InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California amends protections for servicemembers and veterans
On September 27, the California governor signed SB 1311 to enact the Military and Veteran Consumer Protection Act of 2022. The Act updates several provisions related to servicemembers and veterans, including amending existing law to provide that a person will be liable for an additional civil penalty of up to $2,500 for each violation if the person engages in “unfair competition, including any unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue, or misleading advertising,” against one or more servicemembers or veterans. Additionally, the Act amends certain provisions related to enforcement of the federal Military Lending Act (MLA). Specifically, the bill makes “any security interest in personal property other than a motor vehicle, off-highway vehicle, trailer, or aircraft void if it would cause a loan procured by specified service members in the course of purchasing the personal property to be exempt from the [MLA].” The Act also makes “any security interest in a motor vehicle void if it would cause a loan procured by specified service members in the course of purchasing the motor vehicle to be exempt from the [MLA] and the loan also funds the purchase of a credit insurance product or credit-related ancillary product.” The Act takes effect January 1, 2023.
DC passes debt collection bill
On September 23, the District of Columbia mayor signed B24-0357, which updates the District’s collection laws by expanding protections to cover most consumer debt, in addition to strengthening existing protections for DC consumers. Among other things, the bill: (i) prohibits deceptive behavior from debt collectors, such as making threats; (ii) clarifies that no one can be jailed for failing to pay a debt; (iii) prohibits debt collectors from communicating any information regarding a person’s debt to employers or family members; and (vi) clarifies that debt buyers are required to follow all laws applicable to debt collectors. The law is currently effective.
California updates mortgage licensing requirements
On September 23, the California governor signed SB 1495. The bill, among other things (i) updates requirements that the assurances required as a condition of license renewal would be that the licensee had, during the preceding 2-year period, informed themselves of those developments; (ii) expands the scope of the crime of perjury, thereby imposing a state-mandated local program; (iii) refers to the Nationwide Mortgage Licensing System and Registry in the provisions of the Real Estate Law as the “Nationwide Multistate Licensing System and Registry”’; and (iv) for real estate broker license applicants, moves the component on state and federal fair housing laws to the real estate practice course instead of the legal aspects of real estate course, and delays the revision to the real estate practice course until 2024. The bill also updates definitions of “SAFE Act,” and “mortgage loan originator.” The bill is effective January 1, 2023.
California passes UDAAP legislation
On September 15, the California governor signed AB 1904, which amends Section 1770 of the Civil Code relating to financial institutions and addresses certain provisions under the Consumers Legal Remedies Act. Among other things, the bill prohibits a covered person or a service provider from engaging in unlawful, unfair, deceptive, or abusive acts or practices regarding consumer financial products or services, such as, among other things: (i) misrepresenting the source, sponsorship, approval, or certification; (ii) using deceptive representations of geographic origin; (iii) representing that goods are original or new if they have deteriorated unreasonably or are altered; (iv) advertising goods or services with the intent not to sell them as advertised; and (v) making false or misleading statements of fact concerning reasons for, existence of, or amounts of, price reductions. The bill authorizes the California Department of Financial Protection and Innovation to bring a civil action for a violation of the law. The bill would also make unlawful the failure to include certain information, including a prescribed disclosure, in a solicitation by a covered person, or an entity acting on behalf of a covered person, to a consumer for a consumer financial product or service.
New York expands access to PSLF program
On September 15, the New York governor signed S.8389-C/A. 9523-B , which amends the Public Service Loan Forgiveness (PSFL) program statewide. Among other things, the legislation: (i) adds clarifying legal definitions, such as “certifying employment,” “employee,” “full-time,” “public service employer,” “public service loan forgiveness form,” and “public service loan forgiveness program”; (ii) establishes a standard hourly threshold for full-time employment at thirty hours per week for the purposes of accessing PSLF; and (iii) permits public service employers to certify employment on behalf of individuals or groups of employees directly with the U.S. Department of Education. The legislation is effective immediately.
California amends GAP disclosure legislation
On September 13, the California governor signed AB 2311, which amends provisions regarding vehicle finance disclosures. The bill establishes provisions to govern the offer, sale, provision, or administration, in connection with a conditional sale contract, of a guaranteed asset protection waiver (GAP waiver). Specifically, the bill requires creditors to automatically refund the unearned portion of a GAP waiver if a consumer pays off or otherwise terminates their auto loan early. The bill prohibits: (i) conditioning the extension of credit, the term of credit, or the terms of a conditional sale contract upon the purchase of a GAP waiver; and (ii) the sale of a GAP waiver pursuant to certain provisions where the loan-to-value ratio exceeds the maximum loan-to-value ratio of the GAP waiver. The bill, among other things, authorizes the buyer to recover three times the amount of any GAP charges paid. The bill is effective January 1, 2023.
California adopts “first-in-nation” act to safeguard children’s online data and privacy
On September 15, the California governor signed into law the California Age-Appropriate Design Code Act (the Act), calling it the “first-in-nation” bill to protect children’s online data and privacy. AB 2273 establishes new legal requirements for businesses that provide online products and services that are “likely to be accessed by children” under 18 years of age based on certain factors. These factors include whether the feature is: (i) “directed to children,” as defined by the Children’s Online Privacy Protection Act (COPPA); (ii) “determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children”; (iii) advertised to children; (iv) is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children; (v) designed to appeal to children; or (vi) determined to be, based on internal company research, significantly accessed by children. Notably, in contrast to COPPA, the Act more broadly defines “child” as a consumer who is under the age of 18 (COPPA defines “child” as an individual under 13 years of age).
The Act also outlines specific requirements for covered businesses, including:
- Businesses must configure all default privacy settings offered by the online service, product, or feature to one that offers a high level of privacy, “unless the business can demonstrate a compelling reason that a different setting is in the best interests of children”;
- Businesses must “concisely” and “prominently” provide clear privacy information, terms of service, policies, and community standards suited to the age of the children likely to access the online service, product, or feature;
- Prior to offering any new online services, products, or features that are likely to be accessed by children before July 1, 2024, businesses must complete a Data Protection Impact Assessment (DPIA) on or before the same date. Businesses must also document any “risk of material detriment to children” that arises from the DPIA, create a mitigation plan, and, upon written request, provide the DPIA to the state attorney general;
- Businesses must “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers”;
- Should an online service, product, or feature allow a child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, businesses must provide an obvious signal to the child when the child is being monitored or tracked;
- Businesses must “[e]nforce published terms, policies and community standards established by the business, including, but not limited to, privacy policies and those concerning children”; and
- Businesses must provide prominent, accessible, and responsive tools to help children (or their parents/guardians) exercise their privacy rights and report concerns.
Additionally, covered businesses are prohibited from using a child’s personal information (i) in a way that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health, or well-being; or (ii) for any reason other than a reason for which the personal information was collected, unless a business can show a compelling reason that using the personal information is in the “best interests of children.” The Act also places restrictions on profiling, collecting, selling, or sharing children’s geolocation data, or using dark patterns to encourage children to provide personal information beyond what is reasonably expected.
The Act also establishes the California Children’s Data Protection Working Group, which will study and report to the legislature best practices for implementing the Act, and will also, among other things, evaluate ways to leverage the expertise of the California Privacy Protection Agency in the long-term development of data privacy policies that affect the privacy, rights, and safety of children online. The state attorney general is tasked with enforcing the Act and may seek an injunction or civil penalty against any business that violates its provisions. Violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation, and up to $7,500 per affected child for each intentional violation; however, businesses may be provided a 90-day cure period if they have achieved “substantial compliance” with the Act’s assessment and mitigation requirements.
The Act takes effect July 1, 2024.
Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023
The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extend the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.
According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.
As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.
California broadens DFPI commissioner’s enforcement authority
On August 26, the California governor signed AB 2433, which broadens DFPI’s unlawful practices oversight and enforcement power over any person currently engaging in or having engaged in the past, in unlicensed activity. Among other things, the bill amends the DFPI commissioner’s enforcement of various laws, such as the California Commodity Law, Escrow Law, California Financing Law (CFL), Property Assessed Clean Energy (PACE), Student Loan Servicing Act, and California Residential Mortgage Lending Act. The bill establishes that the commissioner may act “upon having reasonable grounds to believe that a broker-dealer or investment advisor has conducted business in an unsafe or injurious manner.” The bill also permits the DFPI to “act upon having cause to believe that a licensee or other person has violated the CFL.” The CFL provides for the licensure and regulation of finance lenders, brokers, and specified program administrators by the Commissioner of Financial Protection and Innovation to issue a citation to the licensee or person and to assess an administrative fine, as specified, among other things. The CFL also regulates certain persons acting under the PACE program, including PACE solicitors and PACE solicitor agents. The new bill establishes that “if the commissioner, upon inspection, examination, or investigation, has cause to believe that a PACE solicitor or PACE solicitor agent is violating any provision of that law, or rule or order thereunder, the commissioner or their designee is required to exhaust a specified procedure before bringing an action.” Additionally, bill specifies that certain “procedures apply when the commissioner has cause to believe that a PACE solicitor or solicitor agent has violated any provision of that law or rule or order thereunder.” The bill also mentions the Student Loan Servicing Act, which “provides for the licensure, regulation, and oversight of student loan servicers by the commissioner,” and establishes that the commissioner is required, upon having reasonable grounds after investigation to believe that a licensee is conducting business in an unsafe or injurious manner, to direct, by written order, the discontinuance of the unsafe or injurious practices. This bill specifies “that these procedures also apply if, after investigation, the commissioner has reasonable grounds to believe that a licensee has conducted business in an unsafe or injurious manner.” The bill is effective immediately.
California issues remote work guidance to CFL licensees
On August 26, the California governor signed AB 2001, which amends the California Financing Law (CFL) regarding remote work. According to the bill, a licensee would be authorized “under the CFL to designate an employee, when acting within the scope of employment, to perform work on the licensee’s behalf at a remote location, as defined, if the licensee takes certain actions, including that the licensee prohibits a consumer’s personal information from being physically stored at a remote location except for storage on an encrypted device or encrypted media.” Currently, the CFL provides that a licensee cannot engage in loan business or administer a PACE program in any office, room, or place of business that any other business is solicited or engaged in, or in association or conjunction therewith, under certain circumstances. Additionally, “a finance lender, broker, mortgage loan originator, or program administrator licensee shall not transact the business licensed or make any loan or administer any PACE program provided for by this division under any other name or at any other place of business than that named in the license except pursuant to a currently effective written order of the commissioner authorizing the other name or other place of business.”