InfoBytes Blog
Appellate court reverses BIPA decision
On November 30, the Illinois Court of Appeal for the Fourth Appellate District reversed and remanded a trial court’s decision to grant a defendant plating company’s motion for summary judgment in a Biometric Information Privacy Act (BIPA) suit. The plaintiff began working for the defendant in 2014. From the beginning of his employment, the plaintiff clocked into his job using a fingerprint, but the defendant did not have a written retention-and-destruction schedule for biometric data until 2018. The plaintiff was subsequently terminated and then filed suit claiming that the defendant violated BIPA by failing to establish a retention-and-destruction schedule for the possession of biometric information until four years after it first possessed the plaintiff’s biometric data. The trial court granted the defendant’s motion for summary judgment, finding that section 15(a) of BIPA established no time limits by which a private entity must establish a retention-and-destruction schedule for biometric data. The plaintiff appealed.
The appellate court reversed the trial court’s order, finding that Section 15(a) specified that a private entity “in possession of” biometric data must develop a written policy laying out its retention and destruction protocols, and the duty to develop a schedule is triggered by possession of the biometric data. The appellate court noted that its decision “is consistent with the statutory scheme, which imposes upon private entities the obligation to establish [BIPA]-compliant procedures to protect employees' and customers' biometric data.” The appellate court went on to note that it “can discern no rational reason for the legislature to have intended that a private entity ‘develop’ a ‘retention schedule and guidelines for permanently destroying’ (id. § 15(a)) biometric data at a different time from that specified in the notice requirement in section 15(b), which itself must inform the subject of the length of time for which the data will be stored (i.e., retained), etc.” The appellate court concluded “that the duty to develop a schedule upon possession of the data necessarily means that the schedule must exist on that date, not afterwards,” and stressed that this is “the only reasonable interpretation” in light of BIPA's “preventive and deterrent purposes.”
Furthermore, the appellate court rejected the defendant’s argument that “the statutory duty is satisfied so long as a schedule exists on the day that the biometric data possessed by a defendant is no longer needed or the parties’ relationship has ended,” stating that the statutory language “belies this interpretation.”
States say student loan trusts are subject to the CFPA’s prohibition on unfair debt collection practices
On November 15, a bipartisan coalition of 23 state attorneys general led by the Illinois AG announced the filing of an amicus brief supporting the CFPB’s efforts to combat allegedly illegal debt collection practices in the student loan industry. As previously covered by InfoBytes, in February, the U.S. District Court for the District of Delaware stayed the Bureau’s 2017 enforcement action against a collection of Delaware statutory trusts and their debt collector after determining there may be room for reasonable disagreement related to questions of “covered persons” and “timeliness.” The district court certified two questions for appeal to the U.S. Court of Appeals for the Third Circuit related to (i) whether the defendants qualify as “covered persons” subject to the Bureau’s enforcement authority; and (ii) whether the case can be continued after the Supreme Court’s 2020 decision in Seila Law v. CFPB (which determined that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau—covered by a Buckley Special Alert). Previously, the district court concluded that the suit was still valid and did not need ratification because—pointing to the majority opinion in the Supreme Court’s decision in Collins v. Yellen (covered by InfoBytes here)—“‘an unconstitutional removal restriction does not invalidate agency action so long as the agency head was properly appointed[,]’” and therefore the Bureau’s actions are not void and do not need to be ratified, unless a plaintiff can show that “the agency action would not have been taken but for the President’s inability to remove the agency head.” The district court later acknowledged, however, that Collins “is a very recent Supreme Court decision” whose scope is still being “hashed out” in lower courts, which therefore “suggests that there is room for reasonable disagreement and thus supports an interlocutory appeal here.”
The states argued that they have a “substantial interest” in protecting state residents from unlawful debt collection practices, and that this interest is implicated by this action, which addresses whether the defendant student loan trusts are “covered persons” subject to the prohibition on unfair debt collection practices under the CFPA. Urging the 3rd Circuit to affirm the district court’s decision to deny the trusts’ motion to dismiss, the states contended among other things, that hiring third-party agencies to collect on purchased debts poses a large risk to consumers. These types of trusts, the states said, “profit only when the third parties that they have hired are able to collect on the flawed debt portfolios that they have purchased.” Moreover, “[d]ebt purchasing entities, including entities like the [t]rusts, are thus often even more likely than the original creditors to resort to unlawful tactics in undertaking collection activities,” the states stressed, explaining that in order to combat this growing problem, many states apply their prohibitions on unlawful debt collection practices “to all debt purchasers that seek to reap profits from these illegal activities, including those purchasers that outsource collection to third parties.” The Bureau’s decision to do the same is therefore appropriate under the CFPA, the states wrote, adding that “as a practical matter, these debt purchasers are as problematic as debt purchasers that collect on their own debt. The [t]rusts’ request to be treated differently because of their decision to hire third party agents to collect on the debts that they have purchased (and reap the profits on) should be rejected.”
District Court says university is a financial institution exempt from state privacy law
On November 4, the U.S. District Court for the Northern District of Illinois granted a defendant university’s motion to dismiss Illinois Biometric Information Privacy Act (BIPA) claims, ruling that because the defendant participates in the Department of Education’s Federal Student Aid Program, it is a “financial institution” subject to Title V of the Gramm-Leach-Bliley Act (GLBA) and therefore exempt from BIPA. Plaintiff sued the defendant claiming the university used technology to collect biometric identifiers to surveil students taking online exams. According to the plaintiff, the defendant’s use of this technology violated students’ biometric privacy rights because the defendant did not obtain students’ written consent to collect and use that data, failed to disclose what happens with the data after collection, and failed to adhere to BIPA’s retention and destruction requirements.
The court disagreed and dismissed the putative class action. The court explained that the defendant’s direct student lending and participation in the Federal Student Aid Program allows it to qualify as a “financial institution,” defined by the GLBA as “any institution the business of which is engaging in financial activities.” As such, it is expressly exempt from BIPA. The court rejected plaintiff’s argument that the defendant did not fit within this definition because it is in the business of higher education rather than financial activities, noting that at least five other courts have also concluded that “institutions of higher education that are significantly engaged in financial activities such as making or administering student loans” qualify for exemption. The court also referred to a 2000 FTC rule issued when the Commission had both enforcement and rulemaking authority under the GLBA. The rule considered colleges and universities to be financial institutions if they “appear to be significantly engaged in lending funds to consumers,” which the court found to be “particularly persuasive because it evidences longstanding, consistent, and well-reasoned interpretation of the statute that it had been tasked to administer.”
FDIC announces Illinois disaster relief
On October 25, the FDIC issued FIL-49-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Illinois affected by severe storms and flooding from July 25-28. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.
District Court enters $228 million judgment in BIPA class action
On October 12, the U.S. District Court for the Northern District of Illinois entered a judgment for $228 million after a jury found that a defendant railway company committed 45,600 reckless or intentional violations of the Illinois Biometric Information Privacy Act (BIPA). The jury’s judgment, which does not include pre-judgment interest, was entered against the defendant in the amount of $228 million (BIPA provides for statutory damages of $5,000 for every willful or reckless violation and $1,000 for every negligent violation). Class members consisting of more than 44,000 truck drivers alleged in their second amended complaint that the defendant violated BIPA when it collected, captured, and stored their biometric identifiers and biometric information without obtaining their informed written consent or providing written disclosures explaining the purpose and duration of such use. The defendant countered that it should not be held liable for biometric data collection conducted on its behalf by a third-party contractor because BIPA does not impose liability for the acts of a third party. The court disagreed, ruling, among other things, that BIPA’s language “makes clear that [the defendant] need not have ‘collected’ the data itself to be liable,” and that there is evidence that the defendant “ultimately called the shots on whether and how biometric information is collected.”
District Court denies defendant summary judgment in data breach suit
On September 8, the U.S. District Court for the District of Maryland denied a defendant hotel corporation’s summary judgment motion, concluding that an economic expert’s opinion that the City of Chicago (plaintiff) experienced a loss in tax revenue due to a security breach of the defendant’s guest information database—and that the breach caused that loss—should be admissible. As previously covered by InfoBytes, a consolidated class action suit was filed by consumers after they allegedly learned that the defendant took more than four years to discover the data breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted to provide data security services reported an anomaly pertaining to the defendant’s guest information database. In total, the breach impacted approximately 133.7 million guest records.
Last May, the court granted in part and denied in part certification of eight class actions against the defendant, noting that the plaintiffs did not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendant’s argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”
According to the recent opinion, the City of Chicago alleged that the defendant violated the city’s consumer protection ordinance by failing to safeguard the personal information of city residents and misrepresented that it had reasonable security safeguards in place. The defendant argued that the City of Chicago’s claims exceeded the limit of the city’s authority under the Illinois Constitution, because it attempted to apply its ordinance to a specific data-security incident. The court found that the Illinois Constitution permits the City of Chicago, a “home-rule unit,” to enforce its consumer protection ordinance against the defendant for harm and injuries arising from the data security incident. Additionally, the court found that “in order to respect ‘the constitutional design’ granting broad home rule authority and permitting concurrent local and state authority, ‘the courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies.’” The court also found that the City of Chicago has standing to bring claims for monetary fines, citing that “expert opinions establish, by a preponderance of the evidence, that Chicago suffered an injury-in-fact—the loss of tax revenue—that was traceable to the data breach, and that can be redressed by monetary fines paid by [the defendant].”
District Court grants final approval in BIPA class action
On September 1, the U.S. District Court for the Northern District of Illinois granted final approval of a $6.8 million class action settlement in a biometric privacy data suit. According to the plaintiff’s memorandum of law in support of her unopposed motion for final approval of the settlement, the plaintiff alleged that the defendant violated Illinois law by collecting fingerprint scan data from Illinois users of vending machine systems without written notice and consent. According to the settlement, class members include all individuals who scanned their finger(s) in one or more of defendants’ vending systems in Illinois between August 23, 2014 and November 2021, which totals approximately 63,450 individuals. Each class member will receive approximately $413, and the settlement includes roughly $2.2 million in attorney fees for class counsel.
Illinois amends Collection Agency Act provisions
On May 27, the Illinois governor signed HB 5220, which makes various amendments to provisions related to the state’s Collection Agency Act. Among other things, the amendments strike language repealing specified provisions and add, amend, and strike certain definitions, including amending “financial institution” to include “consumer installment lenders, payday lenders, sales finance agencies, and any other industry or business that offers services or products that are regulated under any Act administered by the [Director of the Division of Financial Institutions].” The amendments further provide that an adjudicated finding by the FTC or other federal or state agency that shows a licensee violated the FDCPA or its rules is grounds for disciplinary action. Also, at the discretion of the Secretary (after having first received the recommendation of the Collection Agency Licensing and Disciplinary Board), an “accused person’s license may be suspended or revoked, if the evidence constitutes sufficient grounds for such action.” Moreover, the amendments restore language providing that the Department of Financial and Professional Regulation may obtain written recommendations from the Collection Agency Licensing and Disciplinary Board “regarding standards of professional conduct, formal disciplinary actions, and the formulation of rules affecting these matters.” The Act takes effect January 1, 2023.
Illinois amendments address confidentiality of customer financial records
On May 13, the Illinois governor signed SB 3971, which makes various amendments to Illinois Banking Act and Savings Bank Act provisions concerning the confidentiality of customer financial records. Among other things, the Act provides that a bank must disclose financial records “only after the bank sends a copy of the subpoena, summons, warrant, citation to discover assets, or court order,” to the person establishing the relationship with the bank if living (or the person’s representative otherwise), at the person’s last known address. Further, such requests must be sent through a third-party commercial carrier or courier, with delivery charge fully prepaid, by hand or by electronic delivery at an email address on file with the bank (provided the person has consented to electronic delivery).
The Act also stipulates that a bank retain customer financial records “in a manner consistent with prudent business practices and in accordance with this Act and applicable State or Federal laws, rules, and regulations.” A bank may also destroy records (with reasonable precautions taken to ensure the confidentiality of the information contained in the records) except where a retention period is required by law. The Act is effective immediately.
Illinois adopts rules implementing Predatory Loan Prevention Act
On April 22, the Illinois Department of Financial and Professional Regulation (IDFPR) published in the Illinois Register a notice of adopted rules to implement the Predatory Loan Prevention Act (PLPA or the Act). As previously covered by InfoBytes, the Act was signed into law in March 2021 to prohibit lenders from charging more than 36 percent APR on all non-commercial consumer loans under $40,000, including closed-end and open-end credit, retail installment sales contracts, and motor vehicle retail installment sales contracts. Violations of the Act constitute a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act and carry a potential fine up to $10,000. Additionally, any loan with an APR exceeding 36 percent will be considered null and void.
In general, the adopted rules require lenders to provide a disclosure to consumers about the 36 percent APR rate cap established by the PLPA, incorporate the APR calculation method required by the PLPA, and amend the rules for reporting of payday loans to the state database. The rules specify that words in the definitions are not defined to have the same meaning as in Regulation Z, including any interpretation by the CFPB. For purposes of calculating the PLPA APR, the rules specify that the calculation excludes only certain specified bona fide fees, but includes finance charges, loan application fees, and fees imposed for participation in any plan or arrangement for a loan, “even if that charge would be excluded from the finance charge under Regulation Z.”
The IDFPR made several amendments related to rate cap disclosure notices. These specify that all loan applications must include a separate rate cap disclosure signed by the consumer (disclosures must be provided in English and in the language in which the loan was negotiated) that clearly and conspicuously states: “A lender shall not contract for or receive charges exceeding a 36% annual percentage rate on the unpaid balance of the amount financed for a loan, as calculated under the Illinois Predatory Loan Prevention Act (PLPA APR). Any loan with a PLPA APR over 36% is null and void, such that no person or entity shall have any right to collect, attempt to collect, receive, or retain any principal, fee, interest, or charges related to the loan. The annual percentage rate disclosed in any loan contract may be lower than the PLPA APR.”
The rules take effect August 1.