InfoBytes Blog
Colorado amends GAP requirements
The Colorado governor recently signed HB 23-1181 (the “Act”) to codify and amend rules relating to guaranteed asset protection (GAP) agreements (designed to relieve “all or part of a consumer’s liability for the deficiency balance remaining, after the payment of all insurance proceeds,” upon the total loss of a consumer’s motor vehicle that served as collateral for a loan). In addition to adding new definitions and outlining exemptions, the Act also, among other things, (i) establishes conditions, notices, and provisions that must be included in order to offer, sell, provide or administer a GAP agreement in connection with a consumer finance agreement; (ii) establishes that the maximum fee that may be charged for a GAP agreement must not exceed four percent of the amount financed in the consumer credit transaction or $600, whichever amount is greater; (iii) provides that a creditor may contract for, charge, and receive only one GAP fee as part of an agreement regardless of the number of co-borrowers, co-signers, or guarantors; (iv) lays out the process for calculating a deficiency balance and how much a consumer is owed in the event of a total loss; (v) establishes requirements in the event a GAP agreement is cancelled; (vi) details when a consumer must submit a GAP agreement claim after a total loss; and (vii) prohibits the sale of a GAP agreement in specific circumstances.
The Act is effective January 1, 2024, and applies to GAP agreements entered into on or after this date.
Colorado bill amends student loan provisions and UCCC licensing renewal deadlines
On June 5, the Colorado governor signed SB 23-248 (the “Act”), which addresses consumer protection in certain credit transactions. Among other things, the bill amends, repeals, and adds sections around lender nomenclature in the Colorado Student Loan Equity Act. The Act defines the terms “private education creditor” and “creditor” as (i) “any person engaged in the business of making or extending private education credit obligation”; (ii) “a holder of a private education credit obligation”; or (iii) “a seller, lessor, lender, or person that makes or arranges a private education credit obligation and to whom the private education credit obligation is initially payable or the assignee of a creditor’s right to payment.” Several exemptions are outlined. The Act also establishes the term “refinanced” to mean when “an existing private education credit obligation is satisfied and replaced by a new private education credit obligation undertaken by the same consumer.” In subsequent sections, words like “lender” and “loan,” amongst other things, are replaced with the newly defined terms. The Act also amends certain provisions relating to Uniform Consumer Credit Code (UCCC) licensing renewal and fee due dates. Specifically, all supervised lender licensees must file for renewal and pay the appropriate renewal fees by July 1 annually, where previously the renewal due date was January 1 each year.
The Act takes effect the day after the expiration of the 90-day period following adjournment of the general assembly.
Colorado limits out-of-state bank charges on consumer credit
On June 6, the Colorado governor signed HB 23-1229 (the “Act”) to amend the state’s Uniform Consumer Credit Code (UCCC). Specifically, Colorado has invoked its right under the Depository Institutions Deregulation and Monetary Control Act (DIDMCA) to opt out of a provision that allows state-chartered banks to preempt state interest rates applicable to consumer credit transactions. Sections 521-523 of DIDMCA currently allow state-chartered banks to charge the interest allowed by the state where they are located, regardless of where the borrower is located and regardless of conflicting out-of-state law. Section 525, however, provides states with the authority to opt out of these sections.
Modifications to the UCCC impact requirements for alternative charges for loans not exceeding $1,000, and include the following changes:
- Reduces the permissible acquisition charge on the original loan or any refinanced loan from 10 to eight percent of the amount financed;
- Reduces permissible monthly installment account handling charges based on categories of the amount financed;
- Increases the minimum loan term from 90 days to six months;
- Removes the ability for a lender to charge a delinquency charge on a loan;
- Amends provisions relating to the conditions upon which an acquisition charge must be refunded to a consumer; and
- Limits the number of times a lender can refinance a consumer loan to once a year.
The amendments take effect July 1, 2024, and only apply to consumer credit transactions made after that date.
Colorado establishes medical debt collection requirements
On May 4, the Colorado governor signed SB 23-093 to cap the interest rate on medical debt at three percent per year. The Act outlines numerous provisions, including that entities collecting on a medical debt must provide a consumer with a written copy of a payment plan within seven days for medical debt that is payable in four or more installments. The Act also outlines requirements for accelerating or declaring a payment plan no longer operative, and lays out prohibited actions (such as collecting on a debt or reporting a debt to a consumer reporting agency within a certain timeframe) relating to medical debt that an entity knows, or reasonably should know, is under review or being appealed. An entity that files a legal action to collect a medical debt must provide to a consumer (upon written request) an itemized statement concerning the debt and must allow a consumer to dispute the debt’s validity after receiving the statement. Entities are prohibited from engaging in collection activities until the itemized statement is delivered. The Act outlines self-pay requirements and estimates, and further provides that it is a deceptive trade practice to violate outlined provisions relating to billing practices, surprise billing, and balance billing laws. The Act takes effect immediately and applies to contracts entered into after the effective date.
Colorado restricts vehicle value protection agreements
On March 23, the Colorado governor signed SB 23-015, which prohibits placing conditions on the terms of a vehicle sale, lease, or the extension or terms of credit, upon the purchase of a vehicle value protection agreement. In addition, the bill requires, among other things, that such agreements must outline eligibility requirements, coverage conditions or exclusions, provide certain consumer notices, and must benefit the consumer “upon the trade-in, total loss, or unrecovered theft of a covered vehicle.” Providers of such agreements must also obtain a contractual liability insurance policy that guarantees their obligations under the agreement. Finally, the act establishes that value protection agreements themselves are not insurance and are exempt from state insurance regulations.
Colorado finalizes privacy rules
On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by the attorney general’s office. (See redline version of the final rules showing changes made to address concerns raised through public comments here.) As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. In addition to promulgating rules to carry out the requirements of the CPA, the attorney general has authority to issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. Colorado is one of several states that have enacted comprehensive privacy laws that take effect in 2023, joining California, Connecticut, Utah, and Virginia. (Covered by InfoBytes here, here, here, and here.) The final rules will be published in the Colorado Register in March and will go into effect July 1.
Colorado releases privacy act updates
Last month, the Colorado attorney general released a third version of draft rules to implement and enforce the Colorado Privacy Act (CPA). A hearing on the proposed draft rules was held February 1. As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. The attorney general also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The attorney general previously released two versions of the draft rules last year (covered by InfoBytes here and here).
The third set of draft rules seeks to address additional concerns raised through public comments and makes a number of changes, including:
- Clarifying definitions. The modifications add, delete, and amend several definitions, including those related to “bona fide loyalty program,” “information that a [c]ontroller has a reasonable basis to believe the [c]onsumer has lawfully made available to the general public,” “publicly available information,” “revealing,” and “sensitive data inference” or “sensitive data inferences.” Among other things, the definition of “publicly available information” has been narrowed by removing the exception to the definition that had excluded publicly available information that has been combined with non-publicly available information. Additionally, sensitive data inferences now refer to inferences which “are used to” indicate certain sensitive characteristics.
- Right to opt out and right to access. The modifications outline controller requirements for complying with opt-out requests, including when opt-out requests must be completed, as well as provisions for how privacy notice opt-out disclosures must be sent to consumers, and how consumers are to be provided mechanisms for opting out of the processing of personal data for profiling that results in the provision or denial of financial or lending services or other opportunities. With respect to the right to access, controllers must implement and maintain reasonable data security measures when processing any documentation related to a consumer’s access request.
- Right to correct and right to delete. Among other changes, the modifications add language providing consumers with the right to correct inaccuracies and clarify that a controller “may decide not to act upon a [c]onsumer’s correction request if the [c]ontroller determines that the contested [p]ersonal [d]ata is more likely than not accurate” and has exhausted certain specific requirements. The modifications add requirements for when a controller determines that certain personal data is exempted from an opt-out request.
- Notice and choice of universal opt-out mechanisms. The modifications specify that disclosures provided to consumers do not need to be tailored to Colorado or refer to Colorado “or to any other specific provisions of these rules or the Colorado Privacy Act examples.” Additionally, a platform, developer, or provider that provides a universal opt-out mechanism may, but is not required to, authenticate that a user is a resident of the state.
- Controller obligations. Among other things, a controller may choose to honor an opt-out request received through a universal opt-out mechanism before July 1, 2024, may respond by choosing to opt a consumer out of all relevant opt-out rights should the universal opt-out mechanism be unclear, and may choose to authenticate that a user is a resident of Colorado but is not required to do so.
- Purpose specification. The modifications state that controllers “should not specify so many purposes for which [p]ersonal [d]ata could potentially be processed to cover potential future processing activities that the purpose becomes unclear or uninformative.” Controllers must modify disclosures and necessary documentation if the processing purpose has “evolved beyond the original express purpose such that it becomes a distinct purpose that is no longer reasonably necessary to or compatible with the original express purpose.”
- Consent. The modifications clarify that consent is not freely given when it “reflects acceptance of a general or broad terms of use or similar document that contains descriptions of [p]ersonal [d]ata [p]rocessing along with other, unrelated information.” Requirements are also provided for how a controller may proactively request consent to process personal data after a consumer has opted out.
- User interface design, choice architecture, and dark patterns. The modifications provide that a consumer’s “ability to exercise a more privacy-protective option shall not be unduly longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option.” The modifications also specify principles that should be considered when designing a user interface or a choice architecture used to obtain consent, so that it “does not impose unequal weight or focus on one available choice over another such that a [c]onsumer’s ability to consent is impaired or subverted.”
Additional modifications have been made to personal data use limitations, technical specifications, public lists of universal opt-out mechanisms, privacy notice content, loyalty programs, duty of care, and data protection assessments. Except for provisions with specific delayed effective dates, the rules take effect July 1 if finalized.
On February 28, the attorney general announced that the revised rules were adopted on February 23, but are subject to a review by the attorney general and may require additional edits before they can be finalized and published in the Colorado Register.
Colorado AG releases consumer lending study
On January 23, the Colorado attorney general announced that it sent a study examining the availability of consumer lending in the state to the Colorado General Assembly. Among other things, the study analyzed the availability of safe and affordable credit in Colorado and focused on the availability of two types of loans: (i) small-dollar loans, defined as loans up to $1,000, and (ii) larger installment loans.
Regarding small-dollar loans in Colorado, Proposition 111, enacted in 2018, capped rates on deferred deposit loans at 36 percent. As such, the study noted that there was a significant decrease in the number of lenders who were making deferred deposit (payday) loans and the number of licensed locations as of 2018. It was reported that 95,747 individuals in Colorado obtained alternative charge loans in 2021, which represented a significant decline from 2018. The study also found that, while there was a drop in the number of retail outlets, available evidence indicates consumers who qualify are able to obtain alternative charge loans, given the growth of online lending.
Affordability for alternative charge borrowers is mixed, according to the report. It appears that about one in five borrowers experience substantial difficulty in making the required payments. Other measures suggest that a substantially lower percentage struggle.
Regarding larger installment loans, 39,295 consumers obtained “Other Supervised Loans” (defined as loans with an APR above 12 percent) from non-depositories, and non-depositories took by assignment an additional 87,880 Other Supervised Loans in 2021. The number of originated Other Supervised Loans in 2021 was nearly identical to the number originated in 2019. Overall, 25.9 percent of consumers who applied for Other Supervised Loans were approved.
Credit unions to pay $4 million in GAP fee refunds
On January 4, the Colorado attorney general announced settlements with two credit unions that will pay a combined $4 million in refunds to borrowers in the state who were entitled to “guaranteed automobile protection” (GAP) fee refunds. An investigation conducted by the Consumer Protection Section of the Colorado Department of Law found that the credit unions historically failed to refund unearned GAP fees owed to consumers. According to the state, the credit unions act as creditors by purchasing retail installment sales contracts from auto dealers that include GAP purchased by Colorado consumers. The state explained in its announcement that borrowers pay the full GAP fee when they purchase a car (the fee is typically only earned gradually over the loan’s lifetime). However, should a borrower prepay the loan prior to maturity, or should the car be repossessed and sold at auction before the loan is paid off, Colorado law requires lenders to refund the unearned portion of the GAP fee to the borrower, the state said.
The assurances of discontinuance (see here and here) apply to all consumer credit transactions entered into with consumers in the state related to any alleged unfair conduct committed by the credit unions related to GAP fee refund practices. In addition to paying consumer remediation and $100,000 each to the state, the credit unions also agreed to alter their business practices to ensure that applicable refunds will be provided to consumers going forward.
Colorado releases second draft of Colorado Privacy Act rules
On December 21, the Colorado attorney general released a second set of draft rules for the Colorado Privacy Act (CPA). As previously covered by a Buckley Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The first set of draft rules was issued last September and published by the Secretary of State on October 10 (covered by InfoBytes here).
The second set of draft rules seeks to address concerns raised through public comments as well as feedback received during three stakeholder sessions. The AG seeks specific input on questions related to (i) clarifications to definitions; (ii) the use of IP addresses to verify consumer opt-out requests; (iii) implementation of a universal opt-out mechanism; (iv) controller obligations related to meaningful privacy notices; and (v) bona fide loyalty programs. Among other things, the modifications would:
- Clarify definitions. The modifications add, delete, and amend several definitions, including those related to “biometric identifiers,” “commercial product or service,” “controller,” “employee,” “employer,” “employment records,” “noncommercial purpose,” “personal data,” “process,” “processor,” “profiling,” and terms involving automated processing.
- Amend purpose-based privacy notices. The modifications remove the requirement that privacy notices be purpose-based, and will instead require that the processing purpose and type of personal data processed be connected in a way that provides consumers a meaningful understanding of how their personal data will be used. The AG seeks feedback on ways the draft rules can “be made interoperable with California’s privacy notice requirements, while still considering the CPA’s purpose specification, secondary use requirements, and ensuring that a consumer has a meaningful understanding of the way their personal data will be used when they interact with a controller.” Feedback is also requested on whether controllers “who have updated their privacy policies to comply with California’s privacy notice requirements anticipate making a separate policy for Colorado, updating a California specific privacy notice to include Colorado or other state requirements, or revising the main privacy policy/notice to meet Colorado and other non-California state requirements[.]”
- Update universal opt-out mechanism. The modifications grant controllers six months from the date a universal opt-out mechanism is recognized by the AG to begin complying with that new mechanism. An initial public list of approved opt-out mechanisms will be published no later than January 1, 2024, and will be updated periodically.
- Clarify security measures and duty of care. The modifications provide additional details about the duty to safeguard personal data, and will require controllers to, among other things, consider “[a]pplicable industry standards and frameworks,” and the sensitivity, amount, and original source of the personal data when identifying reasonable and appropriate safeguards. The modifications also include provisions related to the processing of sensitive data inferences and specify deletion requirements.
- Reduce data protection assessment requirements. The modifications reduce the information that must be included in a controller’s data protection assessment.
- Clarify privacy notice changes. The modifications clarify when a controller must notify a consumer of “substantive or material” changes to its data processing that trigger updates to its privacy notice. The modifications emphasize that disclosure of a new processing purpose in a privacy policy alone does not constitute valid consent.
- Address refreshing of consumer consent. The modifications provide that consumer consent must be refreshed when a consumer has not interacted with the controller in the last 12 months, and (i) the controller is processing sensitive personal information; or (ii) is processing personal data for secondary data use that involves profiling for a decision that could result “in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” However, controllers will not be required to refresh consent in situations where consumers have the ability to update their own opt-out preferences at any time.
Comments on the second set of draft rules are due February 1. If the formal rulemaking hearing on the proposed rules (scheduled for February 1) extends beyond that date, comments must be received on or before the last day of the hearing.