InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB may revisit EWA guidance
On January 18, acting CFPB General Counsel Seth Frotman sent a letter to consumer advocates responding to their concerns that the Bureau’s November 2020 advisory opinion on earned wage access (EWA) products was being misused as justification for passage by proponents of a pending New Jersey bill that would permit third-party earned wage access companies to charge fees or permit “tips” for their products without having to abide by the state’s 30 percent usury cap. As previously covered by InfoBytes, the Bureau issued an advisory opinion on EWA products to address the uncertainty as to whether EWA providers that meet short-term liquidity needs that arise between paychecks “are offering or extending ‘credit’” under Regulation Z, which implements TILA. The advisory opinion stated that “‘a Covered EWA Program does not involve the offering or extension of ‘credit,’” and noted that the “totality of circumstances of a Covered EWA Program supports that these programs differ in kind from products the Bureau would generally consider to be credit.” In December 2020, the Bureau approved a compliance assistance sandbox application, which confirmed that a financial services company’s EWA program did not involve the offering or extension of “credit” as defined by section 1026.2(a)(14) of Regulation Z. The Bureau noted that various features often found in credit transactions were absent from the company’s program, and issued a two-year approval order, which provides the company a safe harbor from liability under TILA and Regulation Z, to the fullest extent permitted by section 130(f) as to any act done in good faith compliance with the order (covered by InfoBytes here).
In his letter, Frotman stated that “[i]t appears from your recounting of the legislative history that the advisory opinion has created confusion, as proponents of the bill seem to have misunderstood the scope of the opinion. The CFPB’s advisory opinion, by its terms, is limited to a narrow set of facts—as relevant here, earned wage products where no fee, voluntary or otherwise, is charged or collected.” Frotman acknowledged that the Bureau’s advisory opinion has also received pushback from consumer groups who sent a letter last year urging the Bureau to rescind the advisory opinion and sandbox approval and regulate fee-based EWA products as credit subject to TILA (covered by InfoBytes here). “Given these repeated reports of confusion caused by the advisory opinion due to its focus on a limited set of facts, I plan to recommend to the Director that the CFPB consider how to provide greater clarity on these types of issues,” Frotman wrote. He further stated that the advisory opinion did not purport to interpret whether the covered EWA products would be “credit” under other statutes other than TILA, including the CFPA or ECOA, or whether they would be considered credit under state law.
New York reduces judgment interest on debts
On December 31, the New York governor signed S5724A, which amends the civil practice law and rules relating to the rate of interest applicable to money judgments arising out of consumer debt. Specifically, the bill provides that the interest rate that can be charged on unpaid money judgments is 2 percent and applies to judgments involving consumer debt, which is defined as “any obligation or alleged obligation of any natural person to pay money arising out of a transaction in which the money, property, insurance or services which are the subject of the transaction are primarily for personal, family or household purposes […], including, but not limited to, a consumer credit transaction, as defined in [section 105(f) of the civil practice law and rules].” The bill is effective April 30.
New York establishes task force for private student loan refinance
On December 22, the New York governor signed SB 2767, which established a private student loan refinance task force. Among other things, the bill created the task force to study and report on ways lending institutions offering private student loans to graduates of institutions of higher education can be encouraged to create student loan refinancing programs. According to the bill, the private student loan refinance task force is instructed to issue a report of its findings and recommendations to the New York governor, the temporary president of the senate, and the speaker of the assembly. The bill is effective immediately and will expire on January 1, 2023.
Ohio enacts robocall legislation
On December 1, Ohio’s governor signed into law SB 54, which, under most circumstances, prohibits companies from knowingly transmitting Caller ID information that is either misleading or inaccurate through a telecommunication service or voiceover Internet protocol service. Among other things, the bill creates additional penalties for inaccurate caller ID, provides the Ohio attorney general the authority to file civil actions in state or federal court, provides state criminal penalties in certain instances, and requires entities that use a telephone number that is identified as “unknown” or “blocked” to leave voicemail messages and include the person's identity. The law is effective March 2, 2022.
Virginia Consumer Data Protection Act Work Group issues final report
Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in March and covered by InfoBytes here, created the Work Group to study findings, best practices, and recommendations before the VCDPA’s January 1, 2023 effective date. The report summarizes information that arose during six Work Group meetings held this year, including the following:
- Establishing an education initiative led by leadership outside of the Office of Attorney General (OAG) to help small to medium-sized businesses comply with the VCDPA.
- Allowing the OAG to pursue actual damages, should they exist, based on consumer harm.
- Employing an “ability to cure” option for violations where a potential cure is possible.
- Authorizing consumers to assert, and requiring companies to honor, a global opt-out setting as a single-step for consumers to opt-out of data collection.
- Sunsetting the “right to cure” provision following the first few years after the VCDPA’s enactment to prevent companies from exploiting the provision.
- Amending “‘the right to delete’ provision to be a ‘right to opt out of sale’ in order to promote compliance and restrict further dissemination of consumer personal data.”
- Studying specific data privacy protections for children.
- Encouraging the development of third-party software and browser extensions to enable users to universally opt out of data collection instead of opting out on each website.
- Recruiting nonprofit consumer and privacy organizations to address concerns related to the VCDPA’s definitions of “sale,” “personal data,” and “publicly available information,” and whether general demographic data used when promoting diversity and outreach to underserved populations should be included in the definition of “sensitive personal information.”
- Creating an education website containing information about consumers’ rights under the VCDPA. Additionally, the website could provide guidance for smaller businesses seeking to comply with the VCDPA, including sample data protection forms.
- Directing an agency to promulgate regulations because the VCDPA does not currently grant the OAG such authority.
The Work Group’s recommendations will be presented during the upcoming legislative session.
New York expands consumer protections
On November 8, the New York governor signed several pieces of legislation relating to consumer protection. Among those, S.153 enacts The Consumer Credit Fairness Act, which expands consumer protections against abusive debt collection by, as explained by NYDFS acting Superintendent Adrienne A. Harris, “address[ing] known predatory debt collection practices, barring an abusive common tactic engaged by predatory debt collectors which is to sue on time-barred consumer debts for which they lack even the most basic of documentation.” Certain parts of the Consumer Credit Fairness Act are effective immediately. S.4823, effective 30 days after being signed into law, prohibits utility companies from engaging in harassment, oppression, or abuse when coordinating with a residential customer. According to the press release, this legislation responds “to various unscrupulous practices that utility corporations engage in, such as creating a ‘payment agreement’ with customers that encourage customers to take large down payments in exchange for utilities such as energy not being shut down.” S.1199 requires the Public Service Commission to have at least one member who is an expert in consumer advocacy. It will also go into effect 30 days after being signed into law.
Illinois enacts the Protecting Household Privacy Act
Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or input provided by a person to a household electronic device that is capable of facilitating electronic communications. (A “household electronic device” excludes personal computing devices and digital gateway devices.) The act generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Exceptions to this prohibition include when a law enforcement agency first obtains a warrant, an emergency situation arises, or the owner of the household electronic device lawfully consents to the acquisition of the data. The act also states that it shall not “be construed to require a person or entity to provide household electronic data to a law enforcement agency,” except as provided under certain provisions outlined in Section 15. The act further requires entities disclosing household electronic data to “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Additionally, the act outlines information retention limits, which provide, among other things, that if a law enforcement agency obtains household electronic data and does not file criminal charges, it must destroy the data within 60 days unless subject to certain circumstances. The act is effective January 1, 2022.
New York enacts robocall measures
On November 8, the New York governor signed measures to help prevent robocalls and increase consumer protections. The measures build upon federal actions to combat robocalls and “will enable telecom companies to prevent these calls from coming in in the first place, as well as empower our state government to ensure that voice service providers are validating who is making these calls so enforcement action can be taken against bad actors,” Governor Kathy Hochul stated.
S.6267a requires telecommunication companies to block certain calls, including those from (i) numbers that are not valid North American numbering plan numbers; (ii) numbers that are not allocated to a provider by the North American numbering plan administrator or the pooling administrator; and (iii) unused numbers that are allocated to a provider. According to the governor’s press release, the act codifies into state law the provisions of an FCC 2017 rule that took effect in June 2021 and allows telecommunications companies to proactively block calls from certain numbers. (Covered by InfoBytes here.) These types of numbers, the release states, “are indicative of ‘spoofing’ schemes in which the true caller identity is masked behind a fake, invalid number.” The act takes effect immediately.
The second act, S.4281a, requires voice services providers to authenticate calls using the STIR/SHAKEN call authentication framework. As previously covered by InfoBytes, in 2020, the FCC, pursuant to the TRACED Act, adopted new rules requiring providers to implement the STIR/SHAKEN framework by June 2021. Under New York’s new measure, providers have up to 12 months to implement this framework or an “alternative technology that provides comparable or superior capability to verify and authenticate caller identification in the internet protocol networks of voice service providers.” Violators face a fine of up to $100,000 for each offense per day that the framework is not in place. This act is also effective immediately.
New York requires private employers to provide electronic monitoring notice
On November 8, the New York governor signed S.2628, which requires employers to notify their employees in writing upon hiring of their intention to monitor or intercept telephone or email conversations or transmissions, or monitor the use or access of other electronic devices. Employers must receive acknowledgement from the employee either in writing or electronically and are also required to post the notice of electronic monitoring in a conspicuous area where it can be viewed by employees. The act applies to any individual, corporation, partnership, firm, or association with a place of business in New York, but does not include the state or political subdivisions of the state. Also exempt are processes “designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.” The attorney general is authorized to enforce the act and fine employers found to be in violation of the provisions. The act takes effect in 180 days.
North Carolina creates regulatory sandbox
On October 15, the North Carolina governor signed HB 624, which creates a regulatory sandbox program and establishes the North Carolina Innovation Council (Council). Under the North Carolina Regulatory Sandbox Act of 2021, participants will have 24 months from the date an application is approved (unless granted an extension) to test an innovative product or service on consumers in the state without being subject to state laws and regulations that normally would regulate such products or services. The waiver “shall be no broader than necessary to accomplish the purposes” established under the Act. The Act notes that legislative findings determined that existing legal and regulatory frameworks restrict innovation because they “were established largely at a time when technology was not a fundamental component of industry ecosystems, including banking and insurance,” and that innovators would benefit from a flexible regulatory regimen to test new products, services, and emerging technologies. In addition, the Council will provide support for innovation, encourage participation in the regulatory sandbox, and set standards, principles, guidelines, and policy priorities for the types of innovations supported by the regulatory sandbox. The Council will also be responsible for admission into the regulatory sandbox and for assigning selected participants to the appropriate state agency. The program stipulates that innovative products or services may only be offered to state residents, with the exception of products and services associated with a money transmitter, “in which case only the physical presence of the consumer in the [s]tate at the time of the transaction may be required.” The program also allows participants and the applicable state agency to mutually agree to an extension or an increase in the numbers of consumers or dollar limits for a particular product or service. Among other things, participants may also request an extension of not more than 12 months to obtain a license or other authorization required by law to continue to market the product or service. The Act is effective immediately.