On July 13, the New York governor signed S.3941, which expands the state’s definition of telemarketing to include marketing by text message. A press release issued by the governor noted that expanding the definition closes a loophole in state law that previously limited the definition to phone calls, including unwanted robocalls. “Electronic text messages to mobile devices have become the newest unwelcomed invasive marketing technique. Consumers should not be burdened with excessive and predatory telemarketing in any form, including text messages,” the press release stated. The act takes effect 30 days after becoming law.
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became the first state to put in place significant consumer data privacy measures under the California Consumer Privacy Act (covered by a Buckley Special Alert), and earlier this year in March, Virginia enacted the Consumer Data Protection Act (covered by InfoBytes here).
Highlights of the CPA include:
On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection personal identification numbers; (iii) passport and military identification numbers, as well as other government-issued identification numbers; (iv) medical information; (v) health insurance policy numbers or other identifiers used by health insurers; (vi) biometric information; and (vii) user names or email addresses combined with passwords or security questions and answers used to access an individual’s online account.
The act also requires businesses to notify residents whose personal information was breached or reasonably believed to have been breached within 60 days instead of 90 days after the discovery of the breach. Should a business identify additional affected residents after 60 days, it is required to provide notice as expediently as possible. Additionally, in the event that a resident’s login credentials are breached, a business may provide notice in electronic form (or another form) that directs the individual to take appropriate measures to protect the affected online account and all other online accounts. Businesses that furnish email accounts are also required to either verify that the affected individual received the data breach notice or provide notification through another method. The act also adds provisions related to compliance with privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, and specifies that information provided in response to an investigative demand connected to a data breach will be exempt from public disclosure, but the attorney general may make the information available to third parties in furtherance of the investigation. The act takes effect October 1.
On June 2, the Nevada governor signed SB 260, which revises certain provisions under the state’s existing privacy law. Among other things, the act (i) adds “data broker” to the existing privacy framework; (ii) exempts certain persons and information collected about a consumer in the state from requirements imposed on operators, data brokers, and covered information, including consumer reporting agencies, personally identifying information regulated by the FCRA or the federal Driver’s Privacy Protection Act, information collected for the purposes of fraud information, publicly available information, and financial institutions; (iii) prohibits a data broker from selling covered information collected about a consumer in the state if so directed by the consumer, and revises provisions related to the sale of certain covered information about a consumer; (iv) requires data brokers to respond to a consumer’s verified request within 60 days after receipt (a data broker may extend this period by no more than 30 days if an extension is determined to be reasonably necessary); (v) provides data brokers and operators 30 days to remedy violations of the opt-out requirement (provided they have not previously failed to comply with the opt-out requirements); and (vi) updates the definition of “sale” to include “the exchange of covered information for monetary consideration by an operator or data broker to another person.” While existing law already provides the Nevada attorney general with the authority to seek injunctive relief and impose civil penalties of no more than $5,000 per violation, the act extends this authority to cover data brokers. Additionally, the act explicitly does not provide for a private right of action against operators. The act takes effect October 1.
On May 24, the FTC announced that it will be releasing closing letters—letters from FTC staff telling a company or individual that the FTC is closing its investigation into their conduct—which “may supplement law enforcement with other methods, including consumer education, business guidance, warning letters, national workshops, reports.” However, the text in the letters makes it clear that the “FTC reserves the right to take further action as the public interest may require.” The FTC also notes that although the closing letters “serve a narrow purpose,” they often include a guide that can help other companies with their own compliance efforts.
On May 26, the Colorado attorney general filed a complaint against a Pennsylvania-based student loan servicer that handles the Public Service Loan Forgiveness (PSLF) program, alleging the servicer failed to comply with state law when asked to provide certain documentation. Under the Colorado Student Loan Servicers Act (SLSA), the state is “authorized to conduct examinations and investigations of student loan servicers that are servicing student education loans owned by residents of Colorado.” The SLSA also allows the state to enforce compliance by bringing a civil action to prevent servicers from violating the SLSA and to obtain other appropriate relief. According to the AG’s press release, the state requested information related to the servicer’s handling of the PSLF program during the Covid-19 pandemic. The servicer allegedly refused to produce the requested materials and only provided certain limited documents regarding non-government owned loans related to its business line. The complaint seeks a preliminary and permanent injunction compelling the servicer to comply with the AG’s oversight authority and provide the requested documentation.
On May 10, the Washington governor signed into law SB 5025, a bill that increases fines for unfair methods of competition and unfair or deceptive acts or practices under the state’s Consumer Protection Improvement Act (Act). Among other things, the bill (i) increases the maximum civil penalty for persons who violate the terms of any injunction issued under the Act from $25,000 to $125,000; (ii) increases the maximum civil penalty for violations of RCW 19.86.030 or 19.86.040 to $180,000 for individuals (previously $100,000) and $900,000 for persons other than individuals (previously $500,000); (iii) increases the maximum civil penalty for violations of RCW 19.86.020 to $7,500 from $2,000; and (iv) provides that unlawful acts or practices targeting or impacting individuals or communities based on characteristics including “age, race, national origin, citizenship or immigration status, sex, sexual orientation, presence of any sensory, mental, or physical disability, religion, veteran status, or status as a member of the armed forces” carry an enhanced penalty of $5,000. Additionally, by December 1, 2022, the Washington attorney general is required to “evaluate the efficacy of the maximum civil penalty amounts established in this section in deterring violations of the consumer protection act and the difference, if any, between the current penalty amounts and the penalty amounts adjusted for inflation, and provide the legislature with a report of its findings and any recommendations.” The Act goes into effect July 25.
On April 22, the FCC imposed a $4.1 million fine against a phone carrier for allegedly impersonating other carriers in telemarketing calls and deceiving consumers into changing carriers without consent. The FCC first proposed the fine in 2018 after the agency, state regulators, and the Better Business Bureau received many complaints about this conduct. According to the FCC, the company’s “actions specifically harmed elderly and infirm consumers who, in some cases, were left without telephone service for extended periods of time while the company refused to reinstate service until the unauthorized charges were paid in full.” FCC acting Chairwoman Jessica Rosenworcel issued a statement condemning the “ugly scam” as a violation of the Communications Act, and warned: “To anyone else using our nation’s phone systems to perpetuate this kind of scam, take note because our efforts won’t stop here.”
On April 27, FTC staff testified on behalf of the Commission before the Senate Commerce Committee’s Subcommittee on Consumer Protection, Product Safety, and Data Security, briefing lawmakers on the FTC’s efforts to protect consumers from scams and frauds connected to the Covid-19 pandemic. During the testimony, presented by acting Director of the Bureau of Consumer Protection Daniel Kaufman, the FTC highlighted that the agency filed more than a dozen law enforcement actions, led the elimination of deceptive claims made by more than 350 companies, and released more than 100 alerts to update consumers and businesses on identifying and avoiding these schemes. According to the testimony, the FTC responded rapidly to identify and stop schemes that have proliferated during the pandemic in response to the demand for scarce goods, to peddle potential treatments and cures, and to exploit consumers’ and businesses’ financial hardships during the crisis. Acting Director Daniel Kaufman noted that “the FTC issued its first warnings to consumers about COVID-19 related scams in February 2020, even before the declaration of a national emergency.” Additionally, the FTC has brought enforcement actions to protect consumers’ privacy and data from digital harms amplified by the ongoing pandemic, and has partnered with the CFPB to ensure “that renters are not subjected to unlawful practices in light of the eviction crisis caused by COVID-19.” The testimony also pointed out that the FTC has received more than 436,000 reports concerning fraud, identity theft, and other consumer problems since January 2020, reflecting $399 million in fraud losses.
On April 19, the FTC’s Bureau of Consumer Protection wrote a blog post identifying lessons learned to manage the consumer protection risks of artificial intelligence (AI) technology and algorithms. According to the FTC, over the years the Commission has addressed the challenges presented by the use of AI and algorithms to make decisions about consumers, and has taken many enforcement actions against companies for allegedly violating laws such as the FTC Act, FCRA, and ECOA when using AI and machine learning technology. The FTC stated that it has used its expertise with these laws to: (i) report on big data analytics and machine learning; (ii) conduct a hearing on algorithms, AI, and predictive analytics; and (iii) issue business guidance on AI and algorithms. To assist companies navigating AI, the FTC has provided the following guidance:
- Start with the right foundation. From the beginning, companies should consider ways to enhance data sets, design models to account for data gaps, and confine where or how models are used. The FTC advised that if a “data set is missing information from particular populations, using that data to build an AI model may yield results that are unfair or inequitable to legally protected groups.”
- Watch out for discriminatory outcomes. It is vital for companies to test algorithms—both prior to use and periodically after that—to prevent discrimination based on race, gender, or other protected classes.
- Embrace transparency and independence. Companies should consider how to embrace transparency and independence, such as “by using transparency frameworks and independent standards, by conducting and publishing the results of independent audits, and by opening. . . data or source code to outside inspection.”
- Don’t exaggerate what your algorithm can do or whether it can deliver fair or unbiased results. Under the FTC Act, company “statements to business customers and consumers alike must be truthful, non-deceptive, and backed up by evidence.”
- Data transparency. In the FTC guidance on AI last year, as previously covered by InfoBytes, an advisory warned companies to be careful about how they get the data that powers their models.
- Do more good than harm. Companies are warned that if their models cause “more harm than good—that is, in Section 5 parlance, if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and not outweighed by countervailing benefits to consumers or to competition—the FTC can challenge the use of that model as unfair.”
- Importance of accountability. The FTC warns of the importance of being transparent and independent and cautions companies to hold themselves accountable or the FTC may do it for them.