InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court denies class cert in data breach suit
On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private information. Plaintiffs alleged the defendant contracted with a third-party reservation site, which required consumers to provide payment card information and other personally identifying information (PII). The plaintiffs contended that during the data breach, hackers accessed customer data, and argued that “had [the third party] ‘employed multiple levels of authentication,’ rather than ‘single factor authorization,’ the ‘hacker would not . . . have been able to access the system.” Plaintiffs further claimed that the defendant served as the third party’s agent and was therefore responsible for its conduct.
In declining to certify the class, the court ruled that the plaintiffs failed to successfully allege any of their three claims on behalf of the class. The court reviewed the plaintiffs’ breach of contract claims, which alleged that the defendant promised to safeguard class members’ PII but failed to provide notice on its website that a third party was processing the payment information. According to the court, the plaintiffs could not show that all of the proposed class members would have believed they were providing their information to the defendant because the defendant’s “Book Now” button sent the user to the third party’s website and the defendant’s privacy policy disclosed its use of third party websites. The court also rejected the plaintiffs’ assertion that the defendant disclosed personal information in violation of California Civil Code because the information was hacked rather than disclosed by either the defendant or the third party. With respect to the plaintiffs’ Texas Deceptive Trade Practices Act claims, the plaintiffs argued that the defendant’s statements about protective measures were misleading because the third party did not employ multi-layer authentication. The court concluded that class treatment of those claims was improper as it could not determine whether the practice was misleading for the entire class as the question is dependent on whether class members believed they were providing PII to the defendant or to the third party.
Michigan Court of Appeals affirms dismissal of post-judgment interest case, says state court rule precludes class actions
On April 21, the Michigan Court of Appeals affirmed a trial court’s dismissal of a post-judgment interest putative class action after concluding that a court rule that precludes “‘actions’ based on claimed violations of statutes that permit[ ] recovery of statutory damages in lieu of actual damages” necessitated the dismissal of the plaintiff’s class action claim. According to the opinion, after the plaintiff defaulted on her $900 credit card debt, the debt was assigned to the defendant debt collector who calculated the plaintiff’s unpaid balance to be $6,241.20. The defendant sought judgment against the plaintiff in that amount, plus interest, fees, and costs, and obtained a default judgment against the plaintiff after she did not respond. The defendant consequently obtained several writs of garnishment, all of which indicated that post-judgment interest had been added to the debt. Several years later, the plaintiff filed a putative class action alleging the defendant violated the FDCPA and the Michigan Regulation of Collection Practices Act (RCPA) by overstating how much she owed “and by impermissibly inflating [defendant’s] costs and the amount of interest it charged.” The state trial court dismissed the plaintiff’s class action claims with prejudice on the basis that Michigan Court Rules (MCR) preclude her from recovering statutory damages under the RCPA because the RCPA does not explicitly permit class actions. The court also dismissed her individual claims for lack of subject-matter jurisdiction.
On appeal, the plaintiff argued that the trial court erred when it dismissed her class action claims under MCR because she also sought equitable relief and actual damages; however, the Michigan Court of Appeals pointed to a provision in the MCR that states “[a]n action for a penalty or minimum amount of recovery without regard to actual damages imposed or authorized by statute may not be maintained as a class action unless the statute specifically authorizes its recovery in a class action.” The Court of Appeals explained that the RCPA is implicated under this rule because (i) it permits the recovery of statutory damages; and (ii) does not contain a provision explicitly permitting class actions, and as such, “plaintiff’s class action claims must be dismissed irrespective of the fact that she also sought injunctive relief, declaratory relief, and actual damages.” The Court of Appeals further held that even if the plaintiff attempted to plead individual claims, the case would not be allowed to proceed because the actual damages in this case are not high enough to meet the jurisdictional minimum amount in Michigan.
CFPB, New York sue remittance provider
On April 21, the CFPB and New York attorney general filed a complaint against a remittance provider (defendant) for allegedly violating the Electronic Funds Transfer Act and its implementing Regulation E and the Remittance Rule (the Rule) and the Consumer Financial Protection Act (CFPA), among various consumer financial protection laws. The Bureau’s announcement called the defendant a “repeat offender” citing that in 2018, the FTC filed a motion for compensatory relief and modified order for permanent injunction against the defendant, which alleged that it failed to adopt and implement a comprehensive fraud prevention program mandated by the 2009 order (covered by InfoBytes here). The CFPB complaint alleges that from October 2018 through 2022, the defendant: (i) violated the Remittance Rule requirements by repeatedly failing “to provide fund availability dates that were accurate, when the Rule required such accuracy”; (ii) “repeatedly ignored the Rule’s error-resolution requirements when addressing notices of error from consumers in New York, including in this district, and elsewhere;” and (iii) failed to establish policies and procedures designed to ensure compliance with money-transferring laws, in violation of Regulation E. The complaint further noted that the defendant’s “own assessments of consumers’ complaints showed that the dates Defendants disclosed to consumers, repeatedly, were wrong,” and that the defendant “found multiple delays in making funds available to designated recipients, including delays that constituted errors under the Rule,” among other things. Finally, the Bureau claims that the defendant violated the CFPA “by failing to make remittance transfers timely available to designated recipients or to make refunds timely available to senders.” The Bureau’s complaint seeks consumer restitution, disgorgement, injunctive relief, and civil money penalties. According to a statement released by CFPB Director Rohit Chopra, "the remittance market is ripe for reinvention, and the CFPB will be examining ways to increase competition and innovation for the benefit of both families and honest businesses, while also avoiding creating a new set of harms."
NYDFS encourages banks to expand access to low-cost banking services
On April 15, NYDFS issued guidance determining that offering a “Bank On” certified deposit accounts would satisfy a New York Basic Banking services law that requires institutions to offer low-cost banking services to consumers. According to NYDFS, Bank On accounts (which offer services that eliminate several fees, including overdraft, account activation, closure, dormancy, inactivity, and low balance fees) may be offered as an alternative to existing basic banking accounts. Following an assessment of the New York banking industry to determine the receptiveness and operational viability of offering Bank On accounts, NYDFS concluded that “all New York State regulated banking institutions, as defined under Section 14-f.9(a) of the New York Banking Law . . ., will be deemed to satisfy the Basic Banking requirements under the New York Banking Law and the General Regulations of the Superintendent, by offering Bank On accounts as an alternative to Basic Banking accounts.” Banking institutions may offer Bank On accounts instead of Basic Banking accounts without the need to submit a separate application to the NYDFS for approval. However, because the national standards for Bank On accounts are subject to change without input from NYDFS, institutions that offer the accounts should keep up to date on the national standards.
The guidance follows an announcement from New York Governor Kathy Hochul stating that the “COVID-19 pandemic has shown how important it is for every New Yorker to have financial security.” Stressing that “access to low-cost banking services is critical to managing and securing their financial needs,” Hochul stated that “[t]hese new accounts will help hard working individuals in underserved communities get the affordable, accessible banking options they need and is a crucial step towards ensuring a more inclusive economy for all.”
NYDFS encourages banks to expand access to low-cost banking services
On April 15, NYDFS issued guidance determining that offering a “Bank On” certified deposit accounts would satisfy a New York Basic Banking services law that requires institutions to offer low-cost banking services to consumers. According to NYDFS, Bank On accounts (which offer services that eliminate several fees, including overdraft, account activation, closure, dormancy, inactivity, and low balance fees) may be offered as an alternative to existing basic banking accounts. Following an assessment of the New York banking industry to determine the receptiveness and operational viability of offering Bank On accounts, NYDFS concluded that “all New York State regulated banking institutions, as defined under Section 14-f.9(a) of the New York Banking Law . . ., will be deemed to satisfy the Basic Banking requirements under the New York Banking Law and the General Regulations of the Superintendent, by offering Bank On accounts as an alternative to Basic Banking accounts.” Banking institutions may offer Bank On accounts instead of Basic Banking accounts without the need to submit a separate application to the NYDFS for approval. However, because the national standards for Bank On accounts are subject to change without input from NYDFS, institutions that offer the accounts should keep up to date on the national standards.
The guidance follows an announcement from New York Governor Kathy Hochul stating that the “COVID-19 pandemic has shown how important it is for every New Yorker to have financial security.” Stressing that “access to low-cost banking services is critical to managing and securing their financial needs,” Hochul stated that “[t]hese new accounts will help hard working individuals in underserved communities get the affordable, accessible banking options they need and is a crucial step towards ensuring a more inclusive economy for all.”
Colorado seeks comments on privacy rulemaking; draft regulations to come this fall
Recently, the Colorado attorney general released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The considerations seek informal public input on any area of the CPA, including those “that need clarification, consumer concerns, anticipated compliance challenges, impacts of the CPA on business or other operations, cost concerns, and any underlying or related research or analyses.” As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights and provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters. Finally, the AG has authority to develop technical specifications for at least one universal opt-out mechanism.
The AG’s office stated that it plans to adopt a principle-based model for the state’s rulemaking approach rather than a prescriptive one, and outlined five principles intended to help implement the CPA:
- rules should protect consumers and help consumers understand and exercise their rights;
- rules should clarify ambiguities as necessary to promote compliance and minimize unnecessary disputes;
- rules should facilitate efficient and expeditious compliance by ensuring processes are simple and straightforward for consumers, controllers and processors, and enforcement agencies;
- rules should facilitate interoperability and allow the CPA to function alongside protections and obligations created by other state, national, and international frameworks; and
- rules should not be unduly burdensome so to as to prevent the development of adaptive solutions to address challenges presented by advances in technology.
The pre-rulemaking considerations laid out several questions for input related to topics addressing universal opt-out mechanisms, consent for processing consumer data in specific circumstances, dark patterns, data protection assessments that screen for heightened risk of harm, the effects of profiling on consumers, opinion letters and interpretive guidance, offline and off-web data collection, and differences and similarities between the CPA and laws in other jurisdictions. A formal notice of rulemaking and accompanying draft regulations will be issued this fall. Comments may be submitted through the AG’s portal here.
NYDFS to collect assessment fees from licensed virtual currency businesses
On April 9, the New York governor signed S. 8008-C, which enacts the state’s 2023 fiscal year budget and requires, among other things, NYDFS to start charging a new assessment fee to all virtual currency businesses licensed in New York in order to cover the costs associated with their oversight and “defray operating expenses.” Specifically, Section 206 is amended to read: “The expenses of every examination of the affairs of any person regulated pursuant to this chapter that engages in virtual currency business activity shall be borne and paid by the regulated person so examined, but the superintendent, with the approval of the comptroller, may in the superintendent’s discretion for good cause shown remit such charges.” The amendments do not specify a specific assessment amount, however regulated companies engaged in virtual currency business activity “shall be assessed by the superintendent for the operating expenses of the department that are solely attributable to regulating such persons in such proportions as the superintendent shall deem just and reasonable.”
NYDFS Superintendent Adrienne A. Harris issued a press release the same day praising the budget adoption as it now allows the Department to collect supervisory costs from licensed virtual currency businesses as it does for banking and insurance companies. Noting that “New York was the first to start licensing and supervising virtual currency companies,” Harris said that the “new authority will empower the Department to build staff with the capacity and expertise to best regulate and support this rapidly growing industry.”
Massachusetts settles with financial company
On April 13, the Massachusetts attorney general announced a settlement with a California-based finance company (defendant) resolving allegations that it violated Massachusetts law by purchasing and collecting on dog leases – which are illegal in Massachusetts. The settlement also alleges that the company engaged in illegal debt collection practices such as calling debtors too frequently while attempting to collect on the leases. Under the terms of the settlement, the defendant must pay over $930,000, which includes $175,000 in restitution to approximately 200 consumers, and a $50,000 fine. The defendant is prohibited from collecting on any active leases involving dogs in Massachusetts and must transfer full ownerships of the dogs to the consumers. The defendant must also cancel any outstanding amount owed on the leases, totaling approximately $700,000.
The Massachusetts AG has been investigating financial companies who originate or purchase dog leases – calling the practice “exploitive” because it uses “dogs as emotional leverage” over debtors – and encouraged consumers who are victims of dog leases to call the AG’s office or to file a complaint online.
Virginia enacts additional consumer data protections
On April 11, the Virginia governor signed legislation enacting additional amendments to the Virginia Consumer Data Protection Act (VCDPA). Both bills take effect July 1.
HB 714 (identical bill SB 534) expands the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.
HB 381 amends VCDPA provisions related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a third party “shall be deemed in compliance with a consumer’s request to delete such data . . . by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose . . . or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant” to the VCDPA.
As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
Virginia and Tennessee specify automatic renewal cancellation requirements
On April 11, the Virginia governor signed HB 78, which relates to automatic renewal or continuous service offers to consumers. The bill, among other things, requires that suppliers of automatic renewals or continuous service offers through an online website make a conspicuous online option available for canceling a recurring purchase of a good or service. Under the Virginia Consumer Protection Act, the bill establishes that failing to make available such option to cancel is prohibited. The bill is effective July 1.
On April 8, the Tennessee governor signed HB 1652, which also requires that suppliers of automatic renewals or continuous service offers through an online website make a conspicuous online option available for canceling a recurring purchase of a good or service. The bill is effective January 1, 2023.