Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On March 17, the Utah governor signed HB 20 to repeal several of the state’s collection agency statutory provisions. Specifically, the bill repeals provisions that (i) require collection agencies to register with the Division of Corporations and Commercial Code and have on file sufficient bond in the amount of $10,000 (see Sections 12-1-1 and 12-1-2); (ii) stipulate bond terms and require certain records relating to registrations and bonds to be maintained with the Division and open to public inspection (see Sections 12-1-3, and 12-1-5); (iii) relate to violations and penalties and specify that “[a]ny person, member of a partnership, or officer of any association or corporation who fails to comply with any provision of this title is guilty of a class A misdemeanor (see Section 12-1-6); (iv) outline exceptions (see Section 12-1-7); (v) govern assignments of debts involving collection agencies and limit activities as to the assignments (see Section 12-1-8); (vi) specify that information about a consumer’s credit rating or credit worthiness sent to a consumer reporting agency is void if the collection agency does not have a bond on file (see Section 12-1-9); and (vii) require certain registration forms and application fees for collection agencies seeking approval to conduct business in Utah (see Section 12-1-10). Limitations and terms of collection fees and convenience fees imposed by creditors or third-party debt collection agencies will remain unchanged by the amendments (see Section 12-1-11). The changes take effect May 3.
On March 23, the Utah governor signed SB 127, which, among other things, requires additional disclosure requirements for system security breaches and creates the Utah Cyber Center. For example, it mandates additional notice requirements to the office of the Utah attorney general (AG) and the Utah Cyber Center where an investigation “reveals that the misuse of personal information relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur.” If the investigation reveals the misuse of personal information relating to 1,000 or more Utah residents, the notification must also be sent “to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.”
The Utah Cyber Center will be responsible for, among other things, developing a statewide strategic cybersecurity plan for executive branches and other governmental agencies; identifying, analyzing, and mitigating cyber threats and vulnerabilities; coordinating cybersecurity resilience planning; providing cybersecurity incident response capabilities; developing incident response plans to coordinate federal, state, local, and private sector activities; and developing and promoting cybersecurity best practices.
The amendments are effective 60 days follow adjournment of the legislature.
On March 28, the CFPB issued a determination that state disclosure laws covering lending to businesses in California, New York, Utah, and Virginia are not preempted by TILA. The preemption determination confirms a preliminary determination issued by the Bureau in December, in which the agency concluded that the states’ statutes regulate commercial financing transactions and not consumer-purpose transactions (covered by InfoBytes here). The Bureau explained that a number of states have recently enacted laws requiring improved disclosure of information contained in commercial financing transactions, including loans to small businesses. A written request was sent to the Bureau requesting a preemption determination involving certain disclosure provisions in TILA. While Congress expressly granted the Bureau authority to evaluate whether any inconsistencies exist between certain TILA provisions and state laws and to make a preemption determination, the statute’s implementing regulations require the agency to request public comments before making a final determination. In making its preliminary determination last December, the Bureau concluded that the state and federal laws do not appear “contradictory” for preemption purposes, and that “differences between the New York and Federal disclosure requirements do not frustrate these purposes because lenders are not required to provide the New York disclosures to consumers seeking consumer credit.”
After considering public comments following the preliminary determination, the Bureau again concluded that “[s]tates have broad authority to establish their own protections for their residents, both within and outside the scope of [TILA].” In affirming that the states’ commercial financing disclosure laws do not conflict with TILA, the Bureau emphasized that “commercial financing transactions to businesses—and any disclosures associated with such transactions—are beyond the scope of TILA’s statutory purposes, which concern consumer credit.”
On March 24, the Utah governor signed SB 183 into law, which amends the state’s provisions related to financial institutions. Among other things, the bill: (i) modifies the definition of “control” for purposes of the Financial Institutions Act and provides penalties for failure to comply with registration and disclosure requirements. Additionally, the bill enacts the Commercial Financing Registration and Disclosure Act, which requires individuals who provide certain commercial financing products to register with the Department of Financial Institutions and make certain disclosures in connection with each commercial financing product.
On March 24, the Arizona governor signed HB 2612, which eliminates requirements for there to be a finding on whether an applicant is law abiding, honest, trustworthy, and of good moral character in order to be eligible for a license, permit, or certification. This applies to bank or in-state financial institution acquisitions, banking, consumer lenders, trust companies, escrow agents, mortgage brokers, mortgage bankers, commercial mortgage brokers, loan originators, financial institution holding companies, premium finance companies, real estate appraisers and appraisal management companies, among others. The bill also makes other technical and conforming changes and takes effect 90 days after adjournment of the legislature.
Earlier, on March 23, the Utah governor signed HB 69, which modifies various licensing provisions under the state’s Residential Mortgage Practices and Licensing Act. The bill also makes various amendments under the Real Estate Licensing and Practices Act related to licensing, fees, and disciplinary actions. Among other things, the bill amends the general qualifications of licensure to make residential mortgage loans, including provisions related to mandatory education requirements for both state applicants and applicants licensed in other states and criminal background checks. Specifically, the bill removes a provision that states a “license is immediately and automatically revoked if the criminal background check discloses the applicant fails to accurately disclose a criminal history involving: (A) the real estate industry; or (B) a felony conviction on the basis of an allegation of fraud, misrepresentation, or deceit.” Additional amendments authorize the commission to impose sanctions against licensees and unregistered persons that were found to be in violation of a provision of the act; discuss the process for filing a written request for the vacation of a license revocation; address pending transactions should the death of a principal broker occur; and remove provisions regarding the payment of certain expenses and costs. The bill takes effect 60 days after adjournment of the legislature.
On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, and Virginia (covered by Buckley Special Alerts here and here and InfoBytes here). As previously covered by InfoBytes, under the UCPA, consumers will have rights to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data. The UCPA also outlines data controller responsibilities, including a requirement that data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The UCPA also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices. While the UCPA explicitly prohibits its use as the basis for a private right of action, it does grant the state attorney general excusive authority to enforce the law and seek penalties of up to $7,500 per violation. Additionally, upon discovering a potential violation of the UCPA, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The UCPA takes effect December 31, 2023.
Recently, the Utah legislature passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state. (See also senate and house approved amendments here.) Highlights of the bill include:
- Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that also “has annual revenue of $25,000,000 or more” and “controls or processes personal data of 100,000 or more consumers” or “derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.” Certain entities are exempt from the bill’s requirements, including governmental entities and third parties under contract with a governmental entity that acts on behalf of that entity; tribes; institutions of higher education; nonprofits; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; financial institutions and affiliates subject to federal privacy disclosure requirements; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
- Consumer rights. Under the bill, consumers will be able to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data.
- Controllers’ and processors’ responsibilities. Under the bill, data controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, “unless the request is the consumer’s second or subsequent request during the same 12-month period.” Data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing deidentified data or pseudonymous data.
- Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it gives the Division of Consumer Protection investigative power and grants the state attorney general excusive authority to enforce the law and seek penalties of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses.
- Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.
If enacted in its current form, the bill would take effect December 31, 2023.
On February 16, the FTC and the Utah Division of Consumer Protection reached a settlement in an action taken against a Utah-based company and its affiliates (collectively, “defendants”) for allegedly using deceptive marketing to persuade consumers to attend real estate events costing thousands of dollars. As previously covered by InfoBytes, the FTC and the Utah Division of Consumer Protection claimed that the defendants violated the FTC Act, the Consumer Review Fairness Act (CRFA), and Utah state law by marketing real estate events with false claims and using celebrity endorsements. The defendants allegedly promised consumers they would (i) earn thousands of dollars in profits from real estate investment “flips” by using the defendants’ products; (ii) receive 100 percent funding for their real estate investments, regardless of credit history; and (iii) receive a full refund if they do not make “a minimum of three times” the price of the workshop within six months. Additionally, consumers who received refunds were allegedly required to sign agreements preventing them from speaking with the FTC, state attorneys general, and other regulators; submitting complaints to the Better Business Bureau; or posting negative reviews. Under the terms of the settlement, the defendants are, among other things, permanently banned from marketing or selling any real estate or business coaching programs, and are restrained from making misleading earnings claims or misrepresenting any material aspect of the performance or nature of goods or services that are the subject of a sales offer. Additionally, the defendants are permanently banned from using contract terms to suppress customers’ ability to review their products or speak to law enforcement agencies, and may not release customer information in connection with any activity related to the subject matter of the order. The settlement also includes monetary judgments totaling more than $111 million.
Recently, the Utah Department of Commerce adopted amendments to the Utah Residential Mortgage Practices and Licensing Rules to eliminate unnecessary and redundant licensee expenses for criminal background checks and credit reports. Among other things, the amendments provide that if a licensee submits a fingerprint background report to the Nationwide Multistate Licensing System & Registry (NMLS) “that is current according to the NMLS and is dated within 90-days of the date of the application to renew, the Division shall use that fingerprint background report in satisfaction of the requirement of. . .subsection [R162-2c-204]. If there is no current fingerprint background report in the NMLS, the licensee shall submit a fingerprint background report to the NMLS with the licensee’s application to renew.” The same condition also applies to current credit reports dated within 30-days of the date the renewal application was submitted to the NMLS. The amendments also update certain license qualification provisions related to moral character and felony convictions, and eliminate provisions concerning employee incentive programs related to licensed entities. These provisions took effect October 26.
On April 1, Utah Governor Gary Herbert issued an order instituting a moratorium on residential evictions for individuals out of work or otherwise unable to pay rent as a direct result of Covid-19 provided certain conditions are met. The temporary order went into effect immediately and is effective through May 15. Herbert’s announcement did not institute rent forgiveness during the leniency period.