InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Colorado enacts medical debt collection bill
On June 9, the Colorado governor signed HB 1285, which prohibits hospitals from taking certain debt collection actions against a patient if the hospital is not in compliance with hospital price transparency laws. Specifically, the bill prohibits hospitals that are not in compliance with a price transparency rule that went into effect in January 2021 from placing debts with third-party collection agencies, filing lawsuits to collect on unpaid debts, and reporting debts to credit reporting agencies. The bill also establishes that a patient may file suit if they believe that a hospital was not in material compliance with price transparency laws.
District Court dismisses suit alleging improper inspection fees
On June 6, the U.S. District Court for the District of New Jersey granted a defendant bank’s motion to dismiss, ruling that the plaintiff’s inspection fee allegations are barred on collateral estoppel grounds. The plaintiff filed a class action suit claiming the defendant’s computer software orders property inspections after borrowers’ loans are in default and then charges borrowers for the improper inspection fees. According to the opinion, the defendant initiated foreclosure proceedings in 2012 against the plaintiff in state court after she missed payments. The parties litigated the matter for several years in state court, and in 2018, the plaintiff filed a motion for leave to add class action claims related to the defendant’s inspection fee collection system. The state court denied plaintiff’s motion, finding the proposed claims to be without merit and futile. Final judgment of foreclosure was granted to the bank. Similar proceedings involving the same class action counterclaims occurred after the defendant requested that the judgment be vacated to add an additional lien holder as a defendant. The defendant again applied for entry of final judgment, but withdrew this application allegedly in response to the Covid-19 pandemic. Ultimately the state court dismissed the foreclosure action without prejudice for lack of prosecution. The plaintiff filed an instant complaint in federal court.
The defendant argued that the plaintiff “should be collaterally estopped from bringing these claims because the New Jersey Superior Court ruled on the exact issues [plaintiff] raises here in the prior foreclosure action brought by [defendant] against [plaintiff] in state court, ultimately dismissing them with prejudice.” The plaintiff countered “that because the foreclosure action was dismissed without entry of judgment, collateral estoppel does not apply.” In agreeing with the defendant, the court stated that “the doctrine of collateral estoppel applies whenever an action is ‘sufficiently firm to be accorded conclusive effect,” adding that the state court’s orders in the foreclosure action are “sufficiently firm as to warrant conclusive effect.” According to the court, “[t]hese decisions—particularly the second dismissal with prejudice—were clearly intended to be the final adjudication of the precise issues that [plaintiff] is now attempting to relitigate in the instant action.”
NYDFS releases stablecoin guidance
On June 8, NYDFS released new regulatory guidance on the issuance of U.S. dollar-backed stablecoins, establishing criteria for regulated virtual currency companies seeking to issue stablecoins in the state. The guidance outlines baseline criteria for USD-backed stablecoins, including that: (i) a “stablecoin must be fully backed by a Reserve of assets,” such that the Reserve’s market value “is at least equal to the nominal value of all outstanding units of the stablecoin as of the end of each business day”; (ii) stablecoin issuers “must adopt clear, conspicuous redemption policies, approved in advance by [NYDFS] in writing, that confer on any lawful holder of the stablecoin a right to redeem units of the stablecoin from the Issuer in a timely fashion at par for the U.S. dollar”; (iii) Reserve assets must be segregated from an issuer’s proprietary assets and “held in custody with U.S. state or federally chartered depository institutions and/or asset custodians”; (iv) a Reserve must consist of specific assets subject to NYDFS-approved overcollateralization requirements and restrictions; and (v) a Reserve must undergo an examination of its management’s assertions at least once a month by a licensed certified public accountant.
NYDFS emphasized that these criteria are not the only requirements it may impose when issuing stablecoins, and informed regulated entities that it will also consider a range of potential risks prior to granting a regulated entity authorization to issue stablecoins. This includes risk related to “cybersecurity and information technology; network design and maintenance and related technology and operational considerations; Bank Secrecy Act/anti-money-laundering [] and sanctions compliance; consumer protection; safety and soundness of the issuing entity; and the stability/integrity of the payment system, as applicable.” Additional requirements may be imposed on regulated entities to address any of these risks.
NYDFS noted that the regulatory guidance is not applicable to USD-backed stablecoins listed, but not issued, by regulated entities, and stated it “does expect regulated entities that list USD-backed stablecoins to consider this guidance when submitting a request for coin issuance or seeking approval for a coin self-certification policy.”
District Court: Company must face data breach claims
On June 1, the U.S. District Court for the District of Arizona ruled that a health care company must face a proposed class action related to claims that its failure to implement cybersecurity safeguards led to a data breach that compromised individuals’ personal health information. In granting in part and denying in part defendant’s motion to dismiss, the court declined to dismiss several of the plaintiffs’ claims for negligence, ruling that the second amended complaint sufficiently alleged that the defendant employed inadequate data security and that plaintiffs suffered an actual injury as a result of the data breach because the monitoring services offered by the defendant were insufficient and offered for too short of time causing certain plaintiffs to purchase additional identity protection products and/or services. However, other negligence claims were dismissed after the court determined that some of the plaintiffs failed to allege any actual damages or out-of-pocket expenses. Additionally, while the court allowed several state law claims to proceed, it dismissed claims brought under the California Consumer Protection Act due to the plaintiff’s failure to provide the requisite pre-suit notice within the 30-day time period as required by law, finding the failure could not be cured by the passage of time. Other state law claims, involving violations of the Wisconsin Deceptive Trade Practices Act and Pennsylvania Unfair Trade Practices and Consumer Protection Law, were also dismissed due to a failure to articulate cognizable losses.
States vow to enter information agreements with FCC against robocalls
On May 31, a coalition of 41 state attorneys generals, on behalf of the National Association of Attorneys General, sent a letter to the FCC commending the agency for its efforts in combating robocalls. Specifically, the AGs praised the FCC’s “leadership in encouraging states to enter into information sharing agreements to facilitate fast, effective information sharing during the course of robocall investigations.” The AGs stated that they “believe these information sharing agreements represent an important continuation of the progress made to date in combatting robocalls,” and entering the agreements “honor our country’s tradition of federalism and evidences a mutual commitment to working towards addressing complex issues collaboratively.” Not all the signatories had entered information sharing agreements with the FCC at the time the letter was sent, but the letter affirmed “their commitment to making a good faith attempt to sign the agreements,” and encouraged the FCC to reach out to the included point of contact for each state to move forward with the agreements.
California’s privacy agency posts CPRA proposal
Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the February meeting that the rulemaking process will extend into the second half of the year. An updated formal rulemaking timeline may be released during the June 8 meeting.
The draft regulations, which were introduced outside of the rulemaking process, set forth a working draft of the regulations to implement the CPRA and modify certain provisions and propose new regulations, including:
- Adding, amending, and striking certain definitions. The CPRA draft regulations modify the definitions in the CCPA regulations. Specifically, the amendments strike “affirmative authorization” and “household” from its list of definitions, but adds new terms such as “disproportionate effect,” “first party,” “frictionless manner,” “notice of right to limit,” “opt-out preference signal,” as well as terms related to a consumer’s right to request to correct, opt-in to sale/sharing, delete, know, or limit.
- Outlining restrictions on the collection and use of personal information. The draft regulations state that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be “reasonably necessary and proportionate,” and “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses also must obtain a consumer’s explicit consent prior to collecting, using, retaining, and/or sharing the personal information for any purpose that is unrelated or incompatible with the original purpose for which the personal information was collected or processed.
- Providing disclosure and communications requirements. Disclosures and communications are required to be easy to read and understandable to consumers, be available in languages in which the business ordinarily provides information, and be reasonably accessible to consumers with disabilities. The draft regulations also stipulate requirements for website and mobile application links.
- Describing requirements for submitting CCPA requests and obtaining consumer consent. The draft regulations set forth methods for submitting CCPA requests and obtaining consumer consent, including requirements regarding the manner in which such requests and consents may be obtained. For example, the requests and consents must be easy to understand, must include symmetry in choice, and avoid confusing and manipulative language. Methods that do not comply with these requirements may be considered a “dark pattern” and will not constitute consumer consent.
- Amending requirements related to a business’s privacy notice. The draft regulations would amend the requirements related to the information that must be included in a privacy notice related to a business’s online and offline practices regarding the collection, use, sale, sharing, and retention of personal information; and an explanation of CPRA rights conferred on consumers regarding their personal information, how they can exercise their rights, and what they can expect from this process.
- Amending notices required by the CCPA. The draft regulations set forth additional requirements related to the notice at collection, the notice of right to opt-out of sale/sharing, and the “Do Not Sell or Share My Personal Information” link, such as updates to the content of the notices, location of the notices/links, and the effects of certain requests (e.g. “clicking the business’s ‘Do Not Sell or Share My Personal Information’ link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice”). The draft regulations would also amend the notice of financial incentive.
- Providing instructions for the Notice of Right to Limit Use of Sensitive Personal Information. The draft regulations outline requirements for businesses to comply with a consumer’s rights to limit the use of sensitive personal information. They also provide businesses the option to use an alternative opt-out link to allow “consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate…links.”
- Amending methods for handling consumer requests to delete, correct, and know. The draft regulations outline additional documentation requirements, as well as guidance on responding to consumer requests, including explanations for denying a request. Notably, in response to a request to know, “a business shall provide all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.” Additionally, a company that intends to collect additional categories of information that are “incompatible” with the originally disclosed purpose must provide a new notice at collection and obtain new consent.
- Opt-out preference signals. The draft regulations set forth requirements for opt-out preference signals and how businesses should respond to such preferences. Specifically, the draft regulations provide that processing an opt-out preference must be done in a “frictionless manner” and includes examples.
- Addressing consumer requests for limiting the use and disclosure of sensitive personal information. Businesses will be required to provide two or more designated methods for submitting requests to limit and must, among other things, comply with a request to limit “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” All service providers, contractors, and third parties must comply as well. The regulations set forth exceptions to the limitations for using and disclosing sensitive personal information.
The draft regulations also amend provisions related to contract requirements for service providers/contractors/third parties, verification of requests, authorized agents, minor consumers, discriminatory practices, requirements for businesses collecting large amounts of personal information, and investigations and enforcement.
Maryland amends security procedures standards
On May 29, Maryland HB 962 was enacted under Article II, Section 17(c) of the Maryland Constitution - Chapter 502, which amends the Maryland Personal Information Protection Act. The bill, among other things, expands the types of businesses that are required to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized use. The bill also decreases the period within which certain businesses must provide required notifications to consumers after a data breach. Violation of the bill’s provisions are considered to be an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA), subject to MCPA’s civil and criminal penalty provisions. The law is effective October 1.
Florida amends money service businesses provisions to define “control persons”
On May 26, the Florida governor signed HB 389, which amends provisions related to money service businesses and related licensing requirements. The bill, among other things, replaces the term “officers” with “control person” and expands the definition of “control person” to designate the type of individuals that may be considered to control a licensee. As a result of this amendment, the bill sets forth and clarifies various requirements related to the vetting and reporting of control persons, as opposed to officers generally, going forward. The law is effective October 1.
DFPI requests comments on oversight of crypto asset-related financial products and services
On June 1, the California Department of Financial Protection and Innovation (DFPI) issued a request for public comments from stakeholders on developing guidance related to the oversight of crypto asset-related financial products and services. DFPI will proceed with rulemaking under the authority of the California Consumer Financial Protection Law (CCFPL). The request is in accordance with an executive order issued by the California governor last month, which called on the state to create a transparent and consistent framework for companies operating in blockchain, cryptocurrency, and related financial technologies. (Covered by InfoBytes here.) DFPI’s request outlines various topics and questions concerning regulatory priorities, CCFPL regulation and supervision, and marketing monitoring functions, but notes that stakeholders “may comment on any potential area for rulemaking relating to crypto asset-related financial products and services,” including under other statutes administered or enforced by DFPI such as the Corporate Securities Law, Escrow Law, California Financing Law, or Money Transmission Act. The deadline to submit comments is August 5.
DFPI issues NPRM to implement process for handling consumer complaints and inquiries under the CCFPL
Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to adopt regulations to implement and interpret certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. (See also text of the proposed regulations here.) As previously covered by a Buckley Special Alert, AB 1864 was signed in 2020 to enact the CCFPL, which, among other things: (i) establishes UDAAP authority for DFPI; (ii) authorizes DFPI to impose penalties of $2,500 for “each act or omission” in violation of the law without a showing that the violation was willful, arguably representing an enhancement of DFPI’s enforcement powers in contrast to Dodd-Frank and existing California law; (iii) provides DFPI with broad discretion to determine what constitutes a “financial product or service” within the law’s coverage; and (iv) provides that administration of the law will be funded through the fees generated by the new registration process as well as fines, penalties, settlements, or judgments. While the CCFPL exempts certain entities (e.g., banks, credit unions, certain licensees), DFPI’s oversight authority was expanded to include debt collection, debt settlement, credit repair, check cashing, rent-to-own contracts, retail sales financing, consumer credit reporting, and lead generation.
The NPRM proposes new rules to implement section 90008, subdivisions (a), (b), and (d)(2)(D), of the CCFPL related to consumer complaints and inquires. According to DFPI’s notice, section 90008 subdivisions (a) and (b) authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries. Additionally, subdivision (d)(2)(D) “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”
Among other things, the NPRM:
- Identifies entities exempt from the consumer complaints and inquiries requirements;
- Requires covered persons to respond to consumer complaints and to establish policies and procedures for receiving and responding to complaints, including providing a complaint form, acknowledging receipt of complaints, tracking complaints, the timeline for responding to complaints, the contents for such a response, and recordkeeping of such complaints;
- Sets forth requirements for responding to complaints, including documenting when complaints do not require further investigation, performing an investigation of a complaint if warranted, and requiring corrective action to resolve a complaint such as an account adjustment, credit, or refund, and appropriate steps to prevent recurrence of the issue, which may include policy changes and employee training;
- Requires designation of an officer with primary responsibility for the complaint process;
- Requires covered persons to submit to DFPI a quarterly complaint report, which will be made public, and an annual inquiries report;
- Sets forth requirements for covered persons to respond to inquiries from consumers and develop and implement written policies and procedures for responding to such inquiries;
- Provides that covered persons must develop and implement written policies and procedures for responding to requests from DFPI regarding consumer complaints; and
- Exempts certain information, such as nonpublic or confidential information, including confidential supervisory information, from disclosure to consumers.
Written comments on the NPRM are due by July 5.