Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Arizona’s fintech sandbox program accepts first participant

    Fintech

    On October 11, the Arizona Attorney General announced the state’s first fintech sandbox participant. The mobile payment platform company will test its product—a centralized wallet infrastructure designed to create “cheaper and faster payment transfers”—for two years by processing guest payments at a Tucson resort. Arizona resident-guests will receive a disclosure agreement outlining the company’s participation in the sandbox, an explanation of the test product, a privacy notice, and the ability to opt out of any information sharing with the resort. As previously covered by InfoBytes, the Arizona governor signed legislation in March creating the first state sandbox program for companies to test innovative financial products or services without certain regulatory requirements. 

    The Attorney General also announced the finalization of a Memorandum of Understanding (MOU) with Taiwan’s financial regulator, the Financial Supervisory Commission, to increase the reach of the state’s sandbox program. The MOU will establish an information sharing agreement “that may result in the opportunity for businesses to develop/test eligible [fintech] products in both markets,” the release stated.

    Fintech State Issues State Attorney General Regulatory Sandbox

    Share page with AddThis
  • Consumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation

    Privacy, Cyber Risk & Data Security

    On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on the subject of consumer data privacy safeguards. The hearing entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act” heard from consumer privacy advocates on lessons from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, and what types of consumer protections should be considered in future federal legislation. Committee Chairman, Senator John Thune, opened the hearing by emphasizing the importance of promoting privacy without stifling innovation. Senator Thune stated that, while understanding the experience of technology and telecommunications companies in this space is important, any new federal privacy law must also incorporate views from affected industry stakeholders and consumer advocates.

    The consumer privacy advocate witnesses agreed there is a need for heightened consumer protections and rights, and that the time is ripe to have a debate on what a consumer data privacy law at the federal level would look like and how it would work with state level laws. However, witnesses cautioned that federal legislation should create a floor and not a ceiling for privacy that will not prevent states from passing their own privacy laws. One of the witnesses who led the effort behind the California ballot initiative that resulted in the CCPA emphasized that federal legislation should contain a robust enforcement mechanism, while a witness from the Center for Democracy & Technology said that (i) lawmakers should give the FTC the ability to fine companies that violate consumers’ privacy and provide the agency with more resources; and (ii) a federal law should cover entities of all sizes and clarify what secondary and third-party uses of data are permissible.

    Among other things, the hearing also discussed topics addressing: (i) GDPR open investigations; (ii) support for state Attorney General enforcement rights; (iii) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; and (iv) consumers’ rights to control their personal data.

    Privacy/Cyber Risk & Data Security Data Breach U.S. Senate GDPR State Attorney General State Legislation Enforcement

    Share page with AddThis
  • Coalition of state Attorneys General encourages FCC to create rules to block illegal robocalls

    State Issues

    On October 8, a collation of 35 state Attorneys General submitted reply comments in response to a public notice seeking ways the FCC could create rules that will enable telephone service providers to block illegal robocalls. In their comments to the FCC, the coalition encourages the FCC to implement rules and additional reforms that go beyond the agency’s 2017 call-blocking order, which allows phone companies to proactively block illegal robocalls originating from certain types of phone numbers. (See previous InfoBytes coverage here.) “Many illegal robocallers, however, simply do not care about the law and have a more insidious agenda — casting a net of illegal robocalls to ensnare vulnerable victims in scams to steal money or sensitive, personal information,” the coalition stated. “[C]riminals are estimated to have stolen 9.5 billion dollars from consumers through phone scams in 2017.” The coalition encourages collaboration between states, federal counterparts, and the domestic and international telecommunications industry, and applauds recent progress on the implementation of frameworks such as the “Secure Telephone Identity Revisited” and “Secure Handling of Asserted information using toKENs” protocols that assist service providers in identifying illegally spoofed calls.

    State Issues State Attorney General FCC Robocalls Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Washington state Attorney General says debt buyers are collection agencies, files lawsuit for operating without a license

    State Issues

    On September 21, the Washington state Attorney General announced that it filed a lawsuit against several collection agencies and their owner (defendants) for allegedly purchasing and suing on charged-off consumer debts in violation of the Washington Collection Agency Act (WCAA) and the Washington Consumer Protection Act (WCPA). The complaint alleges that defendants bought and then obtained judgements on at least 3,500 consumer debts without first obtaining a collection agency license under the WCAA. Under the WCAA, a debt buyer is a collection agency and must therefore “be licensed as a collection agency if it enters into contracts with sellers of debt accounts or takes other affirmative steps to acquire accounts for collection, either directly or through an agent.” Failure to obtain a license as required under the WCAA  amounts to a per se violation of the WCPA. Because defendants bought and sued on consumer debts before obtaining a license in 2013, the Attorney General claimed that they violated the WCAA and the WCPA. The complaint seeks civil money penalties of up to $2,000 per violation for each violation of the WCPA, restitution for affected consumers, and reimbursement of legal costs and fees.

    State Issues State Attorney General Debt Buyer Licensing Consumer Finance

    Share page with AddThis
  • Global ride-sharing company settles with state Attorneys General for $148 million over data breach

    State Issues

    On September 26, the California Attorney General announced that a global ride-sharing company reached a joint settlement with all 50 state Attorneys General and the District of Columbia for $148 million to resolve allegations that the company failed to safeguard user data and to notify authorities after a 2016 data breach. As previously covered by InfoBytes, in November 2017, the company disclosed, via press release, a 2016 data breach that exposed the personal data of 57 million riders and drivers, where hackers obtained approximately 600,000 driver names and license numbers, along with rider names, email addresses, and mobile phone numbers. During subsequent state investigations, authorities discovered that, after the company discovered the breach, it paid hackers $100,000 to delete the acquired data and to keep silent about the breach.

    According to the California announcement, the $148 million settlement benefits all 50 states and the District of Columbia, with California receiving $26 million. In addition to the penalty, the settlement allegedly requires the company to implement various conduct provisions, including (i) integrating privacy considerations and protections into the development and design of products; (ii) implementing and maintaining robust data security practices and accurately representing them; (iii) developing and maintaining a comprehensive information security program; (iv) reporting data security incidents to states on a quarterly basis for two years; and (v) maintaining a “Corporate Integrity Program.”

    State Issues Privacy/Cyber Risk & Data Security State Attorney General Settlement Data Breach

    Share page with AddThis
  • California amends the California Consumer Privacy Act of 2018

    Privacy, Cyber Risk & Data Security

    On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Among other changes, SB 1121 makes the following amendments to the Act:

    • The bill requires businesses that collect a consumer’s personal information to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer;
    • The bill clarifies that the requirements imposed and rights afforded to consumers by the Act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws or that conflicts with the California Constitution;
    • The bill prohibits application of the Act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies or pursuant to the California Financial Information Privacy Act;
    • The bill clarifies that the only private right of action permitted under the Act is a private right of action for violations of the data breach provisions involving a consumer’s nonencrypted or nonredacted personal information and only to the extent that the business’ failure to maintain reasonable security measures caused the breach;
    • The bill eliminates the requirement that plaintiffs notify the California Attorney General prior to proceeding with private litigation under the Act;
    • The bill limits the civil penalties that the California Attorney General may assess for violations to $2,500 per violation or $7,500 per intentional violation; and
    • The bill prohibits the California Attorney General from bringing an enforcement action under the Act until the earlier of either July 1, 2020, or six months after the publication of the final regulations.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach State Attorney General

    Share page with AddThis
  • New York Attorney General sues nine student debt relief companies

    State Issues

    On September 20, the New York Attorney General announced a lawsuit against nine student loan debt relief companies, along with their financing company, and two individuals (collectively, “defendants”), alleging that the defendants fraudulently, deceptively, and illegally marketed, sold, and financed student debt relief services to consumers nationwide. Among other things, the complaint alleges that the defendants (i) sent direct mail solicitations to consumers that deceptively appeared to be from a governmental agency or an entity affiliated with a government agency; (ii) misrepresented that they would apply fees paid by borrowers to student loan balances; (iii) charged consumers over $1,000 for services that were available for free; (iv) requested upfront payments in violation of federal and state credit repair and debt relief laws; (v) charged usurious interest rates; and (vi) provided consumers with “incomplete and harmful advice,” such as counseling borrowers to consolidate federal student loans without explaining that in certain circumstances borrowers could “lose months or years of loan payments they had already made that would qualify toward forgiveness of their loans under the Public Service Loan Forgiveness Program.” The New York Attorney General maintains that these practices violated several federal and state consumer protection statutes, including the Telemarketing Sales Rule, New York General Business Law, the state’s usury cap on interest rates as covered by New York Banking Law and New York General Obligations Law, disclosure requirements under the Truth in Lending Act, and the Federal Credit Repair Organization Act.

    State Issues State Attorney General Student Lending Debt Relief Telemarketing Sales Rule TILA Usury

    Share page with AddThis
  • FTC and NYAG settle with debt collectors who falsely threatened consumers

    Federal Issues

    On September 21, the FTC announced settlements with multiple New York debt collection operations and their principals (defendants) for unlawful debt collection practices. The settlements are a result of 2015 joint lawsuits by the FTC and the New York Attorney General, alleging the defendants unlawfully used threats and abusive language, including false threats that consumers would be arrested, to collect more than $45 million in supposed debts (previously covered by InfoBytes here). The settlement orders ban the defendants from the business of debt collection and prohibit the defendants from (i) misrepresenting information related to financial products and services; (ii) disclosing, using, or benefitting from the consumer information obtained through the course of the debt collection activities; and (iii) failing to disclose of such personal information properly. The two orders (located here and here) impose a $22.5 million judgment against one set of defendants, and a judgment of $4.4 million against other defendants. The judgments are suspended as to some of the defendants due to inability to pay.

    Federal Issues FTC Debt Collection Enforcement Settlement State Attorney General State Issues

    Share page with AddThis
  • New York Attorney General issues Virtual Markets Integrity Report, following cryptocurrency integrity initiative

    Fintech

    On September 18, the New York Attorney General’s office announced the results of its Virtual Markets Integrity Initiative, a fact-finding inquiry into the policies and practices of platforms used by consumers to trade virtual or “crypto” currencies. As previously covered in InfoBytes, last April questionnaires were sent to 13 virtual asset trading platforms to solicit information on their operations, policies, internal controls, and safeguards to protect consumer assets. The resulting Virtual Markets Integrity Report finds that virtual asset trading platforms vary significantly in the comprehensiveness of their response to the risks facing the virtual markets, and presents three broad areas of concern: (i) the potential for conflicts of interest due to platforms engaging in various overlapping business lines that are not restricted or monitored in the same way as traditional trading environments; (ii) a lack of protection from abusive trading platforms and practices; and (iii) limited protections for customer funds, such as the insufficient availability of insurance for virtual asset losses and platforms that do not conduct any type of independent auditing of virtual assets. According to the report, the Attorney General’s office also referred three platforms to the New York Department of Financial Services for potential violations of the state’s virtual currency regulations.

    Fintech State Issues State Attorney General Virtual Currency Cryptocurrency NYDFS

    Share page with AddThis
  • New Mexico Attorney General sues technology companies over COPPA violations regarding the collection of children’s personal data

    Privacy, Cyber Risk & Data Security

    On September 12, the New Mexico Attorney General announced the filing of a lawsuit against a group of technology companies for allegedly designing and marketing mobile gaming applications (apps) targeted towards children that contain illegal tracking software. The complaint asserts that the defendants’ practices violate both the Children’s Online Privacy Protection Act (COPPA) and New Mexico’s Unfair Practices Act, and pose the risk of data breaches and third-party access. Among other things, the complaint alleges the defendants’ data collection and sharing practices did not comply with COPPA’s specific notice and consent requirements, while the apps’ embedded software development kits allow the apps to communicate directly with the advertising companies that analyze, store, use, share, and sell the data to other third-parties to build “increasingly-detailed profiles of child users” in order to send highly-targeted advertising. The complaint seeks injunctive relief and nominal and punitive damages.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General COPPA

    Share page with AddThis

Pages