InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
9th Circuit partially reverses FDCPA dismissal
On July 14, the U.S. Court of Appeals for the Ninth Circuit partially affirmed and partially reversed a district court’s dismissal of an FDCPA suit. The district court reviewed plaintiff’s claims under the FDCPA, which alleged that defendants violated the bankruptcy court’s order discharging his debt and knowingly filed a baseless debt collection lawsuit. The district court determined that the claims should be dismissed because (i) debtors do not have a private right of action for violations of the Bankruptcy Code; and (ii) the claim was time-barred due to the FDCPA’s one-year statute of limitations. On appeal, the 9th Circuit affirmed the dismissal of the plaintiff’s claims based on a violation of his bankruptcy discharge order but reversed the dismissal of the plaintiff’s baseless lawsuit claim, holding that it was not barred by the FDCPA’s statute of limitations.
The 9th Circuit reasoned that the plaintiff “correctly asserts that some litigation acts can constitute independent FDCPA violations and that each such violation triggers its own one-year statute of limitations under the FDCPA.” In making its decision “to determine whether a litigation act constitutes an independent violation of the FDCPA and thus has its own statute of limitations,” the appellate court derived a test, stating: “Under this test, if a debt collector decides to take a certain action during litigation, courts must assess whether that act was the debt collector’s ‘last opportunity to comply’ with the FDCPA.” Because the appellate court determined that service and filing are separate FDCPA violations and plaintiff brought suit within one year of defendants’ state law claim, the 9th Circuit held that plaintiff’s action was timely.
Feds, states launch “Operation Stop Scam Calls”
On July 18, the FTC, along with over 100 federal and state law enforcement partners nationwide, including the DOJ, FCC, and attorneys general from all 50 states and the District of Columbia, announced a new initiative to combat illegal telemarketing calls, including robocalls. The joint initiative, “Operation Stop Scam Calls,” targets telemarketers and the companies that hire them, lead generators that provide consumers’ telephone numbers to robocallers and others who falsely represent that consumers consented to receive the calls. The initiative also targets Voice over Internet Protocol (VoIP) service providers that facilitate illegal robocalls, many of which originate overseas.
In connection with Operation Stop Scam Calls, the FTC has initiated five new cases against companies and individuals allegedly responsible for distributing or assisting in the distribution of illegal telemarketing calls to consumers across the country. According to the announcement, the actions reiterate the FTC’s position “that third-party lead generation for robocalls is illegal under the Telemarketing Sales Rule (TSR) and that the FTC and its partners are committed to stopping illegal calls by targeting anyone in the telemarketing ecosystem that assists and facilitates these calls, including VoIP service providers.” The announcement also states that more than 180 enforcement actions and other initiatives have been taken by 48 federal and 54 state agencies as part of Operation Stop Scam Calls.
Among the new actions announced a part of Operation Stop Scam Calls is a complaint filed against a “consent farm” lead generator, which allegedly uses “dark patterns” to collect consumers’ broad agreement to provide their personal information and receive robocalls and other marketing solicitations through a single click of a button or checkbox via its websites. Under the terms of the proposed order, the defendant would be required to pay a $2.5 million civil penalty and would be banned from engaging in, assisting, or facilitating robocalls. The defendant would also be required to implement measures to limit its lead generation practices, establish systems for monitoring its own advertising and that of its affiliates, comply with comprehensive disclosure requirements concerning the collection of consumers’ consent to the sale of their information, and delete all previously collected consumer information.
Other actions were taken against a California-based telemarketing lead generator, a telemarketing company that provides soundboard calling services to clients who use robocalls to sell a range of products and services, a New Jersey-based telemarketing outfit that placed tens of millions of calls to consumers whose numbers are listed on the National Do Not Call Registry, and Florida-based defendants accused of assisting and facilitating the transmission of roughly 37.8 million illegal robocalls by providing VoIP services to over 11 foreign telemarketers.
Illinois Supreme Court declines to reconsider BIPA accrual ruling
On July 18, the Illinois Supreme Court declined to reconsider its February ruling, which held that under the state’s Biometric Information Privacy Act (BIPA or the Act), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Three justices, however, dissented from the denial of rehearing, writing that the ruling leaves “a staggering degree of uncertainty” by offering courts and defendants little guidance on how to determine damages. The putative class action stemmed from allegations that the defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting plaintiff’s biometric data and disclosing the data to a third-party vendor without first obtaining her consent. While the defendant challenged the timeliness of the action, the plaintiff asserted that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.”
In February, a split Illinois Supreme Court held that claims accrue under BIPA each time biometric identifiers or biometric information (such as fingerprints) are scanned or transmitted, rather than simply the first time. (Covered by InfoBytes here.) The dissenting judges wrote that they would have granted rehearing because the majority’s determination that BIPA claims accrue with every transmission “subvert[s] the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois, and consequently raises significant constitutional due process concerns.” The dissenting judges further maintained that the majority’s February decision is confusing and lacks guidance for courts when determining damages awards. While the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” it also said that it continues “to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature,” and that it “respectfully suggest[s] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”
9th Circuit denies en banc hearing on COPPA preemption question
On July 13, a panel of the U.S. Court of Appeals for the Ninth Circuit entered an order amending an opinion filed on December 28, 2022 and denied a petition for rehearing en banc in a putative class action accusing a multinational technology company and search engine and its affiliated video-sharing platform of collecting children’s data and tracking their online behavior surreptitiously without parental consent in violation of state law and the Children’s Online Privacy Protection Act (COPPA). The panel unanimously voted against defendant’s en banc rehearing request, commenting that no other 9th Circuit judge has requested a vote on whether to consider the matter en banc.
Claiming the defendant used “persistent identifiers” — which the FTC’s regulations define as information “that can be used to recognize a user over time and across different Web sites or online services” — class members alleged state law claims arising under the constitutional, statutory, and common laws of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee. Last December, the three-judge panel reversed and remanded the district court’s dismissal of the suit, disagreeing that the allegations were squarely covered, and preempted, by COPPA (covered by InfoBytes here.) On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. The panel determined that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The panel further noted that the U.S. Supreme Court and others have long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted.”
The panel, however, amended its prior opinion to note that the FTC supports its conclusion that COPPA does not preempt the asserted state law privacy claims on the basis of either express preemption or conflict preemption. At the end of May, at the 9th Circuit’s request, the FTC filed an amicus brief (covered by InfoBytes here) arguing that COPPA does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The panel concluded that neither express preemption nor conflict preemption bar the plaintiffs’ claims.
11th Circuit orders reexamination of breach class boundaries
On July 11, a split U.S. Court of Appeals for the Eleventh Circuit partially vacated the greenlighting of two data breach class actions, holding that a district court must re-analyze the boundaries of the classes. Both the nationwide and California classes are individuals who sued a restaurant chain after their card data and personally identifiable information were compromised in a cyberattack. Plaintiffs claimed that information for roughly 4.5 million cards could be accessed on an online marketplace for stolen payment information. Two of the three named plaintiffs also said they experienced unauthorized charges on their accounts. Plaintiffs moved to certify two classes seeking both injunctive and monetary relief—a nationwide (or alternatively a statewide) class for negligence and a California class for claims based on the state’s unfair business practices laws. The district court certified a nationwide class and a separate California-only class. The restaurant chain’s parent company appealed, arguing that the certification violates court precedent on Article III standing for class actions, that the classes do not meet the commonality requirements for certification, and that the district court erred by finding that a common damages methodology existed for the class.
On appeal, the majority found that at the class certification stage, plaintiffs only had to show that a reliable damages methodology existed. The majority also determined that the district court correctly found that plaintiffs’ expert presented a sufficient methodology for calculating damages and that “it would be a ‘matter for the jury’ to decide actual damages at trial.” However, the majority remanded the case with instructions for the district court to clarify what it meant when it certified classes of individuals who had their “data accessed by cybercriminals.” According to the opinion, the district court meant for this term to encompass individuals who experienced fraudulent charges or whose credit card information was posted on the dark web. The majority expressed concerns that the phrase “accessed by cybercriminals” is broader than the two delineated categories provided by the district court and could include individuals who had their data taken but were otherwise uninjured. The majority also vacated the California class certification after determining that two of the three named plaintiffs lacked standing because they dined at the restaurant outside of the “at-risk” timeframe. The district court’s damages calculation methodology, however, was left undisturbed by the appellate court.
Partially dissenting, one of the judges wrote that while she agreed that one of the named plaintiffs had standing to sue, she disagreed with the majority’s concrete injury analysis. The judge also argued that the district court erred in its damage calculations by “impermissibly permit[ting] plaintiffs to receive an award based on damages that they did not suffer.”
CFPB, Maine say loan purpose determines whether TILA applies
On July 12, the CFPB and the State of Maine filed an amicus brief in the Maine Supreme Judicial Court arguing that determining whether a loan is covered by TILA requires an assessment of the borrower’s primary purpose in entering into the transaction. The action involves a couple who obtained a loan from the bank to purchase land for the construction of a home. Due to the 2008 financial crisis, the value of the property depreciated, resulting in insufficient proceeds from the sale of the home to fully pay off the loan. To cover the shortfall, the couple acquired a new loan from the bank and used a cabin they owned as collateral. When the loan’s term ended, the couple defaulted after being unable to make the required balloon payment. The bank sued, seeking to take possession of the cabin. At trial, the couple attempted to present evidence that the bank had not provided them with certain necessary disclosures mandated by TILA and did not assess their ability to repay the loan. The couple maintained “that the bank’s liability under TILA fully offset the amount they owed to the bank under the loan.” The court determined, however, that since the loan documents indicated a commercial purpose, TILA did not apply.
The couple attempted to introduce extrinsic evidence to show that even though the loan was labeled “commercial,” it was actually used for personal, family, or household purposes and therefore was a covered consumer loan. The court relied on a case (Bordetsky v. JAK Realty Trust) holding that, for purposes of determining the applicability of Maine’s notice of default statute for residential real estate foreclosures, “courts should not look to extrinsic evidence to determine whether the loan had a commercial or consumer purpose if the loan document states on its face that the loan has a commercial purpose.”
The brief explained that TILA generally applies to consumer loans (i.e., loans that are primarily for a personal, family, or household purpose) but not to loans made for a commercial purpose, and that the Maine Consumer Credit Code fully incorporates TILA. The brief argued that the borrower’s primary purpose for obtaining the loan should determine whether TILA and the Maine Consumer Credit Code apply, and presented three arguments as to why the trial court erred in concluding that TILA is not applicable on the sole basis that the loan is labeled as a “commercial loan.” First, statutory text provides that a loan is generally covered by TILA if a borrower obtained the loan primarily for a family, personal or household purpose. TILA “requires a substantive and fact-intensive inquiry into the reasons why the borrower entered into the transaction,” the brief explained. Second, judicial precedent has established that “determining whether a loan has a covered purpose requires looking beyond the four corners of the contract.” The trial court erred in relying on Bordetsky because it pertains to a different Maine statute and does not address the judicial precedent or administrative guidance that govern TILA coverage, the brief said. Finally, permitting creditors to evade TILA by labeling a loan as “commercial” is at odds with TILA’s remedial purpose, the brief maintained.
“Why the consumer borrowed the money—not the label that the company sticks on the loan—determines whether the loan is covered by the law,” Seth Frotman, general counsel and senior advisor to the CFPB director, said in a blog post.
CFPB, states sue company over deceptive student lending and collection
On July 13, the CFPB joined state attorneys general from Washington, Oregon, Delaware, Minnesota, Illinois, Wisconsin, Massachusetts, North Carolina, South Carolina, and Virginia in taking action against an education firm accused of engaging in deceptive marketing and unfair debt collection practices. California’s Department of Financial Protection and Innovation is participating in the action as well. Prior to filing for bankruptcy, the Delaware-based defendant operated a private, for-profit vocational training program for software sales representatives. The joint complaint, filed as an adversary proceeding in the firm’s bankruptcy case, alleges that the defendant charged consumers up to $30,000 for its programs. The complaint further alleges that the defendant encouraged consumers who could not pay upfront to enter into income share agreements, which required minimum payments equal to between 12.5 and 16 percent of their gross income for 4 to 8 years or until they had paid a total of $30,000, whichever came first.
The complaint asserts that the defendant engaged in deceptive practices by misrepresenting its income share agreement as not a loan and not debt, and mislead borrowers into believing that no payments would need to be made until they received a job offer from a technology company with a minimum annual income of $60,000. The defendant is also accused of failing to disclose important financing terms, such as the amount financed, finance charges, and annual percentage rates, as required by TILA and Regulation Z. The complaint also claims that the defendant hired two debt collection companies to pursue collection activities on defaulted income share loans. One of the defendant debt collectors is accused of engaging in unfair practices by filing debt collection lawsuits in remote jurisdictions where consumers neither resided nor were physically present when the financing agreements were executed. The complaint further alleges the two defendant debt collectors violated the FDCPA and the CFPA by deceptively inducing consumers into settlement agreements and falsely claiming they owed more than they did.
According to the Bureau and the states, after the Delaware Department of Justice and Delaware courts began scrutinizing the debt collection lawsuits, the defendant unilaterally changed the terms of its contracts with consumers to force them into arbitration even though none of them had agreed to arbitrate their claims. Additionally, the complaint contends that settlement agreements marketed as being “beneficial” to consumers actually released consumers’ claims against the defendant and converted income share loans into revised “settlement agreements” that obligated them to make recurring monthly payments for several years and contained burdensome dispute resolution and collection terms.
The complaint seeks permanent injunctive relief, monetary relief, consumer redress, and civil money penalties. The CFPB and states are also seeking to void the income share loans.
States urge Supreme Court to find CFPB funding unconstitutional
On July 10, the West Virginia attorney general, along with 26 other states, filed an amicus brief in support of respondents in Consumer Financial Protection Bureau v. Community Financial Services Association of America, arguing that the CFPB’s funding structure violates the Constitution and that by operating outside the ordinary appropriations process states are often left “out in the cold.” In their brief, the states urged the U.S. Supreme Court to uphold the U.S. Court of Appeals for the Fifth Circuit’s decision in which it found that the Bureau’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here and a firm article here). The 5th Circuit’s decision also vacated the agency’s Payday Lending Rule on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding.
Arguing that the Bureau is operating beyond the boundaries established by the Constitution, the states maintained that the current funding mechanism limits Congress’s ability to oversee the agency. “Even if the CFPB has done some good—and some would even dispute that premise—it wouldn't matter,” the states said, warning that “sidelining Congress can greenlight an agency to wreak havoc,” especially if the “agency wields broad regulatory and enforcement powers over the entire U.S. financial system, acts under the control of a single powerful figure, and lacks other protections from meaningful oversight.”
The appropriations process plays a crucial role in enabling states to influence agency actions indirectly, the states maintained, explaining that when an agency initiates a new enforcement initiative or significant rulemaking endeavor, it is required to publicly outline its projected work in order to secure the necessary funding to carry it out. “Disclosure on the front end of the appropriations process can empower affected parties—including the [s]tates—to take quick, responsive actions beyond lobbying their representatives (up to suing to stop illegal action, if need be).” In contrast, the Bureau’s insulation from this process has allowed it to hide its actions from public view, the states wrote. As an example, the Bureau has repeatedly declined to interpret or provide further clarity on how the provisions governing unfair, deceptive, or abusive acts or practices work.
The brief also highlighted examples of when Congress used funding cuts through the appropriations process to curtail agencies’ powers. Additionally, unlike the challenges of amending authorizing statutes, appropriations bills must be passed by Congress each year to avoid a government shutdown, which can be “a painful pill to swallow for the sake of standing up for an agency’s policy choice,” the states noted, adding that “[b]ecause appropriations involves both oversight committees and appropriations committees, agencies may have ‘less flexibility to ally themselves with executive branch officials or interest groups.’”
The states also urged the Court to “ignore doomsaying” about the consequences of finding the funding structure unconstitutional. Should the Court agree to invalidate the funding structure, Congress can pass a proper appropriations bill for the Bureau, the states explained, adding that “a rebuke from this Court would no doubt grease the sticky wheels of the legislative process and move them a bit faster.” Moreover, states could also fill any gaps should Congress somehow pare back the CFPB’s funding, the brief stressed.
Several amicus briefs were also filed this week in support of CFSA, including an amici curiae brief filed by the U.S. Chamber of Commerce and several banking associations and an amici curiae brief filed by 132 members of Congress, including 99 representatives and 33 senators, which urged the Court to uphold the 5th Circuit’s decision.
7th Circuit affirms dismissal of FCRA claims against subservicer
On July 5, the U.S. Court of Appeals for the Seventh Circuit affirmed summary judgment in favor of a defendant data furnisher in an FCRA case, holding that the plaintiff failed to establish that the defendant provided “patently incorrect or materially misleading information” to a credit reporting agency (CRA). Defendant was the subservicer for plaintiff’s mortgage and was responsible for accepting and tracking payments and providing payment data to the CRAs. After plaintiff failed to make her monthly payments, she resolved the delinquency through a short sale of her home. Several years later, plaintiff noticed that the closed mortgage account appeared on her credit reports as delinquent. She disputed the information to several CRAs. To confirm the accuracy of its records on plaintiff’s mortgage, one of the CRAs sent the defendant data furnisher four automated consumer dispute verification (ACDV) forms. In the ACDV responses, the defendant amended or verified several contested data points, including the pay rate and account history. The CRA reported this amended data to indicate on plaintiff’s credit report that she was currently delinquent on the mortgage with missed payments in the months following the short sale. After plaintiff applied for and was denied a new mortgage based on the credit report, plaintiff sued the defendant data furnisher for alleged violations of the FCRA, alleging that the defendant failed to conduct a reasonable investigation of the disputed data and provided false and misleading information to CRAs. The district court granted summary judgment in favor of the defendant, finding that plaintiff failed to make a threshold showing that the defendant’s data was incomplete or inaccurate.
On appeal, the 7th Circuit disagreed with plaintiff that “completeness or accuracy” under the FCRA “must be judged based, not on the ACDV response the data furnisher provided, but on the credit report generated from it.” The court reasoned that the text of the statute “says nothing about a credit report, let alone a duty of a data furnisher with respect to credit reports produced using its amended data. To the contrary, the statute sets out the data furnisher’s duties to investigate disputes, correct incomplete or inaccurate information, and report results from an investigation” to the CRA. Holding that “context can play a large role in determining completeness or accuracy” in this situation, the appellate court agreed with the district court that the data provided by the defendant to the CRA was “not materially misleading” and that “no reasonable jury could find” that the data meant that plaintiff was currently delinquent on her debt, particularly because of strong “contextual evidence”—specifically, that the disputed data appeared directly beside a status code showing that the account was closed. The appeals court affirmed summary judgment for the data furnisher.
1st Circuit confirms standing for data breach victims
On June 30, the U.S. Court of Appeals for the First Circuit overruled a district court’s dismissal of a putative class action against a home delivery pharmacy service for allegedly failing to prevent a 2021 data breach that exposed the personally identifiable information (PII) of over 75,000 patients. The class action complaint alleged state law claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, and sought damages and injunctive relief. The putative class was comprised of U.S. residents whose PII was compromised in the data breach. The two named plaintiffs were former or current patients whose PII were compromised in the data breach, and one of the two named plaintiffs had her stolen PII used to file a fraudulent tax return. The district court dismissed the lawsuit for lack of Article III standing.
Affirming in part and reversing in part, the 1st Circuit held that the complaint “plausibly demonstrates” the plaintiffs’ standing to seek damages, applying the principles articulated by the Supreme Court in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here).
First, the court concluded that, with respect to the named plaintiff whose PII was used to file a fraudulent tax return, the complaint’s “plausible allegations of actual misuse” of the stolen PII constituted a “concrete injury in fact” for purposes of Article III standing. According to the 1st Circuit, there existed “an “obvious temporal connection” between the timing of the data breach and the filed return, among other facts. The appellate court also found that the fraudulent tax return could make it probable that more of the named plaintiff’s information could be further misused—changing the risk of future misuse from speculative to “imminent and substantial.”
Second, with respect to the named plaintiff for whom there was no allegation of actual misuse of PII, the court reasoned that “the complaint plausibly alleges a concrete injury in fact based on the material risk of future misuse of [plaintiff’s] PII and a concrete harm caused by exposure to this risk.” The appellate court also found that, because the data here was compromised in a “targeted attack,” then “it stands to reason that [such data] is more likely to be misused…and the risk of future misuse is heightened when the compromised data is particularly sensitive.”
Third, the court concluded that the complaint plausibly alleged a “separate concrete, present harm” caused by exposure to the risk of future harm, “based on the allegations of the plaintiffs’ lost time spent taking protective measures [against further identity theft] that would otherwise have been put to some productive use.” “The loss of this time is equivalent to a monetary injury, which is indisputably a concrete injury,” the appellate court wrote, adding that it joins other circuits in holding that time spent responding to a data breach is sufficient to establish standing.
Finally, the court held that plaintiffs lacked standing to pursue injunctive relief “because their desired injunctions would not likely redress their alleged injuries” as any such relief would only safeguard against future breaches and would not protect “plaintiffs from future misuse of their PII by the individuals they allege now possess it.”