InfoBytes

Section Content

Filter

Tags

Operator

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

March 31, 2023

California OAL approves CCPA regulations

On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.

The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.

Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues State Regulators California CPRA CPPA CCPA
March 9, 2023

House committees move forward on data privacy

On March 1, the House Subcommittee on Innovation, Data, and Commerce, a subcommittee of the House Energy and Commerce Committee, held a hearing entitled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy” to continue discussions on the need for comprehensive federal privacy legislation. House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) delivered opening remarks, commenting that discussions during the hearing will build upon the bipartisan American Data Privacy and Protection Act (ADPPA), which advanced through the committee last July by a vote of 53-2. As previously covered by InfoBytes, the ADPPA (see H.R. 8152) was sent to the House floor during the last Congressional session, but never came up for a full chamber vote. The bill has not been reintroduced yet.

A subcommittee memo highlighted that absent a comprehensive federal standard, “there are insufficient limits to what types of data companies may collect, process, and transfer.” The subcommittee flagged the data broker industry as an example of where there are limited restrictions or oversight to prevent the creation of consumer profiles that link sensitive data to individuals. Other areas of importance noted by the subcommittee relate to data security protections, data minimization requirements, digital advertising, and privacy enhancing technologies. The subcommittee heard from witnesses who agreed that a comprehensive privacy framework would benefit consumers.

One of the witnesses commented in prepared remarks that preemption is key, calling the current patchwork of state laws confusing and costly to businesses and consumers. “Consumers need a strong and consistent law to protect them across jurisdictions and market sectors, and to clarify what privacy rights they should expect and demand as they navigate the marketplace,” the witness said. The witness also stated that the FTC is currently relying on outdated law, noting that while Section 5 of the FTC Act is frequently used, “virtually all of the FTC’s privacy and data security cases are settlements. That means that many of the legal theories advanced, as well as the remedies obtained, have never been tested in court.”

In advance of the hearing, the California governor, the California attorney general, and the California Privacy Protection Agency sent a joint letter opposing preemption language contained in H.R. 8152. “[B]y prohibiting states from adopting, maintaining, enforcing, or continuing in effect any law covered by the legislation, [the ADPPA] would eliminate existing protections for residents in California and sister states,” the letter warned. The letter asked Congress “to set the floor and not the ceiling in any federal privacy law” and “allow states to provide additional protections in response to changing technology and data privacy protection practices.”

Separately, at the end of February, Chairman of the House Financial Services Committee, Patrick McHenry (R-NC) introduced the Data Privacy Act of 2023 (see H.R. 1165). The bill moved out of committee by a 26-21 vote, and now goes to the full House for consideration. Among other things, the bill would modernize the Gramm-Leach-Bliley Act to better align the statute with the evolving technological landscape. The bill would also ensure consumers understand how their data is being collected and used and grant consumers power to opt-out of the collection of their data and request that their data be deleted at any time. Additional provisions are intended to protect against the misuse or overuse of consumers’ personal data and impose disclosure requirements relating to data collection methods, how data is used and who it is shared with, data retention policies, and informed choice. The bill is designed to provide consistency across the country to reduce compliance burdens, McHenry said.

Privacy, Cyber Risk & Data Security Federal Issues Federal Legislation House Energy and Commerce Committee House Financial Services Committee Gramm-Leach-Bliley State Issues CPPA Consumer Protection
February 10, 2023

California’s privacy agency finalizes CPRA regulations

On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, who will have 30 working days to review and approve or disapprove the regulations. As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July 2022, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here).

According to the CPPA’s final statement of reasons, the proposed final regulations (which are substantially similar to the version of the proposed regulations circulated in November) address comments received by stakeholders, and include the following modifications from the initial proposed text:
- Amending certain definitions. The proposed changes would, among other things, modify the definition of “disproportionate effort” to apply to service providers, contractors, and third parties in addition to businesses, as such term is used throughout the regulations, to limit the obligation of businesses (and other entities) with respect to certain consumer requests. The term is further defined as “when the time and/or resources expended to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding to the request,” and has been modified “to operationalize the exception to complying with certain CCPA requests when it requires ‘disproportionate effort.’” The proposed changes also introduce the definition of “unstructured” personal information, which describes personal information that could not be retrieved or organized in a predefined manner without disproportionate effort on behalf of the business, service provider, contractor, or third party as it relates to the retrieval of text, video, and audio files.
- Outlining restrictions on how a consumer’s personal information is collected or used. The proposed changes outline factors for determining whether the collection or processing of personal information is consistent with a consumer’s “reasonable expectations.” The modifications also add language explaining how a business should “determine whether another disclosed purpose is compatible with the context in which the personal information was collected,” and present factors such as the reasonable expectation of the consumer at the time of collection, the nature of the other disclosed purpose, and the strength of the link between such expectation and the nature of the other disclosed purpose, for assessing compatibility. Additionally, a section has been added to reiterate requirements “that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be ‘reasonably necessary and proportionate’ for each identified purpose.” The CPPA explained that this guidance is necessary for ensuring that businesses do not create unnecessary and disproportionate negative impacts on consumers.
- Providing disclosure and communications requirements. The proposed changes also introduce formatting and presentation requirements, clarifying that disclosures must be easy to read and understandable and conform to applicable industry standards for persons with disabilities, and that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and, for mobile applications, that conspicuous links should be accessible in the business’ privacy policy.
- Clarifying requirements for consumer requests and obtaining consumer consent. Among other things, the proposed changes introduce technical requirements for the design and implementation of processes for obtaining consumer consent and fulfilling consumer requests, including but not limited to “symmetry-in-choice,” which prohibits businesses from creating more difficult or time consuming paths for more privacy-protective options than paths to exercise a less privacy protective options. The modifications also provide that businesses should avoid choice architecture that impairs or interferes with a consumer’s ability to make a choice, as “consent” under the CCPA requires that it be freely give, specific, informed, and unambiguous. Moreover, the statutory definition of a “dark pattern” does not require that a business “intend to design a user interface to have the substantial effect of subverting or impairing consumer choice.” Additionally, businesses that are aware of, but do not correct, broken links and nonfunctional email addresses may be in violation of the regulation.
- Amending business practices for handling consumer requests. The revisions clarify that a service provider and contractor may use self-service methods that enable the business to delete personal information that the service provider or contractor has collected pursuant to a written contract with the business (additional clarification is also provided on a how a service provider or contractor’s obligations apply to the personal information collected pursuant to its written contract with the business). Businesses can also provide a link to resources that explain how specific pieces of personal information can be deleted.
- Amending requests to correct/know. Among other things, the revisions add language to allow “businesses, service providers, and contractors to delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” Consumers will also be required to make a good-faith effort to provide businesses with all necessary information available at the time of a request. A section has also been added, which clarifies “that implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.” Modifications have also been made to specify that a consumer can request that a business disclose their personal information for a specific time period, and changes have been made to provide further clarity on how a service provider or contractor’s obligations apply to personal information collected pursuant to a written contract with a business.
- Amending opt-out preference signals. The proposed changes clarify that the requirement to process opt-out preference signals applies only to businesses that sell or share personal information. Language has also been added to explain that “the opt-out preference signal shall be treated as a valid request to opt-out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.” When consumers do not respond to a business’s request for more information, a “business must still process the request to opt-out of sale/sharing” to ensure that “a business’s request for more information is not a dark pattern that subverts consumer’s choice.” Additionally, business should not interpret the absence of an opt-out preference signal as a consumer’s consent to opt-in to the sale or sharing of personal information.
- Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods—an interactive form accessible via the “Do No Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
- Clarifying requests to limit use and disclosure of sensitive personal information. The regulations require businesses to provide specific disclosures related to the collection, use, and rights of consumers for limiting the use of personal sensitive information in certain cases, including, among other things, requiring the use of a link to “Limit the Use of My Sensitive Personal Information” and honoring any limitations within 15 business days of receipt. The regulations also provide specific enumerated business uses where the right to limit does not apply, including to ensure physical safety and to prevent, detect, and investigate security incidents.
The proposed final regulations also clarify when businesses must provide a notice of right to limit, modify how the alternative opt-out link should be presented, provide clarity on how businesses should address scenarios in which opt-out preference signals may conflict with financial incentive programs, make changes to service provider, contractor, and third party obligations to the collection of personal information, as well as contract requirements, provide clarity on special rules applicable to consumers under 16-years of age, and modify provisions related to investigations and enforcement.

Separately, on February 10, the CPPA posted a preliminary request for comments on cybersecurity audits, risk assessments, and automated decisionmaking to inform future rulemaking. Among other things, the CPPA is interested in learning about steps it can take to ensure cybersecurity audits are “thorough and independent,” what content should be included in a risk assessment (including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act), and how “automated decisionmaking technology” is defined in other laws and frameworks. The CPPA noted that this invitation for comments is not a proposed rulemaking action, but rather serves as an opportunity for information gathering. Comments are due March 27.

Privacy, Cyber Risk & Data Security State Issues California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection
December 22, 2022

California privacy agency holds public meeting on CPRA

On December 16, the California Privacy Protection Agency (CPPA) Board held a public meeting to discuss the ongoing status of the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here). The CPPA stated it anticipates conducting additional preliminary rulemaking in early 2023. After public input is received, the CPPA will discuss proposed regulatory frameworks for risk assessments, cybersecurity audits, and automated decisionmaking.

During the board meeting, the CPPA introduced sample questions and subject areas for preliminary rulemaking that will be provided to the public at some point in 2023, and finalized and approved at a later meeting. The questions and topics relate to, among other things, (i) privacy and security risk assessment requirements, including whether the CPPA should follow the approach outlined in the European Data Protection Board’s Guidelines on Data Protection Impact Assessment, as well as other models or factors the agency should consider; (ii) benefits and drawbacks for businesses should the CPPA accept a business’s risk assessment submission that was completed in compliance with GDPR’s or the Colorado Privacy Act’s requirements for these assessments; (iii) how the CPPA can ensure cybersecurity audits, assessments, and evaluations are thorough and independent; and (iv) how to address profiling and logic in automated decisionmaking, the prevalence of algorithmic discrimination, and whether opt-out rights with respect to a business’s use of automated decisionmaking technology differ across industries and technologies. The CPPA said it is also considering different rules for businesses making under $25 million in annual gross revenues.

Privacy, Cyber Risk & Data Security State Issues California CPPA CPRA CCPA Consumer Protection Agency Rule-Making & Guidance
November 8, 2022

CPPA says comments on modified draft privacy rules due November 21

On November 3, the California Privacy Protection Agency (CPPA) Board officially posted updated draft rules for implementing the Consumer Privacy Rights Act of 2020, which amends and builds on the California Consumer Privacy Act of 2018. The draft rules were previously released in advance of a CPPA Board meeting held at the end of October (see previous InfoBytes coverage here for a detailed breakdown of the proposed changes). A few notable changes between the versions include:
- A requirement that a business must treat an opt-out preference signal as a valid request to opt out of sale/sharing for not only that browser or device but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
- A requirement that if a business does not ask a consumer to affirm their intent with regard to a financial incentive program, “the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or devise and any consumer profile the business associates with that browser or device.” However if a consumer submits an opt-out of sale/sharing request but does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal with respect to the consumer’s participation in the financial incentive program.
- The addition of the following provision: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
Comments on the amended draft rules are due November 21 by 8 am PT.

Privacy, Cyber Risk & Data Security State Issues CPPA CCPA CPRA Agency Rule-Making & Guidance Consumer Protection
October 21, 2022

California’s privacy agency amends draft privacy rules ahead of meeting

In advance of an upcoming meeting of the California Privacy Protection Agency Board (CPPA) scheduled for October 28-29, the agency posted updated draft rules for implementing the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here).

The proposed changes to the draft rules respond to comments received during the 45-day comment period, in which several businesses expressed concerns that the requirements were confusing and complying would be costly. (See also Explanation of Modified Text of Proposed Regulations.) Key clarifying modifications include:
- Adding, amending, and striking certain definitions. The proposed changes would, among other things, revise the definition of “disproportionate effort” to clarify that it applies to service providers, contractors, and third parties as well as to businesses. The revisions also provide additional details concerning factors that should be considered when evaluating whether responding to a consumer request would require disproportionate effort. The changes also add and amend terms such as “first party,” “information practices,” “nonbusiness,” “privacy policy,” and “unstructured.”
- Outlining restrictions on how a consumer’s personal information is collected or used. The revisions propose criteria for how a business should evaluate the “reasonable expectation” of consumers concerning the collection or processing of their personal information, including how to determine the purpose for which the personal information is collected, whether it is reasonably necessary and proportionate for achieving the stated purposes, and whether it is a “business purpose” under the CCPA/CPRA. According to the CPPA’s explanation of the modified text, the “factors consider relevant GDPR principles for harmonization while articulating the statutory requirements and intent of the CCPA.”
- Providing disclosure and communications requirements. The proposed changes clarify that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and provide guidance on the placement of conspicuous links in a mobile environment.
- Clarifying requirements for obtaining consumer consent. The revisions explain how different user interfaces and “choice architecture” can impair or interfere with a consumer’s ability to make a choice, and thus fail to meet the definition of consent. The revisions further address provisions related to dark patterns, explaining that “[i]f a business did not intend to design the user interface to subvert or impair user choice, but the business knows of and does not remedy a user interface that has that effect, the user interface may still be a dark pattern. Similarly, a business’s deliberate ignorance of the effect of its user interface may also weigh in favor of establishing a dark pattern.”
- Amending requirements related to a business’s privacy notice. The revisions eliminate requirements for a business to either disclose the names or business practices of third parties that the business allows to collect personal information from the consumer in the business’s notice at collection. Additionally, a business and third party may provide a single notice at collection that outlines the required information about their collective information practices.
- Amending the right to limit the use/disclosure of sensitive personal information. The proposed changes clarify that a business does not need to provide a notice of right to limit the use of sensitive personal information if the business only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer. Additionally, the revisions would make it optional for businesses to provide a means by which consumers can confirm their request to limit in order to simplify implementation at this time.
- Clarifying request to delete provisions. The revisions confirm that a business’s service provider or contractor may delete collected personal information pursuant to the written contract that it has with the business. Additionally, businesses will be permitted to provide a link to a support page or other resource that explains a consumer’s data deletion options.
- Amending requests to correct/know. The proposed changes clarify that businesses, service providers, and contractors may delay compliance with requests to correct with respect to information stored on archived or backup systems. The amendments also, among other things, clarify that consumers should make good-faith efforts to provide businesses with all relevant information available at the time of the request, provide flexibility and discretion to a business concerning whether it will provide the consumer with the name of the source from which the business received the alleged inaccurate information, and clarify that a business only needs to disclose specific pieces of personal information that it maintains and has collected about the consumer in order to confirm that the business has corrected the inaccurate information that was the subject of the consumer’s request to correct. With respect to a consumer’s right to know, the proposed changes would allow a consumer to request a specific time period for which their request to know applies.
- Amending opt-out preference signals. The proposed changes specify that a business that does not sell or share personal information is not required to process an opt-out preference signal as a valid request to opt-out. However, for businesses that do sell or share personal information, processing the opt-out preference signal means that the business is treating it as a valid request to opt-out of sale/sharing. The revisions also address when a business can ignore an opt-out signal to allow a consumer to continue to participate in a financial incentive program, and explain that when a consumer is known to the business, the “business shall not interpret the absence of an opt-out preference signal after the consumer previously sent an opt-out preference signal as consent to opt-in to the sale or sharing of personal information.” Moreover, a business may choose to display whether it has processed the consumer’s optout preference signal as a valid request to opt-out of sale/sharing on its website.
- Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods—an interactive form accessible via the “Do No Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
- Clarifying requests to limit use and disclosure of sensitive personal information. The revisions clarify how sensitive personal information may be used to “prevent, detect, and investigate” security incidents “even if this business purpose is not specified in the written contract required by the CCPA and these regulations.”
The proposed changes also delete examples concerning notices of the right to opt-out of the sale/sharing of personal information through connected devices and augmented or virtual reality to simplify implementation at this time. Additionally, the proposed changes further clarify provisions related to requirements for service providers, contractors, and third parties, specifying, among other things, that businesses must contractually require these entities to provide the same level of privacy protection as is required of businesses by the CCPA and these regulations.

Privacy, Cyber Risk & Data Security State Issues California CPPA CPRA CCPA Consumer Protection Agency Rule-Making & Guidance
September 20, 2022

California adopts “first-in-nation” act to safeguard children’s online data and privacy

On September 15, the California governor signed into law the California Age-Appropriate Design Code Act (the Act), calling it the “first-in-nation” bill to protect children’s online data and privacy. AB 2273 establishes new legal requirements for businesses that provide online products and services that are “likely to be accessed by children” under 18 years of age based on certain factors. These factors include whether the feature is: (i) “directed to children,” as defined by the Children’s Online Privacy Protection Act (COPPA); (ii) “determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children”; (iii) advertised to children; (iv) is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children; (v) designed to appeal to children; or (vi) determined to be, based on internal company research, significantly accessed by children. Notably, in contrast to COPPA, the Act more broadly defines “child” as a consumer who is under the age of 18 (COPPA defines “child” as an individual under 13 years of age).

The Act also outlines specific requirements for covered businesses, including:
- Businesses must configure all default privacy settings offered by the online service, product, or feature to one that offers a high level of privacy, “unless the business can demonstrate a compelling reason that a different setting is in the best interests of children”;
- Businesses must “concisely” and “prominently” provide clear privacy information, terms of service, policies, and community standards suited to the age of the children likely to access the online service, product, or feature;
- Prior to offering any new online services, products, or features that are likely to be accessed by children before July 1, 2024, businesses must complete a Data Protection Impact Assessment (DPIA) on or before the same date. Businesses must also document any “risk of material detriment to children” that arises from the DPIA, create a mitigation plan, and, upon written request, provide the DPIA to the state attorney general;
- Businesses must “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers”;
- Should an online service, product, or feature allow a child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, businesses must provide an obvious signal to the child when the child is being monitored or tracked;
- Businesses must “[e]nforce published terms, policies and community standards established by the business, including, but not limited to, privacy policies and those concerning children”; and
- Businesses must provide prominent, accessible, and responsive tools to help children (or their parents/guardians) exercise their privacy rights and report concerns.
Additionally, covered businesses are prohibited from using a child’s personal information (i) in a way that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health, or well-being; or (ii) for any reason other than a reason for which the personal information was collected, unless a business can show a compelling reason that using the personal information is in the “best interests of children.” The Act also places restrictions on profiling, collecting, selling, or sharing children’s geolocation data, or using dark patterns to encourage children to provide personal information beyond what is reasonably expected.

The Act also establishes the California Children’s Data Protection Working Group, which will study and report to the legislature best practices for implementing the Act, and will also, among other things, evaluate ways to leverage the expertise of the California Privacy Protection Agency in the long-term development of data privacy policies that affect the privacy, rights, and safety of children online. The state attorney general is tasked with enforcing the Act and may seek an injunction or civil penalty against any business that violates its provisions. Violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation, and up to $7,500 per affected child for each intentional violation; however, businesses may be provided a 90-day cure period if they have achieved “substantial compliance” with the Act’s assessment and mitigation requirements.

The Act takes effect July 1, 2024.

Privacy, Cyber Risk & Data Security State Issues State Legislation Consumer Protection California COPPA CPPA State Attorney General Enforcement
September 2, 2022

Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023

The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extend the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.

According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.

As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.

Privacy, Cyber Risk & Data Security State Issues State Legislation CCPA CPRA CPPA Agency Rule-Making & Guidance Consumer Protection
August 18, 2022

California Privacy Protection Agency opposes federal privacy bill

On August 15, the California Privacy Protection Agency (CPPA) sent a letter to House Speaker Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) opposing H.R.8152, the American Data Privacy and Protection Act (ADPPA). The CPPA expressed concerns that the proposed legislation “could nearly eliminate” the agency’s ability to fulfill its responsibility to protect Californians’ privacy rights and claimed that the bill’s provisions are “substantively weaker” than the California Privacy Rights Act. “ADPPA represents a false choice, that the strong rights of Californians and others must be taken away to provide privacy rights federally,” the CPPA stressed in its letter. “Americans deserve, and the Agency could support, a framework that offers both: a floor of federal protections that preserves the ability of the states to continue to improve protections in response to future threats to consumer privacy.”

Last month the U.S. House Committee on Energy and Commerce voted 53-2 to send the ADPPA to the House floor with amendments that would enable the California agency to enforce the federal law (covered by InfoBytes here). However, the CPPA noted that “the language in the bill still raises significant uncertainties for the Agency were it to seek to enforce the federal measure.” Additionally, the bill, which has been revised from its initial draft (covered by a Buckley Special Alert), would preempt the current patchwork of five state privacy laws—which “would be an anomaly,” the CPPA said, given that current federal privacy laws such as the Health Information Portability and Accountability Act, the Gramm Leach Bliley Act, and the FCRA all contain language allowing states to adopt stronger protections. Pointing out that the bill’s “preemption language is especially concerning given the rate at which technology continues to advance and evolve,” the CPPA stressed the importance of states being able to build on their existing laws and allowing voters to seek out additional protections.

Privacy, Cyber Risk & Data Security State Issues Federal Issues Federal Legislation Consumer Protection CPPA California American Data Privacy and Protection Act
July 15, 2022

California’s privacy agency initiates formal CPRA rulemaking

On July 8, the California Privacy Protection Agency (CPPA) initiated formal rulemaking procedures to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), a law amending and building on the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during a February meeting that the rulemaking process will extend into the second half of the year.

The July proposed regulations modify definitions in the CCPA regulations; outline restrictions on the collection and use of personal information; provide disclosure and communications requirements; describe requirements for submitting CCPA requests and obtaining consumer consent; amend required privacy notices; provide instructions for the Notice of Right to Limit Use of Sensitive Personal Information; amend methods for handling consumer requests to delete, correct, and know; set forth requirements for opt-out preference signals; and address consumer requests for limiting the use and disclosure of sensitive personal information. Comprehensive details of the modified provisions and proposed regulations are available in previous InfoBytes coverage here.

The CPPA stated in its notice of proposed rulemaking that the proposed regulations serve three primary purposes: to (i) “update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA”; (ii) “operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law”; and (iii) “reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.” The CPPA emphasized that the proposed regulations are designed to factor in privacy laws in other jurisdictions and “implement compliance with the CCPA in such a way that it would not contravene a business’s compliance with other privacy laws, such as the General Data Protection Regulation (GDPR) in Europe and consumer privacy laws recently passed in Colorado, Virginia, Connecticut, and Utah.” This design, the CPPA said, will simplify compliance for businesses operating across jurisdictions and avoid unnecessary confusion for consumers who may not understand which laws apply to them.

A hearing on the proposed regulations is scheduled for August 24 and 25. Comments are due August 23.

Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues California CPRA CCPA CPPA Consumer Protection

InfoBytes Blog

Filter

California OAL approves CCPA regulations

House committees move forward on data privacy

California’s privacy agency finalizes CPRA regulations

California privacy agency holds public meeting on CPRA

CPPA says comments on modified draft privacy rules due November 21

California’s privacy agency amends draft privacy rules ahead of meeting

California adopts “first-in-nation” act to safeguard children’s online data and privacy

Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023

California Privacy Protection Agency opposes federal privacy bill

California’s privacy agency initiates formal CPRA rulemaking

Pages

Upcoming Events

1071
23 NYCRR 600
23 NYCRR Part 102
23 NYCRR Part 200
23 NYCRR Part 500
AARMR
Aaron Mahler
ABA
Ability To Repay
ABS
Abusive
ACA International
Acceleration
Accounting
ACFIN
ACH
Add-On Products
Adjudication
Adjustable Rate Mortgage
Administrative Procedure Act
Administrative Procedures Act
Adverse Action
Advertisement
Advisers Act
Advisory Board
Advisory Committee
Advisory Council
Advisory Opinion
AECA
Affiliated Business Relationship
Affinity Products
Affirmative Defense
Affordable Housing
Afghanistan
Africa
Agency Rule-Making & Guidance
Agent
Agreement
Alabama
Alaska
Algorithms
ALJ
Alternative Data
AMA
Amanda Raines Lawrence
American Data Privacy and Protection Act
American Depositary Receipts
American Depository Receipts
American Rescue Plan Act of 2021
Americans with Disabilities Act
Amicus Brief
Ancillary Products
Andorra
Andrew Grant
Andrew Louis
Andrew Schilling
ANPR
Anti-Corruption
Anti-Money Laundering
Anti-Money Laundering Act of 2020
Anti-Retaliation
Antiquities
Antiterrorism Act
Antitrust
APEC CBPR
APHIS
Appeals
Appellate
Appraisal
Appraisal Management Companies
APR
APY
Aquisition
Arbitration
Argentina
Arizona
Arkansas
ARRC
Article 291A
Artificial Intelligence
Assessments
Asset Management
Asset-Based Lending
Assignee Liability
ATM
Attorney Fees
Attorney-Client Privilege
Audit
Auto Finance
Auto Insurance
Auto Leases
Auto Lending
Auto-Renewal
Autodialer
Automated Telephone Dialing
Autopay
AVMs
BAFT
Balkans
Ballot Initiative
Bank Charter
Bank Compliance
Bank Consultants
Bank for International Settlements
Bank Holding Companies
Bank Holding Company Act
Bank Lending
Bank Merger Act
Bank Mergers
Bank Partnership
Bank Privilege
Bank Regulatory
Bank Resolution
Bank Secrecy Act
Bank Supervision
Banking
Bankruptcy
Bankruptcy Code
Banks
Basel
Basel Committee
BCBS
Belarus
Ben Olson
Beneficial Ownership
Biden
Big Data
Biggert-Waters Act
Biometric Data
BIPA
Bitcoin
Blockchain
Board of Governors
Bona Fide Error
Bond
Borrower Defense
Bosnia
Braskem SA
Brazil
Breach of Contract
Bribery
Broker
Broker-Dealer
Brokered Deposits
Budget
Bulgaria
Burma
Burundi
Business Continuity
Business Email Compromise
Business Opportunity Rule
Buy Now Pay Later
CA UCL
CAATSA
California
California Consumer Financial Protection Law
California Financing Law
California Money Transmission Act
California Securities Law
Call Report
Cambodia
Canada
Cannabis Banking
Capital
Capital Planning
Capital Requirements
CARD Act
CARES Act
CARU
Cash Assistance Programs
Cash Checking
Cash-Out Refinance
CBDC
CBLR
CCAR
CCFPL
CCPA
CCPA/EU
CCRA
CDBO
CDC
CDD Rule
CDFI
Cease and Desist
CECL
Census Bureau
Central African Republic
Central Bank Digital Currency
CFDL
CFIUS
CFP Act
CFPA
CFPB
CFPB Act
CFPB NLRB
CFPB Succession
CFTC
Chamber of Commerce
Champerty
Check Cashing
China
Chris Witeck
CID
CIDs
CIPA
CISA
Cities & Counties
Civil Fraud Actions
Civil Money Penalties
Civil Procedure
CLA
Class Action
Class Certification
Clawback
Clickwrap Agreement
Climate-Related Financial Risks
Closed-End Credit
Cloud Computing
Cloud Technology
CMBS
Collateral Estoppel
College Scorecard
Colorado
Colorado Privacy Act
Combating the Financing of Terrorism
Combating Weapons of Mass Destruction Proliferation Financing
Comment Letter
Commercial Finance
Commercial Lending
Commercial Mortgage Backed Securities
Commodity Exchange Act
Communications Decency Act
Community Banks
Compensation
Competition
Compliance
Compliance Aids
Comptroller's Handbook
Comptroller's Licensing Manual
Computer Fraud and Abuse Act
Confessions of Judgement
Conforming Loan
Congo
Congress
Congressional Inquiry
Congressional Oversight
Congressional Review Act
Connecticut
Consent
Consent Order
Consolidated Appropriations Act
Constitution
Construction
Consumer Complaints
Consumer Credit
Consumer Credit Fairness Act
Consumer Credit Outcomes
Consumer Data
Consumer Data Protection Act
Consumer Education
Consumer Finance
Consumer Leasing Act
Consumer Lending
Consumer Lending | Consumer Finance
Consumer Protection
Consumer Protection Act
Consumer Redress
Consumer Reporting
Consumer Reporting Agency
Consumer Review Fairness Act
Contempt
Contracts
Cookies
COPPA
Cordray
Corporate Compliance Program
Corporate Enforcement Policy
Corporate Governance
Corporate Transparency Act
Correspondent Banking
Correspondent Lenders
Corruption
Costa Rica
Courts
Covered Savings Association
Covid-19
Covid-19 Consumer Protection Act
CPA
CPPA
CPRA
CRA
CRE Lending
Credit Application
Credit Builder Loans
Credit Bureau
Credit Card Laundering
Credit Cards
Credit Furnishing
Credit Monitoring
Credit Practices Rule
Credit Rating Agencies
Credit Ratings
Credit Repair
Credit Repair Organizations Act
Credit Report
Credit Reporting Agency
Credit Risk
Credit Risk Retention Regulation
Credit Scores
Credit Sellers
Credit Services Business
Credit Union
Criminal Enforcement
Critical Infrastructure
CROA
Cross Border Activities
Crowdfunding
Crypto Mixer
Cryptocurrency
CSBS
Cuba
CUNA
CUSO
Customer Due Diligence
Customer Identification Program
CVC
CVF
Cyber Insurance
Cyber Risk & Data Security
Cyber Threat Intelligence Integration Center
D.C. Circuit
DACA
Damages
Dark Patterns
Dark Pools
Data
Data Aggregator
Data Analytics
Data Breach
Data Brokers
Data Collection / Aggregation
Data Point Reports
Data Protection
Data Scraping
DBO
DC Circuit
De Novo Bank
De-Risking
Debit Cards
Debt Buyer
Debt Buying
Debt Cancellation
Debt Collection
Debt Collection Licensing Act
Debt Management
Debt Relief
Debt Settlement
Debt Verification
Decentralized Finance
Deceptive
Default
Deferred Deposit Lenders
Deferred Deposits
Deferred Interest
Deficiency Claim
Delaware
Denmark
Department of Agriculture
Department of Commerce
Department of Defense
Department of Education
Department of Health and Human Services
Department of Homeland Security
Department of Justice
Department of Labor
Department of State
Department of Treasury
Department of Veterans Affairs
Deposit Advance
Deposit Insurance
Deposit Products
Depository Institution
Deposits
Derivatives
DFPI
Digital Assets
Digital Collateral
Digital Commerce
Digital Currency
Digital Identity
Digital Insights and Trends
Digital Platform
Digital Wallets
Digitalization
Directors & Officers
Disaster Relief
Discharge
Disclosures
Discount Window
Discovery
Discrimination
Disgorgement
Disparate Impact
Dispute Resolution
Distributed Ledger
District of Columbia
Diversity
Diversity and Inclusion Subcommittee
Do Not Call Registry
Dodd-Frank
DOJ
DOL Fiduciary Rule
Douglas Gansler
Downpayment Assistance
DPA
Drug Enforcement Administration
Drug Enforcement Administration
DSIB
Due Process
Durbin Amendment
E-Discovery
E-SIGN Act
E-Signature
Earned Wage Access
ECIP
ECOA
eCommerce
Economic Aid Act
Ecuador
Ed Tech
EDGAR
EEOC
EFTA
EGRPRA
EGRRCPA
EIDL
Eighth Circuit
Elder Financial Exploitation
Electronic Check
Electronic Filing
Electronic Fund Transfer
Electronic Mortgages
Electronic Payments
Electronic Records
Electronic Signatures
Electronic Transfers
Eleventh Circuit
Elizabeth McGinn
Elizabeth Warren
Eminent Domain
Employer-Driven Debt Products
En Banc
Endorsements
Enforcement
English v. Trump
Escrow
ESG
ESIGN
Eskom
Ethiopia
EU
EU-US Data Privacy Framework
EU-US Privacy Shield
European Union
Evictions
examin
Examination
Exchange-Traded Funds
Executive Compensation
Executive Order
Export Controls
FACTA
FAFT
Fair Access to Credit Act
Fair Credit Billing Act
Fair Credit Reporting Act
Fair Housing
Fair Housing Act
Fair Labor Standards Act
Fair Lending
Fair Servicing
False Claims Act / FIRREA
Fannie Mae
FAQs
Farm Credit Administration
FASB
FATF
Faxes
FBAR
FBI
FCA
FCC
FCPA
FCPA Enforcement Action
FCPA Pilot Program
FCRA
FDA
FDCPA
FDI Act
FDIA
FDIC
FDiTech
Federal Advisory Committee Act
Federal Arbitration Act
Federal Communications Act
Federal Deposit Insurance Act
Federal Home Loan Banks
Federal Insurance Office
Federal Issues
Federal Legislation
Federal Register
Federal Reserve
Federal Reserve Act
Federal Reserve Bank of Boston
Federal Reserve Bank of New York
Federal Reserve Banks
Federal Reserve System
FedNow
Fedral Issues
Fees
FEMA
FFIEC
FHA
FHFA
FHLB
FICO
Fiduciary Duty
Fiduciary Rule
FIFA
Fifth Circuit
Finance
Finance Charge
Financial Advisers
Financial CHOICE Act
Financial Conduct Authority
Financial Crimes
Financial Inclusion
Financial Institutions
Financial Literacy
Financial Services
Financial Services Authority
Financial Stability
Financial Stability Board
Financial Technology
FinCEN
Finder's Fee
FINRA
Fintech
Fintech Charter
FIRREA
First Amendment
First Circuit
Flexibility Act
Flood Disaster Protection Act
Flood Insurance
Florida
FOIA
FOMC
For-Profit College
Forbearance
Force-placed Insurance
Foreclosure
Foreign Banks
Foreign Exchange Trading
Foreign Sovereign Immunities Act
Foreign Terrorist Organization
Forfeiture Order
Fourth Amendment
Fourth Circuit
France
Fraud
FRB
Freddie Mac
Fredrick Levin
FSA
FSB
FSOC
FTC
FTC Act
FTCA
Fund Transfers
Funding Structure
FVRA
G-7
G-Fees
G20
G7
GAAP
Gambling
GAO
GAP Fees
GAP Waivers
Garnishment
GDPR
Georgia
Germany
GFE
Gift Cards
Ginnie Mae
GLBA
Governance
Governors
Gramm-Leach-Bliley
GSE
GSE Patch
GSEs
GSIBs
GTO
Guaranteed Asset Protection
Guaranty Agency
Guatemala
Guinea
Haiti
Hamas
HAMP
HAMP / HARP
Hawaii
Hazard Insurance
Health Breach Notification Rule
Health Care
Hearing
HECM
Hedge Fund
HELOC
Hemp Businesses
HERA
HEROES Act
Herzegovina
High Frequency Trading
Higher Education Act
Hizballah
HMDA
HOA
HOEPA
HOLA
Holder Rule
Holding Foreign Companies Accountable Act
Home Affordable Refinance Program
Home Equity Loans
Home Inspection
Home Owners' Loan Act
Honduras
Hong Kong
House Appropriations Committee
House Committee on Education
House Energy and Commerce Committee
House Financial Services Committee
House Judiciary Committee
House Oversight Committee
House Small Business Committee
House Subcommittee on Consumer Protection and Commerce
Housing Finance Reform
HPML
HQLA
HUD
Hunstein
IBOR
ICBA
ICE
Idaho
Identity Theft
IIF
ILC
Illicit Finance
Illinois
Illinois Banking Act
Illinois Savings Bank Act
ILSA
IMF
Incentive Compensation
Income Share Agreements
Income-Driven Repayment
Indemnification
Indemnity Claims
India
Indiana
Indictment
Indonesia
Information Commissioner's Office
Information Furnisher
Initial Coin Offerings
Injunction
Innovation
Installment Loans
Institution-Affiliated Party
Insurance
Insurance Licensing
Interchange Fees
Interest
Interest Rate
International
Internet
Internet Commerce
Internet Lending
Internet of Things
Investigations
Investment
Investment Adviser
Investment Advisers Act
Investment Company Act
Iowa
Iran
Iraq
Ireland
IRRRL
IRS
ISIS
Israel
IT
ITAR
Jeffrey Hydrick
Jeffrey Naimon
John Doe v CFPB
John Kromer
John Redding
Jon Langlois
Junk Fees
Jurisdiction
Kansas
Kentucky
Kickback
Know Before You Owe
Kokesh
Korea
Kuwait
KYC
Landlords
Language Access
LCR
Lead Aggregation
Lead Generation
Least Sophisticated Consumer
Lebanon
Lender Certification
Lender Placed Insurance
Lending
LFI
Liberia
LIBOR
Libya
Licensing
Lien Stripping
Limited English Proficiency
Liquidity
Liquidity Standards
LISCC
Listing Agreement
Litigation
Litigation Funding
Liu v. SEC
Living Wills
LO Comp Rule
Loan Broker
Loan Modification
Loan Origination
Loans
Loss Mitigation
Louisiana
LTV Ratio
Luxembourg
Machine Learning
Macroprudential
Madden
Main Street Lending Program
Maine
Malaysia
Manley Williams
Manufactured Housing
MAP Rule
Marketing
Marketing Services Agreements
Marketplace Lending
Markups
MARS Rule
Martin Act
Maryland
Massachusetts
Maxine Waters
MBS
MDI
MDL
Mediation
Medical Data
Medical Debt
Medical Marijuana
Merchant Cash Advance
Merchant Services
Merger
Mexico
MHA
Michigan
Military Allotment System
Military Lending
Military Lending Act
Ministry of Justice
Minnesota
Minority Depository Institution
Miscellany
Mississippi
Missouri
MLA
MLETR
MLO
MMLF
Mobile Banking
Mobile Commerce
Mobile Payment Systems
Mobile Payments
Mobile Top-Ups
Model Valuation
Moldova
Monetary Policy
Money Laundering
Money Service / Money Transmitters
Money Service Business
Monitoring
Montana
Moorari Shah
Mortgage Advertising
Mortgage Broker
Mortgage Fraud
Mortgage Insurance
Mortgage Insurance Premiums
Mortgage Lenders
Mortgage Licensing
Mortgage Modification
Mortgage Origination
Mortgage Relief
Mortgage Servicing
Mortgage-Backed Securities
Mortgagee Letters
Mortgages
Mortgages Servicing
MOUs
Multi-Factor Authentication
Multi-State Mortgage Committee
Multifamily
Mutual Fund
N.D. Cal.
NACHA
NAFCU
NASAA
Nasdaq
National Association of Attorneys General
National Bank
National Bank Act
National Fair Housing Alliance
National Flood Insurance Act
National Flood Insurance Program
National Mortgage Servicing Settlement
National Mortgage Settlement
NCLC
NCRC
NCUA
Nebraska
Negative Option
Negligence
Net Interest Margin
Net Neutrality
Net Worth Sweep
Nevada
New Hampshire
New Jersey
New Mexico
New York
New York CRA
NFT
NGFS
Nicaragua
Nigeria
Ninth Circuit
NIST
NMLS
No Action Letter
No Surprises Act
Non-Depository Institution
Nonbank
Nonbank Lending
Nonbank Supervision
Noncompete
Nondepository
Nonprofit
North Carolina
North Dakota
North Korea
Norway
Notary
Notice
NSF Fees
NYDFS
Obama
OCC
OCC EGRPRA
Of Interest to Non-US Persons
OFAC
OFAC Designations
OFAC Sanctions
Office of Science and Technology
OFR
Ohio
OIG
OIRA
Oklahoma
OMB
Ombudsman
Online Banking
Online Contract
Online Lending
Open Banking
Open-End Credit
Operation Choke Point
Operational Resilience
Operational Risk
Opt-In
Opt-Out
Orderly Liquidation Authority
Oregon
OREO
OSHA
OTS
Overdraft
Overdrafts
PA Department of Banking and Securities
PACE
PACE Programs
Pakistan
Paraguay
Patriot Act
Payday Lending
Payday Rule
Payment Processors
Payment Systems
Payments
PCAOB
Peer-to-Peer
Penalty Offense Authority
Pennsylvania
Pension Advance
Pension Benefits
Petrobras
Petroleos de Venezuela
Phantom Debt
PHH v. CFPB
Pilot Program
PLUS Loans
PPP
PPPLF
Predatory Lending
Preemption
Preliminary Injunction
Prepaid Accounts
Prepaid Cards
Prepaid Rule
Prepayment
Prescreened Offers
President-Elect
Privacy
Privacy Act
Privacy Notices
Privacy of Consumer Financial Information Rule
Privacy Rule
Privacy, Cyber Risk & Data Security
Privacy/Cyber Risk & Data Security
Private Right of Action
Pro Bono
Project Catalyst
Property Tax
Prudential Regulators
PSLF
PTFA
Public Banking
Public Health Service Act
Public Records
Puerto Rico
Punitive Damages
Qualified Mortgage
Qualified Residential Mortgage
Qualified Written Request
Qui Tam Action
Racial Bias
Racketeering
Ransomware
Rate Lock
Ray Baum's Act
Real Estate
Real Estate Appraisal
Recordkeeping
Redemption
Redlining
Referrals
Refinance
Regtech
Regulation
Regulation A
Regulation B
Regulation C
Regulation CC
Regulation D
Regulation DD
Regulation E
Regulation F
Regulation H
Regulation II
Regulation J
Regulation M
Regulation N
Regulation O
Regulation P
Regulation V
Regulation W
Regulation X
Regulation XX
Regulation Y
Regulation YY
Regulation Z
Regulator Enforcement
Regulatory Sandbox
Rejected Transactions
Relator
Remittance
Remittance Rule
Remittance Transfer Rule
Remote Work
Rent-a-Bank
Rent-to-Own
Rental Assistance
REO
Repeat Offender
Repossession
Repurchase
Rescission
Research
RESPA
Responsible Banking
Responsible Business Conduct
Restitution
Retail Banking
Reverse Mortgages
Reverse Redlining
Rewards Programs
RFI
Rhode Island
RICO
Riegle-Neal Act
Ripeness
Risk Governance
Risk Management
RMBS
Robo-Advisor Service
Robo-signing
Robocalls
Robotext
ROE
Romania
Rooker-Feldman
ROSCA
Rosenthal Fair Debt Collection Practices Act
RTC
Rulemaking Agenda
Rural Communities
Rural Housing Service
Russia
S. 2155
SAFE Act
Safe Harbor
Safeguards Rule
Sales Incentive Compensation
Sales-Based Financing
Sanctions
SAP
Sarbanes-Oxley
SARs
Sasha Leonhardt
Saudi Arabia
SBA
SBREFA
SCRA
SDN List
SDNY
Seasoned QM
SEC
Second Circuit
Section 1033
Section 1071
Section 19
Section 8
Securities
Securities Act
Securities Exchange Act
Securitization
Securitization Safe Harbor Rule
Security Freeze
Seila Law
Selling Guide
Semiannual Risk Report
Senate Banking Committee
Senate Finance Committee
Senate Judiciary Subcommittee
Seniors
Separation of Powers
Service Contracts
Service Fees
Servicemembers
Servicer
Servicing
Servicing Guide
Servicing Transfers
Sessions
Settlement
Seventh Circuit
SFO
Shareholders
Shell Companies
Short Sale
Shutdown Relief
SIFA
SIFIs
SIGTARP
Singapore
Single-Director Structure
Sixth Circuit
SLHC
Small Business
Small Business Financing
Small Business Lending
Small Business Regulatory Enforcement Fairness Act
Small Dollar Lending
Small Entity Compliance Guide
Social Media
SOFR
Somalia
Song-Beverly Credit Card Act
Sons and Daughters
Soundboard
South Africa
South Carolina
South Dakota
South Korea
Sovereign Immunity
SOX
SPAC
SPCP
Special Alerts
Spokeo
Spoofing
Sports Betting
SRR
Stablecoins
Standard Setting
Standing
State Attorney General
State Issues
State Legislation
State Regulation
State Regulators
Statute of Limitations
Steering
STIR/SHAKEN
Stress Test
Structured Settlement
Student Lending
Student Loan Servicer
Student Loan Servicing Act
Subject Matter Jurisdiction
Subprime
Subscriptions
Sudan
Supervision
Supply Chain
Surcharge
Surveillance
Swap Margin Rule
Swaps
Swiss-U.S. Privacy Shield
Switzerland
Symposium
Synthetic Identity Fraud
Syria
Systemic Risk
TAILOR Act
TARP
Taskforce
TCPA
Technology
Techsprint
Telemarketing
Telemarketing and Consumer Fraud and Abuse Prevention Act
Telemarketing Sales Rule
Temporary Waiver
Tenant Rights
Tennessee
Tenth Circuit
Terms of Use
Terrorist Financing
Terrorist Financing Targeting Center
Texas
Text Messages
Third Circuit
Third-Party
Third-Party Risk Management
Third-Party Service Providers
TILA
Time-Barred Debt
TISA
Title Insurance
Title Loans
Tokens
Tort Claims
TRACED Act
Transactions
Transnet
Travel Act
Tribal Immunity
Tribal Lending
TRID
TRO
Troubled Debt Restructuring
True Lender
Trump
Trust Fund
Truth in Caller ID Act
Truth in Savings Act
TSR
Turkey
Ty Yankov
U.K.
U.N.
U.S. Court of Federal Claims
U.S. House
U.S. Postal Inspection Service
U.S. Senate
U.S. Solicitor General
U.S. Supreme Court
U.S. Trade Representative
UCCC
UDAAP
UDAA{
UDAP
UETA
Uganda
UK
UK Bribery Act
UK FCA
UK FSA
UK OFT
UK PRA
UK Prevention of Corruption Act
UK Regulatory Reform
UK Serious Fraud Office
Ukraine
Ukraine Invasion
Unbanked
UNCITRAL
Unclaimed Property
Underserved
Underwriting
Unfair
Uniform Money Services Act
Uniform Mortgage-Backed Security
United Arab Emirates
Unsecured Loans
Unsophisticated Debtor
URLA
USDA
USERRA
UST
Usury
Utah
Valerie Hletko
Valid When Made
Validation Notice
VCDPA
Vehicle Title
Vendor
Vendor Management
Vendors
Venezuela
Venture Capital
Vermont
Veto
Vicarious Liability
Vietnam
Virginia
Virginia Consumer Protection Act
Virtual Currency
Vision 2020
VoIP
Volcker Rule
Walter Zalenski
Warren Traiger
Washington
West Virginia
Whistleblower
White Collar
White House
Wholesale Lending
Wire Act
Wire Fraud
Wire Tapping
Wire Transfers
Wiretap Act
Wisconsin
Work-Product Privilege
Writ of Certiorari
Writ of Mandamus
WSLA
Wyoming
Yemen
Yield Spread Premium
Zimbabwe