InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Consumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on the subject of consumer data privacy safeguards. The hearing entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act” heard from consumer privacy advocates on lessons from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, and what types of consumer protections should be considered in future federal legislation. Committee Chairman, Senator John Thune, opened the hearing by emphasizing the importance of promoting privacy without stifling innovation. Senator Thune stated that, while understanding the experience of technology and telecommunications companies in this space is important, any new federal privacy law must also incorporate views from affected industry stakeholders and consumer advocates.
The consumer privacy advocate witnesses agreed there is a need for heightened consumer protections and rights, and that the time is ripe to have a debate on what a consumer data privacy law at the federal level would look like and how it would work with state level laws. However, witnesses cautioned that federal legislation should create a floor and not a ceiling for privacy that will not prevent states from passing their own privacy laws. One of the witnesses who led the effort behind the California ballot initiative that resulted in the CCPA emphasized that federal legislation should contain a robust enforcement mechanism, while a witness from the Center for Democracy & Technology said that (i) lawmakers should give the FTC the ability to fine companies that violate consumers’ privacy and provide the agency with more resources; and (ii) a federal law should cover entities of all sizes and clarify what secondary and third-party uses of data are permissible.
Among other things, the hearing also discussed topics addressing: (i) GDPR open investigations; (ii) support for state Attorney General enforcement rights; (iii) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; and (iv) consumers’ rights to control their personal data.
Coalition of state Attorneys General encourages FCC to create rules to block illegal robocalls
On October 8, a collation of 35 state Attorneys General submitted reply comments in response to a public notice seeking ways the FCC could create rules that will enable telephone service providers to block illegal robocalls. In their comments to the FCC, the coalition encourages the FCC to implement rules and additional reforms that go beyond the agency’s 2017 call-blocking order, which allows phone companies to proactively block illegal robocalls originating from certain types of phone numbers. (See previous InfoBytes coverage here.) “Many illegal robocallers, however, simply do not care about the law and have a more insidious agenda — casting a net of illegal robocalls to ensnare vulnerable victims in scams to steal money or sensitive, personal information,” the coalition stated. “[C]riminals are estimated to have stolen 9.5 billion dollars from consumers through phone scams in 2017.” The coalition encourages collaboration between states, federal counterparts, and the domestic and international telecommunications industry, and applauds recent progress on the implementation of frameworks such as the “Secure Telephone Identity Revisited” and “Secure Handling of Asserted information using toKENs” protocols that assist service providers in identifying illegally spoofed calls.
Washington state Attorney General says debt buyers are collection agencies, files lawsuit for operating without a license
On September 21, the Washington state Attorney General announced that it filed a lawsuit against several collection agencies and their owner (defendants) for allegedly purchasing and suing on charged-off consumer debts in violation of the Washington Collection Agency Act (WCAA) and the Washington Consumer Protection Act (WCPA). The complaint alleges that defendants bought and then obtained judgements on at least 3,500 consumer debts without first obtaining a collection agency license under the WCAA. Under the WCAA, a debt buyer is a collection agency and must therefore “be licensed as a collection agency if it enters into contracts with sellers of debt accounts or takes other affirmative steps to acquire accounts for collection, either directly or through an agent.” Failure to obtain a license as required under the WCAA amounts to a per se violation of the WCPA. Because defendants bought and sued on consumer debts before obtaining a license in 2013, the Attorney General claimed that they violated the WCAA and the WCPA. The complaint seeks civil money penalties of up to $2,000 per violation for each violation of the WCPA, restitution for affected consumers, and reimbursement of legal costs and fees.
Global ride-sharing company settles with state Attorneys General for $148 million over data breach
On September 26, the California Attorney General announced that a global ride-sharing company reached a joint settlement with all 50 state Attorneys General and the District of Columbia for $148 million to resolve allegations that the company failed to safeguard user data and to notify authorities after a 2016 data breach. As previously covered by InfoBytes, in November 2017, the company disclosed, via press release, a 2016 data breach that exposed the personal data of 57 million riders and drivers, where hackers obtained approximately 600,000 driver names and license numbers, along with rider names, email addresses, and mobile phone numbers. During subsequent state investigations, authorities discovered that, after the company discovered the breach, it paid hackers $100,000 to delete the acquired data and to keep silent about the breach.
According to the California announcement, the $148 million settlement benefits all 50 states and the District of Columbia, with California receiving $26 million. In addition to the penalty, the settlement allegedly requires the company to implement various conduct provisions, including (i) integrating privacy considerations and protections into the development and design of products; (ii) implementing and maintaining robust data security practices and accurately representing them; (iii) developing and maintaining a comprehensive information security program; (iv) reporting data security incidents to states on a quarterly basis for two years; and (v) maintaining a “Corporate Integrity Program.”
California amends the California Consumer Privacy Act of 2018
On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Among other changes, SB 1121 makes the following amendments to the Act:
- The bill requires businesses that collect a consumer’s personal information to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer;
- The bill clarifies that the requirements imposed and rights afforded to consumers by the Act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws or that conflicts with the California Constitution;
- The bill prohibits application of the Act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies or pursuant to the California Financial Information Privacy Act;
- The bill clarifies that the only private right of action permitted under the Act is a private right of action for violations of the data breach provisions involving a consumer’s nonencrypted or nonredacted personal information and only to the extent that the business’ failure to maintain reasonable security measures caused the breach;
- The bill eliminates the requirement that plaintiffs notify the California Attorney General prior to proceeding with private litigation under the Act;
- The bill limits the civil penalties that the California Attorney General may assess for violations to $2,500 per violation or $7,500 per intentional violation; and
- The bill prohibits the California Attorney General from bringing an enforcement action under the Act until the earlier of either July 1, 2020, or six months after the publication of the final regulations.
New York Attorney General sues nine student debt relief companies
On September 20, the New York Attorney General announced a lawsuit against nine student loan debt relief companies, along with their financing company, and two individuals (collectively, “defendants”), alleging that the defendants fraudulently, deceptively, and illegally marketed, sold, and financed student debt relief services to consumers nationwide. Among other things, the complaint alleges that the defendants (i) sent direct mail solicitations to consumers that deceptively appeared to be from a governmental agency or an entity affiliated with a government agency; (ii) misrepresented that they would apply fees paid by borrowers to student loan balances; (iii) charged consumers over $1,000 for services that were available for free; (iv) requested upfront payments in violation of federal and state credit repair and debt relief laws; (v) charged usurious interest rates; and (vi) provided consumers with “incomplete and harmful advice,” such as counseling borrowers to consolidate federal student loans without explaining that in certain circumstances borrowers could “lose months or years of loan payments they had already made that would qualify toward forgiveness of their loans under the Public Service Loan Forgiveness Program.” The New York Attorney General maintains that these practices violated several federal and state consumer protection statutes, including the Telemarketing Sales Rule, New York General Business Law, the state’s usury cap on interest rates as covered by New York Banking Law and New York General Obligations Law, disclosure requirements under the Truth in Lending Act, and the Federal Credit Repair Organization Act.
FTC and NYAG settle with debt collectors who falsely threatened consumers
On September 21, the FTC announced settlements with multiple New York debt collection operations and their principals (defendants) for unlawful debt collection practices. The settlements are a result of 2015 joint lawsuits by the FTC and the New York Attorney General, alleging the defendants unlawfully used threats and abusive language, including false threats that consumers would be arrested, to collect more than $45 million in supposed debts (previously covered by InfoBytes here). The settlement orders ban the defendants from the business of debt collection and prohibit the defendants from (i) misrepresenting information related to financial products and services; (ii) disclosing, using, or benefitting from the consumer information obtained through the course of the debt collection activities; and (iii) failing to disclose of such personal information properly. The two orders (located here and here) impose a $22.5 million judgment against one set of defendants, and a judgment of $4.4 million against other defendants. The judgments are suspended as to some of the defendants due to inability to pay.
New York Attorney General issues Virtual Markets Integrity Report, following cryptocurrency integrity initiative
On September 18, the New York Attorney General’s office announced the results of its Virtual Markets Integrity Initiative, a fact-finding inquiry into the policies and practices of platforms used by consumers to trade virtual or “crypto” currencies. As previously covered in InfoBytes, last April questionnaires were sent to 13 virtual asset trading platforms to solicit information on their operations, policies, internal controls, and safeguards to protect consumer assets. The resulting Virtual Markets Integrity Report finds that virtual asset trading platforms vary significantly in the comprehensiveness of their response to the risks facing the virtual markets, and presents three broad areas of concern: (i) the potential for conflicts of interest due to platforms engaging in various overlapping business lines that are not restricted or monitored in the same way as traditional trading environments; (ii) a lack of protection from abusive trading platforms and practices; and (iii) limited protections for customer funds, such as the insufficient availability of insurance for virtual asset losses and platforms that do not conduct any type of independent auditing of virtual assets. According to the report, the Attorney General’s office also referred three platforms to the New York Department of Financial Services for potential violations of the state’s virtual currency regulations.
New Mexico Attorney General sues technology companies over COPPA violations regarding the collection of children’s personal data
On September 12, the New Mexico Attorney General announced the filing of a lawsuit against a group of technology companies for allegedly designing and marketing mobile gaming applications (apps) targeted towards children that contain illegal tracking software. The complaint asserts that the defendants’ practices violate both the Children’s Online Privacy Protection Act (COPPA) and New Mexico’s Unfair Practices Act, and pose the risk of data breaches and third-party access. Among other things, the complaint alleges the defendants’ data collection and sharing practices did not comply with COPPA’s specific notice and consent requirements, while the apps’ embedded software development kits allow the apps to communicate directly with the advertising companies that analyze, store, use, share, and sell the data to other third-parties to build “increasingly-detailed profiles of child users” in order to send highly-targeted advertising. The complaint seeks injunctive relief and nominal and punitive damages.
Court dismisses NYAG’s claims under CFPA after determining Title X is invalid
On September 12, the U.S. District Court for the Southern District of New York issued an order dismissing the New York Attorney General’s (NYAG) claims against a New Jersey-based finance company and its affiliates (defendants) under the Consumer Financial Protection Act (CFPA). In doing so, the court reversed its June ruling that the NYAG could proceed with its CFPA claims despite the court’s conclusion that the CFPB’s organizational structure, as defined by Title X of the Dodd-Frank Act, is unconstitutional and therefore, the CFPB lacks authority to bring claims against the defendants, as previously covered by InfoBytes.
According to the new order, the remedy for Title X’s constitutional defect is to invalidate Title X in its entirety, which therefore invalidates the NYAG’s statutory basis for bringing claims under the CFPA. The court concluded that it lacked jurisdiction over NYAG’s remaining state law claims and dismissed the NYAG’s action against the defendants in its entirety.
The amended order is the culmination of a process that began with an August request by the CFPB for the court to enter a final judgment with respect to its dismissal of the CFPB’s claims, which would allow the Bureau to appeal to the U.S. Court of Appeals for the 2nd Circuit. (Previously covered by InfoBytes here.) After numerous letters were submitted by all the parties, the court granted the CFPB’s request for entry of final judgment and granted the defendant’s request to stay the NYAG claims during the pendency of the CFPB’s appeal. The NYAG subsequently responded with a letter requesting clarity on the court’s jurisdiction over the claims, which resulted in the new order dismissing the NYAG claims in their entirety.