InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
8th Circuit says website terms of use are unenforceable
On October 8, the U.S. Court of Appeals for the Eight Circuit overturned a district court’s ruling that a corporate defendant’s arbitration clause found in its website’s terms of use was unenforceable. The 8th Circuit disagreed holding that a triable issue of material fact existed as to whether the plaintiffs agreed to arbitrate. Relying on a notation on the back of the gift cards that directed purchasers to its website where the terms of use and arbitration agreement were located, the defendant argued that the plaintiffs had agreed to arbitration. The district court disagreed explaining that plaintiffs “could not assent to it. . .unless they saw it first. For that reason, there was no ‘need’ to hold ‘a trial on the question of arbitrability.’”
On the appeal, the 8th Circuit explained that the district court’s task was to determine if the defendant and the plaintiffs had an arbitration agreement, and, if so, what it covered; however, the district court improperly addressed the question of mutual consent, which was in dispute and “generally a factual question.” According to the 8th Circuit, where there is a material dispute of fact regarding whether there was an agreement to arbitrate, the Federal Arbitration Act requires the district court to proceed to a trial on the issue.
District Court grants final approval in BIPA settlement
On October 13, the U.S. District Court for the Northern District of Illinois granted final approval to a $2.6 million class action settlement between a sports entertainment chain (defendant) and a class of former employees, resolving allegations that the defendant was responsible for improperly collecting and storing employees’ data in violation of Illinois’ Biometric Information Privacy Act (BIPA). According to the final settlement (which was preliminarily approved in June by the court), plaintiffs alleged that the defendant violated BIPA by collecting and disclosing Illinois employees’ biometric data through a finger-scan timekeeping system without following BIPA’s written disclosure and consent requirements. The gross settlement fund is approximately $2.6 million, with $22,000 awarded to the settlement administrator, approximately $865,000 allocated for attorney fees, and nearly $35,000 designated for litigation costs.
District Court allows usury claims to proceed, says class action waivers do not bar certification
On October 14, the U.S. District Court for the Eastern District of Virginia granted class certification in an action alleging a payday lending operation violated RICO and Virginia’s usury law by partnering with federally-recognized tribes to issue loans with allegedly usurious interest rates. The plaintiffs alleged that the defendants (“founders, funders, [or] closely held owners of [a lender] that serviced the high-interest loans made by certain tribal lending entities”) participated in a lending scheme to circumvent state usury laws. The plaintiffs seek declaratory and injunctive relief, damages, and attorney’s fees and costs arising from claims alleging that the defendants, among other things: (i) used income derived from the collection of unlawful debt to further assist the operations of the enterprise; (ii) participated in an enterprise involving the unlawful collection of debt; (iii) collected unlawful debt; (iv) entered into unlawful agreements; (v) issued unlawful loans with interest rates exceeding 12 percent; and (vi) were thus unjustly enriched. The court granted class certification after finding that the existence of a class action waiver in loan agreements between plaintiffs and tribal lenders did not bar class certification. The court explained that “[b]ecause the class action waivers exist to ‘make unavailable to the borrowers the effective vindication of federal statutory protections and remedies,’ the prospective waiver doctrine applies.” The waivers were thus unenforceable.
District Court remands debt collection class action to state court for lack of standing
On October 12, the U.S. District Court for the Northern District of Illinois granted plaintiff’s motion to remand a debt collection class action lawsuit back to state court. The plaintiff claimed the defendants violated the Illinois Collection Agency Act and FDCPA Section 1692c(b) by using a third-party mailing vendor to print and mail collection letters to class members. According to the plaintiff’s complaint filed in state court, conveying the information to the vendor—an allegedly unauthorized party—served as a communication under the FDCPA. The defendants removed the case to federal court, but on review, the court determined the plaintiff did not have Article III standing to sue because Congress did not intend to prevent debt collectors from using mail vendors when the FDCPA was enacted. Specifically, the court disagreed with the U.S. Court of Appeals for the Eleventh Circuit’s decision in Hunstein v. Preferred Collection & Management Services, which held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” (Covered by InfoBytes here.) In this case, the court stated it “is difficult to imagine Congress intended for the FDCPA to extend so far as to prevent debt collectors from enlisting the assistance of mailing vendors to perform ministerial duties, such as printing and stuffing the debt collectors’ letters, in effectuating the task entrusted to them by the creditors—especially when so much of the process is presumably automated in this day and age.” According to the court, “such a scenario runs afoul of the FDCPA’s intended purpose to prevent debt collectors from utilizing truly offensive means to collect a debt.”
District Court grants final approval of $92 million class action settlement over privacy violations
On August 22, the U.S. District Court for the Northern District of Illinois granted final approval of a class action settlement, resolving claims that a China-based technology company and its subsidiaries (collectively, “defendants”) violated Illinois’ Biometric Information Privacy Act (BIPA), among other things, by defying state and federal privacy laws through a social media platform and entertainment application (app). The first of the 21 putative class actions comprising this multidistrict litigation were filed in 2019, and the other 20 putative class actions were filed in 2020 in separate federal districts. Class members, comprised of U.S. residents who used the app prior to preliminary approval, and an Illinois subclass of all Illinois residents who used the app to create videos before preliminary approval, filed a consolidated amended class action complaint in 2020, claiming that the defendants harvested and profited from users’ private information, including their biometric data, geolocation information, personally identifiable information, and unpublished digital recordings. The defendants argued, among other things, that the class members consented to the alleged misconduct by accepting the app’s terms of service.
Under the terms of the settlement, the defendants must pay “$92 million in monetary relief and an array of injunctive relief for the putative settlement class.” The settlement also requires the defendants to, among other things: (i) refrain from using the app to collect or store certain U.S. user data, including biometric data and geolocation information, without making the necessary disclosures; (ii) delete all pre-uploaded user-generated content collected from U.S. users who did not “save” or “post” the content; and (iii) require a new, yearly training program for the defendants’ employees and contractors regarding compliance with data privacy laws.
District Court: Company must face CCPA class action after ransomware attack
Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data as required by the California Consumer Privacy Act (CCPA). Following a 2020 ransomware attack, class members claimed that sensitive information (including nonencrypted and nonredacted personal information) stored on the defendants’ network was compromised. The defendants countered that class members failed to establish that the defendants qualify as a “business” under the statute as opposed to a “service provider.”
As previously covered by a Buckley Special Alert, the CCPA, which became effective January 1, 2020, defines a “business” as an entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.” The CCPA defines a “service provider” as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” While the CCPA provides a limited private right of action for actual or statutory damages against a business, actions against service providers can only be brough by the California attorney general. According to the court, class members adequately alleged that the defendants act as a business rather than a service provider based on allegations that they, among other things, collect consumers’ personal information from consumers (instead of receiving personal information from another business), and determine “the purposes and means of the processing of consumers’ personal information.” The court also rejected the defendants’ argument that class members failed to “plausibly” establish that their information was stolen because the ransomware attack merely encrypted the data on the defendants’ computer systems. “It may be that [p]laintiff’s personal information was not exfiltrated in a nonencrypted and nonredacted form,” the court stated, “[b]ut at this stage, especially when the bases for dismissal upon which [d]efendants rely do not appear in the complaint, the Court concludes that [p]laintiff’s allegations are sufficient to survive a motion to dismiss.”
District Court: Maryland escrow law does not confer private right of action
On September 22, the U.S. District Court for the District of Maryland granted a national bank’s motion for summary judgment in an action claiming the bank allegedly failed to pay interest on mortgage escrow accounts. The plaintiff filed a putative class action asserting various claims including for violation of Section 12-109 of the Maryland Consumer Protection Act (MCPA), which requires lenders to pay interest on funds maintained in escrow on behalf of borrowers. In response, the bank filed a motion to dismiss on the basis that the MCPA is preempted by the National Bank Act and by 2004 OCC preemption regulations. In 2020, the court denied the bank’s motion to dismiss after it determined, among other things, that under Dodd-Frank, national banks are required to pay interest on escrow accounts when mandated by applicable state or federal law. (Covered by InfoBytes here.) Citing previous decisions in similar escrow interest cases brought against the same bank in other states (covered by InfoBytes here and here), the court stated that Section 12-109 “does not prevent or significantly interfere with [the bank’s] exercise of its federal banking authority, because [Section] 12-109’s ‘interference’ is minimal, when compared with statutes that the Supreme Court has previously found were preempted.” The court further noted that state law—which “still allows [the bank] to require escrow accounts for its borrowers”—provides that the bank must pay a small amount of interest to borrowers if it chooses to maintain escrow accounts.
However, in its most recent ruling, the court held that the MCPA does not authorize the plaintiff to sue either. “[T]his court finds that § 12-109 does not confer a private right of action,” the court wrote, adding that the plaintiff’s breach of contract claim could not get around a notice-and-cure provision in her mortgage agreement that she had not complied with before suing. The plaintiff argued that these requirements did not apply because “her self-styled breach of contract claim is actually a statutory claim because the allegedly breached contractual provision is one which pledges general adherence to applicable law.” The court disagreed, stating that under the plaintiff’s theory “any claim for breach of contract, which also violated a federal or state law, would be vaulted to a privileged hybrid status. Such claims would enjoy an unlimited private right of action (regardless of whether the underlying statute created one) and. . .would be unbounded by any of the provisions or conditions precedent detailed in the contract itself.” The court also ruled that the plaintiff’s escrow statements, which “correctly reflected that her account was not accruing interest,” are themselves “not rendered deceptive by the mere fact that Plaintiff believes such interest is owed.”
District Court says bank must face reopened accounts allegations
On September 27, the U.S. District Court for the District of New Jersey granted in part and denied in part a national bank’s motion to dismiss a putative class action concerning allegations that the bank opened and reopened accounts without notifying customers. The plaintiffs alleged that they discovered the bank reopened closed accounts after receiving tax refunds and a one-off refund from a retailer. According to the plaintiffs, the bank accepted deposits into the reopened accounts and then allegedly collected funds from the accounts, resulting in unanticipated fees.
The court issued an opinion, calling it an issue of first impression within the Third Circuit, finding that “account numbers, whether new or old, which identified or provided access to the disputed accounts opened in Plaintiffs’ names each qualified as a ‘card, code, or other means of access’ to those accounts” under [EFTA] § 1693i(a).” Since the opening of an account “necessarily must be accompanied with an account number associated with that account,” the court found that the plaintiffs sufficiently stated a claim that the bank violated § 1693i(a). Among other things, the court disagreed with the bank’s argument that it could not “have been unjustly enriched by assessing [the plaintiff] fees in exchange for her acceptance of the services [the bank] provides,” stating that the bank’s argument “either misunderstands or purposefully misconstrues the basis” for the plaintiff’s claim, which was that the bank “opened the account in her name without her permission, and therefore did not have a contractual basis for assessing such fees associated with maintaining that account[.]” The court also allowed the plaintiffs’ unjust enrichment claim and Massachusetts Consumer Protection Act claim to proceed. While the court provided the plaintiffs the opportunity to file an amended complaint to revive their dismissed breach of contract claims, their FCRA allegations were dismissed with prejudice.
6th Circuit: TCPA robocall claims not invalidated by severance of 2015 amendment in AAPC
On September 9, the U.S. Court of Appeals for the Sixth Circuit determined that the U.S. Supreme Court’s decision in Barr v. American Association of Political Consultants Inc. (AAPC) (covered by InfoBytes here, which held that the government-debt exception in Section 227(b)(1)(A)(iii) of the TCPA is an unconstitutional content-based speech restriction and severed the provision from the statute) does not invalidate a plaintiff’s TCPA claims concerning robocalls he received prior to the Court issuing its decision. In the current matter, the plaintiff filed a proposed class action alleging violations of the TCPA’s robocall restriction after he received two robocalls from the defendant in late 2019 and early 2020 advertising its electricity services. Following the Court’s decision in AAPC, the district court granted the defendant’s motion to dismiss, ruling that because severance of the exception in AAPC only operates prospectively, “the robocall restriction was unconstitutional and therefore ‘void’ for the period the exception was on the books.” As such, the district court concluded that because the robocall restriction was void, it could not provide a basis for federal-question jurisdiction for alleged TCPA robocall violations arising before the Court severed the exception.
On appeal, the 6th Circuit conducted a severability analysis, holding that the district court erred in concluding that the court, in AAPC, offered “‘a remedy in the form of eliminating the content-based restriction' from the TCPA.” Rather, the appellate court pointed out that “the Court recognized only that the Constitution had ‘automatically displace[d]’ the government-debt-collector exception from the start, then interpreted what the statute has always meant in its absence,” adding that the legal determination in AAPC applied retroactively and did not render the entire TCPA robocall restriction void until the exception was severed by the court. A First Amendment defense presented by the defendant premised on the argument that “government-debt collectors have a due-process defense to liability because they did not have fair notice of their actions’ unlawfulness” for robocalls placed before AAPC was also rejected. The 6th Circuit opinion emphasized that “[w]hether a debt collector had fair notice that it faced punishment for making robocalls turns on whether it reasonably believed that the statute expressly permitted its conduct. That, in turn, will likely depend in part on whether the debt collector used robocalls to collect government debt or non-government debt. But applying the speech-neutral fair-notice defense in the speech context does not transform it into a speech restriction.”
District Court: Arbitration provision is severable from a voided loan contract
On September 16, the U.S. District Court for the Southern District of Alabama granted a defendant tribal payday lender’s motion to dismiss and compel arbitration, ruling that an arbitration agreement in a loan contract is still valid even if an arbitration panel found the contracts were void. The plaintiff initiated an arbitration proceeding against the defendant alleging that payday loan contracts carrying interest rates between 200 and 830 percent were void because the defendant was not licensed under the Alabama Small Loans Act to extend such loans. An American Arbitration Association panel determined, among other things, that the defendant had waived any tribal sovereign immunity, “the transactions involved off-reservation commercial activities to which sovereign immunity does not apply,” and that the loans were entirely void because each of the loans was extended without a license. The plaintiff filed suit in state court to confirm the arbitration award and pursue a class action on the premise that the loans are usurious and should be declared void. The defendant removed the case to federal court and asked the court to dismiss the proposed class action and compel arbitration. The district court agreed with the defendant that the arbitration agreement in the voided loan contract remained binding despite the arbitrator’s earlier determination in the plaintiff’s favor. Specifically, the court disagreed with the plaintiff’s argument that the arbitrator’s determination meant that “no aspect of the contact survives,” stating that the plaintiff “overlooks a central tenet in binding precedential arbitration law: severability.” According to the court, “‘[a]s a matter of substantive federal arbitration law, an arbitration provision is severable from the remainder of the contract.’”