Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Consumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on the subject of consumer data privacy safeguards. The hearing entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act” heard from consumer privacy advocates on lessons from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, and what types of consumer protections should be considered in future federal legislation. Committee Chairman, Senator John Thune, opened the hearing by emphasizing the importance of promoting privacy without stifling innovation. Senator Thune stated that, while understanding the experience of technology and telecommunications companies in this space is important, any new federal privacy law must also incorporate views from affected industry stakeholders and consumer advocates.
The consumer privacy advocate witnesses agreed there is a need for heightened consumer protections and rights, and that the time is ripe to have a debate on what a consumer data privacy law at the federal level would look like and how it would work with state level laws. However, witnesses cautioned that federal legislation should create a floor and not a ceiling for privacy that will not prevent states from passing their own privacy laws. One of the witnesses who led the effort behind the California ballot initiative that resulted in the CCPA emphasized that federal legislation should contain a robust enforcement mechanism, while a witness from the Center for Democracy & Technology said that (i) lawmakers should give the FTC the ability to fine companies that violate consumers’ privacy and provide the agency with more resources; and (ii) a federal law should cover entities of all sizes and clarify what secondary and third-party uses of data are permissible.
Among other things, the hearing also discussed topics addressing: (i) GDPR open investigations; (ii) support for state Attorney General enforcement rights; (iii) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; and (iv) consumers’ rights to control their personal data.
On October 2, the New York governor signed SB 2484, which prohibits auto lenders from remotely disabling a vehicle without first providing notice of the disabling to the debtor. The act amends the state’s uniform commercial code and the general business law, in significant part, by: (i) defining a “payment assurance device” (“any device installed in a vehicle that can be used to remotely disable the vehicle”); (ii) requiring written notice of the possible remote disabling of a vehicle “in the method and timetable” agreed in the initial contract between the parties; (iii) identifying permissible methods of notice transmittal; and, (iv) specifying the permitted period between the postmarking of the notice and the date on which the auto lender or its agent obtains the right to disable the vehicle. The act takes effect immediately.
On September 28, the California governor signed AB 2658, which requires the Secretary of the Government Operations Agency to appoint a blockchain working group by July 1, 2019. (The act defines blockchain as “a mathematically secured, chronological, and decentralized ledger or database.”) The working group is charged with evaluating, among other things, (i) the risks and benefits associated with the use of blockchain by state government and California-based businesses; (ii) the legal implications of the use of blockchain; and (iv) best practices for enabling blockchain technology to benefit the state and its businesses and residents. The act, which has a sunset date of January 1, 2022, requires the working group to provide a report to the legislature by July 1, 2020.
On September 30, the California governor signed AB 237, which establishes a pilot program under the California Financing Law with the stated purpose of encouraging lenders to provide affordable small dollar loans to consumers. Significant features of the program include: (i) an increase to the upper limit of a permissible loan, from $2,500 to $7,500; and (ii) the authorized imposition of specified alternative interest rates and charges on unsecured loans of at least $300 and less than $2,500.
Under California’s Pilot Program for Increased Access to Responsible Small Dollar Loans (Pilot Program), licensees who choose to participate in the Pilot Program will be required to apply and pay a specified fee to the Commissioner of Business Oversight (Commissioner). Participating licensees will also be required, among other things, to (i) determine a borrower’s ability to repay the loan, factoring in all verifiable outstanding credit and capping total monthly debt service payments at 50 percent of the borrower’s gross monthly income for loans of $2,500 or less and 36 percent for loans greater than $2,500; (ii) establish terms of 180 days or more for loans with principal balances of at least $1,500, but less than $2,500, upon origination; (iii) establish terms of no less than one year and no more than five years for loans with principal balances exceeding $2,500; (iv) implement policies and procedures for the purpose of answering borrower questions and performing reasonable background checks on any finders associated with the licensee’s participation in the Pilot Program (AB 237 permits approved licensees to use the services or one more finders); and (v) reduce the interest rate of each subsequent loan made to the same borrower by a minimum of one percentage point under certain conditions. In addition, AB 237 allows the Commissioner to charge a licensee certain fees associated with the use of a finder, stipulates examinations requirements for licensees and finders, and establishes deadlines and requirements for the Commissioner when submitting required findings from the Pilot Program. The Pilot Program will run through January 1, 2023.
Governor Brown issued a message in conjunction with his signing AB 237 expressing his concern, among others, that increasing the cap on small dollar loans without also providing stricter regulatory oversight may lead to “unintended consequences.” Governor Brown requested that the state’s Department of Business Oversight “increase their vigilance and more carefully oversee both lenders and finders to ensure their actions comply with existing law.”
On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Among other changes, SB 1121 makes the following amendments to the Act:
- The bill requires businesses that collect a consumer’s personal information to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer;
- The bill clarifies that the requirements imposed and rights afforded to consumers by the Act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws or that conflicts with the California Constitution;
- The bill prohibits application of the Act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies or pursuant to the California Financial Information Privacy Act;
- The bill clarifies that the only private right of action permitted under the Act is a private right of action for violations of the data breach provisions involving a consumer’s nonencrypted or nonredacted personal information and only to the extent that the business’ failure to maintain reasonable security measures caused the breach;
- The bill eliminates the requirement that plaintiffs notify the California Attorney General prior to proceeding with private litigation under the Act;
- The bill limits the civil penalties that the California Attorney General may assess for violations to $2,500 per violation or $7,500 per intentional violation; and
- The bill prohibits the California Attorney General from bringing an enforcement action under the Act until the earlier of either July 1, 2020, or six months after the publication of the final regulations.
On September 19, the California governor signed AB 1859, which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement available software updates to address security vulnerabilities. Specifically, a credit reporting agency, or applicable third party that knows, or reasonably should know, that a system maintaining personal information is subject to a security vulnerability must, within three days, begin testing for implementation of an available software update, and complete the update no later than 90 days after becoming aware of the vulnerability. The law requires the credit reporting agency to employ “reasonable compensating controls” to reduce the risk of breach until the software update is complete. Additionally, whether or not a software update is available, the law requires the credit reporting agency to keep with industry best practices, including by (i) identifying, prioritizing, and addressing the highest risk security vulnerabilities most quickly; (ii) testing and evaluating compensating controls and how they affect security vulnerabilities; and (iii) requiring, by contract, that third parties implement and maintain appropriate security measures for personal information. The legislation is expected to take effect January 1, 2019.
On September 14, the California governor signed SB 818, which permanently reinstates and amends certain provisions of California’s Homeowner Bill of Rights (HBOR), which expired on January 1, 2018. The revised and restored provisions of the HBOR, among other things, require entities that foreclosed on more than 175 first lien mortgages and deeds of trust on owner-occupied residences during the prior reporting year to: (i) stop foreclosure proceedings if a complete loan modification application is submitted and pending, a homeowner is in compliance with a foreclosure prevention alternative, or an appeal of a loan modification denial is pending; (ii) include in the notice of default a specified declaration regarding contact with a borrower; (iii) send a written notice of a loan modification denial, specifying the reasons for the denial and providing foreclosure prevention alternatives; (iv) assign a single point of contact to any borrower who requests foreclosure prevention assistance; (v) not charge fees in conjunction with applications for foreclosure prevention alternatives; and (vi) honor loss mitigation alternatives following servicing transfers. The legislation also adds a legislative intent clause that emphasizes that any amendment, addition, or repeal of an HBOR section will not have the effect to release, extinguish, or change any liability under a previous section that was in effect at the time of an action.
On September 14, the California governor approved AB 38 amending the state’s Student Loan Servicing Act (Act). The Act provides for the licensure, regulation, and oversight of student loan servicers by the California Department of Business Oversight (CDBO). Among other things, the amendments: (i) clarify the circumstances under which the Commissioner of the CDBO may deny a student loan servicer’s application; (ii) remove debt collectors of defaulted student loans from the definition of a “student loan servicer”; (iii) authorize the Commissioner to require license applicants and licensees to submit required filings with, and pay assessments to, the Commissioner through the Nationwide Multistate Licensing System and Registry; (iv) require the Commissioner to report violations of the Act “as well as other enforcement actions and information to the licensing system and registry to the extent that the information is a public record”; and (v) extend to 10 business days the time for a licensee to acknowledge receipt of a qualified written request from a borrower. The amendments also grant the Commissioner the authority to prescribe circumstances under which electronic records, including applications, financial statements, and reports, may be accepted.
On September 11, the California governor approved SB 1201, which amends the state civil code to, among other things, require any supervised financial institution that negotiates a mortgage loan modification with a borrower primarily in Spanish, Chinese, Tagalog, Vietnamese, or Korean and offers the borrower a final loan modification in writing, to deliver to the borrower at the same time, a specified form summarizing the modified terms in the same language as the negotiation. The amendments require the California Department of Business Oversight (CDBO) to make available—using CFPB and Fannie Mae forms as guidance—certain disclosures and forms in those specified languages.
The amendments are generally effective on January 1, 2019, with the amendments relating to the new written disclosures to become operative 90 days following the issuance of forms by the CDBO, but not before January 1, 2019.
California governor signs amendments requiring the furnishing of customer account information associated with certain crime reports
On September 6, the governor of California signed amendments to the California Right to Financial Privacy Act to provide various state and local agencies—including the police, sheriff’s department, or district attorney in the state—the authorization to request information from financial institutions in certain circumstances associated with crime reports involving the alleged fraudulent use of drafts, checks, access cards, or other orders. Specifically, AB 3229 states that banks, credit unions, and savings associations must furnish a statement with the requested customer account information for a period of 30 days prior, and up to 30 days following, the date of the alleged illegal act’s occurrence. AB 3229 further states that financial institutions will be required to furnish account information—subject to the outlined procedures—to a DOJ special agent upon request.
- Tina Tchen to deliver keynote address at the American Bar Association Professional Success Summit
- Jeffrey P. Naimon and Jonice Gray Tucker to discuss "Enforcement and litigation trends" at the American Bankers Association General Counsel Meeting
- Andrea K. Mitchell to discuss "Developments in fair lending law" at the Mortgage Bankers Association Summit on Diversity and Inclusion
- David S. Krakoff to discuss "The DOJ corporate enforcement policy and your disclosure calculus one year in: Are companies benefitting?" at the American Conference Institute International Conference on the Foreign Corrupt Practices Act
- Moorari K. Shah to discuss "Legal & regulatory issues" at the Opal Group Marketplace Lending & Alternative Financing Summit
- Jonice Gray Tucker to discuss "Hot topics in consumer financial services" at the Practising Law Institute Banking Law Institute
- Daniel P. Stipano to discuss "New CDD Rule: Pitfalls in compliance" at the American Bankers Association/American Bar Association Financial Crimes Enforcement Conference
- Daniel P. Stipano to discuss "Anti-money laundering/OFAC compliance" at the Institute of International Bankers U.S. Regulatory/Compliance Orientation Program