Recently, the California governor enacted several state bills relating to consumer financial protection. On October 6, AB 790 was signed, which expands upon provisions of the Consumer Legal Remedies Act that relate to “home solicitations of a senior citizen where a loan encumbers the primary residence of the consumer for purposes of paying for home improvement.” Specifically, the bill extends the Act’s protections to cover loans for assessments under the Property Assessed Clean Energy (PACE) program, or certain provisions regulating PACE under the California Financing Law, such that violations would qualify as unfair methods of competition and unfair or deceptive acts or practices.
On October 6, AB 424 was signed, which enacts the Private Student Loan Collections Reform Act. The bill prohibits a private education lender or loan collector from making a written statement to a debtor in an attempt to collect a private education loan unless the private education lender or private education loan collector has certain information related to the debt and provides it to the debtor. In addition, among other things, the bill: (i) prohibits a private education lender or private education loan collector from bringing certain legal proceedings to collect a private education loan if the statute of limitations has expired; (ii) creates a state-mandated local program by expanding the scope of the crime of perjury; and (iii) makes other provisions related to settlement agreements and payment notification requirements. The bill is effective July 1, 2022.
On October 4, AB 1221 was signed, which specifies that service contract requirements must include certain elements and cancellation policies. Among other things, the bill: (i) requires a service contract to include a clear description and identification of the covered product; (ii) makes a violation of certain provisions of the Electronic and Appliance Repair Dealer Registration Law a misdemeanor; and (iii) specifies “that a service contract may be offered on a month-to-month or other periodic basis and continue until canceled by the buyer or the service contractor and would require a service contract that continues until canceled by the buyer or service contractor to, among other things, disclose to the buyer in a clear and conspicuous manner that the service contract shall continue until canceled by the buyer or service contractor and provide a toll-free number, email address, postal address, and, if one exists, internet website the buyer can use to cancel the service contract.” In addition, by expanding the scope of the crime in violation of the Electronic and Appliance Repair Dealer Registration Law, the bill imposes a state-mandated local program. The law is effective January 1, 2022.
On October 4, AB 1405 was signed, which enacts the Fair Debt Settlement Practices Act. Among other things, the bill: (i) specifies that customers in a debt settlement plan have a window of three days to review disclosures prior to the contract taking effect; (ii) defines “debt settlement provider”; (iii) prohibits unfair, abusive, or deceptive acts or practices from a debt settlement provider and a payment processor when providing certain services; (iv) authorizes a consumer to terminate a contract for debt settlement services at any time without a fee or penalty of any sort by notifying the debt settlement provider; and (v) authorizes a consumer to bring a civil action for violation.
On October 6, the California governor signed SB 41, which requires direct-to-consumer genetic testing companies to provide consumers with information about the collection, use, maintenance, and disclosure of genetic data. Under the Genetic Information Privacy Act (GIPA), companies are required to honor a consumer’s revocation of consent and destroy a consumer’s biological sample within 30 days after the consent has been revoked. Companies must also obtain a consumer’s express consent for collection, use, or disclosure of an individual’s genetic data. GIPA also requires companies to comply with all applicable federal and state laws for disclosing genetic data without a consumer’s express consent, and companies must “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified.” Violations of the law may result in civil penalties ranging from $1,000 to $10,000. Exempt from GIPA’s provisions is medical information governed by the Confidentiality of Medical Information Act, or medical information collected and used by business associates of a covered entity governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services.
Earlier on October 5, the governor also signed AB 825, which expands the definition of “personal information” to include genetic data, regardless of its format. Under existing law, any agency that owns or licenses computerized data that includes personal information is required to immediately disclose a security breach upon discovery to California residents who may have been impacted. Agencies are also required to implement and maintain reasonable security procedures and practices.
Both bills take effect January 1, 2022.
California authorizes prepaid accounts to accept publicly administered funds provided no overdraft fees
On October 5, the California governor signed SB 497, which, among other things, amends the definition of a “qualifying account” used for the purposes of depositing certain publicly administered funds. The amendment eliminates prepaid card accounts from the definition of “qualifying account,” and instead authorizes “a prepaid account or a demand deposit or savings account offered by or through an entity other than an insured depository financial institution, as specified, that is not attached to an automatic credit or overdraft feature, unless the credit or overdraft feature has no fee, charge, or cost, or it complies with the requirements for consumer credit under the federal Truth in Lending Act.” Specifically, persons or entities that are not insured depository financial institutions but who offer, maintain, or manage non-“qualifying accounts” are prohibited from soliciting, accepting, or facilitating the direct deposit of the publicly administered funds into the accounts.
On October 4, the California governor signed AB 390, which amends and adds Section 17602 of the Business and Professions Code regarding automatic subscription renewals. The law applies to businesses conducting automatic renewal or continuous services offers to California customers. Among other things, the bill requires that: (i) notice be provided at least 3 days before and at most 21 days before the expiration of the period for which a free gift or trial, or promotional or discounted price, applies; (ii) notice be provided at least 15 days and not more than 45 days before the automatic renewal offer or continuous service offer renews; and (iii) a business allow a consumer to terminate the automatic renewal or continuous service offer without engaging in steps that may delay the consumer’s ability to immediately terminate the policy. The bill also specifies that a “‘free gift’ does not include a free promotional item or gift given by the business that differs from the subscribed product.” The law takes effect July 1, 2022.
On October 4, the California governor signed AB 1177, which establishes the California Public Banking Option Act and requires the state treasurer to convene a commission to conduct a market analysis to determine the feasibility of establishing a program for California consumers who lack access to traditional banking services. The CalAccount Program, if implemented, would protect unbanked and underbanked consumers from predatory, discriminatory, and costly alternatives by providing “access to a voluntary, zero-fee, zero-penalty, federally insured transaction account . . . and related payment services at no cost to accountholders.”
Among other things, the Act would (i) require the establishment of a process for accountholders to deposit funds into a CalAccount for no fee; (ii) impose a mandate requiring employers and hiring entities to maintain payroll direct deposit arrangements to allow workers to voluntarily participate in the program; (iii) require landlords to allow tenants to pay rent and security deposits by electronic funds transfers from a CalAccount; (iv) require a board (established to administer the program) to contract with and coordinate financial services vendors for the program and build an expansive financial services network of participating ATMs, banks, credit union branches, and other in-network partners to allow account holders to load or withdraw funds from their CalAccount without paying fees; (v) require the board to establish a no-fee process to allow all account holders to arrange for payments to a registered payee using a preauthorized electronic fund transfer from a CalAccount; (vi) establish rules governing the participation of individuals under the age of 18; (vii) provide a secure web-based portal and mobile application to allow individuals access and management of their CalAccount; and (viii) facilitate connectivity with other state and local government agencies and entities so public assistance programs and other disbursements may be directly deposited by electronic fund transfer into a CalAccount. The Act requires the commission to be convened on or before September 1, 2022, with the market analysis due on or before July 1, 2024 to the Chair of the Senate Committee on Banking and Financial Institutions and the Chair of the Assembly Committee on Banking and Finance.
On October 4, the California governor signed SB 531, which requires debt collectors to provide more information to consumers when assigned to collect a debt. Among other things, the bill: (i) expands the standards to allow Californians to verify a collector’s authority; (ii) bans creditors from selling the debt without first giving the debtor 30-day notice; (iii) requires debt buyers to provide a written statement to the debtor upon request; and (iv) prohibits, in certain circumstances, a debt collector from making a written statement to a debtor in an attempt to collect a delinquent consumer debt. The law is effective starting July 1, 2022.
Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data as required by the California Consumer Privacy Act (CCPA). Following a 2020 ransomware attack, class members claimed that sensitive information (including nonencrypted and nonredacted personal information) stored on the defendants’ network was compromised. The defendants countered that class members failed to establish that the defendants qualify as a “business” under the statute as opposed to a “service provider.”
As previously covered by a Buckley Special Alert, the CCPA, which became effective January 1, 2020, defines a “business” as an entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.” The CCPA defines a “service provider” as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” While the CCPA provides a limited private right of action for actual or statutory damages against a business, actions against service providers can only be brought by the California attorney general. According to the court, class members adequately alleged that the defendants act as a business rather than a service provider based on allegations that they, among other things, collect consumers’ personal information from consumers (instead of receiving personal information from another business), and determine “the purposes and means of the processing of consumers’ personal information.” The court also rejected the defendants’ argument that class members failed to “plausibly” establish that their information was stolen because the ransomware attack merely encrypted the data on the defendants’ computer systems. “It may be that [p]laintiff’s personal information was not exfiltrated in a nonencrypted and nonredacted form,” the court stated, “[b]ut at this stage, especially when the bases for dismissal upon which [d]efendants rely do not appear in the complaint, the Court concludes that [p]laintiff’s allegations are sufficient to survive a motion to dismiss.”
According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban, Soltani’s “background in technology and privacy, and his work on both the CCPA and the [California Privacy Rights Act (CPRA)] give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.” As previously covered by InfoBytes, earlier this year, California’s governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
On September 22, the California Privacy Protection Agency (CPPA) formally called on stakeholders to provide preliminary comments on proposed rulemaking under the California Privacy Rights Act (CPRA). The CPRA, which established the CPPA to administer, implement, and enforce the act, was approved by ballot measure in November 2020 (covered by InfoBytes here) and updated the existing California Consumer Privacy Act. The invitation for comments highlights several areas of interest for the CPPA as it begins the rulemaking process, including topics related to: (i) cybersecurity audits and risk assessments to be performed by businesses processing personal information that presents a significant risk to consumers’ privacy or security; (ii) matters concerning automated decision-making; (iii) audits performed by the CPPA; (iv) issues related to consumer rights, including consumers’ right to delete, right to correct, and right to know what personal data has been collected or shared, as well as consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information; (v) information to be provided when responding to a consumer’s request to know; and (vi) definitions and categories of information and activities, including what updates or additions should be added to “personal information,” “sensitive personal information,” “precise geolocation,” and “dark patterns,” among other terms. Comments must be submitted by November 8.
The CPRA will become effective January 1, 2023, with enforcement delayed until July 1, 2023. However, the CPRA will apply to personal information collected by a business on or after January 1, 2022. The CPPA notes that this invitation for comments is not a proposed rulemaking action and states that the public will have additional opportunities to provide comments on proposed regulations or modifications when it proceeds with a notice of proposed rulemaking action.
On September 23, California’s governor signed AB 430, which requires a debt collector to pause collection activities until completion of a review if the debt collector receives a copy of an FTC identity theft report and a written statement from the debtor. Among other things, the bill: (i) alters the definition of “victim of identity theft” to include individuals who submit FTC identity theft reports; (ii) authorizes a debtor to send a copy of a police report, as specified, but prohibits a debt collector from also requiring a police report if the debtor submits an FTC identity theft report; and (iii) requires that “in order for a person to recover actual damages or attorney’s fees in an action or cross-complaint filed by a person alleging that they are a victim of identity theft, that the person, upon written request of the claimant, provided the claimant a valid, signed FTC identity theft report before filing the action or within their cross-complaint, as specified.”