InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Wisconsin declares money laundering a state crime; provides penalties
On March 3, the Wisconsin governor signed SB 368, which criminalizes money laundering in the state and specifies penalties based on the amount of proceeds involved. Among other things, SB 368 outlines the contours of prohibited “money laundering” conduct, and establishes that any transaction where the proceeds of a money laundering transaction exceed $2,500 is a felony. Each of the provisions detailing the prohibited conduct contains a knowledge requirement. Both “proceeds” and “transaction” are defined terms under the new law. The bill is effective as of March 5.
California Senate confirms Manuel Alvarez as DBO Commissioner
On February 24, the California State Senate voted to confirm Manuel Alvarez as Commissioner of the California Department of Business Oversight (DBO). As previously covered by InfoBytes, the California governor announced the appointment in March 2019. The DBO issued an announcement following the confirmation vote, in which Commissioner Alvarez discussed financial service innovations California companies have made over the past decade, including those in the area of mobile payments and online lending to cryptocurrencies. Commissioner Alvarez stated that the changes “hold both promise and peril,” and explained that it is his “goal as Commissioner . . . to strike a sensible balance between consumer protections, which preserve the integrity of [California’s] financial ecosystem, and responsible technological innovation in financial services, which may increase access to quality and affordable financial products.”
As covered by a recent Buckley Special Alert, a trailer bill accompanying the governor’s proposed 2020-2021 state budget was recently released. The bill would enact the California Consumer Financial Protection Law and rename and expand the DBO’s authority to protect consumers from predatory practices and foster the responsible development of new financial products.
South Dakota amends real estate licensing provisions
On March 2, the South Dakota governor signed SB 28, which amends certain statutory provisions related to real estate licensing in the state. Among other things, SB 28 outlines reasons why an application for a license may be denied, including if an applicant “has been disciplined by a regulatory agency in relation to activities as a real estate salesperson or broker, broker associate, firm, appraiser, mortgage broker, or any other regulated licensee, including insurance, securities, law and commodities trading.” SB 28 also stipulates that the state’s real estate commission may issue restricted broker’s licenses, as well as administer and enforce outlined provisions. Licensure exemptions are also set forth. The amendments take effect July 1.
Special Alert: Trailer bill would enact California Consumer Financial Protection Law
A trailer bill accompanying the governor’s proposed 2020-2021 state budget would expand the Department of Business Oversight’s (DBO) authority and enact the California Consumer Financial Protection Law (Law).
Specifically, the provisions outlined in the proposed Law would revamp and rename the state’s DBO, expand its authority to protect consumers from predatory practices, and foster the responsible development of new financial products. Under California’s Constitution, a trailer bill — which provides for an appropriation related to the budget bill — takes effect immediately after a simple majority vote and the governor’s signature.* * *
Click here to read the full special alert.
If you have any questions regarding the California Consumer Financial Protection Law or other related issues, please visit our Consumer Finance practice page or contact a Buckley attorney with whom you have worked in the past.Four trade groups sue Maine over privacy law
On February 14, four trade groups filed suit against Maine in the U.S. District Court for the District of Maine, alleging that a recently enacted state privacy law (covered by InfoBytes here) infringes the rights of Internet Service Providers (ISPs). The complaint claims that L.D. 946 “imposes unprecedented and unduly burdensome restrictions on ISPs’, and only ISPs’, protected speech,” and is “not remotely tailored to protecting consumer privacy.” Among other things, the trade groups claim that because the law only stifles the use of consumer data by ISPs and not by other similarly situated companies, it violates their First Amendment protected speech rights. The groups also argue that the Maine law is much stricter to ISPs than other state privacy laws which “provide opt-out rights for most consumer data and reserve opt-in consent for a narrow subset of sensitive personal information,” whereas L.D. 946 uses an opt-in system. L.D. 946 also restricts the ISPs’ use of non-sensitive information that is not personally identifying and prohibits the ISPs from providing customer discounts or rewards programs to consumers who opt-in to sharing information.
Maryland, Hawaii, and Virginia are latest states to introduce privacy legislation
Recently, Maryland, Hawaii, and Virginia introduced privacy legislation designed to strengthen consumer access and control over personal data, joining efforts by Washington and New York to pass privacy bills containing provisions that differ from those in the California Consumer Privacy Act (CCPA), which took effect January 1. (See InfoBytes coverage on Washington here, New York here, and the CCPA here.)
On January 17, Maryland introduced HB 249 to amend the state’s Commercial Law by adding a section titled “Consumer Personal Information Privacy.” Under the proposed bill, consumers would be provided the right to opt-out of the disclosure of their personal information to third parties. HB 249 defines “disclosure” as “a transfer of a consumer’s personal information by a business to a third party, including selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.” The bill clarifies that disclosure does not include (i) a transfer of personal information to a service provider by a business for an operational purpose; (ii) identification of a consumer who has opted-out to alert third parties; and (iii) a transfer of personal information to a third party “as an asset that is part of a transaction in which the third party assumes control of all or part of the business.” The bill also stipulates requirements for businesses related to the consumer opt-out process, and states that a violation of the bill’s provisions would constitute an unfair or deceptive trade practice under Maryland’s Consumer Protection Act.
The same day, SB 2451 was introduced in the Hawaii Senate to add a new section to Chapter 487J of the Hawaii Revised Statutes, which stipulates that third parties cannot use or sell personal information purchased from a business unless a consumer receives explicit notice, provides express written consent, and chooses not to opt-out after given the opportunity to do so. The proposed bill also provides consumers the opportunity to, at any time, opt-out of the sale of their personal information to third parties. Among other things, the bill outlines provisions related to the sale of personal information for consumers less than 16 years of age, as well as specific compliance requirements for businesses when providing notice to consumers. SB 2451 also defines a third party as one that is (i) not a “business that collects personal information from consumers”; or (ii) not a person who receives personal information from a business for a business purpose pursuant to a written contract that restricts further use of the personal information.
Earlier, on January 3, HB 473, known as the “Virginia Privacy Act,” was introduced. Among other things, the bill requires data controllers to be transparent about their processing activities and be responsible for, upon verified request from the consumer, (i) confirming the uses of personal data; (ii) correcting inaccuracies; (iii) deleting unnecessary personal data or data for which the consumer has withdrawn consent; (iv) limiting the processing of personal data to what is required and relevant for a specified purpose; and (v) obtaining consumer consent in order to process sensitive data. HB 473 also provides consumers the right to object at any time to the processing of personal data, including the sale of data to third parties for targeted advertising, and stipulates that third parties must honor objection requests received from third-party controllers. The bill also requires controllers to conduct risk assessments for all processing activities that involve personal data, and conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.” If enacted, violations of HB 473 would “constitute a prohibited practice” pursuant to Virginia Consumer Protection Act (VCPA) Section 59-1-200 and violators would be subject to any and all of the VCPA’s enforcement provisions.
Michigan establishes provisions for credit services organizations
On January 27, the Michigan governor signed HB 4411, which establishes provisions for credit service organizations. Among other things, HB 4411 prohibits persons engaged in credit service activities from (i) charging or receiving money from a buyer seeking a loan, extension of credit, or other valuable consideration before closing; (ii) charging a buyer or receiving from a buyer money or other valuable consideration before completing all agreed upon services, or “for referral to a retail seller that will or may extend credit to the buyer if the credit that is or may be extended to the buyer is substantially the same as that available to the general public”; (iii) making or using false or misleading representations, or engaging in a fraudulent or deceptive act or practice connected with the offer or sale of a credit services organization, stating that the organization has the ability to delete adverse credit history, or guaranteeing that the organization can obtain an extension of credit regardless of the buyer’s credit history; (iv) failing to perform the agreed upon services within 90 days after the contract is signed by the buyer; (v) advising a buyer to make untrue or misleading statements to certain entities, including a consumer credit reporting agency; (vi) assisting in the removal of adverse credit information that is accurate and not obsolete, or assisting a buyer in creating a new credit record using alternative personal information; and (vii) submitting buyer disputes to consumer credit reporting agencies without a buyer’s knowledge. The act is effective immediately.
FHFA seeks comments on PACE loans
On January 16, the FHFA issued a notice requesting public comment on prospective policy changes to its residential energy retrofitting programs, or Property Assessed Clean Energy (PACE) programs. According to the request for comment, PACE programs are “financed through special state legislation enabling a ‘super-priority lien’ over existing and subsequent first mortgages.” Because the loans are only recorded in tax rolls and not in land records, they do not show up in title searches. This may potentially cause problems for prospective buyers and mortgage lenders. Additionally, the programs are not uniform across states and the GSEs cannot buy properties encumbered by PACE loans.
Comments must be received by March 16.
Washington state introduces comprehensive privacy bill
On January 13, Washington state lawmakers announced two bills designed to strengthen consumer access and control over personal data and regulate the use of facial recognition technology. Highlights of SB 6281, the Washington Privacy Act, include the following:
- Applicability. SB 6281 will apply to legal entities that conduct business or produce products or services that are targeted to Washington consumers that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 50 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers. Exempt from SB 6281, among others, are state and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records.
- Consumer rights. Consumers will be able to exercise the following concerning their personal data: access; correction; deletion; data portability; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
- Controller responsibilities. Controllers required to comply with SB 6281 will be responsible for (i) transparency; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data, and conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.”
- State attorney general. SB 6821 does not create a private right of action for individuals to sue if there is an alleged violation. However, the AG will be permitted to bring actions and impose penalties of no more than $7,500 per violation. The AG will also be required to submit a report evaluating the liability and enforcement provisions of SB 6281 by 2022 along with any recommendations for change.
- Information sharing. SB 6281 will allow the state governor to enter into agreements with British Columbia, California, and Oregon, which will allow personal data to be shared for joint research initiatives.
- Facial Recognition. SB 6281 will establish limits on the commercial use of facial recognition services. Among other things, the bill will require third-party testing on all services prior to deployment for accuracy and unfair performance, conspicuous notice when a service is deployed in a public space, and will require companies to receive consumer consent prior to enrolling an image in a service used in a public space.
The second bill, SB 6280, will more specifically govern the use of facial recognition services by state and local government agencies, and, among other things, outlines provisions for the use of facial recognition services when identifying victims of crime, stipulates restrictions concerning ongoing surveillance, and requires agencies to produce an annual report containing a compliance assessment.
As previously covered by InfoBytes, last year, New York introduced proposed legislation (see S 5642) that seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state. Provisions included in the measures introduced by New York and Washington state differ from those contained in the California Consumer Privacy Act (CCPA), which took effect January 1. (Previous InfoBytes coverage on the CCPA is available here.)
Creditor collateral protection insurance disclosures required in New Jersey
On January 13, the New Jersey governor signed S 2998, which amends the state’s collateral protection insurance (CPI) disclosure requirements. The amendments provide that when CPI is required and provided by the creditor, the creditor must disclose to the consumer debtors that they will be responsible for interest on the CPI cost “at the same rate that is applied pursuant to [the debtor’s] credit agreement.” The creditor must also provide a “good faith estimate” of what the CPI coverage will cost the debtor. Additionally, the creditor must instruct the debtors how to provide evidence of the required insurance, so that in those instances where the debtor obtains CPI, the creditor-purchased CPI can be cancelled and the costs and interest fees can be recovered. The amendments take effect on April 12.