Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
9th Circuit reverses decision in COPPA suit
In December, the U.S. Court of Appeals for the Ninth Circuit reversed and remanded a district court’s decision to dismiss a suit alleging that a multinational technology company used persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of the Children’s Online Privacy Protection Act (COPPA). According to the opinion, the company used targeted advertising “aided by sophisticated technology that delivers curated, customized advertising based on information about specific users.” The opinion further explained that “the company’s technology ‘depends partly on what [FTC] regulations call ‘persistent identifiers,’ which is information ‘that can be used to recognize a user over time and across different Web sites or online services.’” The opinion also noted that in 2013, the FTC adopted regulations under COPPA that barred the collection of children’s “persistent identifiers” without parental consent. The plaintiff class claimed that the company used persistent identifiers to collect data and track their online behavior surreptitiously and without their consent, and alleged state law claims arising under the constitutional, statutory, and common law of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee, in addition to COPPA violations. The district court ruled that the “core allegations” in the third amended complaint were squarely covered, and preempted, by COPPA.
On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. To determine this, the appellate court examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The appellate court stated that it was not “persuaded that the insertion of ‘treatment’ in the preemption clause here evinces clear congressional intent to create an exclusive remedial scheme for enforcement of COPPA requirements.” The opinion noted that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.”
District Court issues judgment against debt-collection law firm
On January 11, the U.S. District Court for the Southern District of New York entered a proposed stipulated final judgment and order against a defendant New York debt-collection law firm. As previously covered by InfoBytes, the Bureau’s complaint alleged that between 2014 and 2016 the defendant initiated over 99,000 collection lawsuits in an attempt to collect debts by relying on “non-attorney support staff, automation, and both a cursory and deficient review of account files,” in violation of both the FDCPA and the Consumer Financial Protection Act. The Bureau alleged the lawsuits contained names and signatures of attorneys despite those attorneys “not being meaningfully involved in reviewing the merits of the lawsuits,” including not reviewing pertinent documentation related to the debts, such as account applications, billing statements, payment histories, and the terms and conditions governing an account. Moreover, the defendant allegedly did not perform reviews of the contracts related to debt sales, despite filing lawsuits on behalf of debt buyers that have been accused of unlawful debt collection practices.
In order to continue with debt-collection litigation, for each collection suit, the settlement requires the defendant to possess documents with specific information about the debt, including the name of the original creditor, evidence that the consumer authorized the debt, the chain of assignment supporting any sale of the debt, and a break-down of how the debt amount was calculated. The defendant must also certify that the attorney whose name appears on the complaint reviewed the supporting documentation and ensure the complaint is consistent with that documentation. Any pending lawsuit in which the defendant does not certify its compliance with the specific information and meaningful attorney review requirements must be voluntarily dismissed. The also order requires the defendant to pay a $100,000 penalty to the Bureau.
DOJ says court will oversee social media company’s housing ads into 2026
On January 9, the DOJ informed a New York federal judge that it had reached a follow-up agreement with a global social media company to ensure its compliance with a June 2022 settlement that required the company to stop using a tool that allowed advertisers to exclude certain users from seeing housing ads based on their sex and estimated race/ethnicity. Explaining that the tool violated the Fair Housing Act, the letter said the company agreed to allow the tool to expire and agreed to build a system to reduce variances in its housing ad delivery system related to sex and estimated race/ethnicity. A follow-up agreement reached between the parties on compliance targets established that the company will be subject to court oversight and regular compliance review through June 27, 2026. The company released a statement following the settlement announcing it is making changes “in part to address feedback we’ve heard from civil rights groups, policymakers and regulators about how our ad system delivers certain categories of personalized ads, especially when it comes to fairness.” The company further noted that “while HUD raised concerns about personalized housing ads specifically, we also plan to use this method for ads related to employment and credit. Discrimination in housing, employment and credit is a deep-rooted problem with a long history in the US, and we are committed to broadening opportunities for marginalized communities in these spaces and others.”
District Court approves $11 million data breach settlement
On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including names, Social Security numbers, driver’s license numbers, dates of birth, and username/password information. According to plaintiffs’ amended complaint, the defendant insurance software providers failed to notify affected individuals about the data breach until on or after May 10, 2021, despite commencing an investigation in March. Plaintiffs maintained that the defendants’ alleged failure to comply with FTC cybersecurity guidelines and industry data protection standards put at risk their financial and personal records, and said they now face years of constant surveillance to prevent potential identity theft and fraud. Under the terms of the settlement (see also plaintiffs’ memorandum of law in support of the motion for final approval), class members will each receive up to $5,000 for out-of-pocket expenses, including up to eight hours of lost time at $25/hour, as well as 12 months of financial fraud protection. Members of a California subclass will receive additional benefits of between $100 and $300 each. The defendants are also responsible for paying each named plaintiff a $2,000 service award and must pay over $3 million in attorney fees, costs, and expenses.
District Court stays stablecoin suit pending arbitration proceedings
On January 6, the U.S. District Court for the Northern District of California granted a defendant cryptocurrency exchange’s motion to compel arbitration in a class action alleging the exchange, along with the issuer of a stablecoin cryptocurrency, misrepresented the stability of the coin when offering it on the exchange’s platform. The defendants filed separate motions to compel arbitration, however, the plaintiffs claimed, among other things, that since they opened their accounts, the exchange’s user agreement, which contains an arbitration agreement, “has been unilaterally modified more than 20 times.” They further maintained that the exchange’s motion to compel arbitration should be denied because the arbitration provision is “unconscionable and thus unenforceable” and “the delegation clause is inapplicable and unconscionable.”
District Court preliminarily approves data breach suit
On January 9, the U.S. District Court for the District of New Mexico granted preliminary approval of a class action settlement in a data breach suit that allegedly compromised approximately 191,000 individuals’ personally identifiable information (PII). According to the plaintiffs’ motion, the class alleged that their PII and personal health information were compromised when cybercriminals breached the defendant’s systems. If granted final approval, the settlement class would consist of four categories of relief: (i) reimbursement for lost time (up to four hours at $15 per hour) and out-of-pocket expenses up to $500; (ii) reimbursement for extraordinary losses up to $3,500; (iii) two years’ free credit monitoring services; and (iv) equitable relief in the form of security improvements to the defendant’s system.
District Court grants $11.9 million settlement in ATM fees suit
In December, the U.S. District Court for the District of New Jersey granted preliminary approval of a $11.9 million settlement in a class action suit resolving allegations pertaining to a defendant national bank’s out-of-network ATM fees. According to the plaintiff’s motion, the plaintiffs challenged a fee assessed by the defendant “when its accountholders check their account balance at a [an out-of-network] ATM, referred to herein as an ‘Out of Network ATM Balance Inquiry Fee’ or ‘OON ATM Balance Inquiry Fee.’” The plaintiffs alleged that such fees on balance inquiries, when combined with fees assessed by the bank and by the out-of-network ATM owner, resulted in three total fees on a single cash withdrawal at an out of network ATM, and violated the terms of the defendant’s account agreement.
DOJ, HUD say Fair Housing Act extends to algorithm-based tenant screening
On January 9, the DOJ and HUD announced they filed a joint statement of interest in a pending action alleging discrimination under the Fair Housing Act (FHA) against Black and Hispanic rental applicants based on the use of an algorithm-based tenant screening system. The lawsuit, filed in the U.S. District Court for the District of Massachusetts, alleged that Black and Hispanic rental applications who use housing vouchers to pay part of their rent were denied rental housing due to their “SafeRent Score,” which is derived from the defendants’ algorithm-based screening software. The plaintiffs claimed that the algorithm relies on factors that disproportionately disadvantage Black and Hispanic applicants, such as credit history and non-tenancy related debts, and fails to consider that the use of HUD-funded housing vouchers makes such tenants more likely to pay their rents. Through the statement of interest, the agencies seek to clarify two questions of law they claim the defendants erroneously represented in their motions to dismiss: (i) the appropriate standard for pleading disparate impact claims under the FHA; and (ii) the type of companies that fall under the FHA’s application.
The agencies first challenged that the defendants did not apply the proper pleading standard for a claim of disparate impact under the FHA. Explaining that in order to establish an FHA disparate impact claim, “plaintiffs must show ‘the occurrence of certain outwardly neutral practices’ and ‘a significantly adverse or disproportionate impact on persons of a particular type produced by the defendant’s facially neutral acts or practices,’” The agencies disagreed with the defendants’ assertion that the plaintiffs “must also allege specific facts establishing that the policy is ‘artificial, arbitrary, and unnecessary.” This contention, the agencies said, “conflates the burden-shifting framework for proving disparate impact claims with the pleading burden.” The agencies also rejected arguments that the plaintiffs must challenge the entire “formula” of the scoring system and not just one element in order to allege a statistical disparity, in addition to providing “statistical findings specific to the disparate impact of the scoring system.” According to the agencies, the plaintiffs adequately identified an “essential nexus” between the algorithm’s scoring system and the disproportionate effect on certain rental applicants based on race.
The agencies also explained that residential screening companies, including the defendants, fall under the FHA’s purview. While the defendants argued that the FHA does not apply to companies “that are not landlords and do not make housing decisions, but only offer services to assist those that do make housing decisions,” the agencies contended that this misconstrues the clear statutory language of the FHA and presented case law affirming that FHA liability reaches “a broad array of entities providing housing-related services.”
“Housing providers and tenant screening companies that use algorithms and data to screen tenants are not absolved from liability when their practices disproportionately deny people of color access to fair housing opportunities,” Assistant Attorney General Kristen Clarke of the DOJ’s Civil Rights Division stressed. “This filing demonstrates the Justice Department’s commitment to ensuring that the Fair Housing Act is appropriately applied in cases involving algorithms and tenant screening software.”
9th Circuit affirms decision in FCRA, CFPA, and TSR suit
In December, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s ruling holding an individual liable for violations of the FCRA, the TSR, and the CFPA after the defendant, who allegedly “played a central role” in the scheme — and other defendants — were sued by the CFPB for allegedly obtaining individuals’ credit reports illegally and charging advance fees for debt relief services. As previously covered by InfoBytes, the CFPB filed a complaint in 2020 claiming the defendants violated the FCRA by, among other things, illegally obtaining consumer reports from a credit reporting agency for millions of consumers with student loans by representing that the reports would be used to “make firm offers of credit for mortgage loans” and to market mortgage products. However, the Bureau alleged that the defendants instead resold or provided the reports to numerous companies, including companies engaged in marketing student loan debt relief services. The defendants also allegedly violated the TSR by charging and collecting advance fees for their debt relief services and violated both the TSR and CFPA by placing telemarketing sales calls and sending direct mail to encourage consumers to consolidate their loans, while falsely representing that consolidation could lower student loan interest rates, improve borrowers’ credit scores, and allow borrowers to change their servicer to the Department of Education. Settlements have already been reached with certain defendants (covered by InfoBytes here, here, and here). In August 2021, the U.S. District Court for the Central District of California granted the Bureau’s motion for summary judgment against the individual defendant after determining that undisputed evidence showed that the individual defendant, among other things, “obtained and later used prescreened lists from [a consumer reporting agency] without a permissible purpose” in order to send direct mail solicitations from the businesses that he controlled to consumers on the lists as opposed to firm offers of credit or insurance. (Covered by InfoBytes here.)
In September 2021, the district court entered judgment in favor of the Bureau against the individual defendant. While the individual defendant objected to the judgment, the district court ultimately determined that the Bureau is entitled to a judgment for monetary relief of over $19 million as redress for fees paid by affected consumers. This restitution is owed jointly and severally with the student loan debt relief company defendants in the amounts imposed in default judgments entered against each of them (covered by InfoBytes here).
On the appeal, the 9th Circuit cited “undisputed” evidence demonstrating how the individual defendant “violated” the FCRA, TSR, and CFPA. According to the appellate court, the defendant “is individually liable for corporate violations of the CFPA.” The appellate court further noted that the individual defendant “‘participated directly’ in these deceptive practices and ‘had the authority to control them,’” had a “central role” in these practices,” was “‘recklessly indifferent to the truth or falsity of the misrepresentations,’ and did not attempt to verify the truthfulness of statements” regarding the companies he controlled.
Social media users denied preliminary injunction in privacy suit
On December 22, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for preliminary injunction in a privacy suit. According to the order, the plaintiffs alleged that the social media company improperly acquired their confidential health information in violation of state and federal law and in contravention of the company’s own policies regarding the use and collection of users’ data. The plaintiffs alleged that each of their healthcare providers allegedly installed the company’s software, which is a free and publicly available piece of code that the company allows third-party website developers to install on their patient portals. When the plaintiffs logged into the portal on their medical provider’s website, the software allegedly transmitted certain information to the social media company. The plaintiffs claimed that the software allowed the company to intercept personally identifiable medical information and the content of patient communications for its financial gain. The court found,however, that though the plaintiffs “raise potentially strong claims on the merits and their alleged injury would be irreparable if proven,” the “plaintiffs need to show ‘that the law and facts clearly favor [their] position, not simply that [they are] likely to succeed.’” The court also noted that the company’s “core defense is that it has systems in place to address the receipt of the information at issue and that it would be unfairly burdensome and technologically infeasible for them to take further action.” The court continued, “[w]ithout further factual development, it is unclear where the truth lies, and plaintiffs do not meet the high standard required for a mandatory injunction.”
- Keisha Whitehall Wolfe to discuss “Tips for successfully engaging your state regulator” at the MBA's State and Local Workshop
- Max Bonici to discuss “Enforcement risk and trends for crypto and digital assets (Part 2)” at ABA’s 2023 Business Law Section Hybrid Spring Meeting
- Jedd R. Bellman to present “An insider’s look at handling regulatory investigations” at the Maryland State Bar Association Legal Summit