On August 24, the California attorney general announced that, following an investigative sweep of online retailers, it entered into a $1.2 million settlement with a cosmetics chain for its alleged failure to disclose to consumers that it was selling their personal information, failure to process user requests to opt out of such sales made via user-enabled global privacy controls, and failure to cure those violations within the 30-day period allowed by the California Consumer Privacy Act (CCPA). The action reaffirms the state’s commitment to enforcing the law and protecting consumers’ right to resist commercial surveillance, AG Bonta said, emphasizing that “today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
According to a complaint filed in California Superior Court, third parties monitored consumers’ purchases and created profiles to more effectively target potential customers. The company’s arrangement with these third parties constituted a sale of consumer personal information under the CCPA, therefore triggering certain basic obligations, including telling consumers that it is selling their information and allowing consumers to easily opt-out of the sale of their information. According to the complaint, the company failed to take any of these measures.
Under the terms of the settlement, the company is required to pay a $1.2 million penalty and must disclose to California customers that it sells their personal data and provide a mechanism for consumers to opt out of a sale of their information, including through user-enabled global privacy controls like the Global Privacy Control (GPC). Additionally, the company must ensure its service provider agreements meet CCPA requirements and provide reports to the AG related to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.
The press release also announced that notices were sent to several businesses alleging non-compliance for failing to process consumer opt-out requests made via user-enabled global privacy controls. The AG reiterated that under the CCPA, “businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the ‘Do Not Sell My Personal Information’ link. Businesses that received letters today have 30 days to cure the alleged violations or face enforcement action from the Attorney General.”
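The enforcement theme above is that a browser-sent Global Privacy Control signal has to produce the same result as a click on the “Do Not Sell My Personal Information” link. The following is an added example of how a site can implement that, not code from the InfoBytes post, the California AG, or the settling retailer. The one fact it relies on from the GPC specification is that a participating browser sends the request header Sec-GPC with the value 1 (and only that value counts as a signal). Everything else is an assumption made for the example: the explicit opt-out set by the link is stored in a cookie named dns_opt_out, the site’s third-party tags are described by TAG_CATALOG, and the sample requests are constructed.

```python
"""Honor a Global Privacy Control (GPC) signal as a "Do Not Sell" opt-out.

Added example (not the page's or any company's code). From the GPC spec:
browsers send the request header "Sec-GPC: 1"; no other value is a signal.
Assumptions: the explicit opt-out cookie name, the tag catalogue, and the
sample requests below are all made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OPT_OUT_COOKIE = "dns_opt_out"  # assumption: set when the user clicks the link

# Assumption: each third-party tag is labelled with whether loading it would
# sell or share personal information (ad tech, data brokers) or not (a vendor
# acting under a compliant service-provider agreement).
TAG_CATALOG = [
    {"name": "analytics-vendor", "sells_or_shares": True},
    {"name": "ad-retargeting", "sells_or_shares": True},
    {"name": "fraud-prevention", "sells_or_shares": False},
]


@dataclass(frozen=True)
class Request:
    headers: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


def gpc_signal(headers: Dict[str, str]) -> bool:
    """True only when a Sec-GPC header is present with the exact value "1".

    Header names are case-insensitive, so match them that way. "0", "true",
    "yes" or an absent header are not opt-out signals and must not be treated
    as one; absence is also not consent, it simply leaves the explicit
    preference (the cookie) in charge.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def opt_out_reason(req: Request) -> Optional[str]:
    """Return why the request is an opt-out, or None if it is not.

    Both paths lead to the same outcome, which is the point of the AG's
    position: a GPC header is honored exactly like a click on the link.
    """
    if req.cookies.get(OPT_OUT_COOKIE) == "1":
        return "explicit-link"
    if gpc_signal(req.headers):
        return "gpc-header"
    return None


def tags_to_load(req: Request) -> List[str]:
    """Drop every selling/sharing tag when the request is an opt-out."""
    opted_out = opt_out_reason(req) is not None
    return [t["name"] for t in TAG_CATALOG
            if not (opted_out and t["sells_or_shares"])]


def response_headers(req: Request) -> Dict[str, str]:
    """Vary on Sec-GPC so a cached page rendered with ad-tech tags for a
    non-opted-out visitor is never served to a visitor who sent the signal."""
    return {"Vary": "Sec-GPC"}


def decision_record(req: Request) -> Dict[str, object]:
    """Per-request audit record; the kind of data a business needs in order to
    report on its efforts to honor GPC, as the settlement requires."""
    reason = opt_out_reason(req)
    loaded = tags_to_load(req)
    suppressed = [t["name"] for t in TAG_CATALOG if t["name"] not in loaded]
    return {"opted_out": reason is not None, "reason": reason,
            "tags_loaded": loaded, "tags_suppressed": suppressed}


if __name__ == "__main__":
    # Constructed sample requests: a GPC browser, a browser sending a
    # non-signal value, and a visitor who clicked the link earlier.
    samples = [
        Request(headers={"Sec-GPC": "1"}),
        Request(headers={"sec-gpc": "0"}),
        Request(headers={}, cookies={OPT_OUT_COOKIE: "1"}),
    ]
    for r in samples:
        print(decision_record(r), response_headers(r))
```

The header check is deliberately strict: the spec defines a single valid value, and a lenient parser that accepted "true" or "yes" would invent signals the browser never sent, while one that ignored header-name case would miss real ones. The Vary header matters whenever a CDN or reverse proxy caches rendered HTML, since the opted-out and non-opted-out variants of the same URL load different third-party scripts.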
On July 15, the FDIC released a new Question and Answer (Q&A) and updated public information on its Banker Resource Center Brokered Deposits Page, reminding “FDIC-insured depository institutions (IDIs) that deposits swept from broker dealers with a primary purpose exception to unaffiliated IDIs must be reported as brokered if any additional third parties are involved that qualify as deposit brokers, as defined by Section 337.6 – Brokered Deposits, of the FDIC’s Rules and Regulations.” According to a statement released by the FDIC, analysis of Call Report data submitted after the Brokered Deposits Final Rule took effect “suggests that some IDIs receiving sweep deposits from unaffiliated broker-dealers appear to be reporting the sweep deposits as non-brokered, despite the involvement of a third party that engages in facilitating the placement of deposits, including through engaging in matchmaking activities.” The agency emphasized that, while an IDI may not have a direct relationship with an additional third party providing services to a broker dealer with a primary purpose exception, “when reporting sweep deposits, it is the IDI’s responsibility to file accurate Call Report data,” which may include reviewing agreements between the broker dealer and any additional third parties for services that constitute matchmaking activities. The FDIC clarified, however, that banks will not be required to refile previous Call Reports “if, after good faith efforts, certain deposits were not previously reported as brokered by the IDI due to a misunderstanding of how the facilitation aspect of the deposit broker definition applies when additional third parties are involved.”
On July 11, the FTC’s Division of Privacy & Identity Protection published a blog post addressing risks associated with the sharing of highly personal information with strangers, particularly with respect to the use of technology that directly observes or derives sensitive information about users. The FTC noted that aside from location information, which is often automatically generated from consumers’ connected devices, consumers are also actively generating sensitive health information, including personal reproductive data, through apps on their devices. This “potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers,” the FTC warned, pointing to the “ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.” Additionally, once the sensitive information is collected, the FTC said that consumers usually have no idea who has access to it, what the information is being used for, or that companies are profiting from the sale of their data. “The misuse of mobile location and health information–including reproductive health data–exposes consumers to significant harm,” the FTC stated. “Criminals can use location or health data to facilitate phishing scams or commit identity theft . . . and may subject people to discrimination, stigma, mental anguish, or other serious harms.” The FTC reminded companies that it is committed to using the full scope of its legal authorities to protect consumers’ privacy and that it “will vigorously enforce the law” to protect the security and privacy of consumers’ personal information. Companies are advised that sensitive information is protected by several federal and state laws and that making claims that data is “anonymous” or “has been anonymized” may be a deceptive trade practice under the FTC Act if untrue.
On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to the more than 150 million class members (defined as individuals who “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication”), the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. Under the terms of the final settlement, the company will establish an $85 million fund to pay valid claims, fees and expenses, service payments, and taxes, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the settlement stipulates that the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company will educate users about available security features and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.
The court considered several objections raised by certain class members, including concerns argued on behalf of a subclass of users who used the meeting application “as part of a business that was legally or contractually required to maintain client confidentiality as part of the services the business provided.” According to these objectors, the individual payment amounts are inadequate for individuals who held sensitive meetings. The court countered that the objectors’ claims did not differ from other class members and that the recovery is intended to cover users who did not receive the benefit of their bargain with the company, and not for “special harm arising from a duty to maintain client confidentiality.”
On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private information. Plaintiffs alleged the defendant contracted with a third-party reservation site, which required consumers to provide payment card information and other personally identifying information (PII). The plaintiffs contended that during the data breach, hackers accessed customer data, and argued that “had [the third party] ‘employed multiple levels of authentication,’ rather than ‘single factor authorization,’ the ‘hacker would not . . . have been able to access the system.’” Plaintiffs further claimed that the defendant served as the third party’s agent and was therefore responsible for its conduct.
Recently, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s grant of summary judgment to a defendant accused of being liable under the TCPA for pre-recorded calls that its third-party contractor made to prospective customers without their consent. As previously covered by InfoBytes, in December 2017, consumers filed a consolidated class action against a cruise line, alleging violations of, among other things, the TCPA for marketing calls made to class members’ cell phones using an automatic telephone dialing system between November 2016 and December 2017. The suit alleged that the defendant hired a company to generate leads and initiate telephone calls to prospective customers for cruise packages. The U.S. District Court for the Southern District of California had denied dismissal of the TCPA action for lack of subject matter jurisdiction, concluding that the U.S. Supreme Court’s decision in Barr v. American Association of Political Consultants Inc. did not invalidate the TCPA in its entirety from 2015 until July 2020. In Barr, the Supreme Court held that the TCPA’s government-debt exception is an unconstitutional content-based speech restriction and severed the provision from the remainder of the statute. (Covered previously by InfoBytes here.)
On appeal, the issue was whether the defendant is liable under the TCPA for prerecorded voice calls made by the third-party contractor to the plaintiffs, who had not given prior express consent to be called. The 9th Circuit agreed with the district court’s grant of summary judgment for the defendant insofar as the TCPA did not require the defendant to ensure that the third-party contractor had prior express consent for each call it made to the defendant’s prospective customers, and the defendant did not have actual authority over the third-party contractor. However, the 9th Circuit concluded that the defendant may be vicariously liable for the third-party contractor’s calls because it might have ratified them. The appellate court noted that the defendant knew it received 2.1 million warm-transferred calls from the contractor between January 2017 and June 2018, but that only 80,081 of those transfers were from individuals who had allegedly consented to receiving the calls. The defendant also knew of a large volume of mismatched caller data, and that the third-party contractor placed calls using prerecorded voices. The appellate court wrote that “[t]hese facts, in combination with the evidence of widespread TCPA violations in the cruise industry, would support a finding that [the defendant] knew facts that should have led it to investigate [the company’s] work for TCPA violations.”
On January 10, the CFPB filed a complaint against three debt collection companies and their owners (collectively, “defendants”) for allegedly engaging in illegal debt-collection practices. According to the Bureau, the defendants purchase debt portfolios and place them with other collection companies or sell them. The complaint states that from September 2017 through April 2020, the defendants placed debts valued at more than $8 billion and asserts that the defendants knew or should have known that these third-party collection companies were engaging in unlawful and deceptive debt collection practices. The Bureau alleges the defendants were aware of the companies’ false statements to consumers because they received hundreds of complaints from consumers claiming the companies were threatening to arrest them or file lawsuits if the consumers’ debts were not paid imminently, and the defendants received recorded phone calls alerting them to the companies’ threats and false statements regarding credit reporting. Further, the Bureau claims that the defendants continued to place debts with and sell debts to these companies even after an internal review found major violations of federal law. The Bureau’s complaint, which alleges violations of the CFPA and the FDCPA, seeks consumer restitution, disgorgement, injunctive relief, and civil money penalties.
On December 22, the FTC announced final approval of a settlement with a mortgage industry data analytics firm (defendant) for allegedly failing to develop, implement, and maintain a comprehensive information security program and to ensure that third-party vendors are capable of implementing and maintaining appropriate safeguards for customer information, in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule. As previously covered by InfoBytes, in December 2020, the FTC alleged that a vendor hired by the defendant stored the unencrypted contents of mortgage documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was improperly accessed approximately 52 times. The FTC claimed, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of its vendors.
The settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
FTC Commissioner Rebecca Kelly Slaughter provided a lone dissenting statement.
On December 15, NYDFS announced a proposed amendment to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. The proposed amendment factored in findings from NYDFS investigations, which revealed instances of abusive and deceptive debt collection practices, as well as consumer debt collection complaint data. According to acting Superintendent Adrienne A. Harris, the “proposed amendment requires clear communication on consumer debt obligations and ensures the consumer has the right information to dispute the validity of the debt.” The proposed regulation will mitigate predatory debt collection by taking measures to ensure consumers only pay debts they owe and only pay them once. Harris added that the proposed amendment will offer enhanced consumer protections by increasing transparency, requiring enhanced disclosures, reducing misleading statements about consumer debt obligations, and limiting harassment by placing stricter limits on debt collection phone calls than those currently imposed under federal regulations. Among other things, the proposed amendment also:
- Defines “communication” as “the conveying of information regarding a debt directly or indirectly to any person through any medium.”
- Defines “creditor” as “any person or such person’s successor in interest by way of merger, acquisition, or otherwise, to whom a debt is owed or allegedly owed.”
- Amends the definition of “debt collector” to include “any creditor that, in collecting its own debts, uses any name other than its own that would suggest or indicate that someone other than such creditor is collecting or attempting to collect such debts.” The definition also includes certain exemptions, such as persons “performing the activity of serving or attempting to serve legal process” in the judicial enforcement of a debt “or serving, filing, or conveying” other specified documents pursuant to rules of civil procedure, but that are “not a party to, or providing legal representation to a party to, the action[.]”
- Requires collectors to clearly and conspicuously send written notification within 5 days after an initial communication with a consumer letting the consumer know specific information about the debt, including (i) validation information; (ii) the type of reference date used to determine the itemization date; (iii) account information associated with the debt; (iv) merchant/affinity/facility brand association; (v) the date the last payment (including any partial payment) was made; and (vi) the statute of limitations, if applicable.
- Requires collectors to inform consumers they have “the right to dispute the validity of the debt, in part or in whole,” and provides instructions on how consumers may dispute the validity of the debt.
- States that certain disclosures may not be sent exclusively through an electronic communication, and prohibits treating a formal pleading in a civil action as an initial communication.
- Provides that, if a collector “has reason to know or has determined” that the statute of limitations on a debt it seeks to collect has expired, the collector is required to provide clear and conspicuous notice in all communications that, among other items, it believes the statute of limitations has expired. For debts not subject to a statute of limitations, collectors must notify consumers that they are “not required to provide the debt collector with an admission, affirmation, or acknowledgment of the debt, a promise to pay the debt, or a waiver of the statute of limitations.”
- Prohibits collectors from communicating by telephone or other means of oral communication when attempting to collect on debts for which the statute of limitations has expired, without certain consent or permission.
- Requires collectors to provide consumers written substantiation of a debt (no longer limited to a “charged-off” debt) in hard copy by mail within 30 days of receiving a request for substantiation (unless a consumer has consented to receiving electronic communications). The written substantiation must include, among other information, (i) a statement describing the complete chain of title from the creditor “to which the debt was originally owed or alleged to be owed” to the present creditor “or owner of the debt”; and (ii) notice that a consumer may request additional documentation, with instructions on how to make such a request. Collectors are also required, within 30 days after a consumer makes such a request, to provide documents sufficient to establish the complete chain of title, including the specific dates on which the debt was assigned, sold or transferred and the names of each previous owner of the account.
- Requires collectors to retain certain information on a debt “until the debt is discharged, sold, or transferred, or for 7 years, whichever is longer.”
- Requires collectors to provide written confirmation of the satisfaction of a debt to a consumer within 20 business days of receiving satisfaction of the debt. The confirmation must include the name of the creditor to which the debt was originally owed and the account number, unless stipulated otherwise.
- Limits collectors to 1 telephone call and 3 attempted telephone calls in a 7-day period per alleged debt, without certain consents or permission, “except that telephone calls in excess of one time per seven day period are permitted when” a consumer requests to be contacted or when the communication is required under the proposed amendment or other federal or state law.
- Permits collectors to communicate with persons through electronic channels to collect a debt only if (i) the person has voluntarily provided certain contact information to the debt collector; and (ii) the person has given certain revocable consent in writing directly to the debt collector. The proposed amendment also provides (i) certain disclosure requirements for electronic communications “initiated by” a collector; (ii) privacy requirements that incorporate 15 U.S. Code § 1692c(b); and (iii) compliance requirements for collectors should a consumer revoke consent.
On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated an opinion in Hunstein v. Preferred Collection & Management Services, ordering an en banc rehearing of the case. The order vacates an 11th Circuit decision to revive claims that the defendant’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated privacy rights established in the FDCPA. As previously covered by InfoBytes, in April, the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” According to the order issued sua sponte by the 11th Circuit, an en banc panel of appellate judges will convene at a later date to rehear the case.
- Jedd R. Bellman to provide an “Attorney exemption/medical debt update” at the North American Collection Agency Regulatory Association annual conference
- Kathryn L. Ryan to discuss “What should crypto regulation look like: Legislation, regulation and consumer issues” at WCL's First Annual Virtual Currency Law Institute
- Elizabeth E. McGinn to discuss “How to mitigate and manage third-party risks: Leveraging tools and best practices” at The Knowledge Group’s webcast
- Elizabeth E. McGinn, Benjamin W. Hutten, and James C. Chou to discuss “The evolving regulatory landscape: Third-party and cyber risk management” at the 2022 mWISE Conference
- Sherry-Maria Safchuk to discuss “For your eyes only: Privacy updates for 2022-2023” at CCFL’s Annual Consumer Financial Services Conference
- James T. Parkinson to present a “Global anti-corruption update” at IBA’s annual conference