's obligations to adhere to federal, state, or local laws, fulfill court orders, respond to subpoenas for information, or cooperate with government agencies in emergency situations involving potential risks to a person's life or physical well-being.
AB 947 is effective January 1, 2024 and AB 1194 is effective July 1, 2024.
On October 7, the California governor approved SB 478 (the “Act”), enacting amendments to the Consumers Legal Remedies Act designed to prohibit “drip pricing,” which involves advertising a price that is lower than the actual price a consumer will have to pay for a good or service. The Act, with specified exceptions, will make it unlawful to advertise the price of a good or service excluding additional fees or charges other than taxes. The California Legislature declared that the Act is not intended to prohibit any particular method of determining prices for goods or services, including algorithmic or dynamic pricing. Instead, it is intended to regulate how prices are advertised, displayed, and/or offered.
The Act is effective July 1, 2024.
On September 11, Delaware’s governor signed HB 154 (the “Act”), which creates the Delaware Personal Data Privacy Act. The Act ensures that residents of Delaware have the right to be informed about the collection of their personal information, access that information, rectify any inaccuracies, or request the deletion of their personal data held by individuals or entities. The Act will apply to those who conduct business in the State, that “produce products or services that are targeted to residents of the State [of Delaware] and that during the preceding calendar year,” processed personal data of more than 35,000 consumers, or processed the personal data of at least 10,000 consumers while deriving more than 20 percent of their gross revenue from personal data sales. Additionally, the Act mandates that the Delaware Department of Justice conduct public outreach programs to educate consumers and the business community about the Act, starting at least 6 months before the date on which the Act becomes effective.
The Act is effective on January 1, 2025.
On July 27, the governor of Oregon signed HB 2052 (the “Act”) into law, effective upon passage. The Act provides that a “data broker” cannot collect, sell or license brokered personal data within Oregon unless they first register with the Department of Consumer and Business Services. Brokered personal data includes, among other things, name (or the name of a member of the individual’s immediate family or household), date or place of birth, maiden name of the individual’s mother, biometric information, social security or other government-issued identification number, or other information that can “reasonably be associated” with the individual. A data broker does not include consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act, among others. There are certain exceptions to the requirement, including, among others, selling the assets of a business entity a single time. The Act stipulates a civil penalty in an amount less than or equal to $500 for each violation of the Act or for each day in which the violation continues. Civil money penalties are capped at $10,000 per calendar year.
On July 18, the Oregon governor signed SB 619 (the “Act”) to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures. Last month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.
Highlights of the Act include:
- Applicability. The Act applies to persons conducting business or producing products or services intentionally directed at Oregon residents that either control or process personal data of more than 100,000 consumers per calendar year (“other than personal data controlled or processed solely for the purpose of completing a payment transaction”) or earn 25 percent or more of their gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more. Additionally, the Act provides several exemptions, including financial institutions and their affiliates, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, and protected health information processed by a covered entity in compliance with the Health Insurance Portability and Accountability Act, among others. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
- Consumer rights. Under the Act, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also be able to opt out of the processing of personal information for targeted advertising, the sale of personal information, or profiling “in furtherance of decisions that produce legal effects or effects of similar significance.” Data controllers also will be required to obtain a consumer’s consent to process sensitive personal information or, in the case of a known child, obtain consent from the child’s parent or lawful guardian. Additionally, the Act requires opt-in consent for using the personal data of a youth 13 to 15 years old for targeted advertising or profiling. The Act makes clear that consent means “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.” This does not include the use of an interface “that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice.” Controllers that receive a consent revocation from a consumer must process the revocation within 15 days.
- Controller responsibilities. Among the Act’s requirements, data controllers will be responsible for (i) responding to consumer requests within 45 days after receiving a request (a 45-day extension may be granted when reasonably necessary upon notice to the consumer); (ii) providing clear and meaningful privacy notices; (iii) disclosing to consumers when their personal data is sold to third parties or processed for targeted advertising, and informing consumers how they may opt out; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose and securing personal data from unauthorized access; (v) conducting and retaining data protection assessments where there is a heightened risk of harm and ensuring deidentified data cannot be associated with a consumer; and (vi) avoiding unlawful discrimination.
- Data processing agreements. The Act stipulates that processors must follow a controller’s instructions and help meet the controller’s obligations concerning the processing of personal data. The Act also sets forth obligations relating to contracts between a controller and a processor. Processors that engage a subcontractor must ensure the subcontractor meets the processor’s obligations with respect to personal data under the processor’s contract with the controller.
- Private right of action and state attorney general enforcement. The Act does not provide a private right of action to consumers. Instead, the Oregon attorney general may investigate violations and seek civil penalties of no more than $7,500 per violation. Before initiating such action, the attorney general may grant the controller 30 days to cure the violation.
The Act takes effect July 1, 2024.
On July 7, the Missouri governor signed SB 101 (the “Act”) into law, amending several provisions relating to property and casualty insurance, including requirements for lender-placed insurance. The Act defines “lender-placed insurance” as insurance secured by the lender/servicer when the mortgagor does not have valid or sufficient insurance on a mortgaged real property, and will include “insurance purchased unilaterally by the lender or servicer, who is the named insured, subsequent to the date of the credit transaction, providing coverage against loss, expense, or damage to collateralized property as a result of fire, theft, collision, or other risks of loss” that impairs such lender/servicer’s interest or adversely impacts the collateral, where such purchase is a result of a mortgagor’s failure to obtain required insurance under a mortgage agreement. Among other things, the Act stipulates that lender-placed insurance is not effective until the date a mortgaged real property is not insured, and that individual lender-placed insurance terminates on the earliest date out of listed periods. Also specified is that mortgagors cannot be charged for the policies outside of the scheduled term of the lender-placed insurance. The Act further states that the calculation of the lender-placed insurance premium “should be based upon the replacement cost value of the property,” and outlines how the premium should be determined. All insurers shall have separate rates for lender-placed insurance and voluntary insurance obtained by a mortgage servicer on real estate owned property, as defined in the Act.
Further regarding lender-placed insurance, the Act prohibits: (i) “insurers and insurance producers from issuing lender-placed insurance if they or one of their affiliates owns, performs servicing for, or owns the servicing right to, the mortgaged property;” (ii) “insurers and insurance producers from compensating lenders, insurers, investors, or servicers for lender-placed insurance policies issued by the insurer, and from sharing premiums or risk with the lender, investor, or servicer;” (iii) “payments dependent on profitability or loss ratios from being made in connection with lender-placed insurance;” (iv) “[insurers from] provid[ing] free or below-cost services or outsourc[ing] its own functions at an above-cost basis”; and (v) “[insurers from] mak[ing] any payments for the purpose of securing lender-placed insurance business or related services.”
The Act requires lender-placed insurance policy forms and certificates to be mailed and filed with the Missouri Department of Commerce and Insurance and stipulates the requirements for insurers who must report information to the department as well. Lastly, the Act specifies potential penalties for violations of the Act, including monetary penalties and suspension or revocation of an insurer’s license. The Act becomes effective on August 28.
On July 3, the Hawaii governor signed HB 1027 (the “Act”) into law, amending several provisions relating to the Money Transmitters Modernization Act. The Act adds and amends several definitions. Changes include defining “money,” “receiving money or monetary value for transmission,” and “tangible net worth.” The definition of “money transmission” has also been amended to clarify its connection to business done in Hawaii, and “stored value” has been amended to mean monetary value “that represents a claim against the issuer evidenced by an electronic or digital record and that is intended and accepted for use as a means of redemption for money or monetary value, or payment for goods or services.” Stored value does not include “a payment instrument or closed loop stored value, or stored value not sold to the public but issued and distributed as part of a loyalty, rewards, or promotional program.”
Among the various exemptions, the Act also provides for an exemption for an agent of the payee to collect and process a payment from a payor to the payee for goods or services, other than money transmission services, provided certain criteria are met. Additional exemptions include certain persons acting as intermediaries, persons expressly appointed as third-party service providers to an exempt entity, and registered futures commission merchants and securities broker-dealers, among others. Anyone claiming to be exempt from licensing may be required to provide information and documentation demonstrating their qualification for the claimed exemption.
The amendments outline numerous licensing application and renewal procedures, including largely adopting the net worth, surety bond, and permissible investment requirements set forth in the Money Transmission Modernization Act. Several other states have also recently enacted provisions relating to the licensing and regulation of money transmitters.
The Act took effect July 1.