Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On October 4, the California governor signed AB 1320, which requires a licensee to supply a toll-free telephone number on its internet website so that a customer may contact the licensee for customer service issues and receive live customer assistance, in addition to displaying the days and times that the telephone line is operative. Among other things, the bill requires that a telephone number be included in the information contained in a receipt given to a customer at the time of a money transmission transaction. In addition, the bill specifies that the telephone line must be operative “at least 10 hours per day, Monday through Friday, excluding federal holidays.” The bill is effective July 1, 2022.
On October 12, the California Department of Financial Protection and Innovation (DFPI) issued a third draft of proposed regulations implementing the requirements of the commercial financing disclosures required by SB 1235 (Chapter 1011, Statutes of 2018). As previously covered by InfoBytes, in 2018, California enacted SB 1235, which requires non-bank lenders and other finance companies to provide written consumer-style disclosures for certain commercial transactions, including small business loans and merchant cash advances. In July 2019, California released the first draft of the proposed regulations, initiated the formal rulemaking process with the Office of Administrative Law in September 2020, and subsequently released a second round of modifications in August (covered by InfoBytes here, here, and here). The third modifications to the proposed regulations follow a consideration of public comments received on the various iterations of the proposed text. Among other things, the proposed modifications:
- Amend several terms including “approved advance limit,” “approved credit limit,” “at the time of extending a specific commercial financing offer,” “benchmark rate,” “broker,” “provider,” and “recipient funds.”
- Define the term “specific commercial financing offer” to mean a written communication to a recipient related to specific payment amounts and costs of financing, but does not include a recipient’s name, address, or general interest in financing.
- Amend certain disclosure requirements and thresholds, including specific circumstances that a provider can disregard when making calculations and disclosures.
- Clarify APR calculation requirements and tolerances and outline disclosure criteria for specifying the amount of financing used to pay down or pay off other amounts owed by a recipient.
- Amend duties and requirements for financers and brokers.
- Amend criteria for specifying the amount of funding a recipient will receive.
Comments on the third modifications must be received by October 27.
Recently, the California governor enacted several state bills relating to consumer financial protection. On October 6, AB 790 was signed, which expands upon provisions of the Consumer Legal Remedies Act that relate to “home solicitations of a senior citizen where a loan encumbers the primary residence of the consumer for purposes of paying for home improvement.” Specifically, the bill extends the Act’s protections to cover loans for assessments under the Property Assessed Clean Energy (PACE) program, or certain provisions regulating PACE under the California Financing Law, such that violations would qualify as unfair methods of competition and unfair or deceptive acts or practices.
On October 6, AB 424 was signed, which enacts the Private Student Loan Collections Reform Act. The bill prohibits a private education lender or loan collector from making a written statement to a debtor attempting to collect a private education loan unless the private education lender or private education loan collector has certain related information to the debt and provides it to the debtor. In addition, among other things, the bill: (i) prohibits a private education lender or private education loan collector from bringing certain legal proceeding to collect a private education loan if the statute of limitations expired; (ii) creates a state-mandated local program by expanding the scope of the crime of perjury; and (iii) makes other provisions related to settlement agreements and payment notification requirements. The bill is effective July 1, 2022.
On October 4, AB 1221 was signed, which specifies that service contract requirements must include certain elements and cancellation policies. Among other things, the bill: (i) requires a service contract to include a clear description and identification of the covered product; (ii) makes a violation of certain provisions of the Electronic and Appliance Repair Dealer Registration Law a misdemeanor; and (iii) specifies “that a service contract may be offered on a month-to-month or other periodic basis and continue until canceled by the buyer or the service contractor and would require a service contract that continues until canceled by the buyer or service contractor to, among other things, disclose to the buyer in a clear and conspicuous manner that the service contract shall continue until canceled by the buyer or service contractor and provide a toll-free number, email address, postal address, and, if one exists, internet website the buyer can use to cancel the service contract.” In addition, by expanding the scope of the crime in violation of the Electronic and Appliance Repair Dealer Registration Law, the bill imposes a state-mandated local program. The law is effective January 1, 2022.
On October 4, AB 1405 was signed, which enacts the Fair Debt Settlement Practices Act. Among other things, the bill: (i) specifies that customers in a debt settlement plan have a window of three days to review disclosures prior to the contract taking effect; (ii) defines “debt settlement provider”; (iii) prohibits unfair, abusive, or deceptive acts or practices from a debt settlement provider and a payment processor when providing certain services; (iii) authorizes a consumer to terminate a contract for debt settlement services at any time without a fee or penalty of any sort by notifying the debt settlement provider; and (iv) authorizes a consumer to bring a civil action for violation.
On October 6, the California governor signed SB 41, which requires direct-to-consumer genetic testing companies to provide consumers with information about the collection, use, maintenance, and disclosure of genetic data. Under the Genetic Information Privacy Act (GIPA), companies are required to honor a consumer’s revocation of consent and destroy a consumer’s biological sample within 30 days after the consent has been revoked. Companies must also obtain a consumer’s express consent for collection, use, or disclosure of an individual’s genetic data. GIPA also requires companies to comply with all applicable federal and state laws for disclosing genetic data without a consumer’s express consent, and companies must “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified.” Violations of the law may result in civil penalties ranging from $1,000 to $10,000. Exempt from GIPA’s provisions is medical information governed by the Confidentiality of Medical Information Act, or medical information collected and used by business associates of a covered entity governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services.
Earlier on October 5, the governor also signed AB 825, which expands the definition of “personal information” to include genetic data, regardless of its format. Under existing law, any agency that owns or licenses computerized data that includes personal information is required to immediately disclose a security breach upon discovery to California residents who may have been impacted. Agencies are also required to implement and maintain reasonable security procedures and practices.
Both bills take effect January 1, 2022.
California authorizes prepaid accounts to accept publicly administered funds provided no overdraft fees
On October 5, the California governor signed SB 497, which, among other things, amends the definition of a “qualifying account” use for the purposes of depositing certain publicly administered funds. The amendment eliminates prepaid card accounts from the definition of “qualifying account,” and instead authorizes “a prepaid account or a demand deposit or savings account offered by or through an entity other than an insured depository financial institution, as specified, that is not attached to an automatic credit or overdraft feature, unless the credit or overdraft feature has no fee, charge, or cost, or it complies with the requirements for consumer credit under the federal Truth in Lending Act.” Specifically, persons or entities that are not insured depository financial institutions but who offer, maintain, or manage non-“qualifying accounts” are prohibited from soliciting, accepting, or facilitating the direct deposit of the publicly administered funds into the accounts.
On October 4, the California governor signed AB 390, which amends and adds Section 17602 of the Business and Professions Code regarding automatic subscription renewals. The law applies to businesses conducting automatic renewal or continuous services offers to California customers. Among other things, the bill requires that: (i) notice be provided at least 3 days before and at most 21 days before the expiration of the period for which a fee gift or trial, or promotional or discounted price, applies; (ii) notice be provided at least 15 days and not more than 45 days before the automatic renewal offer or continuous service offer renews; and (iii) a business allow a consumer to terminate the automatic renewal or continuous service offer without engaging in steps that may delay the consumer’s ability to immediately terminate the policy. The bill also specifies that a “‘free gift’ does not include a free promotional item or gift given by the business that differs from the subscribed product.” The law takes effect July 1, 2022.
On October 4, the California governor signed AB 1177, which establishes the California Public Banking Option Act and requires the state treasurer to convene a commission to conduct a market analysis to determine the feasibility of establishing a program for California consumers who lack access to traditional banking services. The CalAccount Program, if implemented, would protect unbanked and underbanked consumers from predatory, discriminatory, and costly alternatives by providing “access to a voluntary, zero-fee, zero-penalty, federally insured transaction account . . . and related payment services at no cost to accountholders.”
Among other things, the Act would (i) require the establishment of a process for accountholders to deposit funds into a CalAccount for no fee; (ii) impose a mandate requiring employers and hiring entities to maintain payroll direct deposit arrangements to allow workers to voluntarily participate in the program; (iii) require landlords to allow tenants to pay rent and security deposits by electronic funds transfers from a CalAccount; (iv) require a board (established to administer the program) to contract with and coordinate financial services vendors for the program and build an expansive financial services network of participating ATMs, banks, credit union branches, and other in-network partners to allow account holders to load or withdraw funds from their CalAccount without paying fees; (v) require the board to establish a no-fee process to allow all account holders to arrange for payments to a registered payee using a preauthorized electronic fund transfer from a CalAccount; (vi) establish rules governing the participation of individuals under the age of 18; (vii) provide a secure web-based portal and mobile application to allow individuals access and management of their CalAccount; and (viii) facilitate connectivity with other state and local government agencies and entities so public assistance programs and other disbursements may be directly deposited by electronic fund transfer into a CalAccount. The Act requires the commission to be convened on or before September 1, 2022, with the market analysis due on or before July 1, 2024 to the Chair of the Senate Committee on Banking and Financial Institutions and the Chair of the Assembly Committee on Banking and Finance.
On October 4, the California governor signed SB 531, which requires debt collectors to provide more information to consumers when assigned to collect a debt. Among other things, the bill: (i) expands the standards to allow Californians to verify a collector’s authority; (ii) bans creditors from selling the debt without first giving the debtor 30-day notice; (iii) requires debt buyers to provide a written statement to the debtor upon request; and (iv) prohibits, in certain circumstances, a debt collector from making a written statement to a debtor in an attempt to collect a delinquent consumer debt. The law is effective starting July 1, 2022.
Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data as required by the California Consumer Privacy Act (CCPA). Following a 2020 ransomware attack, class members claimed that sensitive information (including nonencrypted and nonredacted personal information) stored on the defendants’ network was compromised. The defendants countered that class members failed to establish that the defendants qualify as a “business” under the statute as opposed to a “service provider.”
As previously covered by a Buckley Special Alert, the CCPA, which became effective January 1, 2020, defines a “business” as an entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.” The CCPA defines a “service provider” as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” While the CCPA provides a limited private right of action for actual or statutory damages against a business, actions against service providers can only be brough by the California attorney general. According to the court, class members adequately alleged that the defendants act as a business rather than a service provider based on allegations that they, among other things, collect consumers’ personal information from consumers (instead of receiving personal information from another business), and determine “the purposes and means of the processing of consumers’ personal information.” The court also rejected the defendants’ argument that class members failed to “plausibly” establish that their information was stolen because the ransomware attack merely encrypted the data on the defendants’ computer systems. “It may be that [p]laintiff’s personal information was not exfiltrated in a nonencrypted and nonredacted form,” the court stated, “[b]ut at this stage, especially when the bases for dismissal upon which [d]efendants rely do not appear in the complaint, the Court concludes that [p]laintiff’s allegations are sufficient to survive a motion to dismiss.”
According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban, Soltani’s “background in technology and privacy, and his work on both the CCPA and the [California Privacy Rights Act (CPRA)] give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.” As previously covered by InfoBytes, earlier this year, California’s governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
- Daniel R. Alonso to discuss internal investigations at the Institute of Internal Auditors of Argentina Spanish-language webinar
- Jonice Gray Tucker to discuss “Fintech trends” at the BIHC Network Elevating Black Excellence Regional Summit
- Jeffrey P. Naimon to discuss "Truth in lending” at the American Bar Association National Institute on Consumer Financial Services Basics
- Daniel R. Alonso to discuss anti-money-laundering at FELABAN Spanish-language webinar “Perspective for banks: LAFT, FINCEN, OFAC, Cryptocurrency”
- Daniel R. Alonso to discuss "What’s new in BSA/AML compliance?" at the Institute of International Bankers Regulatory Compliance Seminar
- Marshall T. Bell and John R. Coleman to speak at 2021 AFSA Annual Meeting
- Jon David D. Langlois to discuss "Regulatory update: What you need to know under the new boss; It won’t be the same as the old boss" at the IMN Residential Mortgage Service Rights Forum (East)
- Benjamin B. Klubes to discuss “Creating a Fantastic Workplace Culture”
- John R. Coleman and Amanda R. Lawrence to discuss “Consumer financial services government enforcement actions – The CFPB and beyond” at the Government Investigations & Civil Litigation Institute Annual Meeting
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Jonice Gray Tucker to discuss “Regulators always ring twice: Responding to a government request” at ALM Legalweek