InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Pennsylvania amends privacy bill
On November 3, the Pennsylvania governor signed SB 696 to amend the Breach of Personal Information Notification Act. The bill, among other things, prohibits employees of the Commonwealth from using non-secured Internet connections. The bill also includes data storage policy provisions, which establish that an entity that maintains, stores, or manages computerized data on behalf of Pennsylvania that constitutes personal information must develop a policy to govern reasonably proper storage of the personal information. The bill further notes that a goal of the policy must be to reduce the risk of future breaches of the security of the system. The bill is effective 180 days after approval by the governor.
CPPA says comments on modified draft privacy rules due November 21
On November 3, the California Privacy Protection Agency (CPPA) Board officially posted updated draft rules for implementing the Consumer Privacy Rights Act of 2020, which amends and builds on the California Consumer Privacy Act of 2018. The draft rules were previously released in advance of a CPPA Board meeting held at the end of October (see previous InfoBytes coverage here for a detailed breakdown of the proposed changes). A few notable changes between the versions include:
- A requirement that a business must treat an opt-out preference signal as a valid request to opt out of sale/sharing for not only that browser or device but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
- A requirement that if a business does not ask a consumer to affirm their intent with regard to a financial incentive program, “the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or devise and any consumer profile the business associates with that browser or device.” However if a consumer submits an opt-out of sale/sharing request but does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal with respect to the consumer’s participation in the financial incentive program.
- The addition of the following provision: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
Comments on the amended draft rules are due November 21 by 8 am PT.
4th Circuit vacates $10.6 million judgment, orders district court to reevaluate class standing
On October 28, the U.S. Court of Appeals for the Fourth Circuit remanded a $10.6 million damages award it had previously approved in light of the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez. As previously covered by InfoBytes, in January, the Supreme Court vacated the judgment against the defendants and ordered the 4th Circuit to reexamine its decision in light of TransUnion (which clarified the type of concrete injury necessary to establish Article III standing, and was covered by InfoBytes here). Previously, a divided 4th Circuit affirmed a district court’s award of $10.6 million in penalties and damages based on a summary judgment that an appraisal practice common before 2009 was unconscionable under the West Virginia Consumer Credit and Protection Act (covered by InfoBytes here). During the appeal, the defendants argued that summary judgment was wrongfully granted and that the class should not have been certified since individual issues predominated over common ones, but the appellate court majority determined, among other things, that there was not a large number of uninjured members within the plaintiffs’ class because plaintiffs paid for independent appraisals and “received appraisals that were tainted.” At the time, the 4th Circuit “concluded that the ‘financial harm’ involved in paying for a product that was ‘never received’ was ‘a classic and paradigmatic form of injury in fact.’” On remand, the 4th Circuit considered questions of standing and ultimately determined that TransUnion requires the district court to reevaluate the standing of class members.
Pennsylvania sues lead generator for facilitating telemarketers’ robocalls
On November 3, the Pennsylvania attorney general announced a lawsuit against a New York-based lead generation company that connects advertisers to potential new customers through the consumers’ personal data for allegedly causing hundreds of thousands of robocalls to be placed to consumers in the Commonwealth. The defendant, along with several of its subsidiaries, allegedly collected personal information, including phone numbers and personal information of consumers on Pennsylvania’s Do Not Call List, that was then sold to telemarketing companies. According to the complaint, the defendants allegedly engaged in deceptive and misleading business practices in connection with their lead-generation practices, by obtaining consumers’ information through various promotional opportunities without clearly disclosing that by providing their contact information, consumers were consenting to receiving telemarketing calls from hundreds of potential sellers. The complaint alleges that from 2018 to 2021, over 4.2 million Pennsylvania consumers registered their information on one of the defendants’ websites. “Under the [Telemarketing Sales Rule (TSR)], a consumer’s express agreement to accept calls delivering a prerecorded message may not be obtained by a lead generator, who is not a seller or a telemarketer. The express agreement must be obtained directly by the seller or telemarketer from the consumer,” the complaint said. Moreover, even if the defendants were not directly making the telemarketing calls themselves, assisting and facilitating the calls is itself a violation of the rules, the complaint noted.
The defendants are charged with violating several federal and state telemarketing laws, including the TSR, and Pennsylvania’s Telemarketer Registration Act (TRA) and Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. The AG’s office seeks a declaration permanently enjoining the defendants from violating the telemarketing and consumer protection laws, along with civil penalties of $1,000 per violation and $3,000 per violation involving a victim age 60 or older. The suit also seeks disgorgement, costs, and a permanent bar on selling consumer data collected in violation of the TSR and TRA.
CSBS provides tips on NMLS annual renewal
On October 20, the Conference of State Bank Supervisors (CSBS) announced that individuals and businesses in the mortgage, money transmission, debt collection, and consumer financial services industry are encouraged by state regulators to prepare for November 1, which is the beginning of the Nationwide Multistate Licensing System (NMLS) annual license renewal. The announcement noted the number of individual state licenses eligible for renewal is 13 percent higher than the same time last year, while the number of company licenses eligible for renewal is up 16 percent compared to this time last year. CSBS provided five tips for licensees to prepare for NMLS renewal, which include, among other things, resetting NMLS passwords to conform with new requirements that went into effect this past March and to review state-specific renewal requirements. CSBS also noted that the renewal period in most states runs from November 1 to December 31.
Arizona streamlines DBA licensing requirements
At the end of September, amended financial services licensing provisions under Arizona SB 1394 took effect. SB 1394 streamlines licensing requirements for companies that are currently required to obtain separate licenses for trade names or assumed names (often known as “doing business as” or DBAs). Specifically, SB 1394 will allow most companies that the Department of Insurance and Financial Institutions (DIFI) licenses to operate with additional trade names under a single license, provided the company notifies DIFI in writing prior to using the assumed name or trade name. Companies, however, may not use an assumed name or trade name that (i) is “so substantially similar” to another company’s name that it may cause public uncertainty or confusion; or (ii) may deceive or mislead the public as to the type of business conducted by the company. DIFI applauded the bill’s passage in an announcement released earlier this year, saying consumers will still be able to look up companies under a trade name and file complaints against a company’s trade name. “Licensees will save time and money by linking additional DBAs to a single license name without having to pay for and maintain multiple licenses,” DIFI said, noting that it still “maintains all regulatory authority including the ability to investigate, examine, and take action against the parent business.”
NYDFS revises state CRA regulations
On October 26, NYDFS released revisions to its proposed state Community Reinvestment Act regulation, which would allow the Department to obtain the necessary data to evaluate the extent to which New York-regulated banking institutions are serving minority- and women-owned businesses in their communities. The revised proposed regulation addresses comments received during a prior 60-day comment period that began last November (covered by InfoBytes here), and is intended to minimize compliance burdens by making sure the regulation’s proposed language complements requirements in the CFPB’s proposed rulemaking for collecting data on credit access for small and minority- and women-owned businesses. Among other things, the revised proposed regulation would require regulated entities to inquire as to whether a business applying for a loan or credit is minority- or women-owned or both, and submit a report to the Department providing application details, such as the date, type of credit applied for and the amount, whether the application was approved or denied, and the size and location of the business. Additionally, the revised proposed regulation (i) establishes processes for regulated entities when soliciting, collecting, storing, and reporting information related to their provision of credit to minority- and women-owned businesses, including when requests for information should be made, and notifications informing applicants of their right to refuse to offer information in response to a request and that the provided information may not be used for any discriminatory purpose; (ii) provides that, to the extent feasible, underwriters should not be able to access information provided by an applicant; (iii) stipulates how long a regulated entity is required to preserve gathered information; and (iv) provides a sample data collection form that regulated entities may choose to use. According to NYDFS, the revisions are designed to make sure regulated entities abide by fair lending laws when collecting and submitting the necessary data. Comments will be accepted for 45 days following publication in the State Register.
States launch investigation into banks’ ESG investing and banking
On October 19, a coalition of 19 state attorneys general, led by Missouri, Arizona, Kentucky, and Texas, announced that six large U.S. banks were served civil investigative demands (CIDs) asking for information related to their involvement with the U.N.’s Net-Zero Banking Alliance (NZBA). The Missouri AG’s office, which has led the opposition against ESG (environmental, social, governance) investing and banking practices, stated that NZBA-member banks are required to set emissions reduction targets in their lending and investment portfolios to reach net zero by 2050. According to the Missouri AG, the NZBA serves to “starve companies engaged in fossil fuel-related activities of credit on national and international markets” by requiring banks to cede authority to the U.N. The CIDs seek information from the banks on topics related to, among other things, (i) their involvement in affiliated global climate initiatives; (ii) how NZBA and Principles for Responsible Banking objectives have been incorporated into their operations; and (iii) the extent to which the banks have fulfilled their “commitment to ‘facilitat[e] the necessary transition in the real economy through prioritizing client engagement and offering products and services to support clients’ transition,’” as well as their “commitment to ‘engag[e] on corporate and industry (financial and real economy) action, as well as public policies, to help support a net-zero transition of economic sectors in line with science and giving consideration to associated social impacts.’”
District Court grants FDCPA defendant’s motion for summary judgment
On October 18, the U.S. District Court for the Eastern District of Pennsylvania granted a second summary judgment motion by a debt collection agency (defendant) in an FDCPA suit, after the plaintiff filed a motion for reconsideration, ruling that a collection letter sent to the plaintiff was not false, deceptive, misleading, unfair or unconscionable. According to the order, the plaintiff received two bills after being treated at a hospital for an automobile accident: one in the amount of $675, which was adjusted from $900 because the plaintiff lacked insurance, and a second bill from a doctor’s network for $468. The hospital placed the unpaid account with the defendant who in turn sent a collection letter to the plaintiff, which was the only contact between the plaintiff and the defendant. The plaintiff filed suit, alleging that under Pennsylvania’s Motor Vehicle Financial Responsibility Law the defendant was permitted to attempt to collect only $141.15, and that its failure to do so violated the FDCPA. This value was based on the Current Procedural Terminology (CPT) code associated with the doctor’s network bill, but the hospital’s bill did not contain a CPT code. The district court found that the plaintiff did not demonstrate any material issue of disputed fact that the services provided by the hospital were or should have been billed under the same CPT code as the doctor’s network bill, nor did the plaintiff provide sufficient evidence to prove that the amount billed by the hospital violated state law, and therefore, granted the defendant’s motion for summary judgment.
West Virginia AG pings CFPB on "unconstitutionally appropriated" funds
On October 24, the West Virginia attorney general sent a letter to CFPB Director Rohit Chopra, and to the leadership of both the House Financial Services Committee and the Senate Banking Committee, regarding the constitutionality of the Bureau’s continuing operation. As previously covered by a Buckley Special Alert, the U.S. Court of Appeals for the Fifth Circuit held that the CFPB funding structure created by Congress violated the Appropriations Clause of the Constitution, which provides that “no money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law.” The 5th Circuit ruled that, although the CFPB spends money pursuant to a validly enacted statute, the structure violates the Appropriations Clause because the CFPB obtains its funds from the Federal Reserve (not the Treasury), the CFPB maintains funds in a separate account, the Appropriations Committees do not have authority to review the agency’s expenditures, and the Bureau exercises broad authority over the economy. In the letter, the AG argued that the Bureau cannot discharge its duties in a constitutionally permissible way. He further noted that the Bureau “plainly cannot do that with a funding scheme that ‘sever[s] any line of accountability between [Congress] and the CFPB.’” The AG urged the Bureau to reassess its future plans and to reevaluate whether its present regulations have any effect. The letter also requested answers to a series of questions, no later than November 1: (i) “Does the agency believe that any of the regulations that it promulgated under the unconstitutional funding scheme remain in effect? If so, which ones—and why? Similarly, how does the decision affect past enforcement actions?”; and (ii) “What plans does the Bureau plan to undertake to comply with the ruling? How will its ongoing enforcement efforts be effected? How will this change affect any promulgation of regulations? How will bank supervision continue, if at all?”