InfoBytes Blog

Financial Services Law Insights and Observations

  • New York expands access to PSLF program

    State Issues

    On September 15, the New York governor signed S.8389-C/A. 9523-B, which amends the Public Service Loan Forgiveness (PSLF) program statewide. Among other things, the legislation: (i) adds clarifying legal definitions, such as “certifying employment,” “employee,” “full-time,” “public service employer,” “public service loan forgiveness form,” and “public service loan forgiveness program”; (ii) establishes a standard hourly threshold for full-time employment at thirty hours per week for the purposes of accessing PSLF; and (iii) permits public service employers to certify employment on behalf of individuals or groups of employees directly with the U.S. Department of Education. The legislation is effective immediately.

    State Issues New York State Legislation Student Lending PSLF Department of Education Consumer Finance

  • California amends GAP disclosure legislation

    State Issues

    On September 13, the California governor signed AB 2311, which amends provisions regarding vehicle finance disclosures. The bill establishes provisions to govern the offer, sale, provision, or administration, in connection with a conditional sale contract, of a guaranteed asset protection waiver (GAP waiver). Specifically, the bill requires creditors to automatically refund the unearned portion of a GAP waiver if a consumer pays off or otherwise terminates their auto loan early. The bill prohibits: (i) conditioning the extension of credit, the term of credit, or the terms of a conditional sale contract upon the purchase of a GAP waiver; and (ii) the sale of a GAP waiver pursuant to certain provisions where the loan-to-value ratio exceeds the maximum loan-to-value ratio of the GAP waiver. The bill, among other things, authorizes the buyer to recover three times the amount of any GAP charges paid. The bill is effective January 1, 2023.

    State Issues State Legislation California Auto Finance Disclosures GAP Waivers GAP Fees Consumer Finance

  • California adopts “first-in-nation” act to safeguard children’s online data and privacy

    Privacy, Cyber Risk & Data Security

    On September 15, the California governor signed into law the California Age-Appropriate Design Code Act (the Act), calling it the “first-in-nation” bill to protect children’s online data and privacy. AB 2273 establishes new legal requirements for businesses that provide online products and services that are “likely to be accessed by children” under 18 years of age based on certain factors. These factors include whether the feature is: (i) “directed to children,” as defined by the Children’s Online Privacy Protection Act (COPPA); (ii) “determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children”; (iii) advertised to children; (iv) substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children; (v) designed to appeal to children; or (vi) determined to be, based on internal company research, significantly accessed by children. Notably, in contrast to COPPA, the Act more broadly defines “child” as a consumer who is under the age of 18 (COPPA defines “child” as an individual under 13 years of age).

    The Act also outlines specific requirements for covered businesses, including:

    • Businesses must configure all default privacy settings offered by the online service, product, or feature to one that offers a high level of privacy, “unless the business can demonstrate a compelling reason that a different setting is in the best interests of children”;
    • Businesses must “concisely” and “prominently” provide clear privacy information, terms of service, policies, and community standards suited to the age of the children likely to access the online service, product, or feature;
    • Prior to offering any new online services, products, or features that are likely to be accessed by children before July 1, 2024, businesses must complete a Data Protection Impact Assessment (DPIA) on or before the same date. Businesses must also document any “risk of material detriment to children” that arises from the DPIA, create a mitigation plan, and, upon written request, provide the DPIA to the state attorney general;
    • Businesses must “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers”;
    • Should an online service, product, or feature allow a child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, businesses must provide an obvious signal to the child when the child is being monitored or tracked;
    • Businesses must “[e]nforce published terms, policies and community standards established by the business, including, but not limited to, privacy policies and those concerning children”; and
    • Businesses must provide prominent, accessible, and responsive tools to help children (or their parents/guardians) exercise their privacy rights and report concerns.

    Additionally, covered businesses are prohibited from using a child’s personal information (i) in a way that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health, or well-being; or (ii) for any reason other than a reason for which the personal information was collected, unless a business can show a compelling reason that using the personal information is in the “best interests of children.” The Act also places restrictions on profiling, collecting, selling, or sharing children’s geolocation data, or using dark patterns to encourage children to provide personal information beyond what is reasonably expected.

    The Act also establishes the California Children’s Data Protection Working Group, which will study and report to the legislature best practices for implementing the Act, and will also, among other things, evaluate ways to leverage the expertise of the California Privacy Protection Agency in the long-term development of data privacy policies that affect the privacy, rights, and safety of children online. The state attorney general is tasked with enforcing the Act and may seek an injunction or civil penalty against any business that violates its provisions. Violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation, and up to $7,500 per affected child for each intentional violation; however, businesses may be provided a 90-day cure period if they have achieved “substantial compliance” with the Act’s assessment and mitigation requirements.

    The Act takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Consumer Protection California COPPA CPPA State Attorney General Enforcement

  • Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023

    Privacy, Cyber Risk & Data Security

    The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extended the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.

    According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.

    As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.

    Privacy, Cyber Risk & Data Security State Issues State Legislation CCPA CPRA CPPA Agency Rule-Making & Guidance Consumer Protection

  • California broadens DFPI commissioner’s enforcement authority

    State Issues

    On August 26, the California governor signed AB 2433, which broadens DFPI’s unlawful practices oversight and enforcement power over any person currently engaging in, or having engaged in the past in, unlicensed activity. Among other things, the bill amends the DFPI commissioner’s enforcement of various laws, such as the California Commodity Law, Escrow Law, California Financing Law (CFL), Property Assessed Clean Energy (PACE), Student Loan Servicing Act, and California Residential Mortgage Lending Act. The bill establishes that the commissioner may act “upon having reasonable grounds to believe that a broker-dealer or investment advisor has conducted business in an unsafe or injurious manner.” The bill also permits the DFPI to “act upon having cause to believe that a licensee or other person has violated the CFL.” The CFL provides for the licensure and regulation of finance lenders, brokers, and specified program administrators by the Commissioner of Financial Protection and Innovation to issue a citation to the licensee or person and to assess an administrative fine, as specified, among other things. The CFL also regulates certain persons acting under the PACE program, including PACE solicitors and PACE solicitor agents. The new bill establishes that “if the commissioner, upon inspection, examination, or investigation, has cause to believe that a PACE solicitor or PACE solicitor agent is violating any provision of that law, or rule or order thereunder, the commissioner or their designee is required to exhaust a specified procedure before bringing an action.” Additionally, the bill specifies that certain “procedures apply when the commissioner has cause to believe that a PACE solicitor or solicitor agent has violated any provision of that law or rule or order thereunder.” The bill also mentions the Student Loan Servicing Act, which “provides for the licensure, regulation, and oversight of student loan servicers by the commissioner,” and establishes that the commissioner is required, upon having reasonable grounds after investigation to believe that a licensee is conducting business in an unsafe or injurious manner, to direct, by written order, the discontinuance of the unsafe or injurious practices. This bill specifies “that these procedures also apply if, after investigation, the commissioner has reasonable grounds to believe that a licensee has conducted business in an unsafe or injurious manner.” The bill is effective immediately.

    State Issues State Legislation California Student Lending Student Loan Servicer PACE Licensing Mortgages Enforcement State Regulators

  • California issues remote work guidance to CFL licensees

    State Issues

    On August 26, the California governor signed AB 2001, which amends the California Financing Law (CFL) regarding remote work. According to the bill, a licensee would be authorized “under the CFL to designate an employee, when acting within the scope of employment, to perform work on the licensee’s behalf at a remote location, as defined, if the licensee takes certain actions, including that the licensee prohibits a consumer’s personal information from being physically stored at a remote location except for storage on an encrypted device or encrypted media.” Currently, the CFL provides that a licensee cannot engage in loan business or administer a PACE program in any office, room, or place of business that any other business is solicited or engaged in, or in association or conjunction therewith, under certain circumstances. Additionally, “a finance lender, broker, mortgage loan originator, or program administrator licensee shall not transact the business licensed or make any loan or administer any PACE program provided for by this division under any other name or at any other place of business than that named in the license except pursuant to a currently effective written order of the commissioner authorizing the other name or other place of business.”

    State Issues State Legislation California Licensing PACE California Financing Law

  • California requires consumer credit contract notices to be provided in multiple languages

    State Issues

    On August 15, the California governor signed SB 633, which expands the obligation of creditors who obtain more than one person’s signature on a consumer credit contract when providing cosigners a notice regarding their obligation if the borrower does not pay the debt. Under existing law, these notices had to be provided in English and in Spanish. A creditor who provides a consumer a contract in a foreign language will now have to provide the cosigner notice in the language in which the contract is written. In addition to expanding the languages the notice must be provided in, the required cosigner notice must be provided even if the individuals are married to each other. SB 633 also requires the California Department of Financial Protection and Innovation to provide translations of these notices on its website by January 1, 2023, along with any translations of languages later added to state law. Additionally, notice must be provided only on a separate sheet preceding the contract.

    State Issues State Legislation California Consumer Finance DFPI

  • NYDFS to study overdraft fees

    State Issues

    On July 15, New York’s governor signed S9348, directing the superintendent of NYDFS to conduct a study of overdraft fees in the state. (See also NYDFS press release here.) The study will examine, among other things: (i) the total amount of overdraft fees paid in the state; (ii) the geographical distribution of these fees; (iii) whether certain communities have higher rates of overdraft fees than others and the possible reason for such high rates; (iv) “the percentage of overdraft fees reduced through direct or indirect negotiation”; and (v) the enumeration of consumer rights related to overdraft fee negotiations. The results of the study are to be delivered within one year to the governor, the temporary president of the senate, and the speaker of the assembly. The act is effective immediately.

    State Issues State Legislation New York Overdraft NYDFS Consumer Finance State Regulators

  • Louisiana lets financial institutions, trust companies provide virtual currency custody

    State Issues

    Recently, the Louisiana governor signed HB 802, which permits financial institutions or trust companies to provide customers with virtual currency custody services so long as there are “adequate protocols in place to effectively manage risks and comply with applicable laws.” A “trust company” is defined as “a corporation or a limited liability trust company organized in accordance with this Title, the laws of another state, or pursuant to the laws of the United States, including a trust company organized pursuant to the laws of this state before June 27, 2003, or an entity chartered to act as a fiduciary that is neither a depository institution nor a foreign bank.”

    Before offering virtual currency custody services, a financial institution or trust company must conduct a “methodical self-assessment” to examine the risks involved in offering such services. Should it decide to offer such services, the financial institution or trust company must: (i) “[i]mplement effective risk management systems and controls to measure, monitor, and control relevant risks associated with custody of digital assets such as virtual currency”; (ii) confirm adequate insurance coverage for such services is in place; and (iii) “[m]aintain a service provider oversight program to address risks to service provider relationships as a result of engaging in virtual currency custody services.” A financial institution or trust company may provide virtual currency custody services in either a fiduciary or non-fiduciary capacity, consistent with its charter. If such services are provided in a nonfiduciary capacity, the financial institution or trust company will “take possession of the customer’s asset for safekeeping while legal title remains with the customer” (i.e., “the customer shall retain direct control over the keys associated with his virtual currency”). Should services be provided in a fiduciary capacity, a financial institution or trust company must “require customers to transfer their virtual currencies to the control of the financial institution or trust company by creating new private keys to be held by the financial institution or trust company.” In its fiduciary capacity, a financial institution or trust company has the “authority to manage virtual currency assets as it would any other type of asset held in such capacity.” Additionally, a financial institution or trust company may also provide virtual currency custody services through third-party service providers. HB 802 takes effect August 1.

    State Issues Digital Assets State Legislation Louisiana Virtual Currency

  • Louisiana enacts student loan servicer provisions, establishes requirements for private education lenders

    On June 18, the Louisiana governor signed HB 610, which defines terms and outlines provisions related to student loan servicers. Among other things, the act prohibits servicers from misleading student loan borrowers or engaging in any unfair, abusive, or deceptive trade practice. Servicers are also prohibited from making misrepresentations or omitting information related to fees, payments, repayment options, loan terms and conditions, or borrower obligations. Moreover, servicers may not “[a]llocate a nonconforming payment in a manner other than as directed by the student loan borrower” under certain circumstances. The act also outlines duties related to the furnishing of information to consumer reporting agencies, providing that a servicer may not (i) submit inaccurate information to a consumer reporting agency; (ii) refuse to correct inaccurately furnished information; (iii) fail to report a borrower’s favorable payment history at least once a year; (iv) refuse to communicate with a borrower’s authorized representative; and (v) make false statements or omit material facts connected to a state or local agency investigation. Additionally, the act specifies responsibilities related to responding to written inquiries and complaints from consumers.

    The same day, the governor also signed HB 789, which establishes a private student loan registry and outlines provisions related to private education lenders. The act stipulates that all private education lenders operating in the state must register with the commissioner, which may include the payment of fees and registration through the Nationwide Multistate Licensing System and Registry. However, the act allows the commissioner to prescribe an alternative registration process and fee structure for postsecondary education providers. These registration requirements are not applicable to banks, savings banks, savings and loan associations, or credit unions operating pursuant to authority granted by the commissioner. Private education lenders will also be required to comply with certain reporting requirements, including providing information related to the schools where the lender has made loans to students residing in the state, the total number and dollar amount of loans made annually, interest rate ranges, borrower default rates, copies of promissory notes and contracts, and cosigner loan statistics, among others.

    Both acts take effect August 1.

    Licensing State Issues State Legislation Louisiana Student Lending Student Loan Servicer Consumer Finance NMLS UDAP
