InfoBytes Blog

Financial Services Law Insights and Observations

  • Virginia passes additional VCDPA amendments

    Privacy, Cyber Risk & Data Security

    On March 7, the Virginia House and Senate passed HB 714, which amends Sections 59.1-575 and 59.1-584 and repeals Section 59.1-585 of the Virginia Consumer Data Protection Act (VCDPA). Specifically, the amendments expand the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.

    As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor, and if enacted, will take effect January 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia VCDPA

  • State AGs investigate streaming service for privacy violations

    State Issues

    On March 2, a coalition of state attorneys general, led by California Attorney General Rob Bonta, announced a nationwide investigation into a video streaming service regarding whether it is violating state consumer protection laws and putting children at risk by promoting its social media platform to children and young adults while its use is associated with physical and mental health harm to youth. According to the California AG, the investigation will examine the harm that the platform may cause to young users and what the platform knew about that harm, and will focus on, among other things, the techniques it utilized to boost young user engagement, including strategies or efforts to increase the duration of time spent on the platform and the frequency of engagement with the platform.

    State Issues Privacy/Cyber Risk & Data Security State Attorney General California

  • NYDFS will take expedited measures to enforce Russian sanctions

    State Issues

    On March 2, New York Governor Kathy Hochul announced that NYDFS will increase its sanctions enforcement actions against Russia, including taking measures to expedite the procurement of blockchain analytics tools to detect exposure among regulated licensed virtual currency businesses to Russian individuals, banks, and other entities sanctioned by the Biden administration. “Accelerating the procurement process is a critical step to strengthen the Department's ability to enforce anti-money laundering and Bank Secrecy Act laws in this immediate crisis and beyond,” the announcement stated, explaining that “[l]everaging purpose-built technologies and service providers for virtual currency protects the financial system from illicit activity including money laundering, terrorist financing and ransomware activity.” NYDFS Superintendent Adrienne A. Harris added that monitoring transactions and exposure in real-time is imperative for preventing actors from attempting to evade sanctions through the transmission of virtual currency. The announcement follows NYDFS guidance on cybersecurity and virtual currency issued last week, which raised the specter of elevated cyber risk due to ongoing cyberattacks against Ukraine that could spill over to other networks, as well as potential direct attacks against U.S. critical infrastructure. (Covered by a Buckley Special Alert.) Governor Hochul also issued an Executive Order at the end of February, which directed all New York State agencies and authorities to review and divest public funds from Russia. 

    State Issues Digital Assets State Regulators NYDFS Bank Regulatory Ukraine Ukraine Invasion Russia OFAC Sanctions Anti-Money Laundering Bank Secrecy Act

  • Florida house tries again on consumer privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 2, the Florida house passed HB 9, which would, among other things, regulate the sale and sharing of consumers’ personal data and provide consumers the right to sue over alleged violations. This is the state’s latest attempt to pass comprehensive consumer privacy legislation. Last year, the Florida legislatures failed to reconcile differences in their bills before the session ended. Highlights of the bill (which include changes from last session’s versions) include:

    • Applicability. The bill will apply to any entity meeting the definition of a controller, processor, or third party that buys, sells, or shares consumers’ personal information and (i) has global annual gross revenues exceeding $50 million; (ii) annually buys, receives, sells, or shares personal information of at least 50,000 consumers, households, or devices; or (iii) derives 50 percent or more of its global annual revenue from the selling or sharing of personal information. The bill sets forth numerous exemptions from its requirements, including personal information shared “with a financial service provided solely to facilitate short term, transactional payment processing for the purchase of products or services”; deidentified or aggregated personal information; data governed by certain federal, state, or local regulations or used to exercise or defend legal claims; certain personal information collected through a controller’s direct interaction with a consumer that is used to advertise or market products or services that are produced or offered directly by the controller; personal information used in the context of a consumer’s role or former role with the controller; specified protected health information; financial institutions covered by the Gramm-Leach-Bliley Act; personal information disclosed during intentional interactions or disclosed as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller; and personal information used to fulfill the terms of a written warranty, a product recall, or public- or peer-reviewed scientific or statistical research in the public interest.
    • Consumer rights. Under the bill, consumers will be able to, among other things, access their personal data; request deletion or make corrections; and opt out of the sale or sharing of personal information to third parties. Controllers will be required to deliver the requested information free of charge within 45 calendar days (a one-time additional 45-day extension may be granted), but are not required to provide personal information to a consumer more than twice in a 12-month period. Controllers will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances. Additionally, the bill will provide controllers the ability to charge a consumer who exercises any of their rights under the bill “a different price or rate, or provide a different level or quality of goods or services to the consumer” provided the “difference is reasonably related to the value provided to the controller by the consumer’s data or is related to a consumer’s voluntary participation in a financial incentive program, including a bona fide loyalty, rewards, premium features, discounts, or club card program offered by the controller.” Financial incentives that are not unjust, unreasonable, coercive, or usurious may also be offered as long as consumers give prior consent and are allowed to revoke consent at any time. The bill further stipulates that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
    • Disclosures. The bill will require controllers that collect consumers’ personal information to disclose certain information regarding data collection and selling practices to consumers at or before the point of collection. This information “may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request.” Additionally, processors or third parties must require any subcontractor to meet the same obligations with respect to personal information. Businesses also will be prohibited from collecting or using additional categories of personal information without first notifying consumers.
    • Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information.
    • Private cause of action, right to cure. The bill will provide a private right of action to allow consumers to bring a civil action under certain circumstances for injunctive or declaratory relief, and establishes a damage amount of either statutory damages of at least $100 but not more than $750 per consumer per incident, or actual damages, whichever is greater. Consumers may obtain specific relief from businesses with annual gross revenues greater than $50 million. In lawsuits involving businesses with annual gross revenues exceeding $500 million, consumers also are permitted to recover attorneys’ fees and costs. Civil actions must be filed within one year after discovery of the violation. The Department of Legal Affairs is also authorized to take action against a controller, processor, or third party for unfair or deceptive acts or practices. Fines may be tripled if a violation involves consumers 18 years of age or younger, or if a controller, processor, or third party fails to cure the violation upon written notice within 45 calendar days.

    If enacted in its current form, the bill would take effect January 1, 2023. The bill must be approved by the Florida senate and any differences reconciled before being sent to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Florida

  • District Court rules apps’ terms of service hyperlinks were clear and conspicuous

    Courts

    On February 23, the U.S. District Court for the Eastern District of New York ruled that parties must arbitrate class claims concerning alleged fraudulent transactions on app users’ accounts. Plaintiffs—users of the defendants’ mobile payment platform who claimed that third parties fraudulently withdrew funds from their app accounts—alleged that the defendants’ inadequate dispute resolution process “improperly places the burden on the user to prove that a disputed transaction was unauthorized” in violation of the EFTA and N.Y. Gen. Bus. Law § 349. Defendants, however, countered that the plaintiffs agreed to arbitrate any disputes related to their app accounts, and moved to compel arbitration and dismiss the complaint. The court analyzed the applicable sign-up flows and ruled that in signing up for the apps, users agreed to unambiguous terms of service, which included an arbitration agreement presented in a clickable hyperlinked URL. The court rejected plaintiffs’ assertion that a reasonably prudent smartphone user would not think to click on the terms of service hyperlink, stating that the hyperlink for both apps provided reasonably clear and conspicuous interfaces. The court further found that the claims were subject to arbitration because plaintiffs specifically assented to the arbitration provisions and that the parties agreed to present any question of arbitrability to an arbitrator.

    Courts Arbitration Class Action Consumer Finance Mobile Payments EFTA State Issues New York

  • New Mexico caps interest rates on small-dollar loans at 36%

    State Issues

    On March 1, the New Mexico governor signed HB 132, which amends certain provisions related to the state’s small dollar lending requirements. Among other things, the bill makes several amendments to the New Mexico Bank Installment Loan Act of 1959 (BILA) and the New Mexico Small Loan Act of 1955 (SLA) by raising the maximum installment loan amount to $10,000 and providing the following: (i) “no lender shall make a loan pursuant to the [BILA] to a borrower who is also indebted to that lender pursuant to the [SLA] unless the loan made pursuant to the [SLA] is paid and released at the time the loan is made”; (ii) only federally insured depository institutions may make a loan under the BILA with an initial stated maturity of less than one hundred twenty days; (iii) a lender that is not a federally insured depository institution may not make a loan under the BILA “unless the loan is repayable in a minimum of four substantially equal installment payments of principal and interest”; and (iv) lenders, aside from federally insured depository institutions, may not make a loan with an annual percentage rate (APR) greater than 36 percent (a specified APR increase is permitted if the prime rate of interest exceeds 10 percent for three consecutive months). When calculating the APR, a lender must include finance charges as defined in Regulation Z “for any ancillary product or service sold or any fee charged in connection or concurrent with the extension of credit, any credit insurance premium or fee and any charge for single premium credit insurance or any fee related to insurance.” Excluded from the calculation are fees paid to public officials in connection with the extension of credit, including fees to record liens, and fees on a loan of $500 or less, provided the fee does not exceed five percent of the loan’s total principal and is not imposed on a borrower more than once in a twelve-month period.

    The act also expands the SLA’s scope on existing anti-evasion provisions to specify that a person may not make small dollar loans in amounts of $10,000 or less without first having obtained a license from the director. The amendments also expand the scope of the anti-evasion provisions to include (i) the “making, offering, assisting or arranging a debtor to obtain a loan with a greater rate of interest . . . through any method, including mail, telephone, internet or any electronic means, regardless of whether the person has a physical location in the state”; and (ii) “a person purporting to act as an agent, service provider or in another capacity for another entity that is exempt from the [SLA]” provided the person meets certain specified criteria, such as “the person holds, acquires or maintains, directly or indirectly, the predominate economic interest in the loan” or “the totality of the circumstances indicate that the person and the transaction is structured to evade the requirements of the [SLA].” Under the act, a violation of a provision of the SLA that constitutes either an unfair or deceptive trade practice or an unconscionable trade practice is actionable under the Unfair Practices Act.

    The act also makes various amendments to a licensee’s books and records requirements to facilitate the examinations and investigations conducted by the Director of the Financial Institutions Division of the Regulation and Licensing Department. Failure to comply may result in the suspension of a license. Additionally, the act provides numerous amended licensing reporting requirements concerning the loan products offered by a licensee, average repayment times, and “the number of borrowers who extended, renewed, refinanced or rolled over their loans prior to or at the same time as paying their loan balance in full, or took out a new loan within thirty days of repaying that loan,” among other things. The act also outlines credit reporting requirements, advertising restrictions, and requirements for the making and paying of small dollar loans, including specific limitations on charges after judgment and interest.

    The act takes effect January 1, 2023.

    State Issues Licensing State Legislation Interest Rate Usury Consumer Finance New Mexico Regulation Z

  • Utah legislature passes privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Utah legislature passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state. (See also senate and house approved amendments here.) Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that also “has annual revenue of $25,000,000 or more” and “controls or processes personal data of 100,000 or more consumers” or “derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.” Certain entities are exempt from the bill’s requirements, including governmental entities and third parties under contract with a governmental entity that acts on behalf of that entity; tribes; institutions of higher education; nonprofits; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; financial institutions and affiliates subject to federal privacy disclosure requirements; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data.
    • Controllers’ and processors’ responsibilities. Under the bill, data controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, “unless the request is the consumer’s second or subsequent request during the same 12-month period.” Data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing deidentified data or pseudonymous data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it gives the Division of Consumer Protection investigative power and grants the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.

    If enacted in its current form, the bill would take effect December 31, 2023. 

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Utah

  • Virginia passes amendments on CDPA for data deletion

    Privacy, Cyber Risk & Data Security

    On February 25, the Virginia House and Senate passed HB 381, which amends Section 59.1-577 of the Virginia Consumer Data Protection Act (VCDPA) related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a third party “shall be deemed in compliance with a consumer’s request to delete such data . . . by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose . . . or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant” to the VCDPA. As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia VCDPA

  • Fed, NYDFS fine Pakistan bank over $50 million for AML deficiencies

    On February 24, the Federal Reserve Board and NYDFS announced an enforcement action against a Pakistan-based bank for alleged anti-money laundering (AML) violations. According to the Fed’s consent order and NYDFS’s consent order, following examinations conducted by the Fed and NYDFS in 2014 and 2015, the bank’s New York branch was identified as having deficiencies in its AML compliance and risk management programs, including compliance with related federal laws, rules, and regulations. According to the NYDFS press release, the bank did not comply with a Written Agreement with the Fed and NYDFS entered into in 2016 in which the bank acknowledged oversight and compliance deficiencies and agreed to remediate them. According to NYDFS, “[t]hese continued failures revealed that the Branch’s senior management were unwilling or unable to promote a culture of compliance, adequate resources were not provided for compliance programs, and the Bank failed to adequately supervise the Branch by allowing problems to worsen year after year. The conditions at the Branch demonstrated severe weaknesses, and unsafe, unsound conditions requiring urgent restructuring.”

    Under the terms of the consent orders, the bank is required to pay civil money penalties of approximately $20.4 million to the Fed and $35 million to NYDFS. In addition to the monetary penalties, the bank is required to, among other things: (i) create a written plan detailing enhancements to the policies and procedures of the bank’s BSA/AML compliance program, its Suspicious Activity Monitoring and Reporting program, and its customer due diligence requirements; (ii) engage an independent consultant to conduct a comprehensive evaluation of the bank’s remediation efforts; and (iii) submit a status report within 60 days regarding a system of internal controls “reasonably designed to ensure compliance with BSA/AML requirements.” NYDFS acknowledged the bank’s “cooperation with the investigation and its ongoing remedial efforts.”

    Bank Regulatory State Issues Financial Crimes Of Interest to Non-US Persons Federal Reserve NYDFS Enforcement Anti-Money Laundering Bank Secrecy Act

  • FTC bans debt relief scheme operators

    Federal Issues

    On February 28, the FTC announced the permanent ban of the operators (collectively, “defendants”) of a debt relief scheme from processing debt relief payments and ordered the defendants to pay a $5.3 million fine. According to the FTC’s July 2020 complaint, which was filed jointly with the Florida attorney general in the U.S. District Court for the Middle District of Florida, the defendants allegedly engaged in deceptive and abusive practices by selling their credit card interest rate reduction services to consumers in violation of the FTC Act, the Telemarketing Sales Rule, and the Florida Deceptive and Unfair Trade Practices Act. The FTC and Florida AG claimed that the defendants utilized telemarketing calls promising to reduce consumers’ credit card interest rates permanently and substantially, and, after posing as representatives or affiliates of consumers’ credit card companies, the defendants allegedly claimed they could save consumers thousands of dollars in credit card interest and enable them to pay off their debt faster. The complaint also asserted that the defendants, at times, opened new credit cards that offered low introductory interest rates and transferred the balances of consumers’ existing debt to the new cards. For that, customers paid upfront fees of between $995 and $4,995 while also paying “substantial” fees to transfer the balances.

    Under the terms of the settlement, the operators are permanently prohibited from participating in the debt relief industry, misrepresenting material facts in connection with any product or service, and engaging in deceptive and abusive telemarketing acts and practices, unsubstantiated claims, and other payment practices. Two individual defendants agreed to pay a $225,000 monetary penalty and the other defendant agreed to pay $200,000.

    Federal Issues FTC Enforcement State Issues State Attorney General Courts Florida UDAP Debt Relief Consumer Finance FTC Act TSR
