
InfoBytes Blog

Financial Services Law Insights and Observations



  • Rep. McHenry introduces draft privacy legislation based on GLBA

    Federal Issues

    On June 23, House Financial Services Ranking Member Patrick McHenry (R-NC) released a discussion draft of new federal legislation intended to modernize financial data privacy laws and provide consumers more control over the collection and use of their personal information. (See overview of the discussion draft here.) The draft bill seeks to build on the Gramm-Leach-Bliley Act (GLBA) to better align financial data protection law with evolving technologies that have innovated the financial system and the way in which consumers interact with financial institutions, including nonbank institutions. “Technology has fundamentally changed the way consumers participate in our financial system—increasing access and inclusion. It has also increased the amount of sensitive data shared with service providers. Our privacy laws—especially as they relate to financial data—must keep up,” McHenry said, emphasizing the importance of finding a way to “secure Americans’ privacy without strangling innovation.”

    Among other things, the draft bill:

    • Requires notice of collection activities. The GLBA currently requires that consumers be provided notice when their information is being disclosed to third parties. The draft bill updates this requirement to require financial institutions to provide notice when consumers’ nonpublic personal information is being collected.
    • Recognizes the burden on small institutions. The draft bill stipulates that agencies shall consider compliance costs imposed on smaller financial institutions when promulgating rules.
    • Amends the definition of a “financial institution.” The draft bill would update the definition to cover data aggregators in addition to financial institutions engaged in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.
    • Expands the definition of non-public information. The draft bill expands the definition of “personally identifiable financial information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Publicly available information is not included in this definition. The definition of “consumer account credentials” will mean “nonpublic information (including a username, password, or an answer to a security question) that enables the consumer to access an account of the consumer at a financial institution.”
    • Provides consumers access to data. The draft bill provides that financial institutions must, upon an authorized request from a consumer, disclose the data held, entities with which the financial institution shares consumer data, and a list of entities from whom the financial institution has received a consumer’s non-public personal information.
    • Allows consumers to stop the collection and disclosure of their data. When a financial institution is required to terminate the collection and/or sharing of a consumer’s nonpublic personal information, the draft bill provides that a financial institution must notify third parties that data sharing is terminated and must require the third parties to also terminate collection and disclosure. Additionally, upon request from a consumer, the financial institution must delete any nonpublic personal information in its possession, and if required by law to retain the data, the financial institution may only use the data for that purpose.
    • Minimizes data collection. The draft bill requires that financial institutions notify consumers of their data collection practices in their privacy policies, including the categories collected, how the information is collected, and the purposes for the collection. Consumers must be allowed an opportunity to opt-out of the collection of their data if not necessary for the provision of the product or service by that entity.
    • Provides informed choice and transparency. Under the draft bill, privacy terms and conditions must be transparent and easily understandable. The draft bill requires the disclosure of a financial institution’s privacy policies in a manner that provides consumers meaningful understanding of what data is being collected, the manner in which the data is collected, the purposes for which the data will be used, the right to opt-out, who has access to the data, how an entity is using the data, where the data will be shared, the data retention policies of the entity, the consumer’s termination rights, and the rights associated with that data for uses inconsistent with stated purpose, among others.
    • Stipulates liability for unauthorized access. The draft bill states that “[i]f the nonpublic personal information of a consumer is obtained from a financial institution (either due to a data breach or in any other manner) and used to make unauthorized access of the consumer’s account, the financial institution shall be liable to the consumer for the full amount of any damages resulting from such unauthorized access.’’
    • Requires preemption. The draft bill will preempt state privacy laws to create a national standard.

    The draft bill was introduced days after the House Subcommittee on Consumer Protection and Commerce heard testimony from consumer advocates and industry representatives on the recently proposed bipartisan American Data Privacy and Protection Act (covered by a Buckley Special Alert here).

    Federal Issues, Privacy/Cyber Risk & Data Security, Federal Legislation, Gramm-Leach-Bliley, Consumer Protection

  • Special Alert: House subcommittee hears testimony on privacy bill

    Privacy, Cyber Risk & Data Security

    The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data Privacy and Protection Act (ADPPA).

    The bipartisan initiative faces new headwinds following June 22 remarks by Senate Commerce Chair Maria Cantwell (D-WA), who cited “major enforcement holes” in the legislation on preemption issues — but expressed hope that the sponsors could offer revisions. 

    Privacy/Cyber Risk & Data Security, Federal Issues, Special Alerts, Federal Legislation, Consumer Protection, FTC, House Subcommittee on Consumer Protection and Commerce

  • Special Alert: Congress releases draft privacy bill

    Federal Issues

    A comprehensive federal privacy law drew one step closer to reality earlier this month when a bipartisan group of representatives and senators released a draft of the proposed American Data Privacy and Protection Act.

    Passage of the ADPPA, which combines elements of prior proposals in an effort to reach a legislative compromise, is still far from assured. But it represents a meaningful starting point for further discussions, and is already shaping the long-running debate on national privacy standards. This alert looks closely at the proposed statutory text that seeks to define the breadth and scope of a federal privacy regime that policymakers have contemplated for years.

    Greater clarity about bill text and its overall prospects for passage are likely to emerge at the House Energy and Commerce Committee’s hearing scheduled for tomorrow at 10:30 a.m. ET.

    Federal Issues, Federal Legislation, Privacy/Cyber Risk & Data Security, Special Alerts, House Energy and Commerce Committee, FTC, Consumer Protection, American Data Privacy and Protection Act

  • FTC says consumers lost more than $1 billion to crypto fraud

    Federal Issues

    On June 3, the FTC reported that consumers lost over $1 billion to fraud involving cryptocurrencies from January 2021 through March 2022. The FTC’s recent Consumer Protection Data Spotlight found that cryptocurrency is becoming the payment of choice for many scammers and that most reported cryptocurrency losses involved fake investment opportunities (totaling $575 million in reported losses since January 2021). The spotlight stated that nearly four out of every ten dollars reported lost to a fraud originating on social media was lost in crypto, far more than any other payment method. Following losses related to cryptocurrency schemes, the next largest losses involved romance scams ($185 million) and business and government impersonation scams ($133 million collectively).

    Federal Issues, Digital Assets, FTC, Cryptocurrency, Consumer Finance, Fraud, Consumer Protection

  • FTC to modernize guidance on preventing digital deception

    Federal Issues

    On June 3, the FTC announced that it is soliciting public comment on modernizing the agency’s business guidance titled “.com Disclosures: How to Make Effective Disclosures in Digital Advertising,” which was published in 2013 and provides guidance to businesses on digital advertising and marketing. In seeking public comment on possible revisions, the FTC is asking for information on the technical and legal issues that consumers, the FTC’s law enforcement partners, and others believe should be addressed. The issues include, among other things: (i) the use of sponsored and promoted advertising on social media; (ii) advertising embedded in games and virtual reality, and microtargeted advertisements; and (iii) the use of dark patterns (manipulative user interface designs used on websites and mobile apps) and digital advertising that pose unique risks to consumers. According to the Commission, this effort “is one of a number of initiatives the FTC is undertaking to tackle dark patterns and digital deception, including issuing a click-to-cancel policy statement, proposing strengthened advertising guidelines against fake and manipulated reviews, arming staff with new tools to investigate dark patterns, and authorizing a Notice of Penalty Offense against deceptive reviews.” Comments close on August 2.

    Federal Issues, Agency Rule-Making & Guidance, FTC, Consumer Protection, Deceptive Disclosures

  • California’s privacy agency posts CPRA proposal

    Privacy, Cyber Risk & Data Security

    Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the February meeting that the rulemaking process will extend into the second half of the year. An updated formal rulemaking timeline may be released during the June 8 meeting.

    The draft regulations, which were released outside of the formal rulemaking process, are a working draft of the rules that would implement the CPRA. They modify certain provisions of the existing CCPA regulations and propose new ones, including:

    • Adding, amending, and striking certain definitions. The CPRA draft regulations modify the definitions in the CCPA regulations. Specifically, the amendments strike “affirmative authorization” and “household” from the list of definitions, but add new terms such as “disproportionate effect,” “first party,” “frictionless manner,” “notice of right to limit,” and “opt-out preference signal,” as well as terms related to a consumer’s right to request to correct, opt-in to sale/sharing, delete, know, or limit.
    • Outlining restrictions on the collection and use of personal information. The draft regulations state that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be “reasonably necessary and proportionate,” and “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses also must obtain a consumer’s explicit consent prior to collecting, using, retaining, and/or sharing the personal information for any purpose that is unrelated or incompatible with the original purpose for which the personal information was collected or processed.
    • Providing disclosure and communications requirements. Disclosures and communications are required to be easy to read and understandable to consumers, be available in languages in which the business ordinarily provides information, and be reasonably accessible to consumers with disabilities. The draft regulations also stipulate requirements for website and mobile application links.
    • Describing requirements for submitting CCPA requests and obtaining consumer consent. The draft regulations set forth methods for submitting CCPA requests and obtaining consumer consent, including requirements regarding the manner in which such requests and consents may be obtained. For example, the requests and consents must be easy to understand, must include symmetry in choice, and avoid confusing and manipulative language. Methods that do not comply with these requirements may be considered a “dark pattern” and will not constitute consumer consent.
    • Amending requirements related to a business’s privacy notice. The draft regulations would amend the requirements related to the information that must be included in a privacy notice related to a business’s online and offline practices regarding the collection, use, sale, sharing, and retention of personal information; and an explanation of CPRA rights conferred on consumers regarding their personal information, how they can exercise their rights, and what they can expect from this process.
    • Amending notices required by the CCPA. The draft regulations set forth additional requirements related to the notice at collection, the notice of right to opt-out of sale/sharing, and the “Do Not Sell or Share My Personal Information” link, such as updates to the content of the notices, location of the notices/links, and the effects of certain requests (e.g., “clicking the business’s ‘Do Not Sell or Share My Personal Information’ link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice”). The draft regulations would also amend the notice of financial incentive.
    • Providing instructions for the Notice of Right to Limit Use of Sensitive Personal Information. The draft regulations outline requirements for businesses to comply with a consumer’s rights to limit the use of sensitive personal information. They also provide businesses the option to use an alternative opt-out link to allow “consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate…links.”
    • Amending methods for handling consumer requests to delete, correct, and know. The draft regulations outline additional documentation requirements, as well as guidance on responding to consumer requests, including explanations for denying a request. Notably, in response to a request to know, “a business shall provide all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.” Additionally, a company that intends to collect additional categories of information that are “incompatible” with the originally disclosed purpose must provide a new notice at collection and obtain new consent.
    • Opt-out preference signals. The draft regulations set forth requirements for opt-out preference signals and how businesses should respond to such preferences. Specifically, the draft regulations provide that processing an opt-out preference must be done in a “frictionless manner” and includes examples.
    • Addressing consumer requests for limiting the use and disclosure of sensitive personal information. Businesses will be required to provide two or more designated methods for submitting requests to limit and must, among other things, comply with a request to limit “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” All service providers, contractors, and third parties must comply as well. The regulations set forth exceptions to the limitations for using and disclosing sensitive personal information.

    The draft regulations also amend provisions related to contract requirements for service providers/contractors/third parties, verification of requests, authorized agents, minor consumers, discriminatory practices, requirements for businesses collecting large amounts of personal information, and investigations and enforcement.

    Privacy/Cyber Risk & Data Security, State Issues, California, CCPA, CPRA, CPPA, Consumer Protection

  • DFPI issues NPRM to implement process for handling consumer complaints and inquiries under the CCFPL

    State Issues

    Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to adopt regulations to implement and interpret certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. (See also text of the proposed regulations here.) As previously covered by a Buckley Special Alert, AB 1864 was signed in 2020 to enact the CCFPL, which, among other things: (i) establishes UDAAP authority for DFPI; (ii) authorizes DFPI to impose penalties of $2,500 for “each act or omission” in violation of the law without a showing that the violation was willful, arguably representing an enhancement of DFPI’s enforcement powers in contrast to Dodd-Frank and existing California law; (iii) provides DFPI with broad discretion to determine what constitutes a “financial product or service” within the law’s coverage; and (iv) provides that administration of the law will be funded through the fees generated by the new registration process as well as fines, penalties, settlements, or judgments. While the CCFPL exempts certain entities (e.g., banks, credit unions, certain licensees), DFPI’s oversight authority was expanded to include debt collection, debt settlement, credit repair, check cashing, rent-to-own contracts, retail sales financing, consumer credit reporting, and lead generation.

    The NPRM proposes new rules to implement section 90008, subdivisions (a), (b), and (d)(2)(D), of the CCFPL related to consumer complaints and inquiries. According to DFPI’s notice, section 90008 subdivisions (a) and (b) authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries. Additionally, subdivision (d)(2)(D) “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”

    Among other things, the NPRM:

    • Identifies entities exempt from the consumer complaints and inquiries requirements;
    • Requires covered persons to respond to consumer complaints and to establish policies and procedures for receiving and responding to complaints, including providing a complaint form, acknowledging receipt of complaints, tracking complaints, the timeline for responding to complaints, the contents for such a response, and recordkeeping of such complaints;
    • Sets forth requirements for responding to complaints, including documenting when complaints do not require further investigation, performing an investigation of a complaint if warranted, and requiring corrective action to resolve a complaint such as an account adjustment, credit, or refund, and appropriate steps to prevent recurrence of the issue, which may include policy changes and employee training;
    • Requires designation of an officer with primary responsibility for the complaint process;
    • Requires covered persons to submit to DFPI a quarterly complaint report, which will be made public, and an annual inquiries report;
    • Sets forth requirements for covered persons to respond to inquiries from consumers and develop and implement written policies and procedures for responding to such inquiries;
    • Provides that covered persons must develop and implement written policies and procedures for responding to requests from DFPI regarding consumer complaints; and
    • Exempts certain information, such as nonpublic or confidential information, including confidential supervisory information, from disclosure to consumers.

    Written comments on the NPRM are due by July 5.

    State Issues, State Regulators, DFPI, California, CCFPL, Consumer Complaints, Consumer Protection, Agency Rule-Making & Guidance, Consumer Finance

  • FTC addresses importance of effective incident response and breach disclosure

    Privacy, Cyber Risk & Data Security

    On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The post noted that the FTC Act creates a de facto data breach notification requirement because failure to disclose can increase the likelihood that affected parties will suffer harm. The post outlines effective security breach detection and response programs, which can: (i) give an organization time to take remedial actions to counter, prevent, or mitigate an attack; (ii) prevent and minimize consumer harm from breaches; (iii) provide valuable information to the prevention function of a security team; and (iv) remove an attacker and allow for post-breach remedial measures. According to the FTC, failure to maintain such practices could indicate a lack of competition in the marketplace. The post stated that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Listing recent cyber-related FTC enforcement actions, the post explained that deceptive statements can limit consumers’ ability to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts. Looking at these cases together, the post further noted that “companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”

    Privacy/Cyber Risk & Data Security, Federal Issues, FTC, FTC Act, Data Breach, Consumer Protection

  • NYDFS commits to mitigating virtual currency risks

    State Issues

    On May 20, NYDFS Superintendent Adrienne A. Harris emphasized the role regulation plays in protecting consumers from cybercriminals in the virtual currency marketplace. According to Harris, NYDFS is committed to mitigating risks in this space by guarding against sanctions evasion and illicit activity and making sure corporate infrastructure and consumer data are well protected from bad actors. Harris stressed that NYDFS “will continue to improve upon [its] regulation and supervision; engage with key stakeholders on important trends and issues; collaborate with state, federal and international regulators; and strive to be a forward-looking, innovative regulator, including through [its] VOLT initiative,” which supports the department’s efforts to increase transparency and enhance supervision related to virtual currency.

    State Issues, Digital Assets, Virtual Currency, State Regulators, NYDFS, New York, Consumer Protection, Financial Crimes, Fintech

  • Oklahoma establishes telephone solicitation restrictions

    State Issues

    On May 20, the Oklahoma governor signed HB 3168, which establishes the Telephone Solicitation Act of 2022. The bill, among other things, prohibits (i) certain sales calls without the prior express written consent of the called party; (ii) commercial telephone sellers or salespersons from using certain technology to conceal their true identity; and (iii) commercial telephone sellers or salespersons from using automated dialing or recorded messages to make certain commercial telephone solicitation phone calls. The bill also establishes a time frame during which a commercial telephone seller or salesperson may make commercial solicitation phone calls. The bill is effective November 1.

    State Issues, State Legislation, Oklahoma, Robocalls, Consumer Protection
