On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on August 14, the regulations went into effect after being approved by the Office of Administrative Law (OAL). Highlights of the proposed modifications include:
- The addition of Section 999.306, subd. (b)(3), which provides illustrative examples of the methods businesses can use to provide the notice of right to opt-out of the sale of personal information through an offline method, when the business collects personal information in the course of interacting with consumers offline. Examples include: posting signage in the area where personal information is collected or providing the notice orally during calls where information is collected;
- The addition of Section 999.315, subd. (h), which provides illustrative examples of right to opt-out methods that are designed with the purpose or have the substantial effect of subverting or impairing a consumer’s choice to opt-out. Examples include: using double negatives or requiring consumers to click through a list of reasons why they should not opt-out before confirming their request;
- Amending Section 999.326, subd. (a), which clarifies what proof a business may require from an authorized agent and consumer when a consumer uses an agent to submit a request to know or a request to delete; and
Comments on the proposed modifications are due on October 28 by 5:00 p.m.
Special Alert: California’s new consumer financial protection law expands UDAAP and enforcement authority
On Monday, August 31, the California Legislature passed Assembly Bill 1864, which enacts the California Consumer Financial Protection Law (CCFPL) and changes the name of the Department of Business Oversight (DBO) to the Department of Financial Protection and Innovation (DFPI).
- Establishes UDAAP authority for the new DFPI, adding “abusive” to “unfair or deceptive” acts or practices prohibited by California law, and authorizing remedies similar to those provided in the Dodd-Frank Act. The DFPI also has authority to define UDAAPs in connection with the offering or provision of commercial financing (e.g., merchant cash advance, lease financing, factoring) and other financial products or services to small business recipients, nonprofits, and family farms.
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. While the regulation package was under review by the OAL, the California attorney general made certain “nonsubstantial changes” and “changes without regulatory effect” to the CCPA regulations, which are outlined here (a Buckley-created redline is available here). Under the OAL’s regulations, changes are considered “nonsubstantial” if they clarify without materially altering the requirements, rights, responsibilities, conditions, or prescriptions contained in the original text. Changes are considered to be “without regulatory effect” if they involve renumbering or relocating a provision, revising structure, syntax, grammar or punctuation, and, subject to certain conditions, making a provision consistent with statute.
Among others, the following nonsubstantial changes were made to the final regulations:
- The shorthand phrase “Do Not Sell My Info” was removed from several sections in order for the language to track the statute (i.e. “Do Not Sell My Personal Information”).
- The severability provision, formerly in Section 999.341, was deleted as unnecessary. This provision previously stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.” (formerly § 999.341).
Additionally, the following requirements were deleted from the regulations at this time, although the California attorney general has indicated that these provisions may be resubmitted “after further review and possible revisions”:
- The requirement, formerly in Section 999.305(a)(4), that the business notify and obtain explicit consent from a consumer to use the consumer’s personal information for a purpose materially different than those disclosed in the notice at collection.
- The requirement, formerly in Section 999.306(b)(2), that a business that substantially interacts with consumers offline must provide a notice to the consumer offline to facilitate their awareness of the right to opt-out.
- The requirement in Section 999.315(c) that the business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.”
- The provision, formerly in Section 999.326(c), permitting a business to deny a request from an authorized agent if the agent fails to submit proof of authorization from the consumer.
The final regulations became effective on August 14, 2020.
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. The proposed final regulations were submitted to OAL on June 1 and were “nonsubstantially changed” during OAL’s review process for “accuracy, consistency, and clarity.” The final regulations are effective as of August 14.
For a detailed overview of the regulations, see here (the InfoByte details an earlier version of the regulations, which remain substantially unchanged). Details discussing the nonsubstantial changes are available from InfoBytes here.
On August 3, the member agencies of the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement on managing loan accommodations granted to borrowers pursuant to federal, state, and local law to address Covid-19 related hardships. Specifically, the statement provides risk management and consumer protection principles to financial institutions working with borrowers that are near the end of their initial loan accommodation period. Among other things, the statement outlines:
- Risk Management Practices. The statement encourages financial institutions to institute sound credit risk management practices following an accommodation period, such as “reassess[ing] risk ratings for each loan based on a borrower’s current debt level, current financial condition, repayment ability, and collateral.” Additionally, the statement encourages institutions to provide “clear, accurate, and timely information to borrowers and guarantors regarding the accommodation” being granted.
- Sustainable Accommodations. The statement notes that the Covid-19 pandemic may have “long-term adverse impact[s] on borrower’s future earnings” and financial institutions should consider additional accommodation options to mitigate losses for the borrower and institutions by assessing “each loan based upon the fundamental risk characteristics affecting the collectability of that particular credit.”
- Consumer Protection. The statement encourages financial institutions to provide consumers with options to support repayment at the end of accommodations to avoid delinquencies and to consider offering credit product term changes to “support sustainable and affordable payments for the long term.”
- Accounting and Regulatory Reporting. The statement emphasizes that financial institutions should consider the effects of the Covid-19 pandemic in their allowance for loan and lease losses, or credit losses, estimation processes, consistent with generally accepted accounting principles.
- Internal Control Systems. The statement notes that internal control functions for the end of initial accommodation periods and for additional accommodations typically “include appropriate targeted testing of the process for managing each stage of the accommodation.” Additionally, the statement reminds financial institutions of their responsibility for ensuring service providers in charge of these functions act consistently with the institution’s policies and all applicable laws and regulations.
On June 8, the CFPB published a blog post written by Todd Zywicki, the Chair of the Taskforce on Federal Consumer Financial Law, which discusses the future plans of the taskforce. In addition to the March request for information (RFI) seeking input on consumer protection areas for the taskforce to focus its research and analysis on (covered by InfoBytes here), the post notes that the taskforce intends to gain feedback from other public forums as well in order to produce a two-volume report. The first volume, among other things, will contain a history of consumer financial protection laws, a cost-benefit analysis of financial products and services, and an outline of the current regulatory framework. The second volume will include a set of recommendations for the Bureau “on ways to improve and strengthen the application of financial laws and regulations.” Through the fall, the taskforce will (i) analyze the comments received from the RFI; (ii) hold a public hearing; and (iii) participate in public listening sessions with the Bureau’s four advisory committees.
The final version of the proposed regulations, which are substantively unchanged from the March draft modifications (covered by InfoBytes here), includes an updated statement of reasons summarizing the modifications and reiterating that the “stated bases for the necessity of the proposed regulations continue to apply to the regulations as adopted.”
The AG also submitted an expedited review request, asking that the regulations take effect upon filing with the Secretary of State. The CCPA imposes a July 1 statutory deadline for the AG to adopt initial regulations. However, due to challenges imposed by the Covid-19 pandemic, California Executive Order N-40-20 allows the OAL 30 working days, plus an additional 60 calendar days to finalize proposed regulations. Because of this, the AG respectfully requested that the OAL complete its review within 30 days, given the July 1 deadline.
On May 8, plaintiffs in a biometric privacy class action in the U.S. District Court for the Northern District of California filed a motion requesting preliminary approval of a $550 million settlement deal. The preliminary settlement, reached between a global social media company and a class of Illinois users, would resolve consolidated class claims that alleged the social media company’s face scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). As previously covered by InfoBytes, last August the U.S. Court of Appeals for the 9th Circuit affirmed class certification and held that the class’s claims met the standing requirement described in Spokeo, Inc. v. Robins because the social media company’s alleged development of a face template that used facial-recognition technology without users’ consent constituted an invasion of an individual’s private affairs and concrete interests. According to the motion for preliminary approval, the settlement would be the largest BIPA class action settlement ever and would provide “cash relief that far outstrips what class members typically receive in privacy settlements, even in cases in which substantial statutory damages are involved.” If approved, the social media company must also provide “forward-looking relief” to ensure it secures users’ informed, written consent as required under BIPA.
On April 23, the U.S. District Court for the District of Columbia approved a $5 billion settlement between the FTC and a global social media company, resolving allegations that the company violated consumer protection laws by using deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC. The settlement, first announced last July (covered by InfoBytes here), requires the company to take a series of remedial steps, including (i) ceasing misrepresentations concerning its collection and disclosure of users’ personal information, as well as its privacy and security measures; (ii) clearly disclosing when it will share data with third parties and obtaining user express consent if the sharing goes beyond a user’s privacy setting restrictions; (iii) deleting or de-identifying a user’s personal information within a reasonable time frame if an account is closed; (iv) creating a more robust privacy program with safeguards applicable to third parties with access to a user’s personal information; (v) creating a new privacy committee and designating a dedicated corporate officer in charge of monitoring the effectiveness of the privacy program; (vi) alerting the FTC when more than 500 users’ personal information has been compromised; and (vii) undertaking reporting and recordkeeping obligations, and commissioning regular, independent privacy assessments. The order “resolves all consumer-protection claims known by the FTC prior to June 12, 2019, that [the company], its officers, and directors violated Section 5 of the FTC Act.” While the court acknowledged concerns raised by several amici opposing the settlement, the court concluded that the settlement and the proposed remedies were reasonable and in the public interest. On April 28, the FTC announced the formal approval of amendments to its 2012 privacy order to incorporate updated provisions included in the 2019 settlement.
On April 23, the FTC released its 2019 Annual Highlights, which outlines the Commission’s efforts over the past year to protect consumers and promote competition. The report discusses various enforcement actions, policy and advocacy initiatives, and education and outreach programs, and notes that FTC actions in 2019 have led to more than $232 million in refunds to consumers. The report covers a range of consumer protection enforcement actions related to, among other things, unfair and deceptive marketing as well as privacy and data security issues. The report also discusses joint consumer protection enforcement-related efforts with foreign agencies and multilateral organizations, as well as information-sharing and enforcement cooperation measures intended to streamline and facilitate joint law enforcement investigations. In addition, the report highlights recent policy actions, such as advocacy comments, amicus briefs, and Congressional testimony, and discusses education efforts undertaken in 2019 including: (i) a series of public hearings on Competition and Consumer Protection in the 21st Century; (ii) workshops with state regulators and law enforcers; (iii) workshops on consumer protection issues such as small business financing, consumer reporting accuracy, and privacy matters; and (iv) education outreach programs. According to the stats and data section of the report, the FTC received more than 3.2 million consumer reports in 2019, in which identity theft and imposter scam complaints represented over 40 percent of the total reports received.