Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On December 12, the U.S. District Court for the Northern District of California granted a defendant’s motion for summary judgment in a suit alleging that it collected consumers’ data without first obtaining their consent. According to the opinion, the plaintiffs are users of the defendant’s browser who alleged that they chose not to sync their browsers with the defendant’s accounts while browsing the web from July 2016 to the present. The complaint further noted that the browser’s sync feature permits “users to store their personal information by logging into the browser with their [defendant’s] account.” The district court granted the defendant’s motion for summary judgment after determining that most of the issues are “browser agnostic” rather than specific to the browser. Furthermore, the district court determined that because those issues are not specific to the browser, the defendant’s general privacy policies “governs the collection of those categories of information identified by plaintiffs.” The district court also found that “a reasonable person viewing those disclosures would understand that [the defendant] maintains the practices of collecting its users' data when users use [the defendant’s] services or third-party sites that use [the defendant’s] services and that [the defendant] uses the data for advertising purposes.” The district court also noted that “a reasonable user reviewing these same disclosures would understand that [the defendant] combines and links this information across sites and services for targeted advertising purposes.”
On July 28, the U.S. Department of Treasury’s Office of Financial Research (OFR) announced the establishment of the Climate Data and Analytics Hub pilot, which will be used to help financial regulators assess risks to financial stability due to climate change. According to the announcement, the Climate Data and Analytics Hub permits participants to integrate data from across the federal government, including wildfire, crop condition, precipitation, and other climate-related data, with their public supervisory data for a more precise view of the relationship between climate change and financial stability risk. Additionally, it is “equipped with statistical and visualization applications that will allow deeper insight into climate-related financial risks and vulnerabilities.” Access to the pilot is initially limited to the Federal Reserve Board of Governors and the Federal Reserve Bank of New York, with the goal of expanding access to all of the Financial Stability Oversight Council member agencies. The OFR also released a Fact Sheet, which provides more information on the Climate Data and Analytics Hub.
On July 20, the U.S. House Committee on Energy and Commerce voted 53-2 to send H.R. 8152, the American Data Privacy and Protection Act, to the House floor. As previously covered by a Buckley Special Alert, a draft of the bill was released in June, which would, among other things, require companies to collect the least amount of data possible to provide services, implement special protections for minors, and allocate enforcement responsibilities to the FTC. The bill has been revised from its initial draft to allow consumers to bring lawsuits after notifying certain state and federal regulators beginning two years after the law takes effect, which is different from the four-year wait period proposed in the draft. Additionally, the current patchwork of five state privacy laws would be preempted, although under the revised bill California's new privacy agency would be allowed to enforce the federal law. The revised bill also includes a provision that narrows the scope of algorithmic impact assessments required of large data holders to focus on algorithms that pose a “consequential risk of harm.” Additionally, the revised bill includes a more expansive definition of “sensitive data” to include browsing history, race, ethnicity, religion and union membership. It also sets a tiered system of responsibility depending on the size of companies for data related to people under 17.
On March 26, the CFPB announced several regulatory flexibility measures to help financial companies work with consumers affected by Covid-19. Specifically, the measures postpone certain industry data collections on Bureau-related rules. These include:
- HMDA. Quarterly information reporting by certain mortgage lenders as required under HMDA and Regulation C will not be expected during this time. However, entities should continue collecting and recording HMDA data in anticipation of making annual submissions. Entities will be provided information by the Bureau on when and how to commence new quarterly HMDA data submissions. (See statement here.)
- TILA. During this time, annual submissions required under TILA, Regulation Z, and Regulation E “concerning agreements between credit card issuers and institutions of higher education; quarterly submission of consumer credit card agreements; collection of certain credit card price and availability information; and submission of prepaid account agreements and related information” will not be expected. (See statement here.)
- Section 1071. A survey seeking information from financial institutions on the cost of compliance in connection with pending rulemaking on Section 1071 of the Dodd-Frank Act has been postponed. As previously covered by InfoBytes, under the terms of a stipulated settlement resolving a 2019 lawsuit that sought an order compelling the Bureau to issue a final rule implementing Section 1071, the Bureau agreed to outline a proposal for collecting data and studying discrimination in small-business lending.
- PACE Financing. A survey of firms providing Property Assessed Clean Energy (PACE) financing to consumers for the purposes of implementing Section 307 of the Economic Growth, Regulatory Relief, and Consumer Protection Act has been postponed.
- Supervision and Enforcement. The Bureau’s policy statement provides “that it does not intend to cite in an examination or initiate an enforcement action against any entity for failure to submit to the Bureau” specified information related to credit card and prepaid accounts. However, the Bureau’s announcement advises entities to “maintain records sufficient to allow them to make delayed submissions pursuant to Bureau guidance.” With respect to operational challenges facing institutions due to Covid-19, the Bureau states that it will work with institutions when scheduling examinations and other supervisory activities to minimize disruption and burden. “[W]hen conducting examinations and other supervisory activities and in determining whether to take enforcement action, the Bureau will consider the circumstances that entities may face as a result of the [Covid-19] pandemic and will be sensitive to good-faith efforts demonstrably designed to assist consumers,” the announcement states.
Global technology companies testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On September 26, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Examining Safeguards for Consumer Data Privacy” to discuss whether federal lawmakers should write a broad federal online privacy law in the wake of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, which was amended on September 23. Committee Chairman, Senator John Thune, noted that the September 26 hearing was the first in a series of hearings the Committee plans to hold to discuss consumer data privacy concerns. Testifying before the Committee were executives representing six global technology and telecommunications companies who all agreed that there is a need for federal consumer privacy safeguards that would give consumers more control over the way their data is used. The witnesses also supported the idea of engaging in further discussions with the Committee regarding the FTC’s enforcement powers under its current authority to determine whether the agency needs more resources and tools to carry out its responsibilities effectively. However, the witnesses cautioned that Congress needed to strike an appropriate balance between industry accountability and giving government agencies unchecked power. The witnesses also voiced their opposition to proposed legislation that would require businesses to notify consumers of data breaches within 72 hours of their discovery.
Among other things, the hearing also discussed topics addressing: (i) GDPR compliance burdens; (ii) the need for federal privacy laws to preempt the growing “patchwork” of inconsistent state laws; (iii) pitfalls of mandatory opt-in requirements for consumers; (iv) data use transparency and mandatory disclosures; and (v) efforts undertaken by companies to monitor violations of the Children’s Online Privacy Protection Act, particularly with respect to both in-house and third-party apps offered by the several of the witnesses’ companies.
On September 25, the CFPB released a report on the Bureau’s data governance program, including what data the Bureau collects, from where the data is sourced, and how the data is used and reused within the Bureau. The report emphasizes that data informs a large portion of the Bureau’s work, including rule writing, supervision, enforcement, consumer education, and market monitoring. The report details the more than 188 data collections from public sources, government agencies, commercial vendors, financial institutions, and consumers that the Bureau has undertaken to date. In connection with the report, the Bureau issued a request for information (RFI) seeking feedback on the Bureau’s data governance program and data use. Specifically, the RFI requests comments on, among other things, (i) the overall effectiveness and efficiency of the Bureau’s data collections; (ii) privacy issues related to the Bureau’s data collection practices; (iii) ways the Bureau should or should not reuse data collected for one purpose to inform other work; and (iv) ways the Bureau could make data reporting less burdensome. Comments must be received by December 27.