InfoBytes Blog

Financial Services Law Insights and Observations

  • Colorado establishes medical debt collection requirements

    State Issues

    On May 4, the Colorado governor signed SB 23-093 to cap the interest rate on medical debt at three percent per year. The Act outlines numerous provisions, including that entities collecting on a medical debt must provide a consumer with a written copy of a payment plan within seven days for medical debt that is payable in four or more installments. The Act also outlines requirements for accelerating or declaring a payment plan no longer operative, and lays out prohibited actions (such as collecting on a debt or reporting a debt to a consumer reporting agency within a certain timeframe) relating to medical debt that an entity knows, or reasonably should know, is under review or being appealed. An entity that files a legal action to collect a medical debt must provide to a consumer (upon written request) an itemized statement concerning the debt and must allow a consumer to dispute the debt’s validity after receiving the statement. Entities are prohibited from engaging in collection activities until the itemized statement is delivered. The Act outlines self-pay requirements and estimates, and further provides that it is a deceptive trade practice to violate outlined provisions relating to billing practices, surprise billing, and balance billing laws. The Act takes effect immediately and applies to contracts entered into after the effective date.

    State Issues State Legislation Colorado Medical Debt Debt Collection Interest Rate Consumer Finance

  • Oklahoma ties maximum interest on loans to fed funds rate

    State Issues

    The Oklahoma governor recently signed SB 794, which increases the maximum loan finance charge for certain loans (i.e., supervised loans under applicable Oklahoma law) by additionally including the federal funds rate published by the Federal Reserve Board. Specifically, a loan finance charge may not exceed the equivalent of the greater of either of the following: the total of (i) 32 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which is $7,000 or less; (ii) 23 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which is greater than $7,000 but less than $11,000; and (iii) 20 percent plus the federal funds rate per year on the part of the unpaid balances of the principal which exceeds $11,000; or 25 percent plus the federal funds rate per year on the unpaid balances of the principal. The federal funds rate is defined as the rate published by the Fed that is “in effect as of the first day of each month immediately preceding the month during which the loan is consummated.” Supervised lenders may contract for and receive a loan finance charge not exceeding what is allowed by the Act. The Act is effective November 1.

    State Issues State Legislation Oklahoma Federal Reserve Finance Charge

  • Indiana becomes seventh state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 1, the Indiana governor signed SB 5 to establish a framework for controlling and processing consumers’ personal data in the state. Indiana is now the seventh state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, and Iowa (covered by Special Alerts here and here and InfoBytes here, here, here, and here). The Act applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Indiana residents or (ii) controls or processes personal data of at least 25,000 Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data. The Act outlines exemptions, including financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as covered entities governed by the Health Insurance Portability and Accountability Act.

    Indiana consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The Act outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities created on or generated after December 31, 2025, that present a heightened risk of harm to consumers. Under the Act, controllers may not process consumers’ personal data without first obtaining consent, or in the case of a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act. Additionally, the Act sets forth obligations relating to contracts between a controller and a processor.

    While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The attorney general may seek injunctive relief and civil penalties not to exceed $7,500 for each violation.

    The Act takes effect January 1, 2026.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Indiana Consumer Protection COPPA

  • House committee continues federal privacy legislation discussions

    Privacy, Cyber Risk & Data Security

    On April 27, the House Subcommittee on Innovation, Data, and Commerce, a subcommittee of the House Energy and Commerce Committee, held a hearing entitled “Addressing America’s Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans’ Personal Information” to continue discussions on the need for comprehensive federal privacy legislation. Subcommittee Chair Gus Bilirakis (R-FL) delivered opening remarks, commenting that the Committee has examined in depth how a federal privacy law is needed to protect Americans and balance the needs of business, government and civil society, what happens when malicious actors exploit access to data, where the FTC’s jurisdictional lines and authority lie and how that interplays with a comprehensive federal privacy law, and the role of data brokers and the lack of protections given to consumers to manage their data.

    During the hearing, subcommittee members commented that one of the big debates about the American Data Privacy and Protection Act (ADPPA) as it came out of committee last year was the degree to which it should preempt state laws. There was push back on the bill from former Speaker Nancy Pelosi who was against the proposed preemption measures, as well as from the California attorney general and the California Privacy Protection Agency who expressed similar concerns and asked Congress to “allow states to provide additional protections in response to changing technology and data privacy protection practices.” The ADPPA was advanced through the committee last July by a vote of 53-2 (covered by InfoBytes here) and was sent to the House floor during the last Congressional session but never came up for a full chamber vote. The bill has not been reintroduced yet.

    Subcommittee members said that while drafting a comprehensive national data privacy law is a priority, there are a lot of concerns over preemption of state laws. Certain Republican members also commented that it is very important for Congress to create a single national standard before the FTC proposes data privacy rules from its commercial surveillance rulemaking efforts. As previously covered by InfoBytes, FTC Chair Lina M. Khan and Commissioners Rebecca Slaughter and Alvaro Bedoya testified before the same committee in April, during which time they said they are currently reviewing comments on the proposed rulemaking but support federal privacy legislation.

    While the ADPPA has not yet been reintroduced, House Financial Services Committee Chairman Patrick McHenry (R-NC) introduced the Data Privacy Act of 2023 (see H.R. 1165) earlier this year, which would, among other things, modernize the Gramm-Leach-Bliley Act to better align the statute with the evolving technological landscape, ensure consumers understand how their data is being collected and used, and grant consumers power to opt out of the collection of their data and request that their data be deleted at any time.

    Privacy, Cyber Risk & Data Security Federal Issues Federal Legislation House Energy and Commerce Committee State Issues California Consumer Protection FTC

  • Washington State passes new health data privacy measures

    Privacy, Cyber Risk & Data Security

    On April 27, the Washington State governor signed HB 1155 to enact the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data. The Act is intended to cover health data not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as any legal entity that conducts business in the state of Washington or engages with Washington residents that (alone or jointly with others) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Government agencies, tribal nations, and contracted service providers that process such data on behalf of a government agency are exempt. The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain consent from consumers prior to collecting, sharing, and selling their health data; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific privacy disclosures. Consumers are also empowered with the right to have their health data deleted. The Act outlines numerous compliance elements relating to access restrictions, replying to consumers, and processor requirements. The Act also specifies the types of information and documents for which the Act is not applicable. In addition, the Act provides a private right of action to consumers and grants the state attorney general enforcement authority as well.

    The Act is effective July 23. Regulated entities must comply by March 31, 2024, except for certain provisions applicable to small businesses that have until June 30, 2024 to comply.

    Privacy, Cyber Risk & Data Security State Legislation State Issues Washington Consumer Protection Medical Data

  • FTC, Pennsylvania ban debt collection operation

    Federal Issues

    On April 26, the FTC and the Commonwealth of Pennsylvania announced that the U.S. District Court for the Eastern District of Pennsylvania recently entered an order permanently banning a debt collection firm and two associated individuals from the industry. The FTC and Pennsylvania sued the defendants in 2020 for their involvement in a telemarketing operation that allegedly misrepresented “no obligation” trial offers to organizations and then enrolled recipients in subscriptions for several hundred dollars without their consent (covered by InfoBytes here). The complaint charged the defendants with violating the FTC Act by, among other things, illegally threatening the organizations if they did not pay for the unordered subscriptions and claimed the debt collection firm handled collections nationwide despite not having a valid corporate registration in any state and only being licensed to collect debt in Washington State. In addition to permanently enjoining the defendants from participating in the debt collection industry (whether directly or through an intermediary), the court order requires the defendants’ continued cooperation as the case proceeds against the other defendants.

    Federal Issues Courts State Issues Pennsylvania Consumer Finance Debt Collection FTC Act

  • Washington enacts robocall measures

    State Issues

    On April 20, the Washington governor signed HB 1051 to expand existing provisions regulating robocalls and telephone solicitations and prohibit abusive telephone communications that mislead or harm state residents. In doing so, the Act extends liability to “persons who provide substantial assistance or support in the origination and transmission of robocalls” that violate state law, and prohibits the initiation of unwanted calls to phone numbers listed on the National Do Not Call Registry pursuant to the Telemarketing Sales Rule. Among other things, practices that violate the Act’s provisions will be considered an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the state’s consumer protection act. Injured persons may bring a civil action in Washington superior court to prevent further violations and “shall recover actual damages or $1,000 per violation of this section, whichever is greater.” The Act is effective July 23.

    State Issues State Legislation Robocalls Consumer Protection

  • Washington enacts credit repair regulation

    State Issues

    On April 20, the Washington governor signed HB 1311 to enact provisions relating to credit repair services performed by a credit services organization. Among other things, the Act outlines new requirements, including that a credit services organization must provide consumers with a monthly statement that details the services performed, as well as “an accounting of any funds paid by a consumer and held or disbursed on the consumer’s behalf and copies of any letters sent by the credit services organization on the consumer’s behalf,” if applicable. Additionally, a credit services organization is prohibited from sending any communications to a consumer reporting agency, creditor, collection agency, or regulatory entity unless the consumer has provided prior written authorization. Credit services organizations must also comply with specified written communication requirements and provide disclosures addressing consumers’ rights to review their files. Modifications to certain provisions relating to notices of cancellation have also been made. The Act is effective July 23.

    State Issues State Legislation Washington Consumer Finance Credit Repair Credit Report Credit Reporting Agency

  • Kansas enacts financial institutions information security act

    Privacy, Cyber Risk & Data Security

    On April 20, the Kansas governor signed SB 44 to enact the Kansas financial institutions information security act. The Act establishes information security standards for covered entities, and applies to credit service organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions. A covered entity will be required to develop, implement, and maintain a cybersecurity system to protect consumer information, and must ensure its information security program is maintained as part of its books and records in compliance with established record retention requirements. Additionally, the state bank commissioner is granted the authority to adopt “all rules and regulations necessary to govern and administer the [Act’s] provisions.” The commissioner is also given an assortment of enforcement tools to administer the Act, including: conducting routine examinations; investigating a covered entity’s operations; issuing subpoenas; assessing fines and civil penalties not to exceed $5,000 per violation, as well as investigation and enforcement costs; censuring registered or licensed covered entities; entering into memorandums of understanding or consent orders; revoking, suspending, or refusing to renew the registration or license of covered entities; issuing cease-and-desist orders; filing for injunctions; or issuing emergency orders to prevent harm to consumers. The Act takes effect July 1.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Kansas Consumer Protection

  • House subcommittee holds hearing on stablecoin regulation

    Federal Issues

    The House Financial Services Subcommittee on Digital Assets, Financial Technology and Inclusion recently held a hearing to examine stablecoins’ role in the payment system and to discuss proposed legislation for creating a federal framework for issuing stablecoins. A subcommittee memorandum identified different types of stablecoins (the most popular being pegged to the U.S. dollar to diminish volatility) and presented an overview of the market, which currently consists of more than 200 different types of stablecoins, collectively worth more than $132 billion. The subcommittee referred to a 2021 report issued by the President’s Working Group on Financial Markets, along with the FDIC and OCC (covered by InfoBytes here), in which it was recommended that Congress pass legislation requiring stablecoins to be issued only by insured depository institutions to ensure that payment stablecoins are subject to a federal prudential regulatory framework. The subcommittee discussed draft legislation that would define a payment stablecoin issuer and establish a regulatory framework for payment stablecoin issuers, including enforcement requirements and interoperability standards. 

    Subcommittee Chairman, French Hill (R-AR), delivered opening remarks, in which he commented that the proposed legislation would require stablecoin issuers to comply with redemption requirements, monthly attestation and disclosures, and risk management standards. Recognizing the significant amount of work yet to be done in this space, Hill said he believes that “innovation is fostered through choice and competition,” and that “one way to do that is through multiple pathways to become a stablecoin issuer, though with appropriate protections [to] prevent regulatory arbitrage and a race to the bottom.” He cited reports that digital asset developers are leaving the U.S. for countries that currently provide a more established regulatory framework for digital assets, and warned that this will stymie innovation, jobs, and consumer/investor protection. He also criticized “the ongoing turf war between the SEC and CFTC” with respect to digital assets, and warned that “[w]hen you have two agencies contradicting each other in court about whether one of the most utilized stablecoins in the market is a security or a commodity, what you end up with is uncertainty.”

    Witness NYDFS Superintendent Adrienne A. Harris discussed the framework that is currently in place in New York and highlighted requirements for payment stablecoin issuers operating in the state. In a prepared statement, Harris said many domestic and foreign regulators call the Department’s regulatory and supervisory oversight of virtual currency the “gold standard,” in which virtual currency entities are “subject to custody and capital requirements designed to industry-specific risks necessary for sound, prudential regulation.” Harris explained that NYDFS established “additional regulations, guidance, and company-specific supervisory agreements to tailor [its] oversight” over financial products, including stablecoins, and said the Department is the first agency to provide regulatory clarity for these types of products. She highlighted guidance released last June, which established criteria for regulated entities seeking to issue USD-backed stablecoins in the state (covered by InfoBytes here), and encouraged a collaborative framework that mirrors the regulatory system for more traditional financial institutions and takes advantage of the comparative strengths offered by federal and state regulators. Federal regulators will be able to comprehensively address “macroprudential considerations” and implement foundational consumer and market protections, while states can “leverage their more immediate understanding of consumer needs” and more quickly modernize regulations in response to industry developments and innovation, Harris said.

    Federal Issues Digital Assets Stablecoins Payments State Issues House Financial Services Committee State Regulators NYDFS Federal Legislation Fintech
