InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Digital Advertising Group Revises Code of Conduct for Interest-Based Advertising
On May 16, the Network Advertising Initiative (NAI), a self-regulatory body governing over 90 third-party digital advertising companies, released a revised Code of Conduct designed to (i) ensure that NAI member companies continue to implement, honor, and maintain strong standards with respect to the collection and use of data for online advertising, (ii) adapt the code to accommodate all companies in the advertising technology field, and (iii) incorporate changes in the regulatory and self-regulatory landscape, including principles of the FTC's Self Regulatory Principles for Online Behavioral Advertising, the FTC's final privacy report, and the White House privacy report.
FTC Sends COPPA Update Educational Letters
On May 15, the FTC announced that it sent letters to businesses to help them comply with new requirements under the revised Children’s Online Privacy Protection Act (COPPA) rule. The letters went to 90 businesses whose online services or mobile applications appear to collect personal information from children under 13, as defined by the revised rule. The letters differ depending on whether the business is domestic or foreign, and whether the business collects images or sounds of children, or collects persistent identifiers.
CFPB Issues Revised Remittance Transfer Rule
On April 30, the CFPB issued a revised final rule to amend regulations applicable to consumer remittance transfers of over fifteen dollars originating in the United States and sent internationally. Generally, the rule requires remittance transfer providers to (i) provide written pre-payment disclosures of the exchange rates and fees associated with a transfer of funds, as well as the amount of funds the recipient will receive, and (ii) investigate consumer disputes and remedy errors. The revised rule makes optional the original requirement to disclose (i) recipient institution fees for transfers to an account, except where the recipient institution is acting as an agent of the provider and (ii) taxes imposed by a person other than the remittance transfer provider. Instead, the revised rule requires providers to include a disclaimer on disclosures that the recipient may receive less than the disclosed total value due to these two categories of fees and taxes. The revised rule exempts from certain error resolution requirements two additional errors: (i) providing an incorrect account number or (ii) providing an incorrect recipient institution identifier. For the exception to apply, a remittance transfer provider must (i) notify the sender prior to the transfer that the transfer amount could be lost, (ii) implement reasonable measures to verify the accuracy of a recipient institution identifier, and (iii) make reasonable efforts to retrieve misdirected funds. In addition, the revised rule provides institutions more time to comply with the new remittance transfer standards. The final regulations, as revised by this rule, take effect on October 28, 2013.
CFPB Amends Credit Card Ability-to-Pay Rule
On April 29, the CFPB amended Regulation Z to make it easier for spouses or partners who do not work outside of the home to qualify for credit cards. Regulation Z generally requires that credit card issuers consider an applicant’s independent ability to pay regardless of age. A Federal Reserve Board rule adopted to implement the Credit CARD Act, which took effect on October 1, 2011, required card issuers to consider only an individual card applicant’s independent income or assets. The rule received criticism from members of Congress and other stakeholders who argued the rule limited access to credit for stay-at-home spouses and partners. The CFPB’s revised rule allows credit card issuers to consider third-party income for a consumer who is 21 or older, if the applicant has a reasonable expectation of access to such income. The CFPB rule does not change the independent ability to pay requirement for individuals under 21 years old. The rule is effective as of May 3, 2013 and compliance with the rule is required by November 4, 2013. Card issuers may, at their option, comply with the rule prior to that date.
North Dakota Amends UCC to Require Electronic Recording
On April 30, North Dakota enacted HB 1136, which compels the Secretary of State to provide an electronic means for filing any record required to be filed under the state Uniform Commercial Code. The bill also, among other things, directs the Secretary to establish an electronic system and requires electronic filing to obtain or amend certain liens, including repairman’s liens and other non-mortgage liens. The changes become effective August 1, 2015. If the Secretary makes a report to the legislative management and to the information technology committee certifying that the electronic filing system is ready for implementation, these changes will become effective ninety days following the completion of the certificate requirement.
California Federal Court Holds Online Purchase Transactions for Shipped Merchandise Not Covered by Song-Beverly Credit Card Act
On April 30, the U.S. District Court for the Central District of California held that Section 1747.08 of the Song-Beverly Credit Card Act, which prohibits retailers from requiring personal information as a condition to completing credit card transactions, does not apply to online purchase transactions in which the merchandise is shipped or delivered to the customer. Ambers v. Buy.com, No. 13-196, slip op. (C.D. Cal. Apr. 30, 2013). The ruling extends a recent holding by the California Supreme Court in Apple Inc. v. Sup. Ct. Los Angeles, which held that the Song-Beverly provisions do not apply when the item purchased is downloaded via the Internet. In this case, the customer claimed on behalf of a putative class whose claims could total $500 million that Apple created a standard that applies the Song-Beverly protections whenever the retailer has “some mechanism” to verify the customer’s identity. The plaintiff argued that the retailer’s request as part of the purchase transaction for a phone number in addition to the shipping address violated the statutory privacy protection. The court reasoned that as explained in Apple, the state legislature intended to allow retailers to verify that a person making a card purchase is authorized to do so, and stated that the shipping address alone would not work as an anti-fraud mechanism because a person who buys merchandise online may direct shipments to addresses not related to the credit card billing address. As such, the court held that Song-Beverly privacy protection does not apply to online purchases where the merchandise is being shipped or delivered, and granted the retailer’s motion to dismiss.
CFPB, FTC Announce Roundtable on Data Integrity in Debt Collection
On May 1, the FTC and the CFPB announced a roundtable to “examine the flow of consumer data throughout the debt collection process” and discuss (i) the amount of documentation and other information currently available to different types of collectors and at different points in the debt collection process, (ii) the information needed to verify and substantiate debts, (iii) the costs and benefits of providing consumers with additional disclosures about their debts and debt-related rights, and (iv) information issues relating to pleading and judgment in debt collection litigation. The event will be held on June 6, 2013 in Washington, DC and is open to the public.
NIST Revamps Core Computer Security Guide
On April 30, the National Institute of Standards and Technology (NIST) published a substantially revised version of its Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” the government’s core computer security guide. Although developed for use by federal agencies, the NIST Special Publication is widely used in the private sector. The revisions are the most extensive since the document first was published in 2005 and is meant to address evolving and emerging cyber security threats. For example, the new guide incorporates issues specific to (i) mobile and cloud computing, (ii) insider threats, (iii) applications security, (iv) supply chain risks, (v) advanced persistent threats, and (vi) trustworthiness, assurance, and resilience of information systems. It is sector-specific to allow organizations greater flexibility in building information security systems, and also provides for the first time a privacy controls catalog.
CFPB Issues Final Preemption Determination for Maine, Tennessee Unclaimed Gift Card Laws
On April 19, the CFPB issued a final preemption determination regarding whether the Electronic Fund Transfer Act (EFTA) and Regulation E preempt certain unclaimed gift card laws in Maine and Tennessee. The EFTA, as implemented by Regulation E, generally prohibits any person from issuing a gift certificate, store gift card, or general-use prepaid card with an expiration date, though under certain conditions, the card may have an expiration date so long as it is at least five years after the date of issuance (or five years after the date that funds were last loaded). The CFPB determined that the Maine law does not interfere with a consumer’s ability to use a gift cards at point-of-sale for at least as long as guaranteed by the EFTA and Regulation E because it requires the issuer to honor the gift card on presentation indefinitely even if the unused value has been transferred to the state. For Tennessee, the CFPB reached the opposite conclusion because the Tennessee provision permits issuers to decline to honor gift cards as soon as two years after issuance. According to the CFPB, the Tennessee law is inconsistent with federal law because, in effect, the provision allows funds to expire sooner than is permitted under EFTA and Regulation E.
FTC Updates COPPA FAQs
On April 25, the FTC issued updated FAQs on the recently amended Children’s Online Privacy Protection Act Rule. The FAQs provide supplemental guidance designed to help website operators, mobile application developers, plug-ins and advertising networks operating on child-directed websites and online services prepare for the amended regulations, which take effect on July 1, 2013.