InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Michigan Supreme Court limits applicability of “usury savings clauses”
On June 23, the Michigan Supreme Court reversed a circuit court’s decision on a case involving Michigan’s “longstanding prohibition on excessive interest rates for certain loans.” The case involved a “usury savings clause,” which is a term sometimes used in notes, which requires the borrower to pay the maximum legal interest rate if the contractual terms impose an illegal rate. In the case, a nonbank investment group (plaintiff) lent a realty service company (defendant) $1 million to flip tax-foreclosed homes. Plaintiff sued for breach of contract and fraud after defendant discontinued payments after paying more than $140,000 in interest on the loan. Defendant argued that plaintiff violated the criminal usury statute by, “knowingly charging an effective interest rate exceeding 25%,” which it alleged barred plaintiff from recovering on the loan under the wrongful-conduct rule.
The circuit court determined that the fees and charges associated with the loan constituted disguised interest, making the total interest the plaintiff was seeking above the legal 25% limit and “criminally usurious.” However, the court agreed with the defendant that the usury savings clause was enforceable and the note was not facially usurious. Nevertheless, “the court agreed that the appropriate remedy is to relieve [defendant] of its obligation to pay the interest on the loan but not its obligation to repay the principal.”
The Michigan Supreme Court held that in determining whether a loan agreement imposes illegal rates of interest, a usury savings clause is ineffective if the loan agreement requires a borrower to pay an illegal interest rate, even if the interest is labeled as a “fee” or something else. Further, the court held that enforcing usury savings clauses would undermine the state’s usury laws because it would nullify the statutory remedies for usury, which would relieve lenders of their obligation to ensure that their loans have a legal interest rate. The court also held that a lender is not criminally liable for seeking to collect on an unlawful interest rate in a lawsuit. The court reasoned that seeking relief through the court of law is generally encouraged over extrajudicial means. According to the opinion, the court held that “[t]he appropriate remedy for a lender’s abusive lawsuit is success for the borrower in that lawsuit and appropriate civil sanctions, not a criminal conviction for usury.”
Feds, states launch “Operation Stop Scam Calls”
On July 18, the FTC, along with over 100 federal and state law enforcement partners nationwide, including the DOJ, FCC, and attorneys general from all 50 states and the District of Columbia, announced a new initiative to combat illegal telemarketing calls, including robocalls. The joint initiative, “Operation Stop Scam Calls,” targets telemarketers and the companies that hire them, lead generators that provide consumers’ telephone numbers to robocallers and others who falsely represent that consumers consented to receive the calls. The initiative also targets Voice over Internet Protocol (VoIP) service providers that facilitate illegal robocalls, many of which originate overseas.
In connection with Operation Stop Scam Calls, the FTC has initiated five new cases against companies and individuals allegedly responsible for distributing or assisting in the distribution of illegal telemarketing calls to consumers across the country. According to the announcement, the actions reiterate the FTC’s position “that third-party lead generation for robocalls is illegal under the Telemarketing Sales Rule (TSR) and that the FTC and its partners are committed to stopping illegal calls by targeting anyone in the telemarketing ecosystem that assists and facilitates these calls, including VoIP service providers.” The announcement also states that more than 180 enforcement actions and other initiatives have been taken by 48 federal and 54 state agencies as part of Operation Stop Scam Calls.
Among the new actions announced a part of Operation Stop Scam Calls is a complaint filed against a “consent farm” lead generator, which allegedly uses “dark patterns” to collect consumers’ broad agreement to provide their personal information and receive robocalls and other marketing solicitations through a single click of a button or checkbox via its websites. Under the terms of the proposed order, the defendant would be required to pay a $2.5 million civil penalty and would be banned from engaging in, assisting, or facilitating robocalls. The defendant would also be required to implement measures to limit its lead generation practices, establish systems for monitoring its own advertising and that of its affiliates, comply with comprehensive disclosure requirements concerning the collection of consumers’ consent to the sale of their information, and delete all previously collected consumer information.
Other actions were taken against a California-based telemarketing lead generator, a telemarketing company that provides soundboard calling services to clients who use robocalls to sell a range of products and services, a New Jersey-based telemarketing outfit that placed tens of millions of calls to consumers whose numbers are listed on the National Do Not Call Registry, and Florida-based defendants accused of assisting and facilitating the transmission of roughly 37.8 million illegal robocalls by providing VoIP services to over 11 foreign telemarketers.
Illinois Supreme Court declines to reconsider BIPA accrual ruling
On July 18, the Illinois Supreme Court declined to reconsider its February ruling, which held that under the state’s Biometric Information Privacy Act (BIPA or the Act), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Three justices, however, dissented from the denial of rehearing, writing that the ruling leaves “a staggering degree of uncertainty” by offering courts and defendants little guidance on how to determine damages. The putative class action stemmed from allegations that the defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting plaintiff’s biometric data and disclosing the data to a third-party vendor without first obtaining her consent. While the defendant challenged the timeliness of the action, the plaintiff asserted that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.”
In February, a split Illinois Supreme Court held that claims accrue under BIPA each time biometric identifiers or biometric information (such as fingerprints) are scanned or transmitted, rather than simply the first time. (Covered by InfoBytes here.) The dissenting judges wrote that they would have granted rehearing because the majority’s determination that BIPA claims accrue with every transmission “subvert[s] the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois, and consequently raises significant constitutional due process concerns.” The dissenting judges further maintained that the majority’s February decision is confusing and lacks guidance for courts when determining damages awards. While the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” it also said that it continues “to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature,” and that it “respectfully suggest[s] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”
Oregon is 11th state to enact comprehensive privacy legislation
On July 18, the Oregon governor signed SB 619 (the Act) to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures. Last month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.
Highlights of the Act include:
- Applicability. The Act applies to persons conducting business or producing products or services intentionally directed at Oregon residents that either control or process personal data of more than 100,000 consumers per calendar year (“other than personal data controlled or processed solely for the purpose of completing a payment transaction”) or earn 25 percent or more of their gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more. Additionally, the Act provides several exemptions, including financial institutions and their affiliates, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, and protected health information processed by a covered entity in compliance with the Health Insurance Portability and Accountability Act, among others. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
- Consumer rights. Under the Act, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also be able to opt out of the processing of personal information for targeted advertising, the sale of personal information, or profiling “in furtherance of decisions that produce legal effects or effects of similar significance.” Data controllers also will be required to obtain a consumer’s consent to process sensitive personal information or, in the case of a known child, obtain consent from the child’s parent or lawful guardian. Additionally, the Act requires opt-in consent for using the personal data of a youth 13 to 15 years old for targeted advertising or profiling. The Act makes clear that consent means “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.” This does not include the use of an interface “that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice.” Controllers that receive a consent revocation from a consumer must process the revocation within 15 days.
- Controller responsibilities. Among the Act’s requirements, data controllers will be responsible for (i) responding to consumer requests within 45 days after receiving a request (a 45-day extension may be granted when reasonably necessary upon notice to the consumer); (ii) providing clear and meaningful privacy notices; (iii) disclosing to consumers when their personal data is sold to third parties or processed for targeted advertising, and informing consumers how they may opt out; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose and securing personal data from unauthorized access; (v) conducting and retaining data protection assessments where there is a heightened risk of harm and ensuring deidentified data cannot be associated with a consumer; and (vi) avoiding unlawful discrimination.
- Data processing agreements. The Act stipulates that processors must follow a controller’s instructions and help meet the controller’s obligations concerning the processing of personal data. The Act also sets forth obligations relating to contracts between a controller and a processor. Processors that engage a subcontractor must ensure the subcontractor meets the processor’s obligations with respect to personal data under the processor’s contract with the controller.
- Private right of action and state attorney general enforcement. The Act does not provide a private right of action to consumers. Instead, the Oregon attorney general may investigate violations and seek civil penalties of no more than $7,500 per violation. Before initiating such action, the attorney general may grant the controller 30 days to cure the violation.
The Act takes effect July 1, 2024.
Washington releases FAQs for My Health My Data Act
On June 20, the Washington attorney general published a series of Frequently Asked Questions (FAQs) related to the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data (covered by InfoBytes here). The FAQs include information on the law’s effective dates and applicability. According to the AG, “all persons, as defined in the Act, must comply with section 10 beginning July 23, 2023. Regulated entities that are not small businesses must comply with sections 4 through 9 beginning March 31, 2024. Small businesses, as defined in the Act, must comply with sections 4 through 9 beginning June 30, 2024. For sections 4 through 9, the effective dates apply to the entirety of the section and are not limited to the subsections in which the effective dates appear.” Additionally, the FAQs clarify that a business that is covered by the Act must provide a link to its consumer health data privacy policy on its homepage.
The FAQs also address a potential conflict between Sections 6 and 9 of the Act regarding the right to delete and consumers’ authorizations to sell data, respectively. Section 9 mandates that any person, not just regulated entities, must obtain consumer authorization before selling or offering to sell their data. Both the seller and purchaser are required to retain a copy of the authorization, which may contain consumer health data for six years. However, Section 6 stipulates that consumer health data should be deleted from a regulated entity’s network upon the consumer’s request. The FAQs advise that in cases where a consumer requests deletion under Section 6, any authorizations stored under Section 9 must be redacted to eliminate any information related to the data that was sold.
California probes employers’ CCPA compliance
On July 14, the California attorney general announced it recently sent inquiries to several large employers as part of an investigation into companies’ compliance with their legal obligations under the California Consumer Protection Act (CCPA). The investigation centers on how companies handle the personal information of employees and job applicants. As previously covered by InfoBytes, temporary exemptions related to human resource and business-to-business data provided by the CCPA and the California Privacy Rights Act expired on January 1 of this year. Amendments were introduced last legislative session that would have extended the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role . . . [in] that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” However, the amendments were not adopted, and the exemptions expired.
The AG said they are sending the inquiry letters “to learn how employers are complying with their legal obligations.” Covered businesses subject to the CCPA are required to comply with the statute’s privacy protections as they relate to employee data, including providing notice of privacy practices and honoring consumer requests to exercise their rights to access, delete, and opt out of the sale and sharing of their personal information.
11th Circuit orders reexamination of breach class boundaries
On July 11, a split U.S. Court of Appeals for the Eleventh Circuit partially vacated the greenlighting of two data breach class actions, holding that a district court must re-analyze the boundaries of the classes. Both the nationwide and California classes are individuals who sued a restaurant chain after their card data and personally identifiable information were compromised in a cyberattack. Plaintiffs claimed that information for roughly 4.5 million cards could be accessed on an online marketplace for stolen payment information. Two of the three named plaintiffs also said they experienced unauthorized charges on their accounts. Plaintiffs moved to certify two classes seeking both injunctive and monetary relief—a nationwide (or alternatively a statewide) class for negligence and a California class for claims based on the state’s unfair business practices laws. The district court certified a nationwide class and a separate California-only class. The restaurant chain’s parent company appealed, arguing that the certification violates court precedent on Article III standing for class actions, that the classes do not meet the commonality requirements for certification, and that the district court erred by finding that a common damages methodology existed for the class.
On appeal, the majority found that at the class certification stage, plaintiffs only had to show that a reliable damages methodology existed. The majority also determined that the district court correctly found that plaintiffs’ expert presented a sufficient methodology for calculating damages and that “it would be a ‘matter for the jury’ to decide actual damages at trial.” However, the majority remanded the case with instructions for the district court to clarify what it meant when it certified classes of individuals who had their “data accessed by cybercriminals.” According to the opinion, the district court meant for this term to encompass individuals who experienced fraudulent charges or whose credit card information was posted on the dark web. The majority expressed concerns that the phrase “accessed by cybercriminals” is broader than the two delineated categories provided by the district court and could include individuals who had their data taken but were otherwise uninjured. The majority also vacated the California class certification after determining that two of the three named plaintiffs lacked standing because they dined at the restaurant outside of the “at-risk” timeframe. The district court’s damages calculation methodology, however, was left undisturbed by the appellate court.
Partially dissenting, one of the judges wrote that while she agreed that one of the named plaintiffs had standing to sue, she disagreed with the majority’s concrete injury analysis. The judge also argued that the district court erred in its damage calculations by “impermissibly permit[ting] plaintiffs to receive an award based on damages that they did not suffer.”
Missouri will regulate lender-placed insurance
On July 7, the Missouri governor signed SB 101 (the “Act”) into law, amending several provisions relating to property and casualty insurance, including requirements for lender-placed insurance. The Act defines “lender-placed insurance” as insurance secured by the lender/servicer when the mortgagor does not have valid or sufficient insurance on a mortgaged real property, and will include “insurance purchased unilaterally by the lender or servicer, who is the named insured, subsequent to the date of the credit transaction, providing coverage against loss, expense, or damage to collateralized property as a result of fire, theft, collision, or other risks of loss” that impairs such lender/servicer’s interest or adversely impacts the collateral, where such purchase is a result of a mortgagor’s failure to obtain required insurance under a mortgage agreement. Among other things, the Act stipulates that lender-placed insurance is not effective until the date a mortgaged real property is not insured, and that individual lender-placed insurance terminates on the earliest date out of listed periods. Also specified is that mortgagors cannot be charged for the policies outside of the scheduled term of the lender-placed insurance. The Act further states that the calculation of the lender-placed insurance premium “should be based upon the replacement cost value of the property,” and outlines how the premium should be determined. All insurers shall have separate rates for lender-placed insurance and voluntary insurance obtained by a mortgage servicer on real estate owned property, as defined in the Act.
Further regarding lender-placed insurance, the Act prohibits: (i) “insurers and insurance producers from issuing lender-placed insurance if they or one of their affiliates owns, performs servicing for, or owns the servicing right to, the mortgaged property;” (ii) “insurers and insurance producers from compensating lenders, insurers, investors, or servicers for lender-placed insurance policies issued by the insurer, and from sharing premiums or risk with the lender, investor, or servicer;” (iii) “payments dependent on profitability or loss ratios from being made in connection with lender-placed insurance;” (iv) [insurers from] provid[ing] free or below-cost services or outsourc[ing] its own functions at an above-cost basis”; and (v) [insurers from] mak[ing] any payments for the purpose of securing lender-placed insurance business or related services.
The Act requires lender-placed insurance policy forms and certificates to be mailed and filed with the Missouri Department of Commerce and Insurance and stipulates the requirements for insurers who must report information to the department as well. Lastly, the Act specifies potential penalties for violations of the Act, including monetary penalties and suspension or revocation of an insurer’s license. The Act becomes effective on August 28.
CFPB, Maine say loan purpose determines whether TILA applies
On July 12, the CFPB and the State of Maine filed an amicus brief in the Maine Supreme Judicial Court arguing that determining whether a loan is covered by TILA requires an assessment of the borrower’s primary purpose in entering into the transaction. The action involves a couple who obtained a loan from the bank to purchase land for the construction of a home. Due to the 2008 financial crisis, the value of the property depreciated, resulting in insufficient proceeds from the sale of the home to fully pay off the loan. To cover the shortfall, the couple acquired a new loan from the bank and used a cabin they owned as collateral. When the loan’s term ended, the couple defaulted after being unable to make the required balloon payment. The bank sued, seeking to take possession of the cabin. At trial, the couple attempted to present evidence that the bank had not provided them with certain necessary disclosures mandated by TILA and did not assess their ability to repay the loan. The couple maintained “that the bank’s liability under TILA fully offset the amount they owed to the bank under the loan.” The court determined, however, that since the loan documents indicated a commercial purpose, TILA did not apply.
The couple attempted to introduce extrinsic evidence to show that even though the loan was labeled “commercial,” it was actually used for personal, family, or household purposes and therefore was a covered consumer loan. The court relied on a case (Bordetsky v. JAK Realty Trust) holding that, for purposes of determining the applicability of Maine’s notice of default statute for residential real estate foreclosures, “courts should not look to extrinsic evidence to determine whether the loan had a commercial or consumer purpose if the loan document states on its face that the loan has a commercial purpose.”
The brief explained that TILA generally applies to consumer loans (i.e., loans that are primarily for a personal, family, or household purpose) but not to loans made for a commercial purpose, and that the Maine Consumer Credit Code fully incorporates TILA. The brief argued that the borrower’s primary purpose for obtaining the loan should determine whether TILA and the Maine Consumer Credit Code apply, and presented three arguments as to why the trial court erred in concluding that TILA is not applicable on the sole basis that the loan is labeled as a “commercial loan.” First, statutory text provides that a loan is generally covered by TILA if a borrower obtained the loan primarily for a family, personal or household purpose. TILA “requires a substantive and fact-intensive inquiry into the reasons why the borrower entered into the transaction,” the brief explained. Second, judicial precedent has established that “determining whether a loan has a covered purpose requires looking beyond the four corners of the contract.” The trial court erred in relying on Bordetsky because it pertains to a different Maine statute and does not address the judicial precedent or administrative guidance that govern TILA coverage, the brief said. Finally, permitting creditors to evade TILA by labeling a loan as “commercial” is at odds with TILA’s remedial purpose, the brief maintained.
“Why the consumer borrowed the money—not the label that the company sticks on the loan—determines whether the loan is covered by the law,” Seth Frotman, general counsel and senior advisor to the CFPB director, said in a blog post.
CFPB, states sue company over deceptive student lending and collection
On July 13, the CFPB joined state attorneys general from Washington, Oregon, Delaware, Minnesota, Illinois, Wisconsin, Massachusetts, North Carolina, South Carolina, and Virginia in taking action against an education firm accused of engaging in deceptive marketing and unfair debt collection practices. California’s Department of Financial Protection and Innovation is participating in the action as well. Prior to filing for bankruptcy, the Delaware-based defendant operated a private, for-profit vocational training program for software sales representatives. The joint complaint, filed as an adversary proceeding in the firm’s bankruptcy case, alleges that the defendant charged consumers up to $30,000 for its programs. The complaint further alleges that the defendant encouraged consumers who could not pay upfront to enter into income share agreements, which required minimum payments equal to between 12.5 and 16 percent of their gross income for 4 to 8 years or until they had paid a total of $30,000, whichever came first.
The complaint asserts that the defendant engaged in deceptive practices by misrepresenting its income share agreement as not a loan and not debt, and mislead borrowers into believing that no payments would need to be made until they received a job offer from a technology company with a minimum annual income of $60,000. The defendant is also accused of failing to disclose important financing terms, such as the amount financed, finance charges, and annual percentage rates, as required by TILA and Regulation Z. The complaint also claims that the defendant hired two debt collection companies to pursue collection activities on defaulted income share loans. One of the defendant debt collectors is accused of engaging in unfair practices by filing debt collection lawsuits in remote jurisdictions where consumers neither resided nor were physically present when the financing agreements were executed. The complaint further alleges the two defendant debt collectors violated the FDCPA and the CFPA by deceptively inducing consumers into settlement agreements and falsely claiming they owed more than they did.
According to the Bureau and the states, after the Delaware Department of Justice and Delaware courts began scrutinizing the debt collection lawsuits, the defendant unilaterally changed the terms of its contracts with consumers to force them into arbitration even though none of them had agreed to arbitrate their claims. Additionally, the complaint contends that settlement agreements marketed as being “beneficial” to consumers actually released consumers’ claims against the defendant and converted income share loans into revised “settlement agreements” that obligated them to make recurring monthly payments for several years and contained burdensome dispute resolution and collection terms.
The complaint seeks permanent injunctive relief, monetary relief, consumer redress, and civil money penalties. The CFPB and states are also seeking to void the income share loans.