
InfoBytes Blog

Financial Services Law Insights and Observations



  • State attorneys general push Congress on federal consumer privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 8, the Attorney General of California, Rob Bonta, and 15 other state attorneys general wrote a letter to Congressional leaders following the introduction of the American Privacy Rights Act (APRA) in Congress. The attorneys general encouraged Congress to set a “federal floor, not a ceiling” for consumer privacy rights, as APRA preempts state law under its current draft. The letter highlighted how states have “played a critical role” in setting new data privacy standards without curbing business practices or developments in technology. In addition, the attorneys general expressed concern that the APRA would limit the ability of some attorneys general to issue civil investigative demands (CIDs) because their CID authority would require a violation of state or federal law before issuance. The APRA, however, provided that “a violation of [the APRA] or a regulation promulgated under [the APRA] may not be pleaded as an element of any violation of [a state] law.” Despite these concerns, the attorneys general did express their support for other provisions of APRA, such as data minimization by default, stronger consent requirements, and protections for minors.

    Privacy, Cyber Risk & Data Security Congress California State Attorney General HIPAA

  • Bank granted motion to dismiss in credit card sign-up bonus class action


    On April 15, the U.S. District Court for the Northern District of California entered an order granting a defendant bank’s motion to dismiss a plaintiff’s claims relating to alleged false advertising in connection with a credit card, with leave to amend. Plaintiff alleged that after responding to a social media advertisement for a credit card in December 2022, promising a $200 cash sign-up bonus for spending $500 within the first three billing cycles, he applied for and was approved for the card. However, the terms of the agreement he entered into with defendant did not mention the sign-up bonus, and he never received it. Consequently, plaintiff sued for "Breach of Contract Including Breach of the Covenant of Good Faith and Fair Dealing," asserting that defendant’s actions are part of a broader marketing strategy to entice customers to apply for defendant’s credit cards. Defendant filed a motion to dismiss the case based on two arguments: (i) plaintiff lacks the necessary Article III standing; and (ii) plaintiff failed to state a claim upon which relief can be granted.

    The court sided with the defendant on both arguments, determining that (i) the plaintiff failed to establish the “traceability” element of standing because it is not clear when the advertisement was seen or what it specifically promised; and (ii) the contract did not include a promise for a sign-up bonus, such that no breach of contract had occurred.

    The court provided plaintiff with leave to amend within 45 days from entry of the order.

    Courts California Credit Cards Class Action

  • DFPI annual report highlights consumer protection efforts and upcoming regulations

    State Issues

    On April 25, the California DFPI released its Annual Report of Activity under the California Consumer Financial Protection Law (CCFPL), highlighting investigations, public actions, and consumer outreach efforts under the CCFPL. According to the report, the DFPI (i) experienced a 70 percent increase in CCFPL complaints, which predominantly involved crypto assets and debt collectors; (ii) opened 734 CCFPL-related investigations and issued 181 public CCFPL actions; (iii) launched the Crypto Scam Tracker and a new consumer complaints portal; and (iv) advanced two rules, including unlawful, unfair, deceptive, or abusive acts and practices (UUDAAP) protections for small businesses and new registration requirements (pending final approval by the Office of Administrative Law) for earned wage access, debt settlement services, debt relief services, and private postsecondary education financing products.

    The report emphasized that the new regulations specified that optional payments, such as tips, collected by California Financing Law (CFL)-licensed lenders would be considered charges under the law. According to the DFPI, these updates will reinforce the CFL by blocking potential loopholes and ensuring compliance among CFL-licensed lenders. Once these regulations are approved, DFPI will oversee these financial service providers. Upon adoption, DFPI says it will be a pioneer in defining “earned wage access” as loans and regulating income advance services and the treatment of tips as charges, all through regulatory measures rather than statutory enactment.

    State Issues DFPI Enforcement California Consumer Protection Consumer Finance Digital Assets Agency Rule-Making & Guidance

  • Student loan servicer to pay DFPI $27,500 for untimely response to information request

    State Issues

    On April 24, the California DFPI entered into a consent order with a federal student loan servicer (respondent) that allegedly failed to provide the DFPI with timely access to requested borrower data. In late April of 2022, the U.S. Department of Education announced a one-time revision of income-driven repayments to address past inaccuracies.  To take advantage of this adjustment, the Department of Education required borrowers to submit a loan consolidation application by April 30, 2024.  The DFPI requested information from respondent on student loan borrowers for the purpose of completing outreach to impacted borrowers ahead of the loan consolidation application deadline. Respondent provided this information 17 days after the deadline set by the DFPI. 

    To resolve DFPI’s allegations, respondent agreed to pay a penalty in the amount of $27,500.

    State Issues California DFPI Student Loans Missouri Consumer Finance

  • California regulator advises businesses to only collect needed data under CCPA

    Privacy, Cyber Risk & Data Security

    On April 2, the California Privacy Protection Agency issued Enforcement Advisory No. 2024-01 reminding businesses that data minimization is a foundational principle of the California Consumer Privacy Act. The Advisory noted that the Agency has observed certain businesses collecting unnecessary and disproportionate amounts of personal information and emphasized that minimization principles would apply to processing consumer requests. As such, the Advisory highlighted the requirements of minimization, including the concept that the collection, use, sharing, and retention of personal information must be reasonable and proportionate to the purposes identified, considering the minimum personal information required, the potential negative impacts on consumers, and the existence of additional safeguards that addressed the applicable negative impacts. As part of the discussion, the Advisory also discussed two scenarios: one described an opt-out procedure, and the other described verification in connection with a consumer request. For the opt-out procedure, the Advisory reminded businesses that they may not verify a consumer’s identity to process an opt-out (they may, however, ask the consumer for the information necessary to complete the request). For the verification procedures, the Advisory outlined a possible process for analyzing whether additional verification information would be required, such as whether the business stores driver license information.

    Privacy, Cyber Risk & Data Security California CCPA CPPA Digital Identity Identity Theft

  • CPPA releases latest draft of automated decision-making technology regulation

    State Issues

    The California Privacy Protection Agency (CPPA) released an updated draft of its proposed enforcement regulations for automated decisionmaking technology in connection with its March 8 board meeting. The draft regulations included new definitions, including “automated decisionmaking technology” which means “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking,” which expands its scope from its previous September update (covered by InfoBytes here).

    Among other things, the draft regulations would require businesses that use automated decisionmaking technology to provide consumers with a “Pre-use Notice” to inform consumers on (i) the business’s use of the technology; (ii) their right to opt-out of the business’s use of the automated decisionmaking technology and how they can submit such a request (unless exempt); (iii) a description of their right to access information; and (iv) a description of how the automated decisionmaking technology works, including its intended content and recommendations and how the business plans to use the output. The draft regulations detailed further requirements for the opt-out process.

    The draft regulations also included a new article, entitled “risk assessments,” which provided requirements as to when a business must conduct certain assessments, as well as requirements for businesses that process personal information to train automated decisionmaking technology or artificial intelligence. Under the proposed regulations, every business whose processing of consumers’ personal information may present significant risk to consumers’ privacy must conduct a risk assessment before initiating that processing. If a business previously conducted a risk assessment for a processing activity in compliance with the article and submitted an abridged risk assessment to the CPPA, and there were no changes, the business is not required to submit an updated risk assessment. The business must, however, submit a certification of compliance to the CPPA.

    The CPPA has not yet started the formal rulemaking process for these regulations and the drafts are provided to facilitate board discussion and public participation, and are subject to change. 

    State Issues Privacy Agency Rule-Making & Guidance California CPPA Artificial Intelligence

  • California Attorney General warns small banks and credit unions on fees

    State Issues

    On February 22, California State Attorney General, Rob Bonta, issued a letter to small banks and credit unions cautioning that overdraft and returned deposited item fees may infringe upon California’s Unfair Competition Law (UCL) and the CFPA. The letter, directed at institutions in California with assets under $10 billion, highlighted concerns that such fees disproportionately burden low-income and minority consumers. Bonta emphasized that these fees often catch consumers off guard, leading to significant financial strain, and urged the financial institutions in California to comply with state and federal laws by eliminating such practices.

    The letter underscores how overdraft and returned deposited item fees can harm consumers, and potentially constitute unfair acts against them. Bonta also pointed out how overdraft fees cannot be reasonably anticipated due to the complexities of transaction processing, making it challenging for consumers to make informed financial decisions. Furthermore, the letter warned that imposition of returned deposited item fees, which are charges by financial institutions when a consumer deposits a check that bounces (due to an issue with the check originator such as insufficient funds or a stop payment order), is likely an unfair business practice in violation of the UCL and CFPA because consumers are usually unable to reasonably avoid the fee. 

    This action by the California Attorney General is notable for its focus on smaller financial institutions that were expressly excluded from the CFPB’s proposed rule last month on overdraft fees (previously covered by InfoBytes here); however, the action is broadly consistent with the CFPB’s guidance on returned deposited item fees (also covered by InfoBytes here).

    State Issues California State Attorney General Overdraft CFPA Unfair

  • District Court decides in favor of bank despite alleged FDCPA and RESPA violations


    On February 15, the U.S. District Court for the Central District of California granted a bank defendant’s motion to dismiss certain claims presented in the plaintiff’s complaint alleging violations of the Fair Debt Collection Practices Act (FDCPA) and Real Estate Settlement Practices Act (RESPA).

    With respect to the FDCPA claim, the court found that the defendant did not qualify as a “debt collector” within the meaning of the statute because the defendant acquired the loan through its merger with the original creditor of the plaintiff’s mortgage. The court noted that several other district courts have held that an entity that acquires a debt through its merger with another creditor is not a “debt collector” under the FDCPA even if the merger occurred following the borrower’s default on the debt.

    With respect to the plaintiff’s RESPA claim, the court found that the plaintiff failed to allege a violation of the statute because the plaintiff’s letter to the defendant, which requested a copy of the original promissory note underlying the deed of trust as well as a loan payoff amount, did not constitute a “qualified written request” triggering the defendant’s obligations under RESPA to respond.  

    Courts RESPA FDCPA California Mortgages

  • California Attorney General settles with food delivery company for allegedly violating two state privacy acts

    Privacy, Cyber Risk & Data Security

    On February 21, the California State Attorney General Office announced its complaint against a food delivery company for allegedly violating the California Consumer Privacy Act of 2018 (CCPA) and the California Online Privacy Protection Act of 2003 (CalOPPA) by failing to provide consumers notice of, or an opportunity to opt out of, the sale of their personal information.

    The CCPA requires businesses that sell personal information to make specific disclosures and give consumers the right to opt out of the sale. Under the CCPA, a company must disclose a privacy policy and post an “easy-to-find ‘Do Not Sell My Personal Information’ link.” The California AG alleged that the company provided neither. The AG also alleged that the company violated CalOPPA by not making required privacy policy disclosures. The company’s existing disclosures indicated that the company could only use customer data to present someone with advertisements, but not give that information to other businesses to use.

    The proposed stipulated judgment, if approved by a court, will require the company to pay a $375,000 civil money penalty, and to (i) comply with CCPA and CalOPPA requirements; (ii) review contracts with vendors to evaluate how the company is sharing personal information; and (iii) provide annual reports to the AG on potential sales or sharing of personal information.

    Privacy, Cyber Risk & Data Security California State Attorney General CCPA CalOPPA Enforcement Data

  • California appeals court vacates a ruling on enjoining enforcement of CPRA regulations

    State Issues

    On February 9, California’s Third District Court of Appeal vacated a lower court’s decision to enjoin the California Privacy Protection Agency (CPPA) from enforcing regulations implementing the California Privacy Rights Act (CPRA).  The decision reverses the trial court’s ruling delaying enforcement of the regulations until March 2024, which would have given businesses a one-year implementation period from the date final regulations were promulgated (covered by InfoBytes here).

    The CPRA mandated the CPPA to finalize regulations on specific elements of the act by July 1, 2022, and provided that “the Agency’s enforcement authority would take effect on July 1, 2023,” a one-year gap between promulgation and enforcement. The CPPA did not issue final regulations until March of 2023, but sought to enforce the rules starting on the July 1, 2023, statutory date. In response, in March 2023, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations. The trial court held that a delay was warranted because “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” On appeal, the court emphasized that there is no explicit and unambiguous language in the law prohibiting the agency from enforcing the CPRA until at least one year after final regulations are approved, and found that while the mandatory dates included in the CPRA “amounts to a one-year delay,” such a delay was not mandated by the statutory language. The court further found that there is no indication from the ballot materials available to voters in passing the statute that the voters intended such a one-year delay. The court explained that the one-year gap between regulations could have been interpreted to give businesses time to comply, or as a period for the agency to prepare for enforcing the new rules, or there may also be other reasons for the gap.

    Accordingly, the appellate court held that the Chamber of Commerce “was simply not entitled to the relief granted by the trial court.” As a result of the court’s decision, businesses are now required to commence implementing the privacy regulations established by the agency.

    State Issues Privacy Courts California Appellate CPPA CPRA

