
InfoBytes Blog

Financial Services Law Insights and Observations


  • Special Alert: Congress releases draft privacy bill

    Federal Issues

    A comprehensive federal privacy law drew one step closer to reality earlier this month when a bipartisan group of representatives and senators released a draft of the proposed American Data Privacy and Protection Act.

    Passage of the ADPPA, which combines elements of prior proposals in an effort to reach a legislative compromise, is still far from assured. But it represents a meaningful starting point for further discussions, and is already shaping the long-running debate on national privacy standards. This alert looks closely at the proposed statutory text that seeks to define the breadth and scope of a federal privacy regime that policymakers have contemplated for years.

    Greater clarity about bill text and its overall prospects for passage are likely to emerge at the House Energy and Commerce Committee’s hearing scheduled for tomorrow at 10:30 a.m. ET.

    Federal Issues Federal Legislation Privacy/Cyber Risk & Data Security Special Alerts House Energy and Commerce Committee FTC Consumer Protection American Data Privacy and Protection Act

  • FTC says consumers lost more than $1 billion to crypto fraud

    Federal Issues

    On June 3, the FTC reported that consumers lost over $1 billion to fraud involving cryptocurrencies from January 2021 through March 2022. The FTC’s recent Consumer Protection Data Spotlight found that cryptocurrency is becoming the payment of choice for many scammers and that most reported cryptocurrency losses involved fake investment opportunities (totaling $575 million in reported losses since January 2021). The spotlight stated that nearly four out of every ten dollars reported lost to a fraud originating on social media was lost in crypto, far more than any other payment method. Following losses related to cryptocurrency schemes, the next largest losses involved romance scams ($185 million) and business and government impersonation scams ($133 million collectively).

    Federal Issues Digital Assets FTC Cryptocurrency Consumer Finance Fraud Consumer Protection

  • FTC to modernize guidance on preventing digital deception

    Federal Issues

    On June 3, the FTC announced that it is soliciting public comment on modernizing the agency’s business guidance titled “.com Disclosures: How to Make Effective Disclosures in Digital Advertising,” which was published in 2013 and provides guidance to businesses on digital advertising and marketing. In seeking public comment on possible revisions, the FTC is seeking information on the technical and legal issues that consumers, the FTC’s law enforcement partners, and others believe should be addressed. The issues include, among other things: (i) the usage of sponsored and promoted advertising on social media; (ii) advertising embedded in games and virtual reality and microtargeted advertisements; and (iii) the usage of dark patterns (manipulative user interface designs used on websites and mobile apps) and digital advertising that pose unique risks to consumers. According to the Commission, this effort “is one of a number of initiatives the FTC is undertaking to tackle dark patterns and digital deception, including issuing a click-to-cancel policy statement, proposing strengthened advertising guidelines against fake and manipulated reviews, arming staff with new tools to investigate dark patterns, and authorizing a Notice of Penalty Offense against deceptive reviews.” Comments close on August 2.

    Federal Issues Agency Rule-Making & Guidance FTC Consumer Protection Deceptive Disclosures

  • California’s privacy agency posts CPRA proposal

    Privacy, Cyber Risk & Data Security

    Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the February meeting that the rulemaking process will extend into the second half of the year. An updated formal rulemaking timeline may be released during the June 8 meeting.

    The draft regulations, which were introduced outside of the rulemaking process, set forth a working draft of the regulations to implement the CPRA and modify certain provisions and propose new regulations, including:

    • Adding, amending, and striking certain definitions. The CPRA draft regulations modify the definitions in the CCPA regulations. Specifically, the amendments strike “affirmative authorization” and “household” from the list of definitions, but add new terms such as “disproportionate effect,” “first party,” “frictionless manner,” “notice of right to limit,” “opt-out preference signal,” as well as terms related to a consumer’s right to request to correct, opt-in to sale/sharing, delete, know, or limit.
    • Outlining restrictions on the collection and use of personal information. The draft regulations state that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be “reasonably necessary and proportionate,” and “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses also must obtain a consumer’s explicit consent prior to collecting, using, retaining, and/or sharing the personal information for any purpose that is unrelated or incompatible with the original purpose for which the personal information was collected or processed.
    • Providing disclosure and communications requirements. Disclosures and communications are required to be easy to read and understandable to consumers, be available in languages in which the business ordinarily provides information, and be reasonably accessible to consumers with disabilities. The draft regulations also stipulate requirements for website and mobile application links.
    • Describing requirements for submitting CCPA requests and obtaining consumer consent. The draft regulations set forth methods for submitting CCPA requests and obtaining consumer consent, including requirements regarding the manner in which such requests and consents may be obtained. For example, the requests and consents must be easy to understand, must include symmetry in choice, and avoid confusing and manipulative language. Methods that do not comply with these requirements may be considered a “dark pattern” and will not constitute consumer consent.
    • Amending requirements related to a business’s privacy notice. The draft regulations would amend the requirements related to the information that must be included in a privacy notice related to a business’s online and offline practices regarding the collection, use, sale, sharing, and retention of personal information; and an explanation of CPRA rights conferred on consumers regarding their personal information, how they can exercise their rights, and what they can expect from this process.
    • Amending notices required by the CCPA. The draft regulations set forth additional requirements related to the notice at collection, the notice of right to opt-out of sale/sharing, and the “Do Not Sell or Share My Personal Information” link, such as updates to the content of the notices, location of the notices/links, and the effects of certain requests (e.g. “clicking the business’s ‘Do Not Sell or Share My Personal Information’ link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice”). The draft regulations would also amend the notice of financial incentive.
    • Providing instructions for the Notice of Right to Limit Use of Sensitive Personal Information. The draft regulations outline requirements for businesses to comply with a consumer’s rights to limit the use of sensitive personal information. They also provide businesses the option to use an alternative opt-out link to allow “consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate…links.”
    • Amending methods for handling consumer requests to delete, correct, and know. The draft regulations outline additional documentation requirements, as well as guidance on responding to consumer requests, including explanations for denying a request. Notably, in response to a request to know, “a business shall provide all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.” Additionally, a company that intends to collect additional categories of information that are “incompatible” with the originally disclosed purpose must provide a new notice at collection and obtain new consent.
    • Opt-out preference signals. The draft regulations set forth requirements for opt-out preference signals and how businesses should respond to such preferences. Specifically, the draft regulations provide that processing an opt-out preference must be done in a “frictionless manner” and includes examples.
    • Addressing consumer requests for limiting the use and disclosure of sensitive personal information. Businesses will be required to provide two or more designated methods for submitting requests to limit and must, among other things, comply with a request to limit “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” All service providers, contractors, and third parties must comply as well. The regulations set forth exceptions to the limitations for using and disclosing sensitive personal information.

    The draft regulations also amend provisions related to contract requirements for service providers/contractors/third parties, verification of requests, authorized agents, minor consumers, discriminatory practices, requirements for businesses collecting large amounts of personal information, and investigations and enforcement.

    Privacy/Cyber Risk & Data Security State Issues California CCPA CPRA CPPA Consumer Protection

  • DFPI issues NPRM to implement process for handling consumer complaints and inquiries under the CCFPL

    State Issues

    Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to adopt regulations to implement and interpret certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. (See also text of the proposed regulations here.) As previously covered by a Buckley Special Alert, AB 1864 was signed in 2020 to enact the CCFPL, which, among other things: (i) establishes UDAAP authority for DFPI; (ii) authorizes DFPI to impose penalties of $2,500 for “each act or omission” in violation of the law without a showing that the violation was willful, arguably representing an enhancement of DFPI’s enforcement powers in contrast to Dodd-Frank and existing California law; (iii) provides DFPI with broad discretion to determine what constitutes a “financial product or service” within the law’s coverage; and (iv) provides that administration of the law will be funded through the fees generated by the new registration process as well as fines, penalties, settlements, or judgments. While the CCFPL exempts certain entities (e.g., banks, credit unions, certain licensees), DFPI’s oversight authority was expanded to include debt collection, debt settlement, credit repair, check cashing, rent-to-own contracts, retail sales financing, consumer credit reporting, and lead generation.

    The NPRM proposes new rules to implement section 90008, subdivisions (a), (b), and (d)(2)(D), of the CCFPL related to consumer complaints and inquiries. According to DFPI’s notice, section 90008 subdivisions (a) and (b) authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries. Additionally, subdivision (d)(2)(D) “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”

    Among other things, the NPRM:

    • Identifies entities exempt from the consumer complaints and inquiries requirements;
    • Requires covered persons to respond to consumer complaints and to establish policies and procedures for receiving and responding to complaints, including providing a complaint form, acknowledging receipt of complaints, tracking complaints, the timeline for responding to complaints, the contents for such a response, and recordkeeping of such complaints;
    • Sets forth requirements for responding to complaints, including documenting when complaints do not require further investigation, performing an investigation of a complaint if warranted, and requiring corrective action to resolve a complaint such as an account adjustment, credit, or refund, and appropriate steps to prevent recurrence of the issue, which may include policy changes and employee training;
    • Requires designation of an officer with primary responsibility for the complaint process;
    • Requires covered persons to submit to DFPI a quarterly complaint report, which will be made public, and an annual inquiries report;
    • Sets forth requirements for covered persons to respond to inquiries from consumers and develop and implement written policies and procedures for responding to such inquiries;
    • Provides that covered persons must develop and implement written policies and procedures for responding to requests from DFPI regarding consumer complaints; and
    • Exempts certain information, such as nonpublic or confidential information, including confidential supervisory information, from disclosure to consumers.

    Written comments on the NPRM are due by July 5.

    State Issues State Regulators DFPI California CCFPL Consumer Complaints Consumer Protection Agency Rule-Making & Guidance Consumer Finance

  • FTC addresses importance of effective incident response and breach disclosure

    Privacy, Cyber Risk & Data Security

    On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The blog noted that the FTC Act creates a de facto data breach notification requirement because failure to disclose can increase the likelihood that affected parties will suffer harm. The post outlines effective security breach detection and response programs, which can: (i) permit an organization time to take remedial actions to counter, prevent, or mitigate an attack; (ii) prevent and minimize consumer harm from breaches; (iii) provide valuable information to the prevention function of a security team; and (iv) remove an attacker and allow for post-breach remedial measures. According to the FTC, failure to maintain such practices could indicate a lack of competition in the marketplace. The post stated that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Listing recent cyber-related FTC enforcement actions, the post explained that deceptive statements can limit consumers’ ability to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts. Looking at these cases together, the post further noted that “companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”

    Privacy/Cyber Risk & Data Security Federal Issues FTC FTC Act Data Breach Consumer Protection

  • NYDFS commits to mitigating virtual currency risks

    State Issues

    On May 20, NYDFS Superintendent Adrienne A. Harris emphasized the role regulation plays in protecting consumers from cybercriminals in the virtual currency marketplace. According to Harris, NYDFS is committed to mitigating risks in this space by guarding against sanctions evasion and illicit activity and making sure corporate infrastructure and consumer data are well protected from bad actors. Harris stressed that NYDFS “will continue to improve upon [its] regulation and supervision; engage with key stakeholders on important trends and issues; collaborate with state, federal and international regulators; and strive to be a forward-looking, innovative regulator, including through [its] VOLT initiative,” which supports the department’s efforts to increase transparency and enhance supervision related to virtual currency.

    State Issues Digital Assets Virtual Currency State Regulators NYDFS New York Consumer Protection Financial Crimes Fintech

  • Oklahoma establishes telephone solicitation restrictions

    State Issues

    On May 20, the Oklahoma governor signed HB 3168, which establishes the Telephone Solicitation Act of 2022. The bill, among other things, prohibits (i) certain sales calls without the prior express written consent of the called party; (ii) commercial telephone sellers or salespersons from using certain technology to conceal their true identity; and (iii) commercial telephone sellers or salespersons from using automated dialing or recorded messages to make certain commercial telephone solicitation phone calls. The bill also establishes a time frame during which a commercial telephone seller or salesperson may make commercial solicitation phone calls. The bill is effective November 1.

    State Issues State Legislation Oklahoma Robocalls Consumer Protection

  • Illinois amendments address confidentiality of customer financial records

    State Issues

    On May 13, the Illinois governor signed SB 3971, which makes various amendments to Illinois Banking Act and Savings Bank Act provisions concerning the confidentiality of customer financial records. Among other things, the Act provides that a bank must disclose financial records “only after the bank sends a copy of the subpoena, summons, warrant, citation to discover assets, or court order,” to the person establishing the relationship with the bank if living (or the person’s representative otherwise), at the person’s last known address. Further, such requests must be sent through a third-party commercial carrier or courier, with delivery charge fully prepaid, by hand or by electronic delivery at an email address on file with the bank (provided the person has consented to electronic delivery).

    The Act also stipulates that a bank retain customer financial records “in a manner consistent with prudent business practices and in accordance with this Act and applicable State or Federal laws, rules, and regulations.” A bank may also destroy records (with reasonable precautions taken to ensure the confidentiality of the information contained in the records) except where a retention period is required by law. The Act is effective immediately.

    State Issues State Legislation Illinois Illinois Banking Act Illinois Savings Bank Act Privacy/Cyber Risk & Data Security Consumer Protection

  • Connecticut becomes fifth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (covered by Buckley Special Alerts here and here and InfoBytes here and here). As previously covered by InfoBytes, Connecticut consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. The Act also outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests free of charge within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 60 days to cure the alleged violation before the attorney general can file suit. The Act takes effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection
