Recently, New York AB 2672 (the "Act") was enacted, and went into effect on February 11. The Act requires merchants that impose a credit surcharge fee to clearly and conspicuously post prices inclusive of a surcharge fee. The Act allows merchants to use a two-tier pricing system, in which two different prices are displayed depending on whether a consumer uses a credit card or another form of payment on a transaction. The Act also establishes a civil penalty not to exceed $500 for each violation.
Recently, the State of New York enacted SB 5941-B (the “Act”), which revises the general business law, focusing on the obligation of businesses to inform consumers about an impending automatic renewal or continuous service charge at least forty-five days before the charge is applied. The amendment states that in the case of a business allowing a consumer to accept an automatic renewal of six months or more, the business is required to notify the consumer about the upcoming automatic renewal or continuous service charge at least fifteen days, but not more than forty-five days, before the cancellation deadline for such automatic renewal. The notice must also include instructions on how the consumer can cancel the renewal charge. The new amendment does not apply to any business, or its subsidiary or affiliate, subject to regulation by the NY Department of Public Service or the FCC. The bill became effective upon enactment.
Recently, California enacted SB 455 to address mortgage servicing during a state of emergency. SB 455 will require a mortgage servicer (transferring a mortgage secured by a property within a proclaimed emergency zone) to provide the new servicer with written records between the borrower and the old servicer on the borrower’s election to use insurance proceeds to repair or replace property damaged by a disaster. Additionally, SB 455 prevents the new servicer from disregarding any prior written agreements between the original servicer and the borrower regarding property repairs that were approved by the owner of the promissory note. The SB 455 bill will be effective January 1, 2024.
On December 13, the New York governor signed into law S4907A, or the Fair Medical Debt Reporting Act (the “Act”), a medical debt credit reporting bill that will bar credit reporting agencies from directly or indirectly incorporating medical debt into consumer credit reports. The Act specifically prohibits hospitals, health care professionals, and ambulances from reporting medical debt to credit agencies. The Act defines medical debt as any amount owed or claimed by a consumer “related to the receipt of health care services, products, or devices provided to a person” by a hospital, health care professional, or ambulance service. Notably, obligations charged to a credit card are excluded from medical debts unless the card is specifically designated for health care expenses under an open-ended or closed-end plan.
On December 10, New York General Business Law § 520-e went into effect according to the Governor’s press release. The new law prevents credit card holders from losing unused earned credit card points and requires credit card issuers to send consumers a notice of any outstanding credit card points or rewards they have accrued in their accounts, even after the account is closed. Specifically, credit card issuers will have 45 days to provide notice of any outstanding credit card rewards or points following the closing of a consumer’s account. From the date of the issuer’s notice, consumers will have a 90-day grace period to redeem their points or rewards.
On November 20, DFPI announced it is seeking public comment before it begins its formal rulemaking process on its Digital Financial Assets Law (DFAL), which was enacted on October 13. As previously covered by InfoBytes, DFAL created a licensing requirement for businesses engaging in digital financial asset business activity and is effective on July 1, 2025.
For comments that recommend rules, DFPI encourages comments that “propose specific rule language and provide an estimate, with justification, of the potential economic impact on business and individuals that would be affected by the language.” Additionally, DFPI requests metrics, applicable information about economic impacts, or quantitative analysis to support comments. Among other topics, DFPI especially asks for comments related to (i) application fees and potential fee adjustments based on application complexity; (ii) surety bond or trust account factors; (iii) if capital minimums should vary by the type of activity requiring licensure; and (iv) its stablecoin approval process.
Comments must be received by January 12, 2024. On January 8, 2024, DFPI will host a Virtual Informal Listening Session with stakeholders to discuss feedback on this informal invitation for comments.
On October 13, the California Governor signed AB 39, which will create a licensing requirement for businesses engaging in digital financial asset business activity. Crypto businesses will need to apply for a license with California’s Department of Financial Protection and Innovation (DFPI). The bill, among other things, (i) empowers DFPI to conduct examinations of a licensee; (ii) defines “digital financial asset” as “a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender, except as specified”; (iii) empowers DFPI to conduct enforcement actions against a licensee or a non-licensed individual who engages in crypto business with, or on behalf of, a California resident for up to five years after their activity; (iv) allows DFPI to assess civil money penalties of up to $20,000 for each day a licensee is in material violation of the law, and up to $100,000 for each day an unlicensed person is in violation; and (v) requires licensees to provide certain disclosures to California clientele, such as when and how users may receive fees and charges, and how they are calculated. The new law exempts most government entities, certain financial institutions, most people who solely provide connectivity software, computing power, data storage or security services, and people engaging with digital assets for personal, family, household or academic use or whose digital financial asset business activity is reasonably expected to be valued at no more than $50,000 per year. In September of last year, the California Governor vetoed a similar bill because creating a licensing framework was “premature” considering conflicting efforts.
Also effective on July 1, 2025 is SB 401, which was also enacted on October 13. SB 401 establishes regulations for crypto kiosks under the DFPI’s authority. It will, among other things, prohibit kiosk operators from accepting or dispensing more than $1,000 in a single day to or from a customer via a kiosk. Operators would be required to furnish written disclosures detailing the transaction's terms and conditions as well as transaction details. Kiosk operators will also be obligated to provide customers with a receipt for any transaction at their kiosk, including both the amount of a digital financial asset or USD involved in a transaction and, in USD, any fees, expenses, and charges collected by the kiosk operator. Finally, operators will be required to provide DFPI with a list of all their crypto kiosks in California, and such list will be made public.
On October 7, the California governor signed SB 33 to, among other things, continue to require covered providers offering commercial loans to disclose the total cost of financing expressed as an annualized rate indefinitely. Existing law currently requires this disclosure only until January 1, 2024.
SB 33 is effective January 1, 2024.
The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.
Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during their yearly registration, including: (i) if they collect the personal information of minors; (ii) if the data broker collects consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on its website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.
The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.
On October 8, the California governor signed two bills, AB 947 amending the California Consumer Privacy Act of 2018, and AB 1194 amending the California Privacy Rights Act (CPRA) of 2020. AB 947 amends the definition of “sensitive personal information” to include any personal information that reveals a consumer’s citizenship or immigration status. AB 1194 will ensure that when a consumer’s personal information relates to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services,” businesses are obligated to comply with CPRA, except in cases where the information is in an aggregated, deidentified form and is not sold or shared. CPRA already empowers consumers to request the deletion of their personal information, with some exceptions to accommodate a business's obligations to adhere to federal, state, or local laws, fulfill court orders, respond to subpoenas for information, or cooperate with government agencies in emergency situations involving potential risks to a person's life or physical well-being.
AB 947 is effective January 1, 2024 and AB 1194 is effective July 1, 2024.