InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Pennsylvania appeals court upholds broad standard for “deception” under state consumer protection law
On September 12, the Superior Court of Pennsylvania held that Pennsylvania’s Uniform Trade Practices and Consumer Protection Law (UTPCPL) imposes strict liability on businesses who deceive consumers and does not require proof of fraud or negligent misrepresentation to state a claim. The plaintiffs brought common law claims of fraudulent and negligent misrepresentation and a statutory claim under the UTPCPL against insurance companies related to the sale of various insurance products. The common law claims of fraudulent and negligent misrepresentation went to a jury, which returned verdicts on both counts in favor of the insurance companies. The trial judge, however, found that the insurance companies violated the “deceptive” provision of the UTPCPL and awarded damages to the consumers. The insurance companies appealed, arguing that (i) the jury verdict on the common law claims required the court to dismiss the UTPCPL claim, and (ii) challenging the judge’s damages award calculation.
The appellate court affirmed the trial court’s determination that the defendants acted deceptively under the UTPCPL. The insurance companies argued that the UTPCPL claim was barred by the doctrines of collateral estoppel and res judicata based on the jury’s determination that the defendants had not committed a negligent misrepresentation. The appellate court, however, explained that these doctrines do not apply because the UTPCPL raises distinct issues. The court rejected the argument that the consumer must prove common law negligent misrepresentation to bring a claim under the deceptive prong of the UTPCPL. The court concluded that “any deceptive conduct, ‘which creates a likelihood of confusion or of misunderstanding,’” is actionable under the UTPCPL “whether committed intentionally (as in a fraudulent misrepresentation), carelessly (as in a negligent misrepresentation), or with the upmost care (as in strict liability).” The court also upheld the trial court’s damages determination under the UTPCPL, finding that the judge’s calculation was appropriate and consistent with the statute.
29 bipartisan state Attorneys General respond to FTC's consumer protection hearing announcement
On August 20, a bipartisan coalition of 29 state Attorneys General, led by Oregon Attorney General Ellen Rosenblum, submitted a comment letter to the FTC regarding the agency’s June announcement of public hearings on “Competition and Consumer Protection in the 21st Century.” The letter requests that the state Attorneys General be included in the discussions regarding consumer protection during the agency’s hearing process, which intends to address “whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy.” The letter emphasizes the states’ “long history of protecting consumers from unfair and deceptive practices” under each state’s consumer protection authority and offers specific comment on three areas of the FTC request: (i) privacy and big data; (ii) communication and media technology; and (iii) algorithmic decision tools and other artificial intelligence. Specifically, the Attorneys General note consumers’ concerns over personal information and data security, stating the “[i]ndustry must place privacy and security front and center in its research and development of products and services.” The letter concludes with a request that the agency take into account the “important role” the Attorneys General have in consumer protection and include their offices in the hearing process.
Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement
On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered entities—defined in the statute as, “a person . . . that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation”— to notify affected Colorado residents within 30 days after the determination that a security breach occurred. The notice to residents must include, among other things, (i) the date range of the security breach; (ii) a description of the personal information that was part of the security breach; (iii) contact information for the entity; and (iv) contact information for credit reporting agencies and the FTC. The act defines personal information to include a Colorado resident’s first name or first initial and last name in combination with the following non-encrypted or redacted items: “social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.” Other key elements of the law include:
- In addition to notifying affected residents, covered entities must notify the Colorado Attorney General within 30 days if the entity determines 500 or more people have been affected by the security breach, unless the entity determines that misuse of the information has not and is not likely to occur.
- If the covered entity determines 1000 or more people are affected by the security breach, “in the most expedient time possible and without unreasonable delay” the entity must notify all consumer reporting agencies.
- Covered entities are required to implement and maintain reasonable security procedures that are “appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.”
- If a covered entity discloses a consumer’s personal information to a third-party service provider, the covered entity must require the third-party to implement and maintain reasonable security procedures.
The law also includes security and notification requirements for Colorado governmental entities.
District of Columbia mayor passes bill to make code consistent with FTC, federal court interpretations of unfair or deceptive trade practices
On May 21, District of Columbia Mayor Muriel Bowser signed B22-0185/D.C. Act 22-367 to, among other things, update portions of the District of Columbia’s Official Code concerning the term “unfair or deceptive trade practice” to make it consistent with interpretations made by the FTC and federal courts. Language under the Consumer Protection Clarification and Enhancement Amendment Act of 2018, has been amended to read as follows: “It shall be a violation of this chapter for any person to engage in an unfair or deceptive trade practice, whether or not any consumer is in fact misled, deceived, or damaged thereby.” The amendments also increase the civil penalty for first violations of the act to not more than $5,000 per violation, and to not more than $10,000 for repeat violations. The act will take effect following a 30-day congressional review period.