Subscribe to our InfoBytes Blog weekly newsletter for news affecting the financial services industry.
Federal District Court Allows Discovery in Class Action Concerning Internet Company’s Collection of Biometric Data
In a Memorandum Opinion and Order handed down on February 27,a District Court in the Northern District of Illinois declined to dismiss a putative class action alleging that a cloud-based photographic storage service offered by an Internet company (the Company) violated the Illinois Biometric Information Privacy Act (BIPA) by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent. Specifically, the Court rejected the Company’s argument that application of BIPA to facial geometry scanning by by an internet service located outside of Illinois is an improper extraterritorial application of Illinois law.
The Plaintiffs alleged that the Company failed to both (i) obtain the necessary authorization or consent to the creation and subsequent storing of “faceprints” by the photo storage service, or (ii) make publicly available a data retention and destruction schedule as required under the BIPA. In responding to these claims, the Company argued that the term “biometric identifier,” as defined in the BIPA, does not extend to “in-person scans of facial geometry” and does not cover photographs or information derived from photographs. The Company also sought to dismiss the case on jurisdictional grounds, arguing that under principles of federalism, pre-emption, and the extra-jurisdictional application of state law, the BIPA cannot properly regulate activity – such as the storage of data on the Company’s servers – that does not occur “primarily and substantially” within the state of Illinois.
In analyzing the Company’s argument, the Court looked to the following two definitions set forth in the Illinois law:
- “Biometric identifier,” which is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and explicitly “do[es] not include writing samples, written signatures, photographs. . . .”; and
- “Biometric information,” which is defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual,” and explicitly “does not include information derived from items or procedures excluded under the definition of biometric identifiers.”
Ultimately, the Court disagreed with the Company’s reading of “biometric data” because, among other reasons, “nothing in the text of [the BIPA] directly supports this interpretation.” The Court deferred deciding on the Company’s arguments that the claims would require extraterritorial application of the statute and/or would violate the Dormant Commerce Clause by reaching beyond state boundaries, because, among other reasons, “[d]iscovery is needed to determine whether there are legitimate extraterritoriality concerns.”
On March 9, the Company filed a motion seeking permission to file an interlocutory appeal to the Seventh Circuit, with a request for a stay of further proceedings pending the appellate court’s decision on the request for an appeal.
Amendment to Utah Law Clarifies “Deferred-Deposit” Lender Registration Process; Adds Criminal Background Check
On March 17, Utah Governor Gary Herbert signed an amendment to HB. 40, Utah’s Check Cashing and Deferred Deposit Lending Registration Act, which modifies registration requirements relating to the disclosure of criminal conviction information for individuals engaged in the business of cashing checks or deferred deposit lending. The amendment requires that the registration or renewal statement shall disclose whether there has been a criminal conviction involving an “an act of fraud, dishonesty, breach of trust, or money laundering” regarding any officer, director, manager, operator, principal, or employee. This information must be obtained through either a Utah Bureau of Criminal Identification report or by conducting an acceptable background check similar to the aforementioned report.
The amendment also addresses operational requirements for deferred deposit loans. Interest and fee schedules are required to be conspicuously posted, as should contact information for filing complaints and listings of states where the deferred deposit lender is authorized to offer loans. The amendment also provides clarification on rescinding loans, partial payment allowances, and restrictions on loan extensions.
Governor’s Proposed NY State Executive Budget Includes More Online Lending Supervision; State Assembly Budget “Rejects” Proposed Change
Article 7 of the New York State Constitution requires the Governor to submit an executive budget each year, which contains, among other things, recommendations as to proposed legislation. On February 16, New York Governor Andrew Cuomo released a proposed 2017-18 Executive Budget that includes a proposed amendment to the New York Banking Law that would provide the New York Department of Financial Services (“NYDFS” or “DFS”) expanded licensing authority over online and marketplace lenders. (See Part EE (at pages 243-44) of the Transportation, Economic Development and Environmental Conservation Bill portion of the Executive Budget).
According to a Memorandum in Support of the Governor’s Budget, the proposed amendment would (i) address “[g]aps in the State’s current regulatory authority [that] create opportunities for predatory online lending,” and (ii) “ensure that all types of online lenders are appropriately regulated,” by (a) “increase[ing] DFS’ enforcement capabilities,” and (b) “expand[ing] the definition of ‘making loans’ in New York to not only apply to online lenders who solicit loans, but also online lenders who arrange or otherwise facilitate funding of loans, and making, acquisition or facilitation of the loan to individuals in New York.” If enacted, the NYDFS’s new authority would, under the Governor’s current proposal, become effective January 1, 2018.
This proposal in the Governor’s Executive Budget has, however, been challenged by the New York State Legislature. On March 13, after several hearings on the Governor’s proposed budget, the New York State Assembly released its own 2017-18 Assembly Budget Proposal (“Assembly Budget”), which, among other things, expressly rejected the aforementioned proposed amendment to the banking law found in “Part EE.” The Senate is now expected to release its own budget proposal shortly. And, once it is released, the two house of the State Legislature will reconcile the two bills in committees and pass legislation that stakes out the House’s position on the Governor’s proposals. From there, negotiations will begin in earnest between the Legislature and the Executive, with the goal of reaching a budget agreement on or before March 31, 2017.
 See also N.Y. Banking Law § 340; N.Y. Gen. Oblig. Law § 5-501(1); N.Y. Banking Law § 14-a(1); N.Y. Gen. Oblig. Law § 5-521(3); N.Y. Ltd. Liab. Co. Law § 1104(a).
On March 7, the Pennsylvania Department of Banking and Securities announced it has published a new brochure to help consumers better understand what information should be included in their credit report and what steps to take if there is an issue.
In a Decision released on February 16, 2017, the New York Industrial Board of Appeals struck down the portions of a New York Department of Labor regulation (12 NYCRR § 192), set to go into effect on March 7, that would have restricted a New York employers’ ability to pay its employees via payroll debit card. Specifically, the board ruled that the Department had exceeded its authority under New York labor law and encroached upon the jurisdiction of banking regulators when imposing fee limits and other restrictions on the cards.
The new rule – which was adopted by the Department of Labor in September 2016, and codified at section 192 of the New York Labor Law – set forth numerous regulations clarifying and/or specifying the acceptable methods by which employers in New York State may pay wages to certain employees. Among other things, the regulation required that an employer provide written notice to the employee and obtain written consent from the employee at least seven business days prior to taking action to issue the payment of wages by payroll debit card. The new rule would also have prohibited many fees, including charges for monthly maintenance, account inactivity and overdrafts, and for checking a card’s balance and contacting customer service.
At issue before the Industrial Board of Appeals was a petition submitted by a single payroll debit card vendor challenging the Department of Labor’s authority to regulate payroll debit cards. Ultimately, the Board agreed with the vendor, finding that the Department sought to improperly regulate banking services provided by financial institutions – an area subject to the exclusive jurisdiction of the New York Department of Financial Services. In reaching this holding, the Board noted that that the Department of Financial Services already regulates and has issued guidance concerning the fees that financial institutions may charge for banking services, including those related to checking accounts and licensed check cashers. The Board also noted that, should the Department of Labor wish to challenge the Decision, it may bring an Article 78 proceeding in New York Supreme Court, or, alternatively, it may choose to revise the Prepaid Card-related provisions identified in the Decision.
On March 6, 2017, New York Attorney General Eric T. Schneiderman released the state’s 2016 top ten list of consumer fraud complaints. For the past 11 years, Internet-related complaints concerning service providers, data privacy and security, and consumer fraud topped the list, closely followed by complaints about automobile sales, service, financing, and repairs. Credit complaints about debt collection, billing, debt settlement, payday loads, credit repair and reporting agencies, and identity theft were sixth. Complaints related to mortgages were ninth. Not on the top ten list but highlighted by the Attorney General’s office were complaints involving scam student debt relief companies as well as two common schemes known as the IRS scam and the Grandparent scam. Also provided were tips consumers should use to protect themselves and their families.
On February 24, the New Mexico Attorney General, along with 27 other states and the District of Columbia, announced that his office had joined in an amicus brief filed with the Supreme Court supporting the plaintiff in Henson v. Santander. As previously covered in Infobytes, the defendant argued below—and the Fourth Circuit agreed—that the FDCPA did not apply to a consumer finance company that purchased and then sought to collect a debt in default on its own behalf because it was not a debt collector as defined in the statute. In their amicus brief, the attorneys general oppose the Fourth Circuit holding and argue that any “company that regularly attempts to collect defaulted debt that it has purchased is a ‘debt collector’ as the FDCPA defines [the] term,” and therefore, the obligations and restrictions of the FDCPA should apply. The Supreme Court set oral arguments for April 18 of this year.
On December 28 of last year, the Colorado Attorney General’s Office, through the Administrator of the Uniform Consumer Credit Code (UCCC), issued an advisory for entities filing sales finance notifications. The advisory strongly recommends that purchasers and assignees of consumer credit transactions subject to the UCCC develop and implement a due diligence process to confirm that the retail credit sellers originating those contracts have filed the proper notice under UCCC Section 5-6-203(4). As explained in the advisory, if notice is not properly filed, consumers “may not have an obligation to pay the finance charge due on those consumer credit transactions.” The list of retail credit sellers who currently file notifications with the department can be accessed here.
On February 16, New York Governor Andrew Cuomo announced that with the New York Department of Financial Services’ (NYDFS) publication of a Final Regulation, New York’s “First-in-the-Nation Cybersecurity Regulation” is set to take effect on March 1. As discussed previously in InfoBytes, the regulation—which requires banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data—imposes broad and, in some cases proscriptive, data security and cybersecurity requirements on Covered Entities that venture into new territory for both state and federal financial regulators. Indeed, as described by Governor Cuomo, the regulation reflects New York’s efforts to “lead the nation” through “decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”
Moreover, as detailed in a follow-up InfoBytes Special Alert, NYDFS issued a updated proposed regulation on December 28 in response to over 150 comments and testimony presented at a hearing before New York State lawmakers. Though the updated proposed regulation did not differ drastically from the original, the revised proposed regulation provided for somewhat greater flexibility in how covered entities could go about implementing the requirements. Among other things, the December 28 revisions provided for: (i) longer timeframes for compliance with its requirements; (ii) more flexibility for compliance with certain requirements and acknowledgement that some requirements may not be applicable to all financial institutions; and (iii) clarifications to certain key definitions.
The newly released Final Regulation retains the revisions incorporated in the December 28 revision, but also contains the following notable revisions:
- Record retention requirements for audit trail materials relating to Cybersecurity Events were reduced from five years to three years.
- Clarification that Covered Entities’ policies and procedures for reporting by Third Party Service Providers of Cybersecurity Events only apply to the Covered Entity’s Nonpublic Information.
- The limited exemption for small businesses to certain requirements of the rule has been narrowed by including a Covered Entity’s New York affiliates when calculating its number of employees and annual revenue.
- Further clarification on the exemptions for companies regulated under New York’s Insurance Law.
With the expiration of the 30-day comment period and the publication of the Final Rule, New York’s Cybersecurity regulation is officially cleared to become effective upon publication in the New York State Register on March 1.
InfoBytes will continue to monitor the rollout of this pioneering regulation as it progresses.
On February 17, the California Department of Business Oversight (DBO) announced a settlement with a national mortgage servicer, resolving allegations that the company committed numerous violations of state and federal laws and regulations. The allegations arose from examinations of the company’s servicing practices by a third-party auditor. The examinations were conducted pursuant to a January 23, 2015 consent order entered into by the DBO and the company, and covered the period of January 1, 2012 through June 30, 2015. The 2017 consent order requires the company to pay $20 million in borrower restitution, mandates that the company provide borrowers with $198 million of debt forgiveness through loan modifications over three years, and imposes $5 million in penalties, attorney’s fees, and costs. However, the terms of the order also restore the company’s ability to service new California mortgages.