InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
State AGs support congressional disapproval of 2019 Borrower Defense Rule
On January 14, a coalition of attorneys general from 19 states and the District of Columbia sent a letter to Congress in support of H.J. Res. 76, which was passed by the House of Representatives on January 16, and provides for congressional disapproval of the Department of Education’s 2019 Borrower Defense Rule (covered by InfoBytes here). The Department’s 2019 Borrower Defense Rule, published last September and set to take effect July 1, revises protections for student borrowers that were significantly misled or defrauded by their higher education institution and establishes standards for loan forgiveness applicable for “adjudicating borrower defenses to repayment claims for Federal student loans first disbursed on or after July 1, 2020.”
The AGs claim, however, that the 2019 Borrower Defense Rule “provides no realistic prospect for borrowers to discharge their loans when they have been defrauded by predatory for-profit schools, and . . . eliminates financial responsibility requirements for those same institutions.” The AGs further argue that the new provisions require “student borrowers to prove intentional or reckless misconduct on the part of their schools,” which they claim is “an extraordinarily demanding standard not consistent with state laws governing liability for unfair and deceptive conduct.” Other standards, such as requiring student borrowers to “prove financial harm beyond the intrinsic harm caused by incurring federal student loan debt as a result of fraud” and establishing a three-year time bar on borrower defense claims, would further reduce protections for student borrowers. Citing to several state enforcement actions taken against for-profit schools for alleged deceptive and unlawful tactics, the AGs stress the need for a “robust and fair borrower defense rule.”
Washington state introduces comprehensive privacy bill
On January 13, Washington state lawmakers announced two bills designed to strengthen consumer access and control over personal data and regulate the use of facial recognition technology. Highlights of SB 6281, the Washington Privacy Act, include the following:
- Applicability. SB 6281 will apply to legal entities that conduct business or produce products or services that are targeted to Washington consumers that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 50 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers. Exempt from SB 6281, among others, are state and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records.
- Consumer rights. Consumers will be able to exercise the following concerning their personal data: access; correction; deletion; data portability; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
- Controller responsibilities. Controllers required to comply with SB 6281 will be responsible for (i) transparency; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data, and conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.”
- State attorney general. SB 6821 does not create a private right of action for individuals to sue if there is an alleged violation. However, the AG will be permitted to bring actions and impose penalties of no more than $7,500 per violation. The AG will also be required to submit a report evaluating the liability and enforcement provisions of SB 6281 by 2022 along with any recommendations for change.
- Information sharing. SB 6281 will allow the state governor to enter into agreements with British Columbia, California, and Oregon, which will allow personal data to be shared for joint research initiatives.
- Facial Recognition. SB 6281 will establish limits on the commercial use of facial recognition services. Among other things, the bill will require third-party testing on all services prior to deployment for accuracy and unfair performance, conspicuous notice when a service is deployed in a public space, and will require companies to receive consumer consent prior to enrolling an image in a service used in a public space.
The second bill, SB 6280, will more specifically govern the use of facial recognition services by state and local government agencies, and, among other things, outlines provisions for the use of facial recognition services when identifying victims of crime, stipulates restrictions concerning ongoing surveillance, and requires agencies to produce an annual report containing a compliance assessment.
As previously covered by InfoBytes, last year, New York introduced proposed legislation (see S 5642) that seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state. Provisions included in the measures introduced by New York and Washington state differ from those contained in the California Consumer Privacy Act (CCPA), which took effect January 1. (Previous InfoBytes coverage on the CCPA is available here.)
CFPB denies petitioner’s request to postpone CID pending Seila decision
On December 26, the CFPB denied a petition by a student loan relief company to modify or set aside a civil investigative demand (CID) issued by the Bureau last October. According to the company’s petition, the CID requested information as part of an investigation into the company’s promotion of student loan debt relief programs. As previously covered by InfoBytes, stipulated orders were entered against the company by the FTC and the Minnesota attorney general for violations of TILA and the assisting and facilitating provision of the Telemarketing Sales Rule, which resulted in the company being permanently banned from engaging in transactions involving debt relief products and services or making misrepresentations regarding financial products and services. In its petition, the company argued that the CFPB’s requests were duplicative of the FTC’s earlier investigation. The company also argued that the documents and materials sought in the CID were overly burdensome and the time frame to respond was too short. Furthermore, the company stated that until the U.S. Supreme Court issues a decision in Seila Law v. CFPB on whether the Bureau’s structure violates the Constitution’s separation of powers under Article II, the CID should either be withdrawn or stayed because of the uncertainty surrounding the Bureau’s ability to proceed with enforcement actions.
The Bureau denied the petition, arguing that “the administrative CID petition process is not the proper forum for raising and deciding constitutional challenges to provisions of the Bureau’s statute.” The Bureau also noted that the company failed to show that it engaged with Bureau staff on ways to alleviate undue burden, such as proposing modifications to the substance of the requests, and that even though the Bureau proposed an extension to the CID deadline, the company did not seek such an extension.
CFPB and Utah AG to hold joint office hours in Salt Lake City
On January 9, the CFPB and the Utah attorney general’s office announced that the first of the American Consumer Financial Innovation Network’s (ACFIN) joint office hours will be held in Salt Lake City, Utah on January 30. The CFPB’s announcement states that the office hours are intended to “provide innovators with the opportunity to discuss issues such as financial technology, innovative products or services, regulatory sandboxes, no action letters, and other matters related to financial innovation with officials from the CFPB and state partners.” As previously covered by InfoBytes, the CFPB, along with a number of state regulators, established ACFIN in September with the aim of reducing “regulatory burdens” and increasing “regulatory certainty for innovative financial products and services.” Members of ACFIN currently include state AGs from Alabama, Alaska, Arizona, Colorado, Georgia, Indiana, South Carolina, Tennessee, and Utah; and state financial regulators from Florida, Georgia, Missouri, and Tennessee. ACFIN membership is open to any state and federal partners interested in joining.
ISP pays $15 million to settle with two more states on hidden fees and false advertising
On January 9, the Minnesota attorney general announced that an internet service provider (ISP) agreed to pay nearly $9 million in order to resolve allegations that it overcharged customers for phone, internet and cable services. In a separate action, on December 10, the Washington attorney general’s office announced that it entered into a $6.1 million consent decree with the same ISP to resolve similar claims of deceptive acts and practices. As previously covered by InfoBytes, the ISP entered into settlements over the same alleged actions with the states of Colorado on December 19, and Oregon on December 31.
California outlines new data privacy rights
On January 6, the California attorney general issued an advisory explaining consumers’ rights under the California Consumer Privacy Act (CCPA), which took effect January 1. (See previous InfoBytes coverage on the CCPA here.) These rights include (i) the right to request from businesses what personal information they collect, use, share, or sell; (ii) the right to request that businesses and their service providers delete one’s personal information; (iii) the right to opt out of businesses’ disclosure of one’s personal information via “Do Not Sell” links on businesses’ websites and mobile apps; (iv) the right of children younger than 16 to have businesses disclose their personal information only after receiving the child’s opt-in consent (though parents or guardians may consent for children under 13); and (v) the right to non-discrimination should a consumer exercise his or her privacy rights under the CCPA.
In addition to enumerating these consumer rights, the advisory specifies the types of businesses subject to the CCPA, provides information on the state’s data broker registry, and describes consumers’ private right of action in the event of a data breach.
Missouri AG alleges housing nonprofit trust deceived members
On January 2, the Missouri attorney general filed a petition for preliminary and permanent injunction in Missouri Circuit Court against a nonprofit trust and its registered agent (the defendants) alleging the defendants deceived thousands of state residents by marketing memberships in the trust with the promise that the pooled resources would fund “to-be-completed homes.” The AG alleges that the defendants solicited consumers to attend meetings, purchase memberships, and pay monthly dues, and also asked members to provide additional funds to go towards appliances and other fixtures for the homes. However, the agent defendant allegedly admitted that none of the promised homes were constructed or otherwise provided to the members.
The AG further contends that “none of the solicited funds were ever used or invested towards providing a home to any of the members,” and were instead used to cover the trust’s operating expenses. According to the AG, the defendants’ actions violate state law and constitute false promises, omissions of material fact, and deception. The AG seeks injunctive relief “up to and including prohibiting and enjoining [d]efendants . . . from owning or operating organizations that sell or manage real estate that solicit upfront payments for goods or services, or that solicit charitable contributions.” The AG also seeks restitution for member losses, a fine equal to 10 percent of the restitution amount, a $1,000 fine per violation, and compensation for the state’s costs in pursuing the case.
District Court settles payday lending suit against investment firm in rent-a-tribe scheme
On December 31, the U.S. District Court for the Eastern District of Pennsylvania entered an order signing off on a settlement agreement between the state attorney general and an investment firm and its affiliates (the defendants) connected to a lender accused of using Native American tribes to circumvent the state’s usury laws. (See previous InfoBytes coverage here and here.) According to the court’s opinion, the defendants allegedly became involved in the “rent-a-bank” and “rent-a-tribe” schemes when they made “‘an initial commitment of at least $90 million to be used in funding [the] loans’ in exchange for a fixed 20 percent return on investment” guaranteed by the lender.
In the settlement agreement, the defendants agreed not to provide capital to any third-parties offering Pennsylvania consumers loans that carry an interest rate in excess of the state’s six percent limit on unsecured consumer loans under $50,000. The defendants also agreed to perform regulatory reviews and due diligence “at least once per full calendar year during the term of [a] transaction” involving consumer credit products or services offered to Pennsylvania consumers. While the defendants expressly deny any liability or wrongdoing, the parties agreed to enter into the agreement to “avoid the cost, expense and effort associated with continuing the dispute.” The AG states that the settlement agreement does not constitute an approval by the AG’s office of any of the defendants’ “products, marketing, business practices or website content, acts and/or practices.”Internet provider and states agree to nearly $12.5 million for false advertising, hidden fees
On December 19, the Colorado attorney general announced that an internet service provider (ISP) agreed to pay nearly $8.5 million in order to resolve allegations that it “unfairly and deceptively charg[ed] hidden fees, falsely advertis[ed] guaranteed locked prices, and fail[ed] to provide discounts and refunds it promised” to Colorado consumers in violation of the Colorado Consumer Protection Act. According to the announcement, in 2017 the AG’s office investigated the ISP and compiled information that the ISP had “systematically and deceptively overcharged consumers for services” since 2014 (see the complaint filed by the AG here). In the settlement, the ISP agreed to an order that requires it, among other things, to (i) refrain from making false and misleading statements to consumers in the marketing, advertising and sale of its products and services; (ii) accurately communicate monthly base charges as well as one-time fees, taxes, and other fees and surcharges to consumers; (iii) disclose any “internet cost recovery fee” or “broadband recovery fee” to consumers being charged the fees and allow the affected consumers to switch to different services if they wish to avoid the fees; (iv) refrain from charging an “internet or broadband cost recovery fee” on new orders; and (v) provide refunds to customers who were overcharged for services and to those customers who did not previously receive discounts that the ISP promised.
In a separate action, on December 31, the Oregon attorney general’s office announced that it entered into a $4 million Assurance of Voluntary Compliance with the same ISP to resolve similar claims of deceptive acts and practices in the advertising, sale, and billing of the ISP’s internet, telephone and cable services in violation of the Oregon Unlawful Trade Practices Act. According to the announcement, the Oregon DOJ started an investigation of the ISP in 2014 for allegedly “misrepresenting the price of services, failing to inform consumers of terms and conditions that could affect the price, and billing consumers for services they never received.” The ISP agreed to requirements that are very similar to those in the Colorado settlement. The announcement notes that the “Oregon DOJ will continue to lead a separate securities class action lawsuit arising from the same conduct.”
Pennsylvania reaches settlement with travel websites over data breach
On December 13, the Pennsylvania attorney general announced a settlement with two travel websites resolving allegations that a 2018 data breach may have exposed consumer data for more than 20,000 state customers, including 880,000 affected payment cards globally. According to the state’s investigation, a hacker bypassed security detection and built malware that targeted payment cards on one of the company’s platforms. The company was also notified by a business partner of potentially fraudulent point of purchase transactions related to the data breach. Under the terms of the Assurance of Voluntary Compliance—which alleges the company violated the state’s Unfair Trade Practices and Consumer Protection Law by misrepresenting safeguards for customer data in its privacy policy and failing to fully implement data security policies—the companies have agreed to pay $110,000, including a $80,000 civil penalty and $30,000 towards future public protection and education purposes. The company must also implement a number of security requirements, such as (i) implementing a comprehensive information security program on their travel website; (ii) conducting annual risk assessments; (iii) developing a program for implementing and operating safeguards; and (iv) complying with Payment Card Industry Data Security Standards.