On June 18, the Texas governor signed HB 4 to enact the Texas Data Privacy and Security Act (TDPSA) and establish a framework for controlling and processing consumer personal data in the state. Texas follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, and Montana in enacting comprehensive consumer privacy measures. Earlier this month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.
The TDPSA applies to a person that conducts business in the state or produces products or services consumed by state residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration, except to the extent that it sells sensitive data which requires consumer consent. Unlike other states, there is no data-processing volume threshold. The TDPSA only protects consumers acting in an individual or household capacity and does not cover individuals acting in a commercial or employment context. Additionally, the TDPSA provides several exemptions, including financial institutions or data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, higher education institutions, covered entities governed by the Health Insurance Portability and Accountability Act, and certain utility companies.
Highlights of the TDPSA include:
- Consumers’ rights. Under the TDPSA, consumers will be able to access their personal data; confirm whether their data is being processed; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling.
- Data controllers’ responsibilities. Data controllers under the TDPSA will be responsible for, among other things: (i) responding to consumer requests within 45 days (unless extenuating circumstances arise) and providing requested information free of charge; (ii) establishing a process to allow consumer appeals after a controller’s refusal to take action on a consumer’s request; (iii) providing at least two methods for consumers to exercise their rights; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) establishing easy opt-out methods that require consumers to affirmatively and freely choose to opt out of any processing of their personal data; (vii) processing data in compliance with state and federal anti-discrimination laws; (viii) obtaining consumer consent in order to process sensitive data; (ix) providing clear and reasonably accessible privacy notices; and (x) conducting and retaining data protection assessments and ensuring deidentified data cannot be associated with a consumer. The TDPSA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
- No private right of action. The TDPSA explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law.
- Right to cure. Upon discovering a potential violation of the TDPSA, the attorney general must give the data controller notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit and seek up to $7,500 for each violation, as well as injunctive relief, attorney’s fees, and other expenses.
The TDPSA takes effect July 1, 2024, except for certain provisions relating to methods for submitting consumer requests, which shall take effect January 1, 2025.
In June, the Texas governor signed HB 1666 (the “Act”) to add practice restrictions to digital asset service providers, defined as electronic platforms that facilitate the trading of digital assets on behalf of a digital asset customer and maintain custody of the customer’s digital assets. The Act applies to a digital asset service provider conducting business in Texas that holds a money transmission license and either services more than 500 digital asset customers in the state or has at least $10 million in customer funds. Digital asset service providers are required to comply with certain provisions in order to obtain and maintain a money transmission license, including provisions relating to the commingling of funds, customer access to funds, accounting requirements, and annual reporting requirements. The Texas Department of Banking has the authority to suspend and revoke a license if these requirements are not met and may impose a penalty for violations of the Act. The commissioner also has examination authority and may promulgate rules to administer and enforce the Act’s provisions. The Act is effective September 1. Certain financial institutions and entities not required to hold a money transmission license are exempt.
On June 13, the Louisiana governor signed SB 185 (the “Act”), which amends provisions relating to the regulation and licensure of virtual currency businesses and is effective immediately. The Act adds and amends several definitions, including “acting in concert,” “affiliate,” “blockchain,” “mining,” “non-fungible token,” “responsible individual,” “unsafe or unsound act or practice,” “virtual currency business activity,” and “virtual currency network.” With respect to licensure, the Act now requires applicants to provide a copy of their business plan, detailing, among other things, the anticipated volume of virtual currency business activities in the state, the expected number of virtual currency locations (including kiosks) in the state, and information on surety bonds and tangible net worth. Applicants must also provide audited financial statements and certificates of coverage for each liability, casualty, business interruption, and cybersecurity insurance policy (applicable policies for affiliates, agents, and control persons are required as well) with respect to an applicant’s virtual currency business activities. The Act also adds numerous licensing conditions and includes new requirements relating to background checks/criminal records/character fitness and fees and costs. Applicants will now be required to provide their financial services-related regulatory history, including information concerning money transmission, securities, banking, insurance, and mortgage-related industries. The Act extended the time that the state’s office of financial institutions has after the completion of an application to notify an applicant of its decision from 30 days to 60 days. If the office denies a license application, an advanced change of control notice, or an advanced change of responsible individual notice, an applicant has 30 days to appeal.
Information on submitting annual licensing renewal applications, as well as guidance on providing appropriate disclosures, is also included.
Furthermore, the Act outlines provisions to protect residents’ assets, including prohibitions on selling, transferring, and assigning virtual currency and commingling assets belonging to a resident with assets belonging to a licensee. Also stipulated within the Act are authorities granted to the commission relating to examinations, investigations, and enforcement activity, as well as the authority to coordinate and share information and conduct joint examinations with other state regulators of virtual currency business activities.
The Colorado governor recently signed HB 23-1181 (the “Act”) to codify and amend rules relating to guaranteed asset protection (GAP) agreements (designed to relieve “all or part of a consumer’s liability for the deficiency balance remaining, after the payment of all insurance proceeds,” upon the total loss of a consumer’s motor vehicle that served as collateral for a loan). In addition to adding new definitions and outlining exemptions, the Act also, among other things, (i) establishes conditions, notices, and provisions that must be included in order to offer, sell, provide or administer a GAP agreement in connection with a consumer finance agreement; (ii) establishes that the maximum fee that may be charged for a GAP agreement must not exceed four percent of the amount financed in the consumer credit transaction or $600, whichever amount is greater; (iii) provides that a creditor may contract for, charge, and receive only one GAP fee as part of an agreement regardless of the number of co-borrowers, co-signers, or guarantors; (iv) lays out the process for calculating a deficiency balance and how much a consumer is owed in the event of a total loss; (v) establishes requirements in the event a GAP agreement is cancelled; (vi) details when a consumer must submit a GAP agreement claim after a total loss; and (vii) prohibits the sale of a GAP agreement in specific circumstances.
The Act is effective January 1, 2024, and applies to GAP agreements entered into on or after this date.
On June 5, the Colorado governor signed SB 23-248 (the “Act”), which addresses consumer protection in certain credit transactions. Among other things, the bill amends, repeals, and adds sections around lender nomenclature in the Colorado Student Loan Equity Act. The Act defines the terms “private education creditor” and “creditor” as (i) “any person engaged in the business of making or extending private education credit obligation”; (ii) “a holder of a private education credit obligation”; or (iii) “a seller, lessor, lender, or person that makes or arranges a private education credit obligation and to whom the private education credit obligation is initially payable or the assignee of a creditor’s right to payment.” Several exemptions are outlined. The Act also establishes the term “refinanced” to mean when “an existing private education credit obligation is satisfied and replaced by a new private education credit obligation undertaken by the same consumer.” In subsequent sections, words like “lender” and “loan,” amongst other things, are replaced with the newly defined terms. The Act also amends certain provisions relating to Uniform Consumer Credit Code (UCCC) licensing renewal and fee due dates. Specifically, all supervised lender licensees must file for renewal and pay the appropriate renewal fees by July 1 annually, where previously the renewal due date was January 1 each year.
The Act takes effect the day after the expiration of the 90-day period following adjournment of the general assembly.
On June 13, the Texas governor signed HB 18 to enact the Securing Children Online through Parental Empowerment (SCOPE) Act. The Act will require digital service providers to register a person’s age and, if the user is determined to be a minor (younger than 18 years of age), the provider is required to: (i) limit the collection of personal identifying information (PII) to what is reasonably necessary to provide the service; (ii) limit use of PII to the purpose for which it was collected; (iii) prevent the user from engaging in financial transactions through the digital service; (iv) prevent the user’s PII from being shared, disclosed, or sold; (v) not use the digital service to collect precise geolocation data on the user; or (vi) not use the digital service for targeted advertising. Digital service providers are also required to create tools for parents to control their minor children’s accounts and privacy settings and should reasonably attempt to limit advertising and algorithms that direct minors to harmful content.
SCOPE applies only to those who provide a digital service that enables minor users to socially interact with other users on the digital service and create, post, or share content. SCOPE outlines numerous exemptions, including exemptions for financial institutions, certain covered entities governed by the Health Insurance Portability and Accountability Act, certain persons subject to the Family Educational Rights and Privacy Act, and certain affiliates or subsidiaries of an internet service provider.
While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law (a violation of the Act is considered a deceptive act or practice). The Act takes effect September 1, 2024.
On May 29, the Texas governor signed SB 895 (the “Act”) to enact the Money Services Modernization Act, the money transmitter model law created by industry and state experts. The goal of the Act is to create a set of consistent and coordinated standards relating to the regulation of money service businesses. Among other things, the Act outlines networked supervision criteria to allow the commissioner to participate in multistate supervisory processes coordinated through the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and other related affiliates and successors for all money services licensees that hold licenses in Texas and other states. To efficiently minimize regulatory burden, the commissioner may, among other things, coordinate and share information with other state and federal regulators, enter into information-sharing contracts or agreements, conduct joint examinations or investigations, and accept examination or investigation reports made by other states. Texas now joins several other states in adopting common licensing and regulatory standards to add efficiencies to the multi-state process (continuing InfoBytes coverage here).
Additionally, the commissioner has enforcement, examination, and supervision authority, may adopt implementing regulations, and may recover costs and fees associated with applications, examinations, investigations, and other related actions. The Act also includes additional consumer protection provisions. The Act includes in the definition of “money” or “monetary value” a stablecoin that “(i) is pegged to a sovereign currency; (ii) is fully backed by assets held in reserve; and (iii) grants a holder of the stablecoin the right to redeem the stablecoin for sovereign currency from the issuer.” Among the various exemptions, the Act provides for an exemption for an agent of the payee to collect and process a payment from a payor to the payee for goods or services, other than money transmission services. The amendments also outline numerous licensing application and renewal procedures including net worth, surety bond, and permissible investment requirements. The Act is effective September 1.
On May 24, Minnesota enacted SF 2744 (the “Act”) to amend several sections of the state statutes relating to payday loans. Among other things, Section 47.603 has been added to create barriers for payday lenders charging annual interest rates of more than 36 percent and to require payday lenders to assess the borrower’s ability to repay a payday loan or payday advance.
The provisions specify an ability to repay analysis, which requires a payday lender to first determine whether a borrower has the ability to make the loan payment at the end of the loan period. The Act further explains that a “payday lender’s ability to repay determination is reasonable if, based on the calculated debt-to-income ratio for the loan period, the borrower can make payments for all major financial obligations, make all payments under the loan, and meet basic living expenses during the period ending 30 days after repayment of the loan.” Additionally, amendments replace past provisions for charges in lieu of interest, with an umbrella policy for any consumer small loan with an annual percentage rate of up to 50 percent that bans lenders from adding any additional charges or payments in connection with the loan.
The amendments will apply to “consumer small loans” and “consumer short-term loans,” as defined by the Act, originated on or after January 1, 2024.
On June 6, the Florida governor approved SB 262 to create the Florida Digital Bill of Rights (FDBR) and establish a framework for controlling and processing consumer personal data in the state, applicable only to companies that meet certain criteria and bring in global gross annual revenues of more than $1 billion. Specifically, the FDBR applies to “controllers,” or any person that conducts business in Florida, collects personal data about consumers (or is an entity on behalf of which this information is collected), determines the purposes and means of processing consumers’ personal data (alone or jointly with other entities), meets the revenue minimum, and satisfies at least one of the following criteria: (i) derives at least 50 percent of global gross revenue from the sale of online advertisements (including targeted advertising); (ii) operates a consumer smart speaker and voice command component service; or (iii) operates an app store or a digital distribution platform offering a minimum of 250,000 unique software applications available for download. The FDBR outlines exemptions, including exemptions for financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as certain covered entities governed by the Health Insurance Portability and Accountability Act.
- Consumer rights. Under the FDBR, Florida consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and to access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The FDBR also adds biometric data and geolocation information to the definition of personal information.
- Controllers’ responsibilities. Data controllers under the FDBR will be responsible for, among other things, (i) responding to consumers’ requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, up to twice annually for each consumer; (ii) establishing an appeals process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (iv) securing personal data and implementing appropriate data security protection practices; (v) not processing data in violation of state or federal anti-discrimination laws; (vi) obtaining consumer consent in order to process sensitive data (consent may be revoked at any time); (vii) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (viii) providing clear privacy notices. The FDBR also sets forth obligations relating to contracts between a controller and a processor.
- No private cause of action but enforcement by the Florida Department of Legal Affairs. The FDBR explicitly prohibits a private cause of action. Instead, it grants the department exclusive authority to bring actions under the Florida Deceptive and Unfair Trade Practices Act and seek penalties of up to $50,000 per violation, which may be tripled for any violation involving a child under the age of 18 for which the online platform has actual knowledge. The department is also granted authority to adopt rules to implement the FDBR.
- Right to cure. Upon discovering a potential violation of the FDBR, the department must give the controller written notice. The controller then has 45 days to cure the alleged violation before the department can file suit.
Minor children are also afforded specific protections under the FDBR, including prohibiting online platforms that provide services or features to children from processing children’s personal information or from collecting, selling, sharing, or retaining any personal information that is not necessary to provide an online service, product, or feature. Additionally, the FDBR includes provisions addressing political ideology and government-led censorship.
The FDBR takes effect July 1, 2024.
Several states are moving forward on legislation relating to commercial financing disclosures. While Georgia is the most recent state to require disclosures in connection with commercial financing transactions of $500,000 or less (covered by InfoBytes here), additional states, including Connecticut and Florida, are moving bills through the legislature that would also impose several requirements on commercial financing lenders and providers.
Awaiting the governor’s signature, Connecticut SB 1032 would require certain providers of commercial financing to make various disclosures, with violators being subject to civil penalties. The requirements are applicable to sales-based financing in amounts of $250,000 or less. A “provider” is defined by the bill as “a person who extends a specific offer of commercial financing to a recipient” and includes, unless otherwise exempt, a “commercial financing broker,” but does not include “a bank, out-of-state bank, bank holding company, Connecticut credit union, federal credit union, out-of-state credit union or any subsidiary or affiliate of the foregoing.” The bill establishes parameters for qualifying commercial transactions and outlines numerous additional exemptions. Providers may also be able to rely on a statement of intended purpose made by the “recipient” – which is defined as “a person, or the authorized representative of a person, who applies for commercial financing and is made a specific offer of commercial financing by a provider” – to determine whether the financing is commercial financing. Additionally, when extending a specific offer for sales-based financing, the provider must disclose the terms of the transaction as specified within the bill. As a condition of obtaining commercial financing, should the provider require a recipient to pay off the balance of existing commercial financing from the same provider, the provider would be required to include additional disclosures. The bill also discusses conditions and criteria for when using another state’s commercial financing disclosure requirements that meet or exceed Connecticut’s provisions may be permitted.
The bill further provides that a commercial financing contract entered into on or after July 1, 2024, may not contain any provisions waiving a recipient’s right to notice, judicial hearing, or prior court order in connection with the provider obtaining any prejudgment remedy. Additionally, a provider may not revoke, withdraw, or modify a specific offer until midnight of the third calendar day after the date of the offer. Finally, the banking commissioner also is authorized to adopt regulations to carry out the bill’s provisions. Notably and unique to Connecticut is a requirement that providers and brokers of commercial financing be registered with the state banking commissioner in addition to adhering to the prescribed disclosure requirements. No later than October 1, 2024, providers and brokers must abide by certain application requirements and pay registration fees. If enacted, Connecticut’s requirements would take effect July 1, 2024.
Similarly, Florida also moved legislation during the 2023 session related to commercial financing that would have created the Florida Commercial Financing Disclosure Law. Among other things, HB 1353 would have required covered providers to provide specified disclosures for commercial financing transactions in amounts of $500,000 or less and would have established unique broker requirements. Florida’s session ended May 5.