InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC says COPPA does not preempt state privacy claims
The FTC recently filed an amicus brief in a case on appeal before the U.S. Court of Appeals for the Ninth Circuit, arguing that the Children’s Online Privacy Protection Act (COPPA) does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The full 9th Circuit is currently reviewing a case brought against a multinational technology company accused of using persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of COPPA and various state laws.
As previously covered by InfoBytes, last December the 9th Circuit reversed and remanded a district court’s decision to dismiss the suit after reviewing whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulation. At the time, the 9th Circuit examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The opinion further stated that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The defendant asked the full 9th Circuit to review the ruling. The appellate court in turn asked the FTC for its views on the COPPA preemption issue, specifically with respect to “whether the [COPPA] preemption clause preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA.”
In agreeing with the 9th Circuit that plaintiffs’ claims are not preempted in this case, the FTC argued that nothing in COPPA’s text, purpose, or legislative history supports the sweeping preemption that the defendant claimed. According to the defendant, plaintiffs’ state law claims are inconsistent with COPPA and are therefore preempted “because the claims were brought by plaintiffs who were not authorized to directly enforce COPPA, and would result in monetary remedies under state law that COPPA did not make available through direct enforcement.” Moreover, all state law claims relating to children’s online privacy are inconsistent with COPPA’s framework, including those brought by state enforcers, the defendant maintained. The FTC disagreed, writing that the 9th Circuit properly rejected defendant’s interpretation, which would preempt a wide swath of traditional state laws. Moreover, COPPA’s preemption clause only applies to state laws that are “inconsistent” with COPPA so as not to create “field preemption,” the FTC said, adding that plaintiffs’ claims in this case are consistent with the statute.
Fintech fined over interest charges billed as tips and donations
A California-based fintech company recently entered separate consent orders with California, Connecticut, and the District of Columbia to resolve allegations claiming it disguised interest charges as tips and donations connected to loans offered through its platform. The company agreed to (i) pay a $100,000 fine in Connecticut and reimburse Connecticut borrowers for all loan-related tips, donations, and fees paid; (ii) pay a $30,000 fine in the District of Columbia, including restitution; and (iii) pay a $50,000 fine in California, plus refunds of all donations received from borrowers in the state. The company did not admit to any violations of law or wrongdoing.
The Connecticut banking commissioner’s consent order found that the company engaged in deceptive practices, acted as a consumer collection agency, and offered, solicited, and brokered small loans for prospective borrowers without the required licensing. The company agreed that it would cease operations in the state until it changed its business model and practices and was properly licensed. Going forward, the company agreed to allow consumers to pay tips only after fully repaying their loans. The consent order follows a temporary cease and desist order issued in 2022.
A consent judgment and order reached with the D.C. attorney general claimed the company engaged in deceptive practices by misrepresenting the cost of its loans and by not clearly disclosing the true nature of the tips and donations. The AG maintained that the average APR of these loans violated D.C.’s usury cap. The company agreed to ensure that lenders accessing the platform are unable to see whether a consumer is offering a tip (or the amount of tip) and must take measures to make sure that withholding a tip or donation will not affect loan approval or loan terms. Among other actions, the company is also required to disclose how much lenders can expect to earn through the platform.
In the California consent order, the Department of Financial Protection and Innovation (DFPI) claimed that the majority of consumers paid both a tip and a donation. A pop-up message encouraged borrowers to offer the maximum tip in order to have their loan funded, DFPI said, alleging the pop-up feature could not be disabled without using an unadvertised, buried setting. These tips and/or donations were not included in the formal loan agreement generated in the platform, nor were borrowers able to view the loan agreement before consummation. According to DFPI, this amounted to brokering extensions of credit without a license. Additionally, the interest being charged (after including the tips and donations) exceeded the maximum interest rate permissible under the California Financing Law, DFPI said, adding that by disclosing that the loans had a 0 percent APR with no finance charge, they failed to comply with TILA.
Arizona amends licensing provisions
On May 19, the Arizona governor signed HB 2010 to amend certain sections of the Arizona revised statutes relating to the Department of Insurance and Financial Institutions. Amendments make changes to several licensing provisions, including the length of time a license remains active and licensure renewal requirements. The Act provides that on or before June 30 of each year, a licensee may renew each license without investigation by paying prescribed fees. Other revisions amend accounting practices and record retention requirements for mortgage brokers, mortgage bankers, and commercial mortgage bankers, among others. HB 2010 is effective 90 days after enactment.
DFPI examines whether some payment services are exempt from MTA
The California Department of Financial Protection and Innovation (DFPI) recently released a new opinion letter covering aspects of the California Money Transmission Act (MTA) relating to whether certain payment services are exempt or subject to licensure. The redacted opinion letter examines three payment services provided by the inquiring company. DFPI first analyzed and determined that payments received by a law firm collection agent from a different entity’s collection attorneys and remitted to said entity are exempt pursuant to MTA Financial Code section 2011. DFPI next considered whether the MTA’s agent of payee exemption applies to certain tax payment transactions wherein a customer’s payment obligation to the company is extinguished once the customer has submitted a payment through a particular contractor. According to DFPI, transactions conducted pursuant to a contract between the company and the contractor (appointed as a limited agent for the sole purpose of receiving payments on the company’s behalf from taxpayers) are exempt from the MTA under the agent of payee exemption. Finally, DFPI considered whether the agent of payee exemption applies to certain payments to government entities. DFPI explained, among other things, that the language contained within the contracts with each government entity “establishes that the government entity has appointed [the company] to act as its agent and that payment to [the company] extinguishes the payor’s payment obligation to the government entity.” As such, DFPI determined that “transactions conducted pursuant to contracts containing such language are exempt from the MTA under the agent of payee exemption.”
Iowa modernizes money transmission provisions
The Iowa governor recently signed HF 675 to revise certain provisions of the Uniform Money Transmission Modernization Act. The Act is designed to eliminate unnecessary regulatory burden and harmonize the licensing and regulation of money transmitters with other states. Among other things, the Act defines terms for when a state money services business (MSB) license is required and adds a process for joint multistate examination and supervision of MSB licensees. The Act also outlines several exemptions, including federally insured depository institutions and certain persons appointed as an agent of a payee who collect and process payments from a payor to the payee for goods or services (other than money transmission itself).
With respect to licensing provisions, the Act states that a person shall not engage in the business of money transmission unless they are licensed. New provisions modify the licensing process, including by requiring that applications be approved 121 days after completion, unless denied or approved earlier by the superintendent. The license will take effect the first business day after expiration of the 120-day period (although the superintendent may for good cause extend the application period). The Act also outlines licensing application renewal procedures, requirements for maintaining licensure, processes for person(s) seeking to acquire control of a licensee or seeking to change key individuals, authorized delegate provisions, net worth and surety bond criteria, permissible investments, and reporting and financial condition requirements, among other criteria. The Act further specifies that a person who engages in the business of money transmission on behalf of a person not licensed under the chapter “provides money transmission to the same extent as if the person were a licensee, and shall be jointly and severally liable with the unlicensed or nonexempt person.” The Act takes effect July 1.
Pennsylvania reaches $11 million settlement with rent-to-own company
On May 15, the Pennsylvania attorney general announced a $11.4 million settlement with a rent-to-own lender and its subsidiaries accused of engaging in predatory practices targeting low-income borrowers and employing deceptive collection practices. According to the AG, the lender disguised one-year rent-to-own agreements as “100-Day Cash Payoffs” and then concealed the balances owed. The AG maintained that consumers were locked into binding 12-month agreements that included high leasing fees (equal to 152 percent APR interest). The AG explained that consumers entitled to restitution and relief “had already satisfied the cash price, the sales tax on the cash price, and the processing fees associated with their purchase – yet still owed [the lender] a balance.” Additionally, the AG accused the lender of using a web-based portal for creating and signing contracts, which made it easy for persons other than the consumer to sign the agreements.
The order requires the lender to pay $7.3 million in restitution that will be distributed to affected consumers, $200,000 in civil penalties, and $750,000 in costs to be paid to the AG to be used for public protection and education purposes. Additionally, the lender is required to reduce the balances of delinquent lease-to-own accounts for certain rental purchase agreements, resulting in a $3.15 million aggregate reduction in balances. The lender has also agreed to, among other things, not represent or imply that failure to pay a debt owed or alleged to be owed “will result in the seizure, attachment or sale of any property that is the subject of the debt unless such action is lawful” or that the lender’s subsidiary intends to take such actions. The lender is also prohibited from collecting any amount, including interest, fees, charges, or expenses incidental to the principal obligation, unless the amount is expressly authorized by the agreement creating the obligation or permitted by law. Furthermore, the lender’s subsidiaries must clearly and conspicuously disclose customer balances during servicing calls and through a customer portal.
Montana becomes the ninth state to enact comprehensive privacy legislation
On May 19, the Montana governor signed SB 384 to enact the Consumer Data Privacy Act (CDPA) and establish a framework for controlling and processing consumer personal data in the state. Montana is now the ninth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, and Tennessee. The CDPA applies to any person that conducts business in the state or produces products or services targeted to state residents and, during a calendar year, (i) controls or processes personal data of at least 50,000 consumers (“excluding personal data controlled or processed solely for the purpose of completing a payment transaction”), or (ii) controls or processes personal data of at least 25,000 consumers and derives 25 percent of gross revenue from the sale of personal data. The CDPA provides several exemptions, including nonprofit organizations, registered securities associations, financial institutions, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, and covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of the CDPA include:
- Consumers’ rights. Under the CDPA, consumers will be able to access their personal data; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the sale of their data. A consumer may also designate an authorized agent to act on the consumer’s behalf to opt out of the processing of their personal data.
- Data controllers’ responsibilities. Data controllers under the CDPA will be responsible for, among other things, (i) responding to consumer requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, one for each consumer during a 12-month period; (ii) establishing a process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) establishing clear and conspicuous opt-out methods on a website that require consumers to affirmatively and freely choose to opt out of any processing of their personal data (and allowing for a mechanism that lets consumers revoke consent that is at least as easy as the mechanism used to provide consent); (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) processing data in compliance with state and federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) providing clear and meaningful privacy notices; and (ix) conducting data protection assessments and ensuring deidentified data cannot be associated with a consumer. The CDPA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
- No private right of action but enforcement by state attorney general. The CDPA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law.
- Right to cure. Upon discovering a potential violation of the CDPA, the attorney general must give the data controller notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit. The cure provision expires April 1, 2026.
The CDPA takes effect October 1, 2024.
Georgia enacts commercial financing disclosure requirements
On May 1, the Georgia governor signed SB 90 to, among other things, require disclosures in connection with commercial financing transactions of $500,000 or less. The amendments modify the existing state Fair Business Practices Act and apply to “commercial loans” and “commercial open-end credit plans.” The amendments define a “provider” as “a person who consummates more than five commercial financing transactions in this state during any calendar year and includes, but is not limited to, a person who, under a written agreement with a depository institution, offers one or more commercial financing products provided by the depository institution via an online platform that the person administers.” The amendments also establish parameters for qualifying commercial transactions and outline numerous exemptions. Specifically, prior to consummating a commercial financing transaction, a provider must (i) disclose the terms of the transaction as specified within the amendments, and (ii) include a description of the methodology used to calculate any variable payment amount and the circumstances that may cause a payment amount to vary. The provisions apply to any commercial financing transaction consummated on or after January 1, 2024. The amendments also address unfair or deceptive practices relating to brokerage engagements and is effective January 1, 2024.
Crypto company settles NY AG’s hidden-fee claims
On May 18, the New York attorney general announced a settlement with a Brooklyn-based cryptocurrency company to resolve claims that it charged investors “exorbitant and undisclosed fees” to store cryptocurrency in an account that was advertised as being free on its website. The fees charged to investors to use its wallet storage were allegedly so high that they completely cleaned out investors’ accounts, the AG said. The company agreed to the AG’s findings that it regularly charged and increased fees without properly notifying investors. According to the AG’s investigation, the company changed the wallet storage fee structure four times without clearly disclosing the fee increase, which led to some investors being charged fees equal to 96 percent of the value of their account holdings. In total, the company took approximately $4.25 million from investors. The AG maintained that the company also failed to register as a commodity broker dealer in the state for a period of time, and that while it was eventually granted a virtual currency license pursuant to 23 NYCRR Part 200, it failed to file a registration statement. Under the terms of the assurance of discontinuance, the company is required to pay $508,910 in restitution to the state and provide full restitution to all investors who were misled. The company is also required to provide monthly refund status updates to the AG, limit the amount of fees charged for using its wallet service to 0.002 percent per cryptocurrency per month for at least five years, and ensure that it adequately discloses all fees to investors.
Default judgment entered against provider of immigration bonds
The U.S. District Court for the Western District of Virginia recently entered default judgment against defendants accused of misrepresenting the cost of immigration bond services and deceiving migrants to keep them paying monthly fees by making false threats of deportation for failure to pay. As previously covered by InfoBytes, the defendants—a group of companies providing immigration bond products or services for non-English speaking U.S. Immigration and Customs Enforcement detainees—were sued by the CFPB and state attorneys general from Massachusetts, New York, and Virginia in 2021 for allegedly engaging in deceptive and abusive acts and practices in violation of the Consumer Financial Protection Act (CFPA). The defendants argued that the court lacked subject matter jurisdiction because the Bureau did not have authority to enforce the CFPA since the defendants are regulated by state insurance regulators and are merchants, retailors, or sellers of nonfinancial goods or services. However, the court disagreed, explaining that “limitations on the CFPB’s regulatory authority do not equate to limitations on this court’s jurisdiction.” (Covered by InfoBytes here.)
As explained in the court’s opinion, last year the plaintiffs filed a motion for sanctions and for an order to show cause why the court should not hold the defendants in contempt for actions relating to several ongoing discovery disputes. The court determined that the defendants failed to demonstrate that “factors other than obduracy and willfulness” led to their failure to comply with multiple discovery orders and that the defendants engaged in a “pattern of knowing noncompliance with numerous orders of the court.” These delays, the court said, have significantly harmed the plaintiffs in their ability to prepare their case. Finding each defendant in civil contempt of court, the court also entered a default judgment against the defendants, citing them for discovery violations in other cases. The court set June deadlines for briefs on remedies and damages.