Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • California enacts amendments to the Consumers Legal Remedies Act: Advertisements

    State Issues

    On October 7, the California governor approved SB 478 (the “Act”), enacting amendments to the Consumers Legal Remedies Act designed to prohibit “drip pricing,” which involves advertising a price that is lower than the actual price a consumer will have to pay for a good or service. The Act, with specified exceptions, will make advertising the price of a good or service excluding additional fees or charges other than taxes, unlawful. The California Legislature declared that the Act is not intended to prohibit any particular method of determining prices for goods or services, including algorithmic or dynamic pricing. Instead, it is intended to regulate how prices are advertised, displayed, and/or offered.

    The Act is effective July 1, 2024.

    State Issues State Legislation Advertisement Unfair California Consumer Protection

  • Delaware Personal Data Privacy Act to protect consumers

    State Issues

    On September 11, Delaware’s governor signed HB 154 (the “Act”), which creates the Delaware Personal Data Privacy Act. The Act ensures that residents of Delaware have the right to be informed about the collection of their personal information, access that information, rectify any inaccuracies, or request the deletion of their personal data held by individuals or entities. The Act will apply to those who conduct business in the State, that “produce products or services that are targeted to residents of the State [of Delaware] and that during the preceding calendar year,” processed personal data of more than 35,000 consumers, or processed the personal data of at least 10,000 consumers while deriving more than 20 percent of their gross revenue from personal data sales. Additionally, the Act mandates that the Delaware Department of Justice conduct public outreach programs to educate consumers and the business community about the Act, starting at least 6 months before the date on which the Act becomes effective.

    The Act is effective on January 1, 2025.

    State Issues Privacy, Cyber Risk & Data Security Delaware Consumer Protection State Legislation

  • Oregon enacts registration requirements for data brokers

    State Issues

    On July 27, the governor of Oregon signed HB 2052 (the “Act”) into law, effective upon passage. The Act provides that a “data broker” cannot collect, sell or license brokered personal data within Oregon unless they first register with the Department of Consumer and Business Services. Brokered personal data includes, among other things, name (or the name of a member of the individual’s immediate family or household), data or place of birth, maiden name of the individual’s mother, biometric information, social security or other government-issued identification number, or other information that can “reasonably be associated” with the individual. A data broker does not include consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act, among others.  There are certain exceptions to the requirement, including, among others, selling the assets of a business entity a single time, The Act stipulates a civil penalty in an amount less than or equal to $500 for each violation of Act or for each day in which violation continues. Civil money penalties are capped at $10,000 per calendar year.

    Licensing State Issues Data Brokers Consumer Data Consumer Protection State Legislation Oregon

  • Oregon is 11th state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On July 18, the Oregon governor signed SB 619 (the Act) to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures. Last month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.

    Highlights of the Act include:

    • Applicability. The Act applies to persons conducting business or producing products or services intentionally directed at Oregon residents that either control or process personal data of more than 100,000 consumers per calendar year (“other than personal data controlled or processed solely for the purpose of completing a payment transaction”) or earn 25 percent or more of their gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more. Additionally, the Act provides several exemptions, including financial institutions and their affiliates, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, and protected health information processed by a covered entity in compliance with the Health Insurance Portability and Accountability Act, among others. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
    • Consumer rights. Under the Act, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also be able to opt out of the processing of personal information for targeted advertising, the sale of personal information, or profiling “in furtherance of decisions that produce legal effects or effects of similar significance.” Data controllers also will be required to obtain a consumer’s consent to process sensitive personal information or, in the case of a known child, obtain consent from the child’s parent or lawful guardian. Additionally, the Act requires opt-in consent for using the personal data of a youth 13 to 15 years old for targeted advertising or profiling. The Act makes clear that consent means “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.” This does not include the use of an interface “that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice.” Controllers that receive a consent revocation from a consumer must process the revocation within 15 days.
    • Controller responsibilities. Among the Act’s requirements, data controllers will be responsible for (i) responding to consumer requests within 45 days after receiving a request (a 45-day extension may be granted when reasonably necessary upon notice to the consumer); (ii) providing clear and meaningful privacy notices; (iii) disclosing to consumers when their personal data is sold to third parties or processed for targeted advertising, and informing consumers how they may opt out; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose and securing personal data from unauthorized access; (v) conducting and retaining data protection assessments where there is a heightened risk of harm and ensuring deidentified data cannot be associated with a consumer; and (vi) avoiding unlawful discrimination.
    • Data processing agreements. The Act stipulates that processors must follow a controller’s instructions and help meet the controller’s obligations concerning the processing of personal data. The Act also sets forth obligations relating to contracts between a controller and a processor. Processors that engage a subcontractor must ensure the subcontractor meets the processor’s obligations with respect to personal data under the processor’s contract with the controller. 
    • Private right of action and state attorney general enforcement. The Act does not provide a private right of action to consumers. Instead, the Oregon attorney general may investigate violations and seek civil penalties of no more than $7,500 per violation. Before initiating such action, the attorney general may grant the controller 30 days to cure the violation. 

    The Act takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Oregon Consumer Protection

  • Missouri will regulate lender-placed insurance

    State Issues

    On July 7, the Missouri governor signed SB 101 (the “Act”) into law, amending several provisions relating to property and casualty insurance, including requirements for lender-placed insurance. The Act defines “lender-placed insurance” as insurance secured by the lender/servicer when the mortgagor does not have valid or sufficient insurance on a mortgaged real property, and will include “insurance purchased unilaterally by the lender or servicer, who is the named insured, subsequent to the date of the credit transaction, providing coverage against loss, expense, or damage to collateralized property as a result of fire, theft, collision, or other risks of loss” that impairs such lender/servicer’s interest or adversely impacts the collateral, where such purchase is a result of a mortgagor’s failure to obtain required insurance under a mortgage agreement. Among other things, the Act stipulates that lender-placed insurance is not effective until the date a mortgaged real property is not insured, and that individual lender-placed insurance terminates on the earliest date out of listed periods. Also specified is that mortgagors cannot be charged for the policies outside of the scheduled term of the lender-placed insurance. The Act further states that the calculation of the lender-placed insurance premium “should be based upon the replacement cost value of the property,” and outlines how the premium should be determined. All insurers shall have separate rates for lender-placed insurance and voluntary insurance obtained by a mortgage servicer on real estate owned property, as defined in the Act.

    Further regarding lender-placed insurance, the Act prohibits: (i) “insurers and insurance producers from issuing lender-placed insurance if they or one of their affiliates owns, performs servicing for, or owns the servicing right to, the mortgaged property;” (ii) “insurers and insurance producers from compensating lenders, insurers, investors, or servicers for lender-placed insurance policies issued by the insurer, and from sharing premiums or risk with the lender, investor, or servicer;” (iii) “payments dependent on profitability or loss ratios from being made in connection with lender-placed insurance;” (iv) [insurers from] provid[ing] free or below-cost services or outsourc[ing] its own functions at an above-cost basis”; and (v) [insurers from] mak[ing] any payments for the purpose of securing lender-placed insurance business or related services.

    The Act requires lender-placed insurance policy forms and certificates to be mailed and filed with the Missouri Department of Commerce and Insurance and stipulates the requirements for insurers who must report information to the department as well. Lastly, the Act specifies potential penalties for violations of the Act, including monetary penalties and suspension or revocation of an insurer’s license. The Act becomes effective on August 28.

    State Issues State Legislation Missouri Lender Placed Insurance Mortgages Mortgage Servicing Consumer Finance

  • Hawaii amends money transmitter provisions

    On July 3, the Hawaii governor signed HB 1027 (the “Act”) into law, amending several provisions relating to the Money Transmitters Modernization Act. The Act adds and amends several definitions. Changes include defining “money,” “receiving money or monetary value for transmission,” and “tangible net worth.” The definition of “money transmission” has also been amended to clarify its connection to business done in Hawaii, and “stored value” has been amended to mean monetary value “that represents a claim against the issuer evidenced by an electronic or digital record and that is intended and accepted for use as a means of redemption for money or monetary value, or payment for goods or services.” Stored value does not include “a payment instrument or closed loop stored value, or stored value not sold to the public but issued and distributed as part of a loyalty, rewards, or promotional program.”

    Among the various exemptions, the Act also provides for an exemption for an agent of the payee to collect and process a payment from a payor to the payee for goods or services, other than money transmission services, provided certain criteria is met. Additional exemptions include certain persons acting as intermediaries, persons expressly appointed as third-party service providers to an exempt entity, and registered futures commission merchants and securities broker-dealers, among others. Anyone claiming to be exempt from licensing may be required to provide information and documentation demonstrating their qualification for the claimed exemption.

    The amendments outline numerous licensing application and renewal procedures, including largely adopting the net worth, surety bond, and permissible investment requirements set forth in the Money Transmission Modernization Act. Several other states have also recently enacted provisions relating to the licensing and regulation of money transmitters (see InfoBytes coverage here and here).

    The Act took effect July 1.

    Licensing State Issues Digital Assets Fintech State Legislation Hawaii Money Service / Money Transmitters

  • Illinois amends mortgage licensing provisions

    On June 30, HB 2325 (the “Act”) was signed by the Illinois governor to amend The Residential Mortgage License Act of 1987. According to the amendments, residential mortgage licensees in Illinois must register every physical office where they conduct business with the Secretary of Financial and Professional Regulation. However, they are allowed to permit mortgage loan originators to work from a remote location if certain conditions are fulfilled. Conditions include but are not limited to: (i) the licensee must have written policies and procedures for supervising remote mortgage loan originators; (ii) access to company platforms and customer information must comply with the licensee's information security plan; (iii) mortgage originators' residences cannot be used for in-person customer interactions unless the residence is a licensed location; (iv) physical records cannot be stored at remote locations; and (v) electronics used at remote locations must be able to securely access the company’s systems. Moreover, "remote location" is not considered a full-service office as defined by the regulations. If the loan originator works remotely, their primary office is the office registered on the Nationwide Multistate Licensing System and Registry record, unless they choose another licensed branch.

    The Act is effective January 1, 2024.

    Licensing State Issues State Legislation Mortgages Loan Origination Illinois NMLS

  • Nevada requires licenses for EWA providers

    The Nevada governor recently signed SB 290 (the “Act”) outlining several requirements for providers of earned wage access (EWA) products. EWA products allow individuals to access their earned income before receiving their regular paycheck. To operate such services in Nevada, providers must obtain a license from the Nevada Commissioner of Financial Institutions. The licensing requirements apply to both “employer-integrated” services, where the provider receives verified data directly from the employer or the employer’s payroll service to deliver unpaid wages, and “direct-to-consumer” services where the provider delivers unpaid wages after verifying the earned income based on data not obtained from the employer or their payroll service. Notably, the Act specifies that EWA products are not loans or money transmissions under Nevada law and are not subject to existing laws governing these products. The Act outlines application and fee requirements (licenses will be issued via the Nationwide Multistate Licensing System and Registry) and requires licensed EWA providers to submit annual reports to the commissioner by April 15 of each year.

    Providers of EWA products are also subject to certain prohibitions, which include: (i) sharing any fees, voluntary tips, gratuities, or other donations with an employer; (ii) the use of credit reports or credit scores to determine eligibility for an EWA service; (iii) the imposition of late fees or penalties for nonpayment by users; (iv) the reporting of a user’s nonpayment to a consumer reporting agency or a debt collector; (v) coercion of users to make payments through civil action; and (vi) restrictions on using a third-party collector or debt buyer to pursue collections from a user.

    Additionally, EWA providers must, among other things, (i) implement policies and procedures to respond to questions and complaints raised by users (responses must be provided within 10-business days of receipt); (ii) disclose to the user his or her rights, as well as all related fees, prior to entering an agreement; (iii) allow users to cancel their EWA agreements at any time without being charged a fee; (iv) conspicuously disclose that any tips, gratuities, or donations paid by the user do not directly benefit any specific employee of the EWA provider or any other person (providers must also allow users to select $0 as an amount for such a tip); (v) comply with the EFTA when seeking payment of outstanding proceeds, fees, or other payments from a user’s depository account; and (vi) reimburse users for any overdraft or non-sufficient funds fees incurred as a result of the provider attempting to collect payment on a date earlier than disclosed to the user or in an amount different from what was disclosed.

    On or before September 30, the commissioner is required to prescribe application requirements. EWA providers who were engaged in the offering of EWA services as of January 1, 2023, may continue to provide services until December 31, 2024, if the provider submits an application for licensure by January 1, 2024, and otherwise complies with the Act’s provisions. The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on July 1, 2024, for all other purposes.

    Licensing State Issues State Legislation Nevada Earned Wage Access Consumer Finance NMLS

  • Connecticut implements measures for auto-renewals

    State Issues

    On June 28, the Connecticut governor signed HB 5314 (the “Act”), enacting measures relating to automatic renewal offers and consumer agreements. The Act, among other things, includes newly defined terms such as “automatic renewal provision.” The Act stipulates that any business that enters into a consumer agreement that contains an automatic renewal or continuous services provision must provide various consumer notices and enable any consumer who enters into such an agreement online to terminate online. Notices include a description of the actions the consumer must take to terminate, and if disclosed electronically, a link or other electronic means. Also, to be disclosed before renewal, in any consumer agreement containing an automatic renewal provision, must be the amount of the recurring charge and the amount of the change if the charges are subject to change (if such change in amount is known by the business). The business must further disclose the length of the term for such an agreement, unless the consumer chooses the length of the term, as well as any minimum purchase obligations and contact information for the business. The business must also establish a means for communication with consumers, such as email, toll-free phone number, or website if the agreement is contracted online. The Act also stipulates the nature of the disclosures for consumers before entering such an agreement, before the business makes a material change to the terms of the agreement, and before a consumer enters an agreement that offers a gift or free trial period. Additionally, the Act provides that no person doing business can impose any charge or fee for providing bills to consumers in paper form.

    The Act is effective October 1.

    State Issues State Legislation Connecticut Consumer Finance Auto-Renewal

  • Texas enacts data broker requirements

    State Issues

    The Texas governor recently signed SB 2105 (the “Act”) to regulate data brokers operating in the state. The Act defines a “data broker” as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The Act’s provisions apply to data brokers that derive, in a 12-month period, (i) more than 50 percent of their revenue from processing or transferring personal data, or (ii) revenue from processing or transferring the personal data of more than 50,000 individuals, that was not collected directly from the individuals to whom the data pertains. Among other things, the Act requires covered entities to post conspicuous notices on websites or mobile applications disclosing that they are a data broker. Data brokers must also register annually with the secretary of state and pay required fees. Additionally, data brokers must implement a comprehensive information security program to protect personal data under their control and conduct ongoing employee and contractor education and training. Data brokers are required to take measures to ensure third-party service providers maintain appropriate security measures as well.

    The Act does not apply to deidentified data (provided certain conditions are met), employee data, publicly available information, inferences that do not reveal sensitive data that is derived from multiple independent sources of publicly available information, and data subject to the Gramm-Leach-Bliley Act. Additionally, the Act does not apply to service providers that process employee data for a third-party employer, persons or entities that collect personal data from another person or entity to which they are related by common ownership or control where it is assumed a reasonable consumer would expect the data to be shared, governmental entities, nonprofits, consumer reporting agencies, and financial institutions.

    The Texas attorney general has authority to bring an action against a data broker that violates the Act and impose a civil penalty in an amount not less than the total of “$100 for each day the entity is in violation,” as well as the amount of unpaid registration fees for each year an entity fails to register. Penalties may not exceed $10,000 in a 12-month period. By December 1, the secretary of state is required to promulgate rules necessary to implement the Act. The Act is effective September 1.

    State Issues Privacy, Cyber Risk & Data Security State Legislation Texas Data Brokers Third-Party


Upcoming Events