InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Tech giant to pay $62M in smartphone location tracking suit
On September 14, 2023, in the U.S. District Court of the Northern District of California, San Jose Division, plaintiffs filed a motion for preliminary approval of a proposed Class Action Settlement Agreement and Release pursuant to which a tech giant will pay $62 million to resolve claims that it illegally tracked and stored such users’ private location information even after users opted out. According to the filing, the proposed settlement “would be used to pay for the costs of Notice and Settlement administration, any Court-awarded attorneys’ fees and expenses and Class Representative Service Awards” with the balance being “distributed to one or more Court-approved cy pres recipients” each of which must be “independent 501(c)(3) organizations with a track record of addressing privacy concerns on the Internet.”
The company also agreed to injunctive relief for a period of at least three years, requiring it to, among other things: (i) “maintain a policy whereby (a) Location Information stored through Location History (“LH”) and Web & App Activity (“WAA”) is automatically deleted by default after a period of at least 18 months when users opt into these settings for the first time, and (b) users can set their own auto-delete periods;” (ii) provide users with instructions on how to disable each data collection setting, delete the data collected, and set retention limits; and (iii) confirm that the company “does not now share users’ precise Location Information collected in LH or WAA with third parties (except for valid legal reasons).” The settlement class includes as many as 247 million smartphone users whose location information the company stored “while “Location History” was disabled” from January 1, 2014, through the notice date.
In a statement on September 15, a spokesperson for the company said “[c]onsistent with improvements we've made in recent years, we have settled this matter, which was based on outdated product policies that we changed years ago."
Delaware Personal Data Privacy Act to protect consumers
On September 11, Delaware’s governor signed HB 154 (the “Act”), which creates the Delaware Personal Data Privacy Act. The Act ensures that residents of Delaware have the right to be informed about the collection of their personal information, access that information, rectify any inaccuracies, or request the deletion of their personal data held by individuals or entities. The Act will apply to those who conduct business in the State, that “produce products or services that are targeted to residents of the State [of Delaware] and that during the preceding calendar year,” processed personal data of more than 35,000 consumers, or processed the personal data of at least 10,000 consumers while deriving more than 20 percent of their gross revenue from personal data sales. Additionally, the Act mandates that the Delaware Department of Justice conduct public outreach programs to educate consumers and the business community about the Act, starting at least 6 months before the date on which the Act becomes effective.
The Act is effective on January 1, 2025.
CPPA continues efforts towards California Privacy Rights Act
The California Privacy Protection Agency board is continuing its efforts to prepare regulations implementing the California Privacy Rights Act (covered by InfoBytes here and here).
Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the board. Draft regulations on automated decision-making remain to be published. More comprehensive comment and feedback is expected on these draft regulations, unlike regulations finalized in March that were presented in a more robust state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, adding a ticking reminder to the finalization process for these draft regulations.
The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must also be completed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying the business has not influenced the audit, and has reviewed the audit and understands its findings.
The draft risk assessment regulations require conducting a risk assessment prior to initiating processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list include the selling or sharing of personal information; processing personal information of consumers under age 16; and using certain automated decision-making technology, including AI.
CFPB issues guidance on adverse action reasons by creditors using AI
On September 19, the CFPB issued guidance about legal requirements that creditors must follow when using artificial intelligence and other complex models.
In prior guidance, the agency stated that lenders must provide specific and accurate reasons for adverse actions against consumers. The latest guidance expanded upon that prior guidance to clarify that lenders cannot simply use CFPB sample adverse action forms and checklists when taking adverse actions against consumers, but must explain the reasons for such adverse actions to help improve consumers’ chances for future credit, and protect consumers from illegal discrimination.
In its announcement of the updated guidance, the CFPB discussed the potential that consumers may be denied credit as a result of the increased use of complex, predictive decision-making technologies to analyze large datasets that may include consumer surveillance data or other information that the consumer may not believe is relevant to their finances. The agency confirmed that creditors must disclose the specific reasons for adverse action, even if consumers may be surprised, upset, or angered to learn their credit applications were being graded on data that may not intuitively relate to their finances. According to the guidance, a creditor is not absolved from the requirement to specifically and accurately inform consumers of the reasons for adverse actions because the use of predictive decision-making technologies in their underwriting models makes it difficult to pinpoint the specific reasons for such adverse actions.
California AG advocates for medical payment reforms
California Attorney General Rob Bonta submitted a letter to federal agencies urging the federal government to adopt regulations and statutory protections to help protect patients who may need to use medical credit cards and installment loans to pay for healthcare-related bills.
The letter notes that medical payment products exacerbate health disparities, that patients seeking medical care may not be in an appropriate position to make complex financial decisions, and offers California’s protections against medical payment products as a model framework.
In the letter, which is addressed to the U.S. Department of Health and Human Services, Centers for Medicare & Medicaid Services, the CFPB, and the Treasury, Bonta recommends (i) designating medical credit card debt as medical debt and not consumer debt; (ii) ensuring providers properly screen patients for financial aid and charity care before offering a medical payment product; (iii) limiting enrollment when patients may be distressed or under the influence of medication; (iv) providing written notice of financial assistance and potential eligibility for charity care; (v) making reasonable efforts to notify patients about the level of insurance coverage of medical expenses; and (vi) reducing patient cost-sharing responsibilities.
CFPB announces consent order against leasing company
On September 11, the CFPB issued a consent order against an Ohio-based nonbank consumer finance company (respondent), for deceptive practices related to consumer leasing agreements. The CFPB, along with 41 states and the District of Columbia, addressed respondent’s conduct in a parallel multi-state settlement. According to the consent order, respondent, operating through major retailers, allegedly concealed contract terms and costs from consumers, leading them to unknowingly enter into costly leasing agreements. The Bureau claims that deceptive practices left consumers unable to return products and burdened with unexpectedly high payments, violating the CFPA and Regulation M, implementing the Consumer Leasing Act.
The consent order states that respondent concealed lease agreement terms, often providing consumers with copies of the agreements after transactions or relying on verbal descriptions from store employees. Consumers were also allegedly trapped by unreasonable return practices, as respondent did not accept returns for many items, forcing consumers to pay excessively high prices. Additionally, the CFPB claimed respondent failed to provide legally required disclosures, leading to revenues of approximately $192 million from around 325,000 consumers.
As a result of the consent order, respondent is permanently prohibited from offering consumer leases and is required to close all outstanding consumer accounts. Consumers will be allowed to keep leased merchandise without further payment, amounting to approximately $33.6 million in released payments. Respondent must also pay a $2 million penalty, with $1 million going to the CFPB's victims’ relief fund and the remaining $1 million allocated to the participating states.
The CFPB's director, Rohit Chopra, emphasized the significance of the order, stating that it permanently bans respondent from engaging in such agreements. The alleged deceptive practices, which occurred from January 1, 2015 to the present, and allegedly affected over 1.8 million consumers who entered into financial agreements with the company covering a wide range of items, from auto parts to furniture and jewelry. Respondent neither admitted nor denied the CFPB’s claims.
CFPB reaches $2.6 billion settlement with credit repair telemarketers
On August 28, the CFPB announced a proposed settlement with Utah-based credit repair telemarketers and various affiliates (collectively, "defendants") for allegedly committing deceptive acts and practices in violation of the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA) by collecting illegal advance fees. As previously covered by InfoBytes, in its initial lawsuit the CFPB alleged the defendants requested and received payment of “prohibited” upfront fees for telemarketed credit repair services when they signed up. In June, a district court ruling put a hold on the Bureau’s initial attempt to impose the settlement because of “outstanding issues of fact” which precluded it from entering the agency’s requested relief at that time (covered by InfoBytes here). The Bureau and defendants have now agreed to a new settlement which will, among other things, (i) impose over $2.7 billion in redress (understanding that the principal corporate defendant is in Chapter 11 bankruptcy proceedings); (ii) impose over $64 million in civil money penalties; (iii) ban defendants from telemarketing and from doing business with certain marketing affiliates for ten years; and (iv) require defendants to send a notice of the settlement to “any remaining enrolled customers who were previously signed up through telemarketing.”
The proposed settlement is subject to final approval by the court.
District Court denied motion to dismiss CFPA and FDCPA claims against debt buyers
On August 22, the U.S. District Court for the Western District of New York refused to dismiss CFPA and FDCPA claims brought by the CFPB that alleged violations related to misrepresentations made to debtors by debt collectors. The CFPB’s complaint alleged that defendants purchased defaulted consumer debt and then placed it for collection with, or sold it to, a network of debt collectors who consistently violated consumer protection laws by making false statements to debtors. These false statements included informing consumers that (i) they would be sued for failing to pay the debts; (ii) that their credit score would be impacted by paying or not paying the debt; and (iii) that they could face criminal charges for failing to pay the debt. The complaint additionally alleged that defendants were aware of the allegedly unlawful acts by the debt collectors they used through monitoring of the debt collectors and consumer complaints made to defendants.
The CFPB’s complaint alleged violations against a variety of corporate entities responsible for the alleged debt collection practices, as well as individual executives at those entities. Defendants moved to dismiss the complaint on several grounds. The defendants argued that they are not “covered persons” under the CFPA, because they do not actually collect debts themselves. The district court held that the defendants were “covered persons” under the CFPA since they were engaged in the collection of consumer debt, writing that it would “strain ordinary understanding to say that a company is not engaged in collecting debt when it purchases defaulted debt, places that debt with other companies for collection, and then receives some of the money recovered by those debt collectors.” Similarly, the defendants argued that they are not “debt collectors” under the FDCPA. The court also rejected this argument, reasoning that defendants’ principal purpose was debt collection making them a “debt collector” for FDCPA purposes, because they purchased portfolios of debts and derived most of their revenue from collecting those debts.
The district court also rejected defendants’ arguments that they could not be held vicariously liable for the conduct of the third-party debt collectors under the CFPA or FDCPA, reasoning that parties can be found vicariously liable for the acts of their agents under both statutes. The court held that because the CFPB’s complaint alleged that the defendants exercised authority over the debt collectors, vicarious liability for the violations by the debt collectors was appropriate.
The district court further held that the complaint adequately alleged violations of the CFPA by the individual defendants. The court held that the individual defendants enabled violations of the CFPA, relying on the fact that the individual defendants had both knowledge of the violations and the ability to control the violations, by either providing instructions to the debt collectors or by refusing to place debts with those collectors. Further, the court held that the individual defendants could be liable for “substantially assisting” violations of the CFPA, because the complaint alleged that the individual defendants recklessly disregarded unlawful behavior by the debt collectors and continued to place or sell debts to those collectors.
Finally, defendants also argued that both the CFPA and the FDCPA claims are time barred by the statute of limitations. The court rejected the defendants’ argument that the CFPB’s FDCPA claims were barred by the FDCPA’s one-year statute of limitations, holding that this provision applies only to private plaintiffs. The court held that FDCPA claims brought by the CFPB are subject to the CPFA’s statute of limitations, which bars claims brought more than three years after the CFPB’s discovery of the violations. The court further rejected the defendants’ argument that the claims were barred by this three-year statute of limitations, holding that it is unclear from the complaint when the CFPB became aware of facts constituting the violation and that the receipt of a consumer complaint by the CFPB will not necessarily constitute the date that the CFPB discovered or should have discovered the facts constituting the violation.
CFPB contests motions for preliminary injunctions to block enforcement of Small Business Lending Rule
On August 22, the CFPB filed an opposition to a motion made by a group of intervenors seeking to expand the scope of a preliminary injunction issued by the U.S. District Court for the Southern District of Texas, which enjoined the CFPB from implementing its Small Business Lending Rule. As previously covered by InfoBytes, the original plaintiffs in the litigation, a Texas banking association and a Texas bank, challenged the legality of the CFPB’s Small Business Lending Rule. After the American Bankers Association joined the case, the plaintiffs sought, and the court granted, a preliminary injunction enjoining implementation and enforcement of the rule against plaintiffs and their members. The intervenors, who consist of both banking and credit union trade associations, as well as individual banks and credit unions, seek a nationwide injunction that would apply beyond the parties to the case, or at least to the intervenors and their members. The CFPB’s opposition to this request for an expanded preliminary injunction argues that the intervenors fail to show that they would suffer immediate harm from enforcement of the Small Business Lending Rule.
In a related matter, on August 21, a group of Kentucky banks and a Kentucky banking association filed a motion for a preliminary injunction in the U.S. District Court for the Eastern District of Kentucky against the CFPB, seeking a preliminary injunction enjoining the CFPB from enforcing the Small Business Lending Rule against the plaintiffs and their members. Referencing the parallel Texas litigation, the Kentucky plaintiffs allege that they are entitled to an order enjoining enforcement of the Small Business Lending Rule against them for the same reasons that the Texas district court enjoined enforcement of the rule.
The most recent litigation activity follows a request from a group of trade associations to the CFPB to take administrative action to address the disparity in compliance dates that results from the district court’s injunction, a disparity that the trade associations argue is both unfair and disruptive to the market’s compliance efforts. The CFPB declined this request.
Both of these challenges to the Small Business Lending Rule point to a recent decision issued by the U.S. Court of Appeals for the Fifth Circuit in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where the court found that the CFPB’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here), as justification for why the final rule should ultimately be set aside.
7th Circuit affirms dismissal of proposed Driver’s Privacy Protection Act class action
On August 22, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a proposed class action alleging that defendant insurance companies leaked the plaintiffs’ drivers license numbers, holding that the plaintiffs lacked standing to sue the insurance companies. In a split decision, the majority opinion held that plaintiffs failed to establish standing to bring a lawsuit under the Driver’s Privacy Protection Act (DPPA) based on the unauthorized disclosure of their driver’s license numbers through a form on defendant’s website. The majority held that plaintiffs failed to allege a concrete injury, writing that allegations that plaintiffs are worried about future identity theft stemming from the disclosure are insufficient for standing, focusing on legitimate reasons why driver’s license numbers are commonly exposed to third-parties. The majority further held that plaintiffs failed to allege that false unemployment benefit applications submitted in their name were traceable to the disclosure of their driver’s license number, dooming their standing claim. In a dissent, Judge Kenneth Ripple disagreed with the majority’s conclusion that plaintiffs failed to make sufficient allegations to justify standing, reasoning that the DPPA contemplates a private right of action for the types of harms suffered by the plaintiffs and that plaintiffs adequately alleged that they suffered harm from false unemployment benefit applications submitted as a result of the driver’s license number leak.