
InfoBytes Blog

Financial Services Law Insights and Observations


  • Utah becomes fourth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, and Virginia (covered by Buckley Special Alerts here and here and InfoBytes here). As previously covered by InfoBytes, under the UCPA, consumers will have rights to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data. The UCPA also outlines data controller responsibilities, including a requirement that data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The UCPA also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices. While the UCPA explicitly prohibits its use as the basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. Additionally, upon discovering a potential violation of the UCPA, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The UCPA takes effect December 31, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Utah Consumer Protection

  • Indiana enacts data breach disclosure requirements

    Privacy, Cyber Risk & Data Security

    On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides for specific reasonable delays, including circumstances that are “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or in certain instances where the attorney general or a law enforcement agency states that disclosure of the breach will impede a criminal or civil investigation or jeopardize national security. The statute amends an existing provision of Indiana law, IC-24-4.9.3-3, by making clear that notification must be within 45 days. HB 1351 takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Indiana Data Breach Disclosures

  • Mississippi passes debt management provisions

    Recently, the Mississippi governor signed HB 687, which establishes debt management services and licensing requirements. According to the bill, debt management service is defined as “[t]he receiving of money from a consumer for the purpose of distributing one or more payments to or among one or more creditors of the consumer in full or partial payment of the consumer's obligation,” among other things. A debt management service provider is “a person that provides or offers to provide to a consumer in this state any debt management services, in return for a fee or other consideration.” A debt management service provider does not include “[a]ny institution that is regulated, supervised or licensed by the department or any out-of-state institution that is insured by the Federal Deposit Insurance Corporation or the National Credit Union Administration,” among other things. Additionally, one cannot operate as a debt management service provider with respect to consumers who are residents of this state without a license. The bill is effective July 1.

    Licensing Mississippi State Legislation Debt Management State Issues

  • Indiana passes loan broker provisions

    On March 18, the Indiana governor signed HB 1092, which amends the provisions regarding loan brokers, including requirements for licensing and for contracts for the services of a loan broker. Among other things, the bill establishes that a loan processing company notice filing must be made on a form prescribed by the commissioner and include the: (i) loan processing company's business name, address, and state of incorporation or business registration; (ii) names of the owners, officers, members, or partners who control the loan processing company; and (iii) name of each individual who is employed by the loan processing company, including the unique identifier from the Nationwide Multistate Licensing System (NMLS) of each loan processor. Additionally, when a contract for the services of a loan broker is assigned, the loan broker shall provide a copy of the signed contract and a written disclosure of any agreement entered into by the loan broker to procure loans exclusively from one lender to each party to the contract. The bill is effective July 22.

    Licensing State Issues Indiana State Legislation Loan Broker NMLS

  • Wyoming enacts genetic data privacy provisions

    Privacy, Cyber Risk & Data Security

    On March 8, the Wyoming governor signed HB 86, which requires businesses that collect genetic data to obtain consent from a consumer or a consumer’s authorized representative before collecting genetic data, performing genetic testing, or retaining or disclosing a consumer’s genetic data. To safeguard the privacy, confidentiality, security, and integrity of a consumer’s genetic data, businesses must, among other things, (i) provide clear, transparent information to consumers about the collection, use, or disclosure of genetic data before collecting it (including providing a publicly available privacy notice); and (ii) obtain express consent from a consumer before collecting genetic data, and receive separate express consent for transferring or disclosing genetic data to persons “other than the company’s vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses,” or for retaining genetic data after the initial testing service is completed. The Act outlines additional requirements and prohibitions on the disclosure and retention of genetic data and requires businesses to implement and maintain a comprehensive security program to protect genetic data from unauthorized access, use, or disclosure. Additionally, the Act provides consumers with the statutory right to access and request deletion of genetic data when it is no longer being used or needed for the purpose for which it was collected and provides consumers with a private right of action to seek damages from businesses who violate the Act. Under the Act, businesses have 60 days from the date of notice to cure any alleged violations. The Wyoming attorney general also has the authority to enforce the Act and may seek penalties of up to $2,500 for each violation, as well as actual damages for harmed consumers on whose behalf the action was brought and attorneys’ fees and costs.

    Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services that collect protected health information under HIPAA are exempt from the Act’s provisions. The Act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Wyoming Consumer Protection

  • Virginia passes additional VCDPA amendments

    Privacy, Cyber Risk & Data Security

    On March 7, the Virginia House and Senate passed HB 714, which amends Sections 59.1-575 and 59.1-584 and repeals Section 59.1-585 of the Virginia Consumer Data Protection Act (VCDPA). Specifically, the amendments expand the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.

    As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor, and if enacted, will take effect January 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia VCDPA

  • Florida house tries again on consumer privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 2, the Florida house passed HB 9, which would, among other things, regulate the sale and sharing of consumers’ personal data and provide consumers the right to sue over alleged violations. This is the state’s latest attempt to pass comprehensive consumer privacy legislation. Last year, the two chambers of the Florida legislature failed to reconcile differences in their bills before the session ended. Highlights of the bill (which include changes from last session’s versions) include:

    • Applicability. The bill will apply to any entity meeting the definition of a controller, processor, or third party that buys, sells, or shares consumers’ personal information and (i) has global annual gross revenues exceeding $50 million; (ii) annually buys, receives, sells, or shares personal information of at least 50,000 consumers, households, or devices; or (iii) derives 50 percent or more of its global annual revenue from the selling or sharing of personal information. The bill sets forth numerous exemptions from its requirements, including personal information shared “with a financial service provided solely to facilitate short term, transactional payment processing for the purchase of products or services”; deidentified or aggregated personal information; data governed by certain federal, state, or local regulations or used to exercise or defend legal claims; certain personal information collected through a controller’s direct interaction with a consumer that is used to advertise or market products or services that are produced or offered directly by the controller; personal information used in the context of a consumer’s role or former role with the controller; specified protected health information; financial institutions covered by the Gramm-Leach-Bliley Act; personal information disclosed during intentional interactions or disclosed as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller; and personal information used to fulfill the terms of a written warranty, a product recall, or public- or peer-reviewed scientific or statistical research in the public interest.
    • Consumer rights. Under the bill, consumers will be able to, among other things, access their personal data; request deletion or make corrections; and opt out of the sale or sharing of personal information to third parties. Controllers will be required to deliver the requested information free of charge within 45 calendar days (a one-time additional 45-day extension may be granted), but are not required to provide personal information to a consumer more than twice in a 12-month period. Controllers will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances. Additionally, the bill will provide controllers the ability to charge a consumer who exercises any of their rights under the bill “a different price or rate, or provide a different level or quality of goods or services to the consumer” provided the “difference is reasonably related to the value provided to the controller by the consumer’s data or is related to a consumer’s voluntary participation in a financial incentive program, including a bona fide loyalty, rewards, premium features, discounts, or club card program offered by the controller.” Financial incentives that are not unjust, unreasonable, coercive, or usurious may also be offered as long as consumers give prior consent and are allowed to revoke consent at any time. The bill further stipulates that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
    • Disclosures. The bill will require controllers that collect consumers’ personal information to disclose certain information regarding data collection and selling practices to consumers at or before the point of collection. This information “may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request.” Additionally, processors or third parties must require any subcontractor to meet the same obligations with respect to personal information. Businesses also will be prohibited from collecting or using additional categories of personal information without first notifying consumers.
    • Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information.
    • Private cause of action, right to cure. The bill will provide a private right of action to allow consumers to bring a civil action under certain circumstances for injunctive or declaratory relief, and establishes a damage amount of either statutory damages of at least $100 but not more than $750 per consumer per incident, or actual damages, whichever is greater. Consumers may obtain specific relief from businesses with annual gross revenues greater than $50 million. In lawsuits involving businesses with annual gross revenues exceeding $500 million, consumers also are permitted to recover attorneys’ fees and costs. Civil actions must be filed within one year after discovery of the violation. The Department of Legal Affairs is also authorized to take action against a controller, processor, or third party for unfair or deceptive acts or practices. Fines may be tripled if a violation involves consumers 18 years of age or younger, or if a controller, processor, or third party fails to cure the violation upon written notice within 45 calendar days.

    If enacted in its current form, the bill would take effect January 1, 2023. The bill must be approved by the Florida senate and any differences reconciled before being sent to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Florida

  • New Mexico caps interest rates on small-dollar loans at 36%

    State Issues

    On March 1, the New Mexico governor signed HB 132, which amends certain provisions related to the state’s small dollar lending requirements. Among other things, the bill makes several amendments to the New Mexico Bank Installment Loan Act of 1959 (BILA) and the New Mexico Small Loan Act of 1955 (SLA) by raising the maximum installment loan amount to $10,000 and providing the following: (i) “no lender shall make a loan pursuant to the [BILA] to a borrower who is also indebted to that lender pursuant to the [SLA] unless the loan made pursuant to the [SLA] is paid and released at the time the loan is made”; (ii) only federally insured depository institutions may make a loan under the BILA with an initial stated maturity of less than one hundred twenty days; (iii) a lender that is not a federally insured depository institution may not make a loan under the BILA “unless the loan is repayable in a minimum of four substantially equal installment payments of principal and interest”; and (iv) lenders, aside from federally insured depository institutions, may not make a loan with an annual percentage rate (APR) greater than 36 percent (a specified APR increase is permitted if the prime rate of interest exceeds 10 percent for three consecutive months). When calculating the APR, a lender must include finance charges as defined in Regulation Z “for any ancillary product or service sold or any fee charged in connection or concurrent with the extension of credit, any credit insurance premium or fee and any charge for single premium credit insurance or any fee related to insurance.” Excluded from the calculation are fees paid to public officials in connection with the extension of credit, including fees to record liens, and fees on a loan of $500 or less, provided the fee does not exceed five percent of the loan’s total principal and is not imposed on a borrower more than once in a twelve-month period.

    The act also expands the SLA’s scope on existing anti-evasion provisions to specify that a person may not make small dollar loans in amounts of $10,000 or less without first having obtained a license from the director. The amendments also expand the scope of the anti-evasion provisions to include (i) the “making, offering, assisting or arranging a debtor to obtain a loan with a greater rate of interest . . . through any method, including mail, telephone, internet or any electronic means, regardless of whether the person has a physical location in the state”; and (ii) “a person purporting to act as an agent, service provider or in another capacity for another entity that is exempt from the [SLA]” provided the person meets certain specified criteria, such as “the person holds, acquires or maintains, directly or indirectly, the predominate economic interest in the loan” or “the totality of the circumstances indicate that the person and the transaction is structured to evade the requirements of the [SLA].” Under the act, a violation of a provision of the SLA that constitutes either an unfair or deceptive trade practice or an unconscionable trade practice is actionable under the Unfair Practices Act.

    The act also makes various amendments to a licensee’s books and records requirements to facilitate the examinations and investigations conducted by the Director of the Financial Institutions Division of the Regulation and Licensing Department. Failure to comply may result in the suspension of a license. Additionally, the act provides numerous amended licensing reporting requirements concerning the loan products offered by a licensee, average repayment times, and “the number of borrowers who extended, renewed, refinanced or rolled over their loans prior to or at the same time as paying their loan balance in full, or took out a new loan within thirty days of repaying that loan,” among other things. The act also outlines credit reporting requirements, advertising restrictions, and requirements for the making and paying of small dollar loans, including specific limitations on charges after judgment and interest.

    The act takes effect January 1, 2023.

    State Issues Licensing State Legislation Interest Rate Usury Consumer Finance New Mexico Regulation Z

  • Utah legislature passes privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Utah legislature passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state. (See also senate and house approved amendments here.) Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that also “has annual revenue of $25,000,000 or more” and “controls or processes personal data of 100,000 or more consumers” or “derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.” Certain entities are exempt from the bill’s requirements, including governmental entities and third parties under contract with a governmental entity that acts on behalf of that entity; tribes; institutions of higher education; nonprofits; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; financial institutions and affiliates subject to federal privacy disclosure requirements; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data.
    • Controllers’ and processors’ responsibilities. Under the bill, data controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, “unless the request is the consumer’s second or subsequent request during the same 12-month period.” Data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing deidentified data or pseudonymous data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it gives the Division of Consumer Protection investigative power and grants the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.

    If enacted in its current form, the bill would take effect December 31, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Utah

  • Virginia passes amendments on CDPA for data deletion

    Privacy, Cyber Risk & Data Security

    On February 25, the Virginia House and Senate passed HB 381, which amends Section 59.1-577 of the Virginia Consumer Data Protection Act (VCDPA) related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a third party “shall be deemed in compliance with a consumer’s request to delete such data . . . by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose . . . or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant” to the VCDPA. As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia VCDPA
