InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California again modifies CCPA regs; appoints privacy agency’s board
On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the announcement, the newly-approved amendments strengthen the language of CCPA regulations approved by OAL last August (covered by InfoBytes here). Specifically, the new amendments:
- Require businesses selling personal information collected in the course of interacting with consumers offline to provide consumers about their right to opt out via offline communications. Consumers must also be provided instructions on how to submit opt-out requests.
- Provide an opt-out icon for businesses to use in addition to posting a notice of right to opt-out. The amendments note that the opt-out icon may not be used in lieu of requirements to post opt-out notices or “do not sell my personal information” links.
- Require companies to use opt-out methods that are “easy” for consumers to execute and that require “minimal” steps to opt-out. Specifically, a “business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out.” Additionally, except as otherwise permitted by the regulations, companies are prohibited from requiring consumers to provide unnecessary personal information to implement an opt-out request, and may not require consumers to click through or listen to reasons as to why they should not submit an opt-out request. The amendments also state that businesses cannot require consumers “to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.”
The AG’s press release also notes that the California Privacy Rights Act (CPRA), which was approved by voters last November and sought to amend the CCPA, will transfer some of the AG’s responsibilities to the California Privacy Protection Agency (CPPA), covered by InfoBytes here; however, the AG will retain the authority to go to court to enforce the law. Enforcement of the CPRA will begin in 2023.
Additionally, on March 17, the California governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
FTC permanently bans debt collectors
On March 15, the FTC announced that defendants in two cases will be permanently banned from the debt collection industry. As previously covered by InfoBytes, the FTC filed complaints against the defendants last year alleging the defendants used deceptive tactics to threaten false legal action through the use of robocalls to collect debts consumers did not owe or the operation did not have the right to collect. The actions were taken as part of the FTC’s “Operation Corrupt Collector”—a nationwide enforcement and outreach effort established by the FTC, CFPB, and more than 50 federal and state law enforcement partners to target illegal debt collection practices (covered by InfoBytes here).
Under the terms of the settlements (see here, here, and here), in addition to being permanently banned from participating in debt collection and debt brokering activities, the defendants are also prohibited from making misrepresentations to consumers, including (i) whether consumers are legally obligated to pay defendants; (ii) whether defendants are attorneys or affiliated with a law firm; (iii) the terms of any refund policy; and (iv) any material facts concerning products or services. The settlements also include monetary judgments of approximately $16.4 million and $11.2 million, which are both partially suspended due to the defendants’ inability to pay.
CFPB declines to stay $51 million order for online payday lender
On March 9, the CFPB denied a request made by a Delaware online payday lender and its CEO (collectively, “respondents”) to stay a January 2021 final decision and order requiring the payment of approximately $51 million in restitution and civil money penalties, pending appellate review. As previously covered by InfoBytes, in 2015, the Bureau filed a notice of charges alleging the respondents (i) continued to debit borrowers’ accounts using remotely created checks after consumers revoked the lender’s authorization to do so; (ii) required consumers to repay loans via pre-authorized electronic fund transfers; and (iii) deceived consumers about the cost of short-term loans by providing them with contracts that contained disclosures based on repaying the loan in one payment, while the default terms called for multiple rollovers and additional finance charges. Former Director Kathy Kraninger issued the final decision and order in January, affirming an administrative law judge’s recommendation that the respondents’ actions violated TILA, EFTA, and the CFPA’s prohibition on unfair or deceptive acts or practices by, among other things, deceiving consumers about the costs of their online short-term loans.
The Bureau’s March 9 administrative order determined that respondents (i) failed to show they have a substantial case on the merits with respect to their argument regarding ratification as an appropriate remedy for the respondents’ alleged constitutional violation; (ii) failed to show they “suffered irreparable harm” because the Bureau’s final decision does not infringe on the respondents’ constitutional rights and merely requires them to pay money into an escrow account; and (iii) failed to demonstrate that staying the final decision would not harm other parties and the public interest because the respondents might “dissipate assets during the pendency of further proceedings,” potentially impacting future consumer redress. The administrative order, however, granted a 30-day stay to allow respondents to seek a stay from the U.S. Court of Appeals for the Tenth Circuit.
FDIC announces Louisiana disaster relief
On March 15, the FDIC issued FIL-18-2021 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Louisiana affected by winter storms. The FDIC acknowledged the unusual circumstances faced by institutions affected by the winter storms and suggested that institutions work with impacted borrowers to, among other things, (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery,” and that the FDIC will consider institutional relief from certain filing and publishing requirements.
CFPB asks industry to aid consumers in getting stimulus funds
On March 17, CFPB acting Director Dave Uejio issued a statement encouraging financial institutions and debt collectors to allow Economic Impact Payment (EIP) funds to reach consumers. Uejio expressed concerns that EIP funds—distributed through the recently enacted American Rescue Plan Act of 2021 (covered by InfoBytes here)—may be intercepted to cover consumers’ overdraft fees, past-due debts, or other financial liabilities. Uejio applauded proactive measures taken by industry members to ensure consumers have the ability to access the full value of their EIP funds, noting that “many financial institutions have pledged to promptly restore the funds to the people who should receive them.”
D.C. enacts law extending obligations for debt collection, credit reporting, mortgage servicing, and evictions
On March 17, the mayor of D.C. signed the Coronavirus Support Emergency Amendment Act of 2021. The act extends the most provisions of D.C.’s prior Covid-19 relief act (previously covered here and here) through June 15. Among other things, the act includes consumer protection provisions, including provisions regarding debt collection and credit reporting. It also provides housing and tenant protections, including in the areas of mortgage payment and late fee relief, and restrictions on evictions and foreclosures.
States reach data breach settlement with debt collector
On March 11, a coalition of 41 state attorneys general, led by the New York attorney general, announced a settlement with a bankrupt debt collection agency to resolve a multistate investigation into a 2019 data breach that allegedly exposed the personal information of more than 21 million individuals, including Social Security numbers, payment card information, and in certain instances, medical test names and diagnostic codes. According to the proposed consent order, an unauthorized user accessed the company’s internal system and accessed consumers’ personal information. The AGs claimed that “[d]espite numerous warnings from banks that processed its payments about a potential breach, [the company] failed to detect the intrusion.” Under the terms of the settlement, the company has agreed to implement data security practices to strengthen its information security program and safeguard consumers’ personal information. These measures include: (i) creating and implementing an information security program that includes an incident response plan; (ii) employing a chief information security officer to oversee data safety practices; and (iii) hiring a third-party assessor to conduct an information security assessment. Additionally, should the company fail to honor the injunctive terms of the settlement it may be liable for as much as $21 million.
7th Circuit: “Stress and confusion” not an injury under the FDCPA
On March 11, the U.S. Court of Appeals for the Seventh Circuit held that a consumer’s alleged “stress and confusion” did not constitute a concrete and particularized injury under the FDCPA. The plaintiff alleged that the defendant debt collector violated the FDCPA when it directly communicated with her by sending a dunning letter related to unpaid debt even though she had previously notified the original lender that she was represented by counsel and requested that all debt communications cease. The district court granted the defendant’s summary judgment motion on the grounds that the debt collector could not have violated the FDCPA “without having actual knowledge of [the consumer’s] cease-communication request.”
On appeal, the 7th Circuit concluded that the complaint should be dismissed for lack of subject-matter jurisdiction because the plaintiff lacked standing. The 7th Circuit held that the consumer’s allegations—that the dunning letter caused her “stress and confusion” and “made her think that ‘her demand had been futile’”—did not amount to a concrete and particularized “injury in fact” necessary to establish Article III standing under the FDCPA. The court further noted that “the state of confusion is not itself an injury”—rather, for the alleged confusion to be concrete, “a plaintiff must have acted ‘to her detriment, on that confusion.’” Here, the consumer pointed only to a statutory violation and “failed to show that receiving [the debt collector’s] dunning letter led her to change her course of action or put her in harm’s way.” Additionally, the appellate court found the consumer’s argument that the dunning letter also “invaded her privacy,” raised for the first time on appeal, unpersuasive because she did not allege that injury in the complaint.
FHA removes LIBOR benchmark for adjustable-rate HECMs
On March 11, FHA issued Mortgagee Letter (ML) 2021-08 announcing changes for adjustable interest rate home equity conversion mortgages (HECMs) as the market transitions away from LIBOR. Among other things, ML 2021-08 (i) removes approval for using the LIBOR index for adjustable interest rate HECMs; and (ii) approves the use of the Secured Overnight Financing Rate (SOFR) index, permitting “mortgagees to commingle index types for newly originated annual adjustable interest rate HECMs when establishing the expected average mortgage interest rate using the U.S. Constant Maturity Treasury” and SOFR index. ML 2021-08 also states that LIBOR-based HECMs must close on or before May 3 to be eligible for FHA insurance.
Find continuing InfoBytes coverage on LIBOR here.
Agencies propose new flood insurance Q&As
On March 11, the FDIC, OCC, Federal Reserve Board, NCUA, and the Farm Credit Administration issued a notice and request for public comment on 24 proposed interagency questions and answers regarding the 2019 private flood insurance rule (covered by InfoBytes here). The new Q&As supplement interagency questions and answers proposed last year (covered by InfoBytes here), which were intended to reduce compliance burdens for lenders related to flood insurance laws. The new Q&As are designed to help lenders comply with private flood insurance provisions found in the Biggert-Waters Flood Insurance Reform Act of 2012, and address mandatory and discretionary acceptance of private flood insurance policies by lenders if such insurance is required. Comments on the proposed additions to the interagency Q&As are due 60 days after publication in the Federal Register.