
InfoBytes Blog

Financial Services Law Insights and Observations


  • California enacts new data broker regulations

    State Issues

    The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism,” a streamlined method for consumers to delete their collected information, to be made available by January 1, 2026.

    Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during their yearly registration, including: (i) if they collect the personal information of minors; (ii) if they collect consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on their website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.

    The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.

     

    State Issues Privacy, Cyber Risk & Data Security State Legislation California CPPA Data Brokers Consumer Protection

  • California enacts two privacy bills AB 1194 and AB 947

    State Issues

    On October 8, the California governor signed two bills: AB 947, amending the California Consumer Privacy Act of 2018, and AB 1194, amending the California Privacy Rights Act (CPRA) of 2020. AB 947 amends the definition of “sensitive personal information” to include any personal information that reveals a consumer’s citizenship or immigration status. AB 1194 will ensure that when a consumer’s personal information relates to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services,” businesses are obligated to comply with the CPRA, except in cases where the information is in an aggregated, deidentified form and is not sold or shared. The CPRA already empowers consumers to request the deletion of their personal information, with some exceptions to accommodate a business’s obligations to adhere to federal, state, or local laws, fulfill court orders, respond to subpoenas for information, or cooperate with government agencies in emergency situations involving potential risks to a person’s life or physical well-being.

    AB 947 is effective January 1, 2024 and AB 1194 is effective July 1, 2024.

    State Issues Privacy, Cyber Risk & Data Security State Legislation CPRA CCPA Consumer Protection

  • Chopra foreshadows expanding oversight over digital payments

    Fintech

    On October 6, CFPB Director Rohit Chopra spoke at a digital payments event where he described the risks posed by private digital currencies and digital payments systems and provided steps that would increase CFPB oversight to help protect consumers from these risks.

    Chopra stated that from a consumer regulator’s perspective, it is important to safeguard against the risks of private currencies issued by nonbanks, which include the potential for sudden devaluation of the digital currency, intrusive data surveillance, censorship, private regulations that favor the issuer’s commercial interests, challenges with error resolution, and consumer fraud.

    Further, Chopra shared what he believes are warranted steps to ensure that private digital dollars and payments systems do not harm consumers:

    • The CFPB will issue supplemental orders to certain large technology platforms to acquire more data and information to better ascertain their business practices, especially with respect to the use of sensitive personal data and any issuance of private currencies.
    • To reduce the harms of errors, hacks, and unauthorized transfers, the Bureau will explore providing additional guidance on the applicability of the Electronic Fund Transfer Act with respect to private digital dollars and other virtual currencies for consumer and retail use.
    • The CFPB will use appropriate authorities to conduct supervisory examinations of nonbanks operating consumer payment platforms, including the authority over service providers to large depository institutions and the authority over large participants, which would subject nonbanks meeting a particular size threshold to CFPB supervision.
    • The Bureau will publish a proposed rule regarding personal financial data rights pursuant to Section 1033 of the Consumer Financial Protection Act, which will seek to accelerate America’s shift to open, competitive, and decentralized banking, while also seeking to safeguard against misuse of personal financial data.

    Additionally, Chopra stated the Financial Stability Oversight Council should consider exercising its authority under Title VIII of the Dodd-Frank Act to designate activity as, or as likely to become, a systemically important payment, clearing, or settlement activity so as to provide other agencies with critical oversight and tools to ensure that a stablecoin is actually stable.

    Fintech Federal Issues CFPB Supervision Consumer Protection Digital Assets

  • CFPB issues guidance on “excessive” account information fees, returns $140 million to consumers

    Agency Rule-Making & Guidance

    On October 11, the CFPB issued an advisory opinion concerning consumers’ requests for information regarding their accounts with large banks and credit unions (financial institutions). According to the Bureau, Section 1034(c) of the Consumer Financial Protection Act (the “law”) requires insured depository institutions that offer consumer financial products or services and that have total assets of more than $10 billion, as well as their affiliates, to “comply in a timely manner with consumer requests for information concerning their accounts for consumer financial products and services, subject to limited exceptions.” The advisory opinion includes the following guidance and interpretations:

    • Requirements of the law apply even if a customer does not expressly invoke the law.
    • Requirements of the law apply to consumer requests for information, including information that appears on periodic statements or in online portals, such as: (i) the amount of the balance in a deposit account; (ii) the interest rate on a loan or credit card; (iii) individual transactions or payments; (iv) bill payments; (v) recurring transactions; (vi) terms and conditions; and (vii) fee schedules.
    • The term “supporting written documentation” in the law requires financial institutions to provide, upon request, “written documents that will substantiate information provided in response to consumer questions, or that will assist consumers with understanding or verifying information regarding their accounts.”
    • Financial institutions must provide account information and documentation that is in their “control” and “possession.” This excludes (i) confidential commercial information; (ii) information collected to prevent fraud or money laundering or detecting or making any report regarding unlawful conduct; (iii) information required by law to be kept as confidential; and (iv) supervisory information and nonpublic information.
    • The law does not contain language stating or suggesting that financial institutions cannot impose unreasonable conditions on consumer information, but there is no reason to think Congress intended for the law to allow financial institutions to do so. Generally, the Bureau believes that imposing fees and obstacles that impede a consumer’s ability to exercise the rights granted by the law is a violation of the provision. A financial institution could violate this law by imposing “excessively long wait times to make a request to a customer service representative, requiring consumers to submit the same request multiple times, requiring consumers to interact with a chatbot that does not understand or adequately respond to consumers’ requests, or directing consumers to obtain information that the institution possesses from a third party instead,” among other things.
    • There is no fixed time limit for an institution to respond to a consumer’s request, but the CFPB does not view the timing requirements of this law to differ from the timing requirements of other applicable federal laws or regulations.
    • Responses must provide all information requested accurately to be considered compliant.

    CFPB Director Rohit Chopra delivered remarks on a press call, in which he emphasized that the Bureau’s investigations have uncovered many examples of junk fee-related misconduct by large financial institutions. He reminded consumers that financial institutions should not charge them excessive fees when trying to manage their finances. “Congress passed a law a decade ago requiring heightened customer service standards,” said Chopra. “To date, this law has not been enforced. We are changing that.” Chopra also announced that later this month, the CFPB will propose rules to create more competition in banking, making it more accessible to switch financial institutions for better rates and fewer junk fees.

    The CFPB additionally issued the results of its recent oversight inspections of major financial institutions, which resulted in financial institutions refunding $140 million in junk fees, $120 million of which were for “surprise overdraft fees and double-dipping on non-sufficient funds fees.”

    Agency Rule-Making & Guidance Federal Issues Junk Fees Consumer Protection Fees CFPB

  • FTC announces second request for public comment on rule to ban “junk fees”

    Federal Issues

    On October 11, the FTC released a notice of proposed rulemaking meant to prohibit unfair and deceptive, costly fees, also known as “junk fees.” After announcing its Advance Notice of Proposed Rulemaking last year (covered by InfoBytes here), and after considering more than 12,000 public comments, the FTC determined that some businesses misrepresent overall costs by omitting mandatory fees from advertised prices until consumers are “well into completing the transaction,” and fail to adequately explain the nature and amount of fees. The Commission is seeking another round of comments for its proposed rule, which, for any entity that “offers goods or services” to consumers, would prohibit:

    • Offering, displaying, or advertising an amount a consumer may pay without “clearly and conspicuously” disclosing the “total price,” which must be displayed “more prominently than any other pricing information.”
    • Misrepresenting “the nature and purpose of any amount a consumer may pay.”
    • Disclosing “any other pricing information” besides the total price “more prominently” than disclosures of the total price in an “offer, display, or advertisement.”

    The proposed rule would also grant the FTC more robust enforcement authority to seek refunds for harmed consumers and impose monetary penalties of up to $50,120 per violation. The proposed rule also requires businesses to include any mandatory costs for ancillary goods or services in their price disclosures.

    The FTC is working alongside the CFPB, OCC, FCC, HUD and the Department of Transportation to develop and implement rules banning junk fees. The CFPB has also issued guidance emphasizing that large banks and credit unions are prohibited from imposing unreasonable obstacles on customers, such as charging excessive fees, for basic information about their accounts. Further, the White House has called on federal agencies “to reduce or eliminate hidden fees, charges, and add-ons for everything from banking services to cable and internet bills to airline and concert tickets.” 

    The Commission is seeking public input on 37 questions, with comments due 60 days after publication in the Federal Register.

    Federal Issues Agency Rule-Making & Guidance FTC Junk Fees Consumer Protection Federal Register Fees

  • Software provider settles allegations related to data breach

    Privacy, Cyber Risk & Data Security

    On October 5, a software provider serving nonprofit fundraising entities agreed to pay almost $50 million to settle claims with 49 states and the District of Columbia alleging that the provider maintained insufficient data security measures and inadequately responded to a 2020 data breach. Specifically, the settlement resolved claims that the software provider violated state consumer protection laws, breach-notification laws, and the Health Insurance Portability and Accountability Act (HIPAA).

    According to the allegations, the data breach exposed donor information, including Social Security numbers and financial records, of over 13,000 nonprofit groups and organizations, and the provider waited two months before informing these clients of the breach.

    The settlement requires the provider to improve its cybersecurity protections and breach notification procedures.

    Earlier this year, the software provider also settled claims with the SEC for $3 million to address allegations of misleading disclosures relating to the same 2020 data breach.

     

    Privacy, Cyber Risk & Data Security SEC Data Breach HIPAA Consumer Protection Settlement

  • California enacts amendments to the Consumers Legal Remedies Act: Advertisements

    State Issues

    On October 7, the California governor approved SB 478 (the “Act”), enacting amendments to the Consumers Legal Remedies Act designed to prohibit “drip pricing,” which involves advertising a price that is lower than the actual price a consumer will have to pay for a good or service. The Act, with specified exceptions, will make it unlawful to advertise a price for a good or service that excludes additional fees or charges other than taxes. The California Legislature declared that the Act is not intended to prohibit any particular method of determining prices for goods or services, including algorithmic or dynamic pricing. Instead, it is intended to regulate how prices are advertised, displayed, and/or offered.

    The Act is effective July 1, 2024.

    State Issues State Legislation Advertisement Unfair California Consumer Protection

  • FTC data spotlight reveals social media as primary source for scams over other contact methods

    Federal Issues

    On October 6, the FTC released a data spotlight showing that more scams have originated on social media than through any other method of contact with consumers, accounting for $2.7 billion in consumer losses from 2021 to 2023. The FTC reports that the most frequently reported frauds in 2023 were online shopping scams on social media. However, promotions of fake investment opportunities on social media, mostly those relating to cryptocurrency, had the largest overall monetary losses. The FTC also provided a list of tips for consumers to limit their risks of fraud on social media, including restricting who can contact them on these platforms.

    Federal Issues Agency Rule-Making & Guidance Cryptocurrency Fraud Social Media Consumer Protection FTC

  • NY proposes amendments of debt collector rules

    State Issues

    On September 30, the New York City Department of Consumer and Worker Protection (Department) published proposed amendments to its rules relating to debt collectors. The proposed amendments to its 2020 rules, which require debt collectors to inform consumers about language access services, come in response to the CFPB’s 2020 updates to the FDCPA, and the Department’s 2022 public hearing, among other things. The proposed rule (i) repeals a section requiring debt collection agencies to give consumers certain disclosures when collecting on time-barred debt; (ii) requires debt collection agencies to maintain an annual report identifying certain actions taken by the agency in any language; (iii) expands the list of required records to cover compliance with relevant laws and rules, as well as a monthly log of all debt collection-related communications by any medium between the agency and the consumer; and (iv) adds definitions relating to communications with consumers, such as “attempted communication,” “clear and conspicuous,” “covered medical entity,” “limited-content message,” “original creditor” and “originating creditor.”

    State Issues Agency Rule-Making & Guidance New York Consumer Finance Consumer Protection Debt Collection CRA

  • CFPB shares concerns and actions regarding medical debt collection

    Federal Issues

    On October 4, Seth Frotman, the CFPB’s General Counsel and senior advisor to Director Chopra, delivered remarks at the New Jersey Citizen Action Education Fund’s Financial Justice Summit. He heralded the work and mission of the CFPB, and focused on the impact of medical debt. He emphasized the CFPB’s concerns that families are being “saddled with medical bills they should not – or do not – owe,” and mentioned a recent enforcement action ordering a medical debt collector to pay more than a million dollars in penalties and redress “because the collector continued to collect on debts without verifying that they were valid after consumers disputed them.” He further discussed the impact of medical bills on consumer credit, such that consumers have a “strong incentive to pay the medical bill, even when they think it’s not the right amount or don’t owe it at all.”

    Federal Issues CFPB Medical Debt Consumer Finance Debt Collection Consumer Protection
