InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California amends the California Consumer Privacy Act of 2018
On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Among other changes, SB 1121 makes the following amendments to the Act:
- The bill requires businesses that collect a consumer’s personal information to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer;
- The bill clarifies that the requirements imposed and rights afforded to consumers by the Act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws or that conflicts with the California Constitution;
- The bill prohibits application of the Act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies or pursuant to the California Financial Information Privacy Act;
- The bill clarifies that the only private right of action permitted under the Act is a private right of action for violations of the data breach provisions involving a consumer’s nonencrypted or nonredacted personal information and only to the extent that the business’ failure to maintain reasonable security measures caused the breach;
- The bill eliminates the requirement that plaintiffs notify the California Attorney General prior to proceeding with private litigation under the Act;
- The bill limits the civil penalties that the California Attorney General may assess for violations to $2,500 per violation or $7,500 per intentional violation; and
- The bill prohibits the California Attorney General from bringing an enforcement action under the Act until the earlier of either July 1, 2020, or six months after the publication of the final regulations.
Colorado regulator exempts certain cryptocurrency exchanges from money transmitter licensing requirements
On September 20, the Colorado Department of Regulatory Agencies Division of Banking (Division) issued interim guidance exempting certain types of cryptocurrency exchanges from the state’s money transmitter licensing requirements. Under the interim guidance—which outlines the Division’s interpretation of Colorado’s existing Money Transmitters Act (the Act)— the Division determined that the Act regulates the transmission of money, meaning legal tender, and that cryptocurrencies are not legal tender under the Act. As a result, virtual currency exchanges operating in Colorado do not require a license if transmitting only cryptocurrencies without any legal tender issued and backed by a government (fiat currency) involved in the transaction. However, if fiat currency is present in a transaction, then a virtual currency exchange may require a license. Additionally, a virtual currency exchange must obtain a license when it performs all of the following: (i) it engages in the business of selling and buying cryptocurrencies for fiat currency; (ii) it allows a Colorado customer to transfer cryptocurrency to another customer within the exchange; and (iii) it allows the transfer of fiat currency through the medium of cryptocurrency within the exchange. If a virtual currency exchange offers the ability to transfer fiat currency through the medium of cryptocurrency, the Division encourages the exchange to contact the Division to determine whether it must obtain a license.
Court sends class action TCPA suit against global ride-sharing company to arbitration
On September 20, the U.S. District Court for the Northern District of Illinois granted a global ride-sharing company’s motion for summary judgment, ruling that a user had consented to arbitrate any disputes when he signed up for an account with the company. Specifically, the named plaintiff of the proposed class action brought the suit against the company for allegedly violating the TCPA when he received a single text message he claims he did not consent to after signing up for the company’s app, and that he claimed he received after he deleted the app. The company moved to compel arbitration, which initially was denied in 2017, when the court held that the company had not shown enough evidence that users were aware of the arbitration agreement and ordered the parties to engage in expedited discovery limited to the arbitration agreement formation. However, following both parties’ cross-motions for summary judgment, the court determined that the plaintiff “failed to raise a genuine dispute as to whether he entered into an enforceable agreement to arbitrate,” and that the app presented a statement that creating an account meant that users agreed to the terms of service and privacy policy, which was presented to users “in an easy-to-read font on an uncluttered screen” and required no scrolling.
According to the court, “the manner in which this statement and the Terms of Service were presented placed a reasonable person on notice that there were terms incorporated with creating an . . . account and that, by creating an account, he or she was agreeing to those terms.” Concerning the plaintiff’s argument that his TCPA claim does not fall under the arbitration agreement’s purview, the court stated that the question of what falls within the scope of the arbitration agreement is itself subject to arbitration, and also stated that the Terms of Service specifically permitted the texting of promotional offers to customers, arguably requiring the TCPA claim to be arbitrated. The court dismissed without prejudice the plaintiff’s claims against the company and stayed the case until arbitration proceedings are resolved.
California law requires credit reporting agencies to address security vulnerabilities
On September 19, the California governor signed AB 1859, which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement available software updates to address security vulnerabilities. Specifically, a credit reporting agency, or applicable third party that knows, or reasonably should know, that a system maintaining personal information is subject to a security vulnerability must, within three days, begin testing for implementation of an available software update, and complete the update no later than 90 days after becoming aware of the vulnerability. The law requires the credit reporting agency to employ “reasonable compensating controls” to reduce the risk of breach until the software update is complete. Additionally, whether or not a software update is available, the law requires the credit reporting agency to keep with industry best practices, including by (i) identifying, prioritizing, and addressing the highest risk security vulnerabilities most quickly; (ii) testing and evaluating compensating controls and how they affect security vulnerabilities; and (iii) requiring, by contract, that third parties implement and maintain appropriate security measures for personal information. The legislation is expected to take effect January 1, 2019.
District Court holds hotel calling system is not an autodialer under TCPA
On September 24, the U.S. District Court for the Middle District of Florida held that a hotel calling system, which required human intervention before a call was placed, does not qualify as an automatic telephone dialing system (autodialer) under the TCPA. The plaintiff filed the putative class action complaint alleging the hotel chain used an autodialer to call her cell phone without her consent. The hotel moved for summary judgment, arguing that the system did not qualify as an autodialer under the TCPA because it required a hotel agent to click “Make Call” before the system dialed the number. The court agreed, concluding that the defining characteristic of an autodialer is “the capacity to dial numbers without human intervention,” which the court noted remains unchanged even in light of the D.C. Circuit decision in ACA International v. FCC (covered by a Buckley Special Alert here). Because the calling system would not initiate an outbound call without an agent clicking the “Make Call” button, the court determined the plaintiff’s TCPA claim failed and granted summary judgment for the hotel chain.
New York Attorney General sues nine student debt relief companies
On September 20, the New York Attorney General announced a lawsuit against nine student loan debt relief companies, along with their financing company, and two individuals (collectively, “defendants”), alleging that the defendants fraudulently, deceptively, and illegally marketed, sold, and financed student debt relief services to consumers nationwide. Among other things, the complaint alleges that the defendants (i) sent direct mail solicitations to consumers that deceptively appeared to be from a governmental agency or an entity affiliated with a government agency; (ii) misrepresented that they would apply fees paid by borrowers to student loan balances; (iii) charged consumers over $1,000 for services that were available for free; (iv) requested upfront payments in violation of federal and state credit repair and debt relief laws; (v) charged usurious interest rates; and (vi) provided consumers with “incomplete and harmful advice,” such as counseling borrowers to consolidate federal student loans without explaining that in certain circumstances borrowers could “lose months or years of loan payments they had already made that would qualify toward forgiveness of their loans under the Public Service Loan Forgiveness Program.” The New York Attorney General maintains that these practices violated several federal and state consumer protection statutes, including the Telemarketing Sales Rule, New York General Business Law, the state’s usury cap on interest rates as covered by New York Banking Law and New York General Obligations Law, disclosure requirements under the Truth in Lending Act, and the Federal Credit Repair Organization Act.
3rd Circuit says IRS reporting language may violate FDCPA
On September 24, the U.S. Court of Appeals for the 3rd Circuit reversed the district court’s dismissal of a putative class action alleging a debt collector violated the FDCPA by including a statement noting that debt forgiveness may be reported to the IRS. The case was centered on the plaintiffs’ claim that letters sent to collect on debts that were less than $600, which contained the language “[w]e are not obligated to renew this offer. We will report forgiveness of debt as required by IRS regulations. Reporting is not required every time a debt is canceled or settled, and might not be required in your case,” were “false, deceptive and misleading” under the FDCPA because only discharged debts over $600 are required to be reported to the IRS. The district court dismissed the action, concluding the letters were not deceptive and the least sophisticated consumer would interpret the statement to mean in certain circumstances some discharges are reportable but not all are reportable.
Upon appeal, the 3rd Circuit disagreed with the district court, finding “the least sophisticated debtor could be left with the impression that reporting could occur,” notwithstanding the letter’s qualifying statement that reporting is not required every time a debt is canceled or settled, and therefore, the language could signal a potential FDCPA violation. Recognizing the industry’s regular use of form letters, the appeals court noted, “we must reinforce that convenience does not excuse a potential violation of the FDCPA.”
9th Circuit ruling broadens the definition of automatic telephone dialing system under TCPA
On September 20, the U.S. Court of Appeals for the 9th Circuit vacated the district court’s order granting summary judgment in a TCPA action, in light of the recent D.C. Circuit opinion in ACA International v. FCC (covered by a Buckley Sandler Special Alert). The case arises from a plaintiff’s allegations that a California gym violated the TCPA by sending three text messages to the plaintiff’s cell phone. In October 2014, the district court granted summary judgment for the gym, holding that the automatic text messaging system used by the gym was not an “automatic telephone dialing system” (autodialer) under the TCPA because it lacked the capacity “to store or produce telephone numbers to be called, using a random or sequential number generator.” In 2016, the 9th Circuit stayed the appeal of the district court’s ruling pending the ACA International decision, which was issued in March of this year. In ACA International, the D.C. Circuit struck down the FCC’s definition of an autodialer, reasoning that the FCC’s definition “unreasonably, and impermissibly” included all smartphones while inadequately describing the functions that made a device an autodialer.
Because the ACA International decision set aside the FCC’s definition, the 9th Circuit performed its own review of the statutory definition of an autodialer in the TCPA. Through this review, the court concluded that the TCPA defined an autodialer as “equipment which has the capacity—(i) to store numbers to be called, or (ii) to produce numbers to be called, using a random or sequential number generator—and to dial such numbers automatically (even if the system must be turned on or triggered by a person).” Because the text system used by the gym stores numbers and dials them automatically to send the messages to the stored list of phone numbers, the 9th Circuit held there is a genuine issue of material fact as to whether the system qualified as an “autodialer” and remanded the case to district court for further proceedings.
FTC announces settlements with website operators over the sale of fake documents allegedly used for fraud and identity theft
On September 18, the FTC announced three proposed settlements with the operators of websites who allegedly violated the FTC Act’s prohibition against unfair practices by selling fake financial documents used to facilitate identity theft and other frauds, including loan and tax fraud. As previously covered in InfoBytes, identity theft was the second largest category of consumer complaints reported in 2017 according to the FTC. The FTC brought charges against the first defendant, alleging the defendant engaged in the sale of fake pay stubs, bank statements, and profit-and-loss statements, as well as providing a product that allowed customers to edit existing (and authentic) bank statements. The second defendant’s charges include the alleged sale of fake pay stubs, auto insurance cards, and utility and cable bills, while the allegations against the third defendant also include the sale of fake tax forms, bank statements, and verifications of employment. While the defendants’ websites claimed that the fake documents were sold for “‘novelty’ and ‘entertainment’ purposes,” the FTC asserts that the defendants “failed to clearly and prominently mark such documents as being for such purposes and did not state on the documents themselves that they were fake.”
Under the terms of the proposed settlement agreements (see here, here, and here), monetary judgments are imposed against the defendants, who also are permanently prohibited from advertising, marketing, or selling similar fake documents.
Federal Reserve seeks to repeal SAFE Act regulations to reflect CFPB authority
On September 21, the Federal Reserve Board (Board) issued a notice of proposed rulemaking seeking comment on the repeal of certain provisions of regulations that incorporate the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act), which the Board states are intended to reflect the transfer of rulemaking authority to the CFPB by the Dodd-Frank Act. Specifically, the Board proposes amending Regulation H (Membership of State Banking Institutions in the Federal Reserve System) and Regulation K (International Banking Operations) to repeal the provisions that incorporate the SAFE Act because of the change in rulemaking authority and because the CFPB finalized a rule that is substantially identical to the Board's regulations. Comments on the proposal are due within 60 days after publication in the Federal Register.