InfoBytes Blog

Financial Services Law Insights and Observations


  • California regulator advises businesses to only collect needed data under CCPA

    Privacy, Cyber Risk & Data Security

    On April 2, the California Privacy Protection Agency issued Enforcement Advisory No. 2024-01 reminding businesses that data minimization is a foundational principle of the California Consumer Privacy Act. The Advisory noted that the Agency has observed certain businesses collecting unnecessary and disproportionate amounts of personal information and emphasized that minimization principles would apply to processing consumer requests. As such, the Advisory highlighted the requirements of minimization, including the concept that the collection, use, sharing, and retention of personal information must be reasonable and proportionate to the purposes identified, considering the minimum personal information required, the potential negative impacts on consumers, and the existence of additional safeguards that addressed the applicable negative impacts. The Advisory also discussed two scenarios: one described an opt-out procedure, and the other described verification in connection with a consumer request. For the opt-out procedure, the Advisory reminded businesses that they may not verify a consumer’s identity to process an opt-out (they may, however, ask the consumer for the information necessary to complete the request). For the verification procedures, the Advisory outlined a possible process for analyzing whether additional verification information would be required, such as whether the business stores driver license information.

    Privacy, Cyber Risk & Data Security California CCPA CPPA Digital Identity Identity Theft

  • CPPA releases latest draft of automated decision-making technology regulation

    State Issues

    The California Privacy Protection Agency (CPPA) released an updated draft of its proposed enforcement regulations for automated decisionmaking technology in connection with its March 8 board meeting. The draft regulations included new definitions, including “automated decisionmaking technology” which means “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking,” which expands its scope from its previous September update (covered by InfoBytes here).

    Among other things, the draft regulations would require businesses that use automated decisionmaking technology to provide consumers with a “Pre-use Notice” to inform consumers on (i) the business’s use of the technology; (ii) their right to opt-out of the business’s use of the automated decisionmaking technology and how they can submit such a request (unless exempt); (iii) a description of their right to access information; and (iv) a description of how the automated decisionmaking technology works, including its intended content and recommendations and how the business plans to use the output. The draft regulations detailed further requirements for the opt-out process.

    The draft regulations also included a new article, entitled “risk assessments,” which provided requirements as to when a business must conduct certain assessments, as well as requirements for businesses that process personal information to train automated decisionmaking technology or artificial intelligence. Under the proposed regulations, every business whose processing of consumers’ personal information may present significant risk to consumers’ privacy must conduct a risk assessment before initiating that processing. If a business previously conducted a risk assessment for a processing activity in compliance with the article and submitted an abridged risk assessment to the CPPA, and there were no changes, the business is not required to submit an updated risk assessment. The business must, however, submit a certification of compliance to the CPPA.

    The CPPA has not yet started the formal rulemaking process for these regulations and the drafts are provided to facilitate board discussion and public participation, and are subject to change. 

    State Issues Privacy Agency Rule-Making & Guidance California CPPA Artificial Intelligence

  • California Attorney General warns small banks and credit unions on fees

    State Issues

    On February 22, California State Attorney General, Rob Bonta, issued a letter to small banks and credit unions cautioning that overdraft and returned deposited item fees may infringe upon California’s Unfair Competition Law (UCL) and the CFPA. The letter, directed at institutions in California with assets under $10 billion, highlighted concerns that such fees disproportionately burden low-income and minority consumers. Bonta emphasized that these fees often catch consumers off guard, leading to significant financial strain, and urged the financial institutions in California to comply with state and federal laws by eliminating such practices.

    The letter underscores how overdraft and returned deposited item fees can harm consumers, and potentially constitute unfair acts against them. Bonta also pointed out how overdraft fees cannot be reasonably anticipated due to the complexities of transaction processing, making it challenging for consumers to make informed financial decisions. Furthermore, the letter warned that imposition of returned deposited item fees, which are charges by financial institutions when a consumer deposits a check that bounces (due to an issue with the check originator such as insufficient funds or a stop payment order), is likely an unfair business practice in violation of the UCL and CFPA because consumers are usually unable to reasonably avoid the fee. 

    This action by the California Attorney General is notable for its focus on smaller financial institutions that were expressly excluded from the CFPB’s proposed rule last month on overdraft fees (previously covered by InfoBytes here); however, the action is broadly consistent with the CFPB’s guidance on returned deposited item fees (also covered by InfoBytes here).

    State Issues California State Attorney General Overdraft CFPA Unfair

  • District Court decides in favor of bank despite alleged FDCPA and RESPA violations

    Courts

    On February 15, the U.S. District Court for the Central District of California granted a bank defendant’s motion to dismiss certain claims presented in the plaintiff’s complaint alleging violations of the Fair Debt Collection Practices Act (FDCPA) and Real Estate Settlement Practices Act (RESPA).

    With respect to the FDCPA claim, the court found that the defendant did not qualify as a “debt collector” within the meaning of the statute because the defendant acquired the loan through its merger with the original creditor of the plaintiff’s mortgage. The court noted that several other district courts have held that an entity that acquires a debt through its merger with another creditor is not a “debt collector” under the FDCPA even if the merger occurred following the borrower’s default on the debt.

    With respect to the plaintiff’s RESPA claim, the court found that the plaintiff failed to allege a violation of the statute because the plaintiff’s letter to the defendant, which requested a copy of the original promissory note underlying the deed of trust as well as a loan payoff amount, did not constitute a “qualified written request” triggering the defendant’s obligations under RESPA to respond.  

    Courts RESPA FDCPA California Mortgages

  • California Attorney General settles with food delivery company for allegedly violating two state privacy acts

    Privacy, Cyber Risk & Data Security

    On February 21, the California State Attorney General Office announced its complaint against a food delivery company for allegedly violating the California Consumer Privacy Act of 2018 (CCPA) and the California Online Privacy Protection Act of 2003 (CalOPPA) for failing to provide consumers notice or an opportunity to opt-out of the sale.

    The CCPA requires businesses that sell personal information to make specific disclosures and give consumers the right to opt out of the sale. Under the CCPA, a company must disclose a privacy policy and post an “easy-to-find ‘Do Not Sell My Personal Information’ link.” The California AG alleged that the company provided neither notice. The AG also alleged that the company violated CalOPPA by not making required privacy policy disclosures. The company’s existing disclosures indicated that the company could only use customer data to present someone with advertisements, but not give that information to other businesses to use.

    The proposed stipulated judgment, if approved by a court, will require the company to pay a $375,000 civil money penalty, and to (i) comply with CCPA and CalOPPA requirements; (ii) review contracts with vendors to evaluate how the company is sharing personal information; and (iii) provide annual reports to the AG on potential sales or sharing of personal information.

    Privacy, Cyber Risk & Data Security California State Attorney General CCPA CalOPPA Enforcement Data

  • California appeals court vacates a ruling on enjoining enforcement of CPRA regulations

    State Issues

    On February 9, California’s Third District Court of Appeal vacated a lower court’s decision to enjoin the California Privacy Protection Agency (CPPA) from enforcing regulations implementing the California Privacy Rights Act (CPRA).  The decision reverses the trial court’s ruling delaying enforcement of the regulations until March 2024, which would have given businesses a one-year implementation period from the date final regulations were promulgated (covered by InfoBytes here).

    The CPRA mandated the CPPA to finalize regulations on specific elements of the act by July 1, 2022, and provided that “the Agency’s enforcement authority would take effect on July 1, 2023,” a one-year gap between promulgation and enforcement. The CPPA did not issue final regulations until March of 2023, but sought to enforce the rules starting on the July 1, 2023, statutory date. In response, in March 2023, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations. The trial court held that a delay was warranted because “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” On appeal, the court emphasized that there is no explicit and unambiguous language in the law prohibiting the agency from enforcing the CPRA until at least one year after final regulations are approved, and found that while the mandatory dates included in the CPRA “amounts to a one-year delay,” such a delay was not mandated by the statutory language. The court further found that there is no indication from the ballot materials available to voters in passing the statute that the voters intended such a one-year delay. The court explained that the one-year gap between regulations could have been interpreted to give businesses time to comply, or as a period for the agency to prepare for enforcing the new rules, or there may also be other reasons for the gap.

    Accordingly, the appellate court held that the Chamber of Commerce “was simply not entitled to the relief granted by the trial court.” As a result of the court’s decision, businesses are now required to commence implementing the privacy regulations established by the agency.

    State Issues Privacy Courts California Appellate CPPA CPRA

  • California DFPI proposes new regulations under the Debt Collection Licensing Act

    State Issues

    On February 9, the California Department of Financial Protection and Innovation (DFPI) published a proposed rule to adopt new regulations under the Debt Collection Licensing Act (DCLA). Under the DCLA, a debt collector licensee is required to pay the DFPI Commissioner its “pro rata share of all costs and expenses incurred in the administration” of the DCLA, which is calculated in part based on the licensee’s “net proceeds generated by California debtor accounts,” but the term “net proceeds” was not defined in the statute. The proposed rule defines “net proceeds generated by California debtor accounts” to mean “the amount retained by a debt collector from its California debt collection activity.” The proposed rule also specifies the formulas used in calculating the net proceeds depending on the party, including a debt buyer, purchaser of debt that has not been charged off or in default, third-party collector, and first-party collector.

    Additionally, the proposed rule requires licensees to file an annual report with the DFPI and specifies the information required in the annual report, including (i) the number of California debtor accounts collected on in the previous year; (ii) the number of California debtor accounts in the licensee’s portfolio as of December 31 of the preceding year; and (iii) the number and dollar amount of California debtor accounts for which collection was attempted, but not successfully collected or resolved during the previous year. Comments to the proposed rule must be submitted by March 27.

    State Issues California Agency Rule-Making & Guidance Debt Collection Licensing Act

  • California Attorney General investigates streaming services for CCPA violations

    Privacy, Cyber Risk & Data Security

    On January 26, California State Attorney General Rob Bonta announced an investigative initiative by issuing letters to businesses operating streaming apps and devices, accusing them of non-compliance with the California Consumer Privacy Act (CCPA). The focus of the investigation is the evaluation of streaming services’ adherence to the CCPA's opt-out requirements, in particular those businesses that sell or share consumer personal information. The investigation targets businesses failing to provide a direct mechanism for consumers wishing to prevent the sale of their data.

    AG Bonta urged consumers to know about and exercise their rights under the CCPA, emphasizing the right to instruct businesses not to sell their personal information. The CCPA grants California consumers enhanced rights regarding the collection, sharing, and disclosure of their personal information by businesses, and compliance responsibilities include responding to consumer requests and providing necessary notices about privacy practices. AG Bonta noted that the right to opt-out under the CCPA mandates that businesses selling or sharing personal data for targeted advertising must facilitate an easy and minimal-step process for consumers to exercise their right. For example, users should be able to easily navigate their streaming service’s mobile application settings to enable the “Do Not Sell My Personal Information” option. The expectation is that this choice remains effective across various devices if users are logged into their accounts when electing to opt-out. Finally, Bonta added that consumers should be given easy access to a streaming service’s privacy policy outlining their CCPA rights. 

    Privacy, Cyber Risk & Data Security State Issues State Attorney General CCPA California Compliance Opt-Out Consumer Protection

  • DFPI fines online platform for omitting convenience fee disclosures

    State Issues

    On January 9, DFPI issued a consent order against an online platform (respondent) that enables merchants to provide installment contracts to customers. The consent order resolved alleged violations of the California Consumer Financial Protection Law (CCFPL) arising from the convenience fees assessed by a third-party service provider when consumers opt to pay their installments online or by phone. According to the consent order, since 2021 respondent guaranteed that consumers entering into contracts on its platform had a fee-free payment method. However, for a time respondent failed to disclose potential optional convenience fees in the initial contract. Although the third-party servicer disclosed the convenience fees to consumers, DFPI took issue with the respondent’s failure to disclose these fees before transferring consumers to the third-party servicer to enter into the contracts. In other words, consumers only became aware of both the existence and amounts of these fees after entering into contractual obligations. DFPI accused respondent of deceiving consumers by failing to disclose this information first.

    Under the terms of the consent order, respondent must pay a $50,000 penalty and must disclose information about the potential convenience fees that may be assessed by a servicer.

    State Issues California DFPI CCFPL Enforcement Disclosures Third-Party Consumer Finance

  • California Appellate Court overturns ruling on FDCPA

    Courts

    On December 18, a California Court of Appeal overturned a lower court’s dismissal of a case involving claims under the federal FDCPA and California’s Rosenthal Fair Debt Collection Practices Act (Rosenthal Act). The appellate court found the lower court had erred in dismissing the case pursuant to California’s anti-SLAPP statute, which provides a mechanism for early dismissal of meritless lawsuits arising from protected communicative activities.

    The dismissal arises from a class action filed in 2021, alleging that the defendant debt collector – who had filed an action to collect on a defaulted student loan – lacked the documents necessary to collect or enforce the loan, and thus violated the FDCPA and the Rosenthal Act. The complaint also claimed the collector violated California’s Unfair Competition Law (UCL) by engaging in “prohibited unlawful, unfair, fraudulent, deceptive, untrue, and misleading acts and practices as part of its direct and indirect collection and attempted collection of debts that have previously been adjudicated.” The complaint referenced a 2017 CFPB consent order with the defendant, previously covered by InfoBytes here, where the consent order involved allegations that the collector had filed lawsuits against consumers for private student loan debt that it could not prove was owed or that was outside the applicable statute of limitations.

    In response to the complaint, the defendant debt collector filed a demurrer and an anti-SLAPP motion. While the lower court granted the anti-SLAPP motion, the appellate court reversed, concluding that the plaintiff’s claims were not barred by the litigation privilege. The appellate court found that the lower court had “only considered the litigation privilege in considering the probability that [the plaintiff] would prevail on her claims,” and did not consider the public interest exception to California’s anti-SLAPP law (which provides that the anti-SLAPP law does not apply to actions brought solely in the public interest or on behalf of the general public if certain conditions are met). The appellate court directed the trial court to determine whether the plaintiff met her burden of demonstrating a probability of prevailing on the merits of her claims and to consider the public interest exception.

    Courts California Appellate FDCPA Rosenthal Fair Debt Collection Practices Act
