
InfoBytes Blog

Financial Services Law Insights and Observations


  • Illinois state appellate court applies different limitation periods under BIPA

    Privacy, Cyber Risk & Data Security

    On September 17, the First District Appellate Court of Illinois held that different limitation periods should be applied to the Biometric Information Privacy Act (BIPA), concluding that while Section 15 imposes various duties that all concern privacy, “each duty is separate and distinct.” Specifically, the panel stated that claims related to “[a]ctions for slander, libel or for publication of matter violating the right of privacy” have a one-year limitation period, while “all civil actions not otherwise provided for” carry a five-year limit. Plaintiffs filed a class action complaint alleging violations of BIPA Sections 15(a), 15(b), and 15(d), claiming the defendant collected, stored, used, and disseminated individuals’ biometric data obtained through fingerprint scans without, among other things, (i) informing plaintiffs of the purpose and length of the storage and use of their data; (ii) receiving written release from plaintiffs; (iii) providing a retention schedule and guidelines for destroying the data; or (iv) obtaining consent from plaintiffs and other employees to disseminate their data to third parties. The defendant moved to dismiss, arguing that the claims were filed outside the limitation period, noting that while BIPA itself has no limitation provision, “the one-year limitation period for privacy actions under Code section 13-201 applies to causes of action under [BIPA] because [BIPA’s] purpose is privacy protection.” A state trial court denied the defendant’s motion to dismiss, ruling that the plaintiffs’ claims  were subject to Illinois’ “catchall” five-year limitation provision rather than the state’s one-year privacy claim limitation period, since the plaintiffs were alleging specific BIPA violations rather than a general privacy invasion.

    On appeal, the appellate court considered the limitations question and determined, among other things, that since Illinois’ one-year statute of limitations applies only to published privacy violations, it can only govern BIPA claims filed under section 15(c)’s profit restrictions and section 15(d)’s disclosure/dissemination prohibitions. As such, plaintiffs suing under BIPA’s section 15(a)’s retention requirements, section 15(b) informed consent, and section 15(e) data safeguarding requirements have five years to bring such claims since these duties “have absolutely no element of publication or dissemination.”

    Privacy/Cyber Risk & Data Security State Issues Courts Illinois Statute of Limitations BIPA Class Action Appellate

  • District Court denies company’s bid to arbitrate in class action

    Courts

    On September 15, the U.S. District Court for the Southern District of California denied a defendant tech company’s motion to compel arbitration, dismiss or stay a class action lawsuit alleging that it violated the California Invasion of Privacy Act, among other things, by monitoring certain contract employees’ social media activity. The complaint alleges that the named plaintiff, a contract delivery driver for the company, and other contract employees, utilized an online platform to “discuss ‘a myriad of issues surrounding their employment,’ including strikes, protests, pay, benefits, deliveries, working conditions, and unionizing efforts.” The plaintiff alleged that the company was secretly monitoring and wiretapping the employees’ social media groups and created a team “to ‘monitor and/or intercept[]’ posts to closed [online] groups ‘in real time . . . using automated monitoring tools,’” without obtaining consent.   

    With respect to the defendant’s motion to compel arbitration, the company argued that, under the applicable terms of service, the plaintiff was required to arbitrate his claims on an individual basis. The court, however, found that the plaintiff met his burden to demonstrate that the claims alleged do not fall within the scope of the arbitration provision.

    Courts Arbitration Class Action Privacy/Cyber Risk & Data Security State Issues California

  • Maryland Court of Appeals rejects distinction between “methods” of debt collection and “amounts” of debt to be collected

    Courts

    On August 27, the Maryland Court of Appeals reversed a circuit court’s dismissal of petitioners’ Maryland Consumer Debt Collection Act (MCDCA) and Consumer Protection Act (MCPA) claims, rejecting a distinction drawn by some courts “between ‘methods’ of debt collection and ‘amounts’ of debts sought to be collected, when assessing a claim under CL § 14-202(8).” At issue is the amount of post-judgment interest charged above the maximum legal rate to individuals who defaulted on their residential leases.

    In reversing, the Court of Appeals disagreed with the circuit court that MCDCA claims were restricted to “methods,” holding that § 14-202(8) should be interpreted “broadly to reach any claim, attempt, or threat to enforce a right that a debt collector knows does not exist,” and in this case, petitioners were not “precluded from invoking § 14-202(8) when the amount claimed by the debt collector includes sums that the debt collector, to its knowledge, did not have the right to collect.” However, the Court of Appeals held that, in contrast to the FDCPA, the MCDCA is not a “strict liability statute,” and although “where the law is settled at the time a collector takes a contrary position in claiming a right, the collector’s recklessness in failing to discover the contrary authority is equivalent to ‘aware[ness]’ (i.e., actual knowledge) of the authority,” such knowledge is a question of fact that could, in some cases, require a jury determination. As a result, the case was remanded to the circuit court to allow the petitioners an opportunity to file a new motion for class certification.

    Courts State Issues Debt Collection Consumer Finance Class Action

  • District Court notes distinction between definition of “accounts” and “receivables”

    Courts

    On August 25, the U.S. District Court for the District of New Jersey denied a defendant debt collector’s motion to compel arbitration in an FDCPA action, ruling that the defendant never purchased the rights to enforce arbitration. In so holding, the Court stated that the words “accounts” and “receivables” mean different things and that purchasing a receivable does not guarantee all the rights assigned to the account. The court originally denied the defendant’s motion to compel arbitration to allow for limited discovery to determine whether a valid arbitration agreement existed between the parties. The defendant argued that the agreements governing the accounts require that all claims be subject to arbitration on an individual basis and that it is entitled to arbitration since it is an agent of the purchasing creditor and the purchasing creditor purchased the rights to enforce arbitration from the original creditor. The plaintiffs countered that the right to compel arbitration was not transferred because the purchase agreements only transferred the rights under the “receivables” and not the “accounts.” The court agreed, noting that under the plain meaning of the purchase agreements, the purchasing creditor did not purchase, and was not assigned, the right to compel arbitration.

    Courts FDCPA Debt Collection Class Action

  • District Court denies bank’s motion to dismiss class action regarding overdrafts

    Courts

    On August 23, the U.S. District Court for the District of Connecticut denied a motion to dismiss a putative class action case, in which the plaintiff alleged that a national bank’s (defendant) overdraft opt-in notice failed to satisfy Regulation E of the Electronic Funds Transfer Act (EFTA), and that the bank’s assessment of overdraft fees in light of such failure violated the Connecticut Unfair Trade Practices Act (CUFTA). The plaintiff alleged that she and other members of the putative class “opted into [the defendant’s] overdraft program for debit card and ATM transactions,” and were charged overdraft fees on an “available” balance policy multiple times. However, the defendant’s opt-in disclosure agreement states that an overdraft only happens “when you do not have enough money in your account to cover a transaction, but we pay it anyway,” which is a description of the “actual” balance of an account. Accordingly, the defendant “charge[d] overdraft fees even at times when there [was] a sufficient amount of money in a consumer’s account.” The plaintiff alleged that the defendant continued this system with knowledge of EFTA’s requirements and “that its opt-in agreement did not provide an accurate, clear, and easily understandable definition of an overdraft.”

    In its motion to dismiss, the defendant argued that the plaintiff failed to state a claim alleging violations of the EFTA because, among other things: (i) when the opt-in agreement is considered together with other documents provided to the customer upon opening an account, the policies are clearly explained; and (ii) the defendant is shielded from liability under the safe harbor provisions of the EFTA, because the opt-in language utilized is identical to the CFPB’s model form. The defendant also argued that it complied with Regulation E, “because the opt-in notice it used, when read together with an ‘Account Agreement’ and ‘Overdraft Disclosure’ it says were provided to [the plaintiff] when she opened her account, made clear that it would charge overdraft fees when her ‘available balance’ fell below zero.”

    The court found that the defendant’s argument regarding compliance with Regulation E “relies on documents that are not attached to, incorporated in, or otherwise ‘integral’ to the complaint” and that Regulation E requires that the notice itself be a “segregated” document, which utilizes “clear and readily understandable” language. The court also ruled that though the defendant utilized language from the CFPB model form, the plaintiff plausibly alleges that use of the form was not “an appropriate model” since the language did not disclose the defendant’s overdraft program in a “clear and readily understandable” manner.

    Courts Class Action Overdraft Regulation E EFTA State Issues Disclosures CFPB

  • District Court approves RESPA class action settlement

    Courts

    On August 19, the U.S. District Court for the District of Maryland granted preliminary approval of a proposed class action settlement claiming a mortgage company engaged in an allegedly illegal kickback scheme with a title company. According to the memorandum in support of the plaintiffs’ motion for preliminary approval, the title company paid, and the mortgage company received and accepted, kickbacks in exchange for the mortgage company’s “assignment and referral of residential mortgage loans, refinances, and reverse mortgages to [the title company] for title and settlement services.” This conduct, the plaintiffs contended, violated RESPA and RICO. While the mortgage company denied all substantive allegations and liability, the parties reached a proposed settlement, in which class members (defined as borrowers with federal mortgage loans originated by the mortgage company for which the title company provided settlement services) will each receive approximately $3,200 from a $990,000 settlement fund. The preliminarily approved settlement also provides for class counsel fees and expenses and class representative service awards for a total not to exceed roughly $1.27 million.

    Courts RESPA Class Action Settlement Kickback RICO Mortgages

  • District Court preliminarily approves $12 million class action settlement over automated mortgage errors

    Courts

    On August 17, the U.S. District Court for the Southern District of Ohio granted preliminary approval of a proposed settlement in a class action that claimed a national bank’s automated mortgage loan modification tools failed to approve borrowers due to technical issues. Class members (defined as borrowers who qualified during a specified time period for a home loan modification or repayment plan pursuant to the requirements of government-sponsored enterprises, FHA, or the Department of Treasury’s Home Affordable Modification Program that “were not offered a home loan modification or repayment plan by [the bank] because of excessive attorneys’ fees being included in the loan modification decision process” and whose homes were not sold in foreclosure) sued the bank alleging it “failed to detect or ignored multiple systematic errors in it automated decision-making software.” This software, class members claimed, is used to create automated calculations and determine whether consumers in default are eligible for loan modifications. According to class members, the bank allegedly “failed to adequately test, audit, and verify that its software was correctly calculating whether customers met threshold requirements for a mortgage modification” and failed to regularly and properly audit its software for compliance with government requirements, thus allowing errors to remain uncorrected. Class members further claimed that the bank apparently took several years to implement new controls and disclose the error. Under the terms of the preliminarily approved settlement, the bank must pay $12 million in relief to the settlement class.

    Courts Mortgages Settlement Class Action Consumer Finance

  • District Court approves $28 million class action settlement over recorded calls

    Courts

    On August 16, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a call center hired by a national bank and its merchant processing servicer (collectively, “defendants”) violated California’s Invasion of Privacy Act by recording calls without receiving customers’ permission. Class members, comprised of California businesses who did not sign a contract for merchant processing services with the servicer, filed suit against the defendants in 2016 claiming the call center placed sales appointment calls to the businesses without disclosing that the calls were being recorded. The defendants denied any liability or knowledge of the alleged conduct, and continued to maintain “that there was no principal-agent relationship with [the call center] and, even if there were such a relationship, [the call center] acted outside the scope of its authority by illegally recording calls.” The preliminarily approved settlement will require the defendants to pay $28 million, of which up to $5,000 will be paid for each eligible call that a class member received during the class period.

    Courts Privacy/Cyber Risk & Data Security Class Action Settlement

  • District Court: Cloud computing company must face class action CCPA claims in data breach suit

    Courts

    On August 12, the U.S. District Court for the District of South Carolina issued a ruling in a consolidated putative class action against a cloud software company alleging several state consumer protection and data reporting law violations related to a 2020 data breach. The plaintiffs asserted that the data breach was a result of the company’s “deficient security program” and contended that the company “failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields.” They further claimed, among other things, that the company’s narrow internal investigation did not address the full scope of the ransomware attack (in which it was eventually revealed that Social Security numbers and other sensitive personal data were compromised) and that plaintiffs were not provided timely and adequate notice of the data breach.

    The court found that the plaintiffs failed to adequately plead their claims for violations of consumer protection laws in New Jersey, Pennsylvania, and South Carolina, but allowed certain claims to proceed, including plaintiffs’ allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to implement and maintain reasonable security procedures. The CCPA, which became effective January 1, 2020 (covered by a Buckley Special Alert), provides for a limited private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” The company countered, however, that it is not a “business” regulated under the CCPA.

    The court disagreed, writing that “the plain text of the statute is instructive” and that the plaintiffs had adequately alleged that the company qualified as a “business” under the statute because it (i) uses consumers’ personal data to provide, develop, improve, and test its services; (ii) “develops software solutions to process its customers’ patrons’ personal information”; (iii) has annual gross revenues of more than $25 million; and (iv) is allegedly registered as a “data broker” in California under a law that “provides that a ‘data broker’ is a ‘business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.’” The court also rejected the company’s contention that because it qualifies as a “service provider” under the CCPA it is not a “business.” The court further allowed claims under New York General Business Law Section 349 to proceed, finding the plaintiffs had sufficiently alleged that the company had misrepresented its security measures and the scope of the breach and had prevented consumers from protecting their data. The court also allowed the plaintiffs to seek declaratory and injunctive relief under Florida’s Deceptive and Unfair Trade Practices Act.

    Courts CCPA Privacy/Cyber Risk & Data Security Data Breach Class Action State Issues

  • District Court: Online payment processor must face data collection class action claims

    Courts

    On July 28, the U.S. District Court for the Northern District of California granted in part and denied in part an online payment processor’s motion to dismiss class claims concerning several alleged violations of various state privacy and wiretapping laws and related claims. The plaintiffs alleged that the defendant “secretly track[ed], collect[ed], and stor[ed] the personal data and web activity of visitors to merchants’ website[s],” and created a software code allowing merchants to integrate the company’s payment platform into merchants’ applications. The complaint alleged that most consumers making online purchases were unaware that their transactions were processed by the defendant and instead believed they were communicating directly with the merchants. Specifically, the defendant allegedly (i) obtained or stored consumers’ sensitive information (such as financial information, location, IP addresses, and purchasing information); (ii) correlated all payments consumers made across the defendant’s entire payment processing platform and provided much of it to other merchant clients without informing the consumers; and (iii) installed cookies on consumers’ computers and mobile devices to track purchasing behavior across the defendant’s payment network. This allowed merchants to see a consumer’s purchasing history of all transactions processed by the defendant and obtain a transaction-level risk score from the defendant.

    The court denied the motion to dismiss as to plaintiffs’ claims of invasion of privacy and intrusion under California’s Constitution and common law, finding that the plaintiffs sufficiently alleged that they did not consent to the defendant’s disclosure of their information to its merchants and customers. The court was precluded from finding that plaintiffs had no reasonable expectation of privacy because the language in the defendant’s privacy policy limited the sharing of information with third parties to assisting with the prevention or detection of fraud or to processing services only.

    In dismissing the wiretap claims, the court reviewed the “sign-in wrap” agreement presented to consumers at the purchase checkout page, which required plaintiffs to agree to the defendant’s terms of service and privacy policy whenever they placed an order.  While the plaintiffs argued that the privacy policy “does not provide sufficient notice that [the defendant] would collect the information that it did,” the court pointed out that the policy contained provisions disclosing that third parties like the defendant “may obtain not only credit card data, but also ‘identifiers, demographic information, commercial information, relevant order information, internet activity, geolocation data, sensory information, and inferences,’” and that partners may also “use various technologies’ to ‘collect information about [consumer] online activity over time and across different websites or online services.’” Among other things, the court reasoned that the disclosures were binding on the consumers, even though they were provided by the defendant and not the merchants.

    The court dismissed in part the plaintiffs’ claims under California’s Unfair Competition Law (UCL) and California Consumer Privacy Act (CCPA), in part because the CCPA “has no private right of action” and “consumers may not use the CCPA as a basis for a private right of action under any statute.” The court also dismissed the plaintiffs’ fraud prong of the UCL, but allowed the plaintiffs’ unfair competition prong under the UCL to proceed.

     

    Courts Privacy/Cyber Risk & Data Security Consumer Protection Class Action State Issues Wire Tapping
