InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court dismisses state law claims concerning scanned email allegations
On April 26, the U.S District Court for the Northern District of California granted a defendant tech company’s motion for reconsideration to dismiss a plaintiffs’ Washington Privacy Act (WPA) claims that it shared customer data with third parties without first obtaining consent. According to the amended complaint, the defendant allegedly misrepresented its privacy and security practices in violation of federal and state law by, among other things, sharing customer data with unauthorized third parties (some of which suffered data breaches), using customer data to develop products and services to sell to other companies, and falsely promising it complied with privacy and confidentiality standards. Plaintiffs alleged the company scanned 400 billion customer emails to obtain insights for its API, which it then sold to others.
In its prior ruling, the court dismissed plaintiffs’ Wiretap Act and Stored Communications Act claims but allowed the WPA claims to proceed. The defendant then filed a motion for partial reconsideration, arguing that the WPA claim is also premised on the same scanned email theory as with the other two claims that were already dismissed. The court agreed that the plaintiffs failed to sufficiently allege that their emails were scanned and dismissed the WPA claims without leave to amend because the “interception or disclosure of a communication” was necessary “in order for the conduct to be actionable.”
California Court of Appeal: Including extraneous language in FCRA disclosure may constitute willful violation
On April 19, the California Court of Appeal for the Fourth Appellate District reversed a trial court’s summary judgment order and held that the inclusion of extraneous language in an employer’s FCRA disclosures to job applicants may constitute willful violation of the FCRA. The plaintiff filed a putative class action against the defendant employer, contending that it willfully violated the FCRA by providing job applicants with a disclosure that included extraneous language unrelated to the topic of consumer reports. The plaintiff alleged that the disclosure violated the FCRA’s requirement for providing a standalone disclosure informing the applicant that the employer may obtain the applicant’s consumer report when making a hiring decision upon applicant’s consent. The defendant filed a motion for summary judgment arguing that no reasonable jury could find that the plaintiff’s FCRA violation was willful, because the erroneous disclosure form was the result of a drafting mistake that took place when the defendant modified a sample disclosure provided by a consumer reporting agency to ensure compliance with the FCRA. The trial court granted the defendant’s motion, finding that any non-compliance resulted from a drafting was an inadvertent error.
On appeal, the Court of Appeal reversed and remanded with instructions that the trial court deny the motion for summary judgment. The appellate court found that “a reasonable jury could find that [the employer] acted willfully because it violated an unambiguous provision of the FCRA.” The Court of Appeal noted that that there’s evidence that at least one of the defendant’s employees was aware that the extraneous language would be included in the disclosure form. In addition, the continuous use of the allegedly problematic disclosure form for nearly two years could signify recklessness. The Court of Appeal reasoned further that the defendant’s “continued and prolonged use” of the “problematic” disclosure form “suggest[ed] that it had no proactive monitoring system in place to ensure its disclosure was FCRA-complaint.”
Nevada Supreme Court affirms ruling in default notice suit
On April 7, the Nevada Supreme Court denied a petition for rehearing and reaffirmed its prior conclusion that, under Nevada law, when a notice of rescission is recorded after a notice of default, the rescission cancels the acceleration triggered by the notice of default, and resets a statutory 10-year period for automatically clearing a lien on real property. NRS § 106.240 “provides a means by which liens on real property are automatically cleared from the public records after a certain period of time,” and specifically “provides that 10 years after the debt secured by the lien has become ‘wholly due’ and has remained unpaid, ‘it shall be conclusively presumed that the debt has been regularly satisfied and the lien discharged.’” The specific question before the Nevada Supreme Court was what effect a notice of rescission has on NRS § 106.240’s 10-year period when the notice is recorded after a notice of default. The Nevada Supreme Court upheld the lower court’s decision determining that “because a notice of rescission rescinds a previously recorded notice of default, the notice of rescission ‘effectively cancelled the acceleration’ triggered by the notice of default, such that NRS 106.240’s 10-year period was reset.”
District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed
On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this information in online teaser profile advertisements. Plaintiffs contended that the “teasers” violated their rights of publicity, and that memberships give users access to data including location history, family members, court records, employment information, and more. Plaintiffs further stated that “they ‘did not consent to the commercial use of their personal information and personas to promote subscriptions to a website with which they have no relationship.’” Defendant moved to dismiss on numerous grounds, including lack of standing.
In denying the motion to dismiss, the court ruled that plaintiffs have Article III standing to sue and that plaintiffs sufficiently pleaded a cognizable injury in “that their names, likenesses, and related information have commercial value and were being used for a commercial purpose.” The court also reviewed the adequacy of pleadings with respect to the alleged state violations and concluded, among other things, that the defendant’s teasers “are not subject to statutory exceptions for newsworthiness or public interest information.” As to the defendant’s alleged violations of California’s Unfair Competition Law (UCL), the court considered whether the California Consumer Privacy Act (CCPA) “immunizes [defendant’s] behavior from UCL liability.” According to the defendant, the CCPA generally obligates businesses to notify California residents when personal information is being used, it also “contains an express exemption for the use of publicly available data.” Because this conduct is allegedly permitted by the CCPA, the defendant argued, it cannot violate the UCL. The court disagreed, writing that “all that these provisions of the CCPA do are exempt publicly available data from special notification and disclosure rules that the statute itself imposes on companies that collect Californians’ data. . . . They do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.”
Illinois adopts rules implementing Predatory Loan Prevention Act
On April 22, the Illinois Department of Financial and Professional Regulation (IDFPR) published in the Illinois Register a notice of adopted rules to implement the Predatory Loan Prevention Act (PLPA or the Act). As previously covered by InfoBytes, the Act was signed into law in March 2021 to prohibit lenders from charging more than 36 percent APR on all non-commercial consumer loans under $40,000, including closed-end and open-end credit, retail installment sales contracts, and motor vehicle retail installment sales contracts. Violations of the Act constitute a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act and carry a potential fine up to $10,000. Additionally, any loan with an APR exceeding 36 percent will be considered null and void.
In general, the adopted rules require lenders to provide a disclosure to consumers about the 36 percent APR rate cap established by the PLPA, incorporate the APR calculation method required by the PLPA, and amend the rules for reporting of payday loans to the state database. The rules specify that words in the definitions are not defined to have the same meaning as in Regulation Z, including any interpretation by the CFPB. For purposes of calculating the PLPA ARP, the rules specify that the calculation excludes only certain specified bona fide fees, but includes finance charges, loan application fees, and fees imposed for participation in any plan or arrangement for a loan, “even if that charge would be excluded from the finance charge under Regulation Z.”
The IDFPR made several amendments related to rate cap disclosure notices. These specify that all loan applications must include a separate rate cap disclosure signed by the consumer (disclosures must be provided in English and in the language in which the loan was negotiated) that clearly and conspicuously states: “A lender shall not contract for or receive charges exceeding a 36% annual percentage rate on the unpaid balance of the amount financed for a loan, as calculated under the Illinois Predatory Loan Prevention Act (PLPA APR). Any loan with a PLPA APR over 36% is null and void, such that no person or entity shall have any right to collect, attempt to collect, receive, or retain any principal, fee, interest, or charges related to the loan. The annual percentage rate disclosed in any loan contract may be lower than the PLPA APR.”
The rules take effect August 1.
Florida court grants sovereign immunity to lender and company officials
On April 11, a Florida county court concluded that a defendant lender and certain company officials were entitled to sovereign immunity in a case concerning alleged usury claims. The plaintiff claimed the lender used its supposed federally-recognized tribal affiliation to escape state usury regulations. The court dismissed the complaint, however, finding that the lender is an “arm of the tribe” under a six-prong test established by the U.S. Court of Appeals for the Tenth Circuit in Breakthrough Management Group, Inc. v. Chukchansi Gold Casino & Resort. The test determines whether sovereign immunity should apply by examining, among other factors, an entity’s creation, the amount of control a tribe has over the entity, and the financial relationship between the tribe and the entity. According to the court, the defendant’s evidence suggests that the tribe created the defendant as a business entity “to generate and contribute revenues” to the tribe’s general fund. The court found that insufficient detail was presented to support the plaintiff’s assertion that the defendant pays a relatively small percentage of its gross revenues to the tribe. The court added that the plaintiff also failed to present evidence proving that large portions of the defendant’s revenue were distributed to non-tribal entities. In dismissing the case with prejudice, the court also dismissed claims against three individual defendants because they were entitled to sovereign immunity. The court concluded that the plaintiff’s allegations demonstrated that the individuals committed the alleged wrongs in their capacities as employees and officers and therefore the “real party in interest” is the lender.
DFPI concludes MTA licensure not required for direct purchase and sale of cryptocurrency
Recently, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to the purchase and sale of virtual currency. The redacted opinion letter examines whether a Company that offers customers the opportunities to deposit fiat currency to a Company account and then draw down that balance to purchase virtual currency from the company requires MTA licensure. The Company explained that virtual currency is purchased from a third party and is transferred to the customer’s Company-issued virtual currency wallet where it can then be stored, transferred to an external wallet, or sold for fiat currency. When a customer later wants to sell the purchased virtual currency for fiat currency, the transaction occurs in a similar fashion. The Company stated that “virtual currency sales to customers are from the Company’s own inventory,” and that for purposes of the opinion, DFPI “assumes these sales occur independently of the Company’s own transactions with third parties.”
DFPI concluded that because the Company’s activities are limited to directly purchasing and selling cryptocurrency to customers, it does not require an MTA license because it does “not involve the sale or issuance of stored value or receiving money for transmission.” Specifically, DFPI stated that because the “customer’s fiat currency balance in the Company account does not meet the definition of stored value” and because “funds in that account can only be used for virtual currency purchases from the Company or transferred out to the customer’s external bank account,” the closed loop stored value “does not constitute issuance of stored value that is regulated under the MTA.” DFPI reminded the Company that its determination is limited to the presented facts and that any change could lead to different conclusions.
Illinois adopts amendments to Consumer Installment Loan Act
On April 22, the Office of the Illinois Secretary of State published in the Illinois Register a notice by the Department of Financial and Professional Regulation of adopted amendments to certain parts of its Consumer Installment Loan Act (CILA). Under the amendments, a licensee may obtain a license under the CILA for the exclusive purpose and use of making title secured loans. The amendments also require consumer installment lenders to provide a disclosure to consumers regarding the 36 percent annual percentage rate (APR) rate cap established by the Predatory Loan Prevention Act Annual Percentage Rate. These amendments eliminate small consumer loans and implement rules for reporting, to the state database, consumer installment loans. Additionally, the amendments include the implementation of a new definition and new rules for title-secured loans. The amendments are effective August 1.
Arizona establishes mortgage broker provisions
On April 22, the Arizona governor signed SB 1204, which amends state provisions regarding mortgage broker and banker licensing. Among other things, the bill: (i) provides that “a parent company may apply for and be granted a certificate of exemption on behalf of an entity that allows a responsible individual to reside out of state,” as long as certain criteria is met; (ii) establishes qualifications, application, bond, fees, and renewal requirements for licensing of mortgage brokers; and (iii) states that “[a] person shall APPLY for a license or for a renewal of a license in writing on the forms, in the manner and accompanied by the information prescribed by the deputy director.”
District Court approves final $85 million class action privacy settlement despite objections
On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to the more than 150 million class members (defined as individuals who “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication”), the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. Under the terms of the final settlement, the company will establish an $85 million fund to pay valid claims, fees and expenses, service payments, and taxes, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the settlement stipulates that the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company will educate users about available security features and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.
The court considered several objections raised by certain class members, including concerns argued on behalf of a subclass of users who used the meeting application “as part of a business that was legally or contractually required to maintain client confidentiality as part of the services the business provided.” According to these objectors, the individual payment amounts are inadequate for individuals who held sensitive meetings. The court countered that the objectors’ claims did not differ from other class members and that the recovery is intended to cover users who did not receive the benefit of their bargain with the company, and not for “special harm arising from a duty to maintain client confidentiality.”