InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California enacts amendments to the Consumers Legal Remedies Act: Advertisements
On October 7, the California governor approved SB 478 (the “Act”), enacting amendments to the Consumers Legal Remedies Act designed to prohibit “drip pricing,” which involves advertising a price that is lower than the actual price a consumer will have to pay for a good or service. The Act, with specified exceptions, will make advertising the price of a good or service excluding additional fees or charges other than taxes, unlawful. The California Legislature declared that the Act is not intended to prohibit any particular method of determining prices for goods or services, including algorithmic or dynamic pricing. Instead, it is intended to regulate how prices are advertised, displayed, and/or offered.
The Act is effective July 1, 2024.
FTC data spotlight reveals social media as primary source for scams over other contact methods
On October 6, the FTC released a data spotlight showing that more scams have originated on social media than on any other method of contact with consumers, accounting for $2.7 billion in consumer losses from 2021 to 2023. The FTC reports that the most frequently reported frauds in 2023 were online shopping scams on social media. However, promotions of fake investment opportunities, mostly those relating to cryptocurrency, on social media had the largest overall monetary losses. The FTC also provided a list of tips for consumers to limit their risks of fraud on social media, including restricting who can contact them on these platforms.
NY proposes amendments of debt collector rules
On September 30, the New York City Department of Consumer and Worker Protection (Department) published proposed amendments to its rules relating to debt collectors. The proposed amendments to its 2020 rules, which require debt collectors to inform consumers about language access services, come in response to the CFPB’s 2020 updates to the FDCPA, and the Department’s 2022 public hearing, among other things. The proposed rule (i) repeals a section requiring debt collection agencies to give consumers certain disclosures when collecting on time-barred debt; (ii) requires debt collection agencies to maintain an annual report identifying certain actions taken by the agency in any language; (iii) expands the list of required records to cover compliance with relevant laws and rules, as well as a monthly log of all debt collection-related communications by any medium between the agency and the consumer; and (iv) adds definitions relating to communications with consumers, such as “attempted communication,” “clear and conspicuous,” “covered medical entity,” “limited-content message,” “original creditor” and “originating creditor.”
CFPB shares concerns and actions regarding medical debt collection
On October 4, Seth Froman, the CFPB’s General Counsel and senior advisor to Director Chopra, delivered remarks at the New Jersey Citizen Action Education Fund’s Financial Justice Summit. He heralded the work and mission of the CFPB, and focused on the impact of medical debt. He emphasized the CFPB’s concerns that families are being “saddled with medical bills they should not – or do not – owe,” and mentioned a recent enforcement action ordering a medical debt collector to pay more than a million dollars in penalties and redress “because the collector continued to collect on debts without verifying that they were valid after consumers disputed them.” He further discussed the impact of medical bills on consumer credit, such that consumers have a “strong incentive to pay the medical bill, even when they think it’s not the right amount or don’t owe it at all.”
FTC roundtable on generative AI and the creative economy
On October 4, the FTC hosted a virtual roundtable to hear directly from creators on how generative artificial intelligence (AI) is affecting their work and livelihood. FTC Chair Lina Khan noted the Commission’s role enforcing rules of fair competition and its intention to “keep pace” to fully understand how new technology can be used and the negative impacts. Khan reminded the audience that there is no “AI exemption” to the laws regarding unfair methods of competition or collusion, discrimination, or deception. In addition, Commissioner Kelly Slaughter mentioned that the generative AI dynamic of web scraping is often performed without the knowledge of creators whose livelihood depends on displaying a public portfolio.
Duncan Crabtree-Ireland, chief negotiator for SAG AFTRA, stated that the companies using AI technology must receive informed consent and compensation for the use of individuals’ likenesses. John August, committee member for the Writers Guild of America, explained the union’s position that AI generated content can be considered an unfair method of competition, and that creators deserve protection against the unfair use of their work. Douglas Preston, author and former president of the Writers Guild of America, shared that he is part of a class action lawsuit with 16 other authors against a generative AI platform.
Overall, participants asked the FTC to initiate rulemaking, and support in federal legislation as necessary to underpin the protection of creators’ livelihood, as technology is outpacing law and regulation. They suggested that moving forward, platforms should request creators to opt-in, rather than opt-out of the use of their works to teach and support generative AI output. Moreover, participants repeatedly mentioned a need for disclosures for consumers, so they know when synthetic AI-generated voices, among other things, are used in content generated for consumers.
FCC updates rules to curb robocallers
On September 21, the FCC adopted rules that would strengthen and modernize the requirements that providers under the Voice over Internet Protocol (VoIP) need to abide by to obtain direct access to telephone numbers. The rules impose guardrails to make it more difficult for those who make illegal robocalls to access telephone numbers, which the FCC stated helps to protect national security and law enforcement, safeguard the nation’s finite numbering resources, reduce the opportunity for regulatory arbitrage, and further promote public safety. The FCC finalized the rules after the FCC sought comment in 2021 under the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, which directed the FCC to examine its rules regarding direct access to telephone numbers.
The rules require an applicant seeking direct access to telephone numbers to:
- Provide certifications regarding its compliance with FCC robocall rules, FCC interconnected VoIP provider rules, and timely filing of FCC Forms 477 and 499.
- Submit disclosures on and continue to update its ownership structure, including related foreign entities, to reduce the risk that U.S. numbering resources reach bad actors abroad.
- Comply with applicable business-related state laws and registration requirements.
The rules codify the FCC’s role in completing direct access application review and rejection and the authorization revocation process.
Additionally, the rules instruct the North American Numbering Council to study numbering use to inform the FCC’s future rulemaking. The rules also seek comments on a variety of topics, including further reforms on new direct access applications, duties of existing direct access authorization holders, and whether direct access applicants should disclose a list of states where they will provide initial services.
The rules will take effect 30 days after publication in the Federal Register.
Kentucky banks win injunction on Small Business Lending Rule enforcement
On September 14, U.S. District Judge Karen K. Caldwell issued an order granting an injunction sought by the Kentucky Bankers Association and eight Kentucky-based banks to enjoin the CFPB from implementing and enforcing requirements for small business lenders until the U.S. Supreme Court rules on the CFPB’s funding structure (previously covered by InfoBytes here and here).
As previously covered by InfoBytes, the plaintiff banks filed their motion for a preliminary injunction seeking an order to enjoin the CFPB from enforcing the Small Business Lending Rule against them for the same reasons that a Texas district court enjoined enforcement of the rule (Texas decision covered by InfoBytes here). The CFPB argued, among other things, that the plaintiff banks failed to satisfy the factors necessary for preliminary relief, that the plaintiff banks are factually wrong in asserting that the Rule would require lenders to compile “‘scores of additional data points’ about their small business loans,” and the “outlier ruling of the 5th Circuit” in the Texas case does not demonstrate that the plaintiff banks are entitled to the relief they seek.
In the order granting the preliminary injunction, Judge Caldwell discussed the factors for determining whether injunctive relief is appropriate. Notably, Judge Caldwell determined that the irreparable harm factor weighs in favor of the plaintiffs, stating “[p]laintiffs are already incurring expenses in preparation for enforcement of the Rule and will not be able to recover upon a Supreme Court ruling that the CFPB’s funding structure is unconstitutional.” Additionally, Judge Caldwell indicated that the likelihood of success factor “does not tip the scale in either direction,” and the substantial harm to others if the preliminary injunction is granted, and the public interest factors “carry little weight” because “[b]efore the Rule becomes enforceable, a decision on the merits will be issued by the highest court in the land.”
Judge Caldwell found that the imposition of the preliminary injunction “will create no harm to the CFPB nor the public since the rule would not otherwise be enforceable in the interim” and granted the preliminary injunction “in the interest of preserving the status quo until the Supreme Court has made its decision.”
Tech giant to pay $62M in smartphone location tracking suit
On September 14, 2023, in the U.S. District Court of the Northern District of California, San Jose Division, plaintiffs filed a motion for preliminary approval of a proposed Class Action Settlement Agreement and Release pursuant to which a tech giant will pay $62 million to resolve claims that it illegally tracked and stored such users’ private location information even after users opted out. According to the filing, the proposed settlement “would be used to pay for the costs of Notice and Settlement administration, any Court-awarded attorneys’ fees and expenses and Class Representative Service Awards” with the balance being “distributed to one or more Court-approved cy pres recipients” each of which must be “independent 501(c)(3) organizations with a track record of addressing privacy concerns on the Internet.”
The company also agreed to injunctive relief for a period of at least three years, requiring it to, among other things: (i) “maintain a policy whereby (a) Location Information stored through Location History (“LH”) and Web & App Activity (“WAA”) is automatically deleted by default after a period of at least 18 months when users opt into these settings for the first time, and (b) users can set their own auto-delete periods;” (ii) provide users with instructions on how to disable each data collection setting, delete the data collected, and set retention limits; and (iii) confirm that the company “does not now share users’ precise Location Information collected in LH or WAA with third parties (except for valid legal reasons).” The settlement class includes as many as 247 million smartphone users whose location information the company stored “while “Location History” was disabled” from January 1, 2014, through the notice date.
In a statement on September 15, a spokesperson for the company said “[c]onsistent with improvements we've made in recent years, we have settled this matter, which was based on outdated product policies that we changed years ago."
Delaware Personal Data Privacy Act to protect consumers
On September 11, Delaware’s governor signed HB 154 (the “Act”), which creates the Delaware Personal Data Privacy Act. The Act ensures that residents of Delaware have the right to be informed about the collection of their personal information, access that information, rectify any inaccuracies, or request the deletion of their personal data held by individuals or entities. The Act will apply to those who conduct business in the State, that “produce products or services that are targeted to residents of the State [of Delaware] and that during the preceding calendar year,” processed personal data of more than 35,000 consumers, or processed the personal data of at least 10,000 consumers while deriving more than 20 percent of their gross revenue from personal data sales. Additionally, the Act mandates that the Delaware Department of Justice conduct public outreach programs to educate consumers and the business community about the Act, starting at least 6 months before the date on which the Act becomes effective.
The Act is effective on January 1, 2025.
CPPA continues efforts towards California Privacy Rights Act
The California Privacy Protection Agency board is continuing its efforts to prepare regulations implementing the California Privacy Rights Act (covered by InfoBytes here and here).
Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the board. Draft regulations on automated decision-making remain to be published. More comprehensive comment and feedback is expected on these draft regulations, unlike regulations finalized in March that were presented in a more robust state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, adding a ticking reminder to the finalization process for these draft regulations.
The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must also be completed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying the business has not influenced the audit, and has reviewed the audit and understands its findings.
The draft risk assessment regulations require conducting a risk assessment prior to initiating processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list include the selling or sharing of personal information; processing personal information of consumers under age 16; and using certain automated decision-making technology, including AI.