InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
8th Circuit reverses debt collection action for lack of standing
On February 24, the U.S. Court of Appeals for the Eighth Circuit vacated and remanded the dismissal of a class action lawsuit concerning a medical collection letter that listed amounts due but did not distinguish between the principal and the interest that the debt collectors were attempting to charge. Plaintiff, who never paid any part of the interest or principal, filed a class action against the defendant debt collectors alleging violations of the FDCPA and the Nebraska Consumer Practices Act (NCPA). The defendants moved for summary judgment, arguing that the plaintiff lacked Article III standing. The district court denied the motion and the jury found for the defendants on all counts except for the NCPA claim, which was not tried before a jury. After trial, the district court determined it had provided improper jury instructions, and sua sponte, entered judgment for the plaintiff as a matter of law on both the NCPA and FDCPA claims. The district court specifically ruled that the NCPA does not allow collection of prejudgment interest by a debt collector without an actual judgment. The defendants appealed.
On appeal, the 8th Circuit focused on whether the plaintiff had standing. The appellate court held that the collection letter did not cause the plaintiff concrete harm, and concluded (quoting TransUnion LLC v. Ramirez, citing Spokeo, Inc. v. Robins) that without a concrete injury in fact, she “is ‘not seeking to remedy any harm to herself but instead is merely seeking to ensure a defendant’s compliance with regulatory law (and, of course, to obtain some money via the statutory damages).’” Without suffering a tangible harm, the appellate court said it could only recognize injuries with “a ‘close relationship’ to harm ‘traditionally’ recognized as providing a basis for a lawsuit in American courts.” The plaintiff pointed to fraudulent misrepresentation and conversion as analogous to her alleged injury, but the appellate court disagreed and determined that the consumer could not establish injury sufficient to satisfy Article III standing. In vacating and remanding the district court’s ruling, the 8th Circuit pointed out that, absent standing, it lacked jurisdiction to decide any other issues raised on appeal.
Illinois Supreme Court says BIPA claims accrue with every transmission
On February 17, the Illinois Supreme Court issued a split decision holding that under the state’s Biometric Information Privacy Act (BIPA), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” The plaintiff filed a proposed class action alleging a defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting her biometric data and disclosing the data to a third-party vendor without first obtaining her consent. According to the plaintiff, the defendant introduced a biometric-collection system that required employees to scan their fingerprints in order to access pay stubs and computers shortly after she began her employment in 2004. Under BIPA (which became effective in 2008), section 15(b) prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining “a person’s biometric data without first providing notice to and receiving consent from the person,” whereas Section 15(d) provides that private entities “may not ‘disclose, redisclose, or otherwise disseminate’ biometric data without consent.” While the plaintiff asserted that the defendant did not seek her consent until 2018, the defendant argued, among other things, that the action was untimely because the plaintiff’s claim accrued the first time defendant obtained her biometric data. In this case, defendant argued that plaintiff’s claim accrued in 2008 after BIPA’s effective date. Plaintiff challenged that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.” The U.S. District Court for the Northern District of Illinois agreed with the plaintiff but certified its order for immediate interlocutory appeal after “finding that its decision involved a controlling question of law on which there is substantial ground for disagreement.”
The U.S. Court of Appeals for the Seventh Circuit ultimately found that the parties’ competing interpretations of claim accrual were reasonable under Illinois law, and agreed that “the novelty and uncertainty of the claim-accrual question” warranted certification to the Illinois Supreme Court. The question certified to the high court asked whether “section 15(b) and (d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission[.]”
The majority held that the plain language of the statute supports the plaintiff’s interpretation. “With the subsequent scans, the fingerprint is compared to the stored copy of the fingerprint. Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub,” the high court said. The majority rejected the defendant’s argument that a BIPA claim is limited to the initial scan or transmission of biometric information since that is when the individual loses the right to control their biometric information “[b]ecause a person cannot keep information secret from another entity that already has it.” This interpretation, the majority wrote, wrongfully assumes that BIPA limits claims under section 15 to the first time a party’s biometric identifier or biometric information is scanned or transmitted. The Illinois Supreme Court further held that “[a]s the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd or unwise.’” However, the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” adding that because “we continue to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature, . . . [w]e respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”
The dissenting judges countered that “[i]mposing punitive, crippling liability on businesses could not have been a goal of [BIPA], nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.” “Indeed, the statute’s provision of liquidated damages of between $1000 and $5000 is itself evidence that the legislature did not intend to impose ruinous liability on businesses,” the dissenting judges wrote, cautioning that plaintiffs may be incentivized to delay bringing claims for as long as possible in an effort to increase actionable violations. Under BIPA, individuals have five years to assert violations of section 15—the statute of limitations recently established by a ruling issued by the Illinois Supreme Court earlier this month (covered by InfoBytes here).
District Court approves $1.95 million TCPA settlement
On February 7, the U.S. District Court for the Eastern District of Missouri granted final approval to a $1.95 million settlement in a class action TCPA suit concerning allegations that a defendant debt collection company placed calls to consumers’ cell phones through the use of an artificial or prerecorded voice without first obtaining consumers’ prior express consent. The plaintiff also claimed that the defendant allegedly repeatedly delivered artificial or prerecorded voice messages to wrong or reassigned cell phone numbers that did not belong to the intended recipient. According to the plaintiff, the defendant continued to place calls to his cell phone even after he informed a company representative that it had the wrong number and that he did not know the individual the defendant was attempting to reach. The plaintiff sued alleging violations of Section 227(b)(1)(A)(iii) of the TCPA. While denying all liability alleged in the lawsuit, the defendant agreed to the terms of the settlement agreement, which defines class members as “[a]ll persons in the United States who (a) received a call from [the defendant] between December 16, 2017 and July 7, 2022 on their cellular telephone, (b) with an artificial or prerecorded voice, (c) for which [the defendant’s] records contain a ‘WN’ designation and an ‘MC’ and/or ‘MD’ notation.” The defendant is required to establish a $1.95 million settlement fund, pay $650,00 in attorneys’ fees and $10,477 in costs and expenses, and pay a $10,000 incentive award to the named plaintiff.
Illinois Supreme Court sets five-year SOL for section 15 BIPA violations
On February 2, the Illinois Supreme Court held that under the state’s Biometric Information Privacy Act (BIPA), individuals have five years to assert violations of section 15 of the statute. The plaintiff sued his former employer claiming that by scanning his fingerprints, the company violated section 15(a) of BIPA (which provides for the retention and deletion of biometric data), as well as sections 15(b) and 15(d) (which provide for the consensual collection and disclosure of biometric identifiers and biometric information). According to the plaintiff, the defendant allegedly failed to implement and adhere to a publicly available biometric information retention and destruction policy, failed to obtain his consent to collection his biometric data, and disclosed his data to third parties without his consent. The defendant moved to dismiss the complaint as untimely, arguing that “claims brought under [BIPA] concern violations of privacy, and therefore, the one-year limitations period in section 13-201 of the [Code of Civil Procedure (Code)] should apply to such claims under [BIPA] because section 13-201 governs actions for the ‘publication of matter violating the right of privacy.’”
The circuit court disagreed, stating that the lawsuit was timely filed because the five-year limitations period codified in section 13-205 of the Code applied to violations of BIPA. While the circuit court agreed that BIPA is a privacy statute, it said section 13-201 of the Code applies to privacy claims where “publication” is an element of the complaint. Because the plaintiff’s complaint does not involve the publication of biometric data and does not assert invasions of privacy or defamation, the one-year limitations period should not apply, the circuit court said, further adding that BIPA is not intended “to regulate the publication of biometric data.” The circuit court also concluded that the five-year limitations period applied in this case because BIPA itself does not contain a limitations period.
The defendant amended his complaint and eventually appealed. The appellate court ultimately concluded that the one-year limitations period codified in section 13-201 of the Code applies to claims under section 15(c) and 15(d) of BIPA “where ‘publication or disclosure of biometric data is clearly an element’ of the claim,” and that the five-year limitations period codified in section 13-205 of the Code governs actions brought under section 15(a), 15(b), and 15(e) (which provides data safeguarding requirements) of BIPA “because ‘no element of publication or dissemination’ exists in those claims.” The defendant continued to argue that BIPA is a privacy statute and as such, claims brought under section 15 of BIPA should be governed by the one-year limitations period codified in section 13-201 of the Code.
In affirming in part and reversing in part the judgment of the appellate court, the Illinois Supreme Court applied the state’s “five-year catchall limitations period” to claims brought under BIPA. “[A]pplying two different time limitations periods or time-bar standards to different subsections of section 15 of [BIPA] would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under [BIPA],” the Illinois Supreme Court wrote.
District Court preliminarily approves $2.75 million autodialer TCPA settlement
On January 31, the U.S. District Court for the District of Maryland preliminarily approved a class action settlement in which a cloud computing technology company agreed to pay $2.75 million to resolve alleged violations of the TCPA and the Maryland Telephone Consumer Protection Act. According to the plaintiff, the defendant violated the TCPA by, among other things, placing unsolicited telemarketing calls using an automated dialing system to class members on residential and cell phone numbers. Under the terms of the proposed settlement agreement, the defendant must establish a non-reversionary fund of $2.75 million to go to class members to whom the defendant (or a third party acting on its behalf) made (i) one or more phone calls to their cell phones; (ii) two or more calls while their numbers were on the National Do Not Call Registry; or (iii) one or more calls after the recipients asked the defendant or the third party to stop calling. “Plaintiff has also shown that a class action litigation is superior to other available methods for adjudicating this controversy,” the court wrote. “Plaintiff's counsel estimate that the average settlement payment to each Class Member would be approximately $30.00 to $60.00. Given this, the individual claims of each Class Member would be too small to justify individual lawsuits.” The court also approved proposed attorneys’ fees (not to exceed a third of the total settlement fund), as well as up to $60,000 for plaintiff’s out-of-pocket expenses and a $10,000 service fee award.
District Court denies certification and defendants’ motion for summary judgment in FDCPA class action
On January 26, the U.S. District Court for the Western District of Washington denied a plaintiff’s motion for class certification and denied motions for summary judgment from defendants in an FDCPA case stemming from a consent order between one of the defendants and the CFPB. As previously covered by InfoBytes, in September 2017, the CFPB announced it had filed a complaint in the U.S. District Court for the District of Delaware against a collection of 15 Delaware statutory trusts and their debt collector for, among other things, allegedly filing lawsuits against consumers for private student loan debt that they could not prove was owed or that was outside the applicable statute of limitations. According to the consent judgment, the trusts were required to pay at least $3.5 million in restitution to more than 2,000 consumers who made payments resulting from the improper collection suits, to pay $7.8 million in disgorgement to the Treasury Department, and to pay an additional $7.8 million civil money penalty to the CFPB. In addition, the trusts were required to: (i) hire an independent auditor, subject to the Bureau’s approval, to audit all 800,000 student loans in the portfolio to determine if collection efforts must be stopped on additional accounts; (ii) cease collection attempts on loans that lack proper documentation or that are time-barred; and (iii) ensure false or misleading documents are not filed and that documents requiring notarization are handled properly. A separate consent order issued against the debt collector orders the company to pay a $2.5 million civil money penalty to the CFPB.
According to the district court’s order, the plaintiffs, who were sued by the defendants for failing to pay their student loans, alleged that the defendants filed fraudulent, deceptive, and misleading affidavits in order to obtain default judgments. The plaintiffs sought to include a class of those residing in Washington for which the defendants sought to collect a debt allegedly owned by one of the trusts. The district court, however, was “unconvinced” that any of the questions would generate common answers on a class-wide basis. For example, the question of whether the defendants’ employees filed false or misleading affidavits “cannot be resolved in one stroke,” the district court said, because the plaintiffs “cannot show by a preponderance of the evidence that the documents Defendants used in every debt collection action suffered from the same alleged deficiencies.” With respect to the defendants’ summary judgment motion, the district court determined there were genuine issues of material fact regarding the alleged violations of the FDCPA and state law in Washington. The district court denied the defendants’ motion for summary judgment, noting noted that “[a]ttempts to collect debts with false affidavits and without the necessary documentation to prove the claims is unfair or unconscionable and involves false, deceptive, and/or misleading representations in violation of the FDCPA.”
4th Circuit affirms certification of class action in tribal lending case
On January 24, the U.S. Court of Appeals for the Fourth Circuit concluded that a district court did not abuse its discretion when certifying a class action. The lawsuit alleges an individual who orchestrated an online payday lending scheme violated the Racketeer Influenced and Corrupt Organization Act (RICO), engaged in unjust enrichment, and violated Virginia’s usury law by partnering with federally-recognized tribes to issue loans with allegedly usurious interest rates. (Covered by InfoBytes here.) The plaintiffs alleged the defendant partnered with the tribes to circumvent state usury laws even though the tribes did not control the lending operation. The district court stated that, as there was “no substantive involvement” by the tribes in the lending operation and that the evidence showed that the defendant was “functionally in charge,” the lending operation—which allegedly charged interest rates exceeding Virginia’s 12 percent interest cap—could not claim tribal immunity.
After the district court certified two borrower classes, the defendant appealed, arguing, among other things, that “[b]orrowers entered into enforceable loan agreements with lending entities in which they waived their right to bring class claims against him,” and that “common issues do not predominate so as to permit class treatment in this case.” Specifically, the defendant claimed that his role in the lending operations changed throughout the class period, and that individualized “proof” and “tracing” would be necessary to prove that he “participated in the direction of the affairs of the alleged enterprise” or that he received some portion of each borrower’s interest payments.
On appeal, the 4th Circuit disagreed with the defendant’s assertions. It found no reason to question the district court’s conclusion that the defendant was the “de facto” head of the lending operations throughout the class period. “And the fact that [the defendant] served as the ‘de facto head’ of the lending operations for the entire class period supports the district court’s determination that the Borrowers will be able to use common proof to show that [the defendant] ‘participated in the direction of the’ lending operations such that common questions predominate over individual questions[,]” the appellate court stated. The 4th Circuit further concluded that the “record supports the district court’s conclusion that [the defendant] lied when he said he was never involved in receiving or demanding payments on [the lending operation’s] loans.”
CFPB says EFTA applies to pandemic assistance prepaid cards
On January 10, the CFPB filed an amicus brief in a case before the U.S. Court of Appeals for the Fourth Circuit concerning the scope of accounts covered under EFTA and Regulation E. (See also CFPB blog post here.) As previously covered by InfoBytes, last August the U.S. District Court for the District of Maryland dismissed a putative class action alleging violations of EFTA and state privacy and consumer protection laws brought against the national bank on behalf of consumers who were issued prepaid debit cards providing pandemic unemployment benefits. The named plaintiff alleged that he lost nearly $15,000 when an unauthorized user fraudulently used a prepaid debit card containing Pandemic Unemployment Assistance (PUA) funds that were intended for him. However, the district court dismissed the class claims with respect to EFTA and Regulation E, finding that the PUA payments were “qualified disaster relief payments” and, as such, they were excluded from Regulation E’s definition of a “prepaid account.”
The Bureau disagreed. In its amicus brief, it argued that a prepaid debit card loaded with PUA funds is a “government benefit account” subject to EFTA and Regulation E and their error resolution requirements, which apply to alleged unauthorized transfers such as the one at issue in the case. Writing that the district court erred by applying “a regulatory exclusion to hold that prepaid accounts loaded with pandemic unemployment benefits were excluded from coverage,” the Bureau claimed that the holding is not supported by statutory and regulatory text and “undermines the primary purpose of EFTA to provide individual rights to consumers.” According to the Bureau, a “prepaid account” under Regulation E includes specific categories of accounts, including a “government benefit account,” which is not subject to the prepaid account exclusions.
District Court approves $11 million data breach settlement
On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including names, Social Security numbers, driver’s license numbers, dates of birth, and username/password information. According to plaintiffs’ amended complaint, the defendant insurance software providers failed to notify affected individuals about the data breach until on or after May 10, 2021, despite commencing an investigation in March. Plaintiffs maintained that the defendants’ alleged failure to comply with FTC cybersecurity guidelines and industry data protection standards put at risk their financial and personal records, and said they now face years of constant surveillance to prevent potential identity theft and fraud. Under the terms of the settlement (see also plaintiffs’ memorandum of law in support of the motion for final approval), class members will each receive up to $5,000 for out-of-pocket expenses, including up to eight hours of lost time at $25/hour, as well as 12 months of financial fraud protection. Members of a California subclass will receive additional benefits of between $100 and $300 each. The defendants are also responsible for paying each named plaintiff a $2,000 service award and must pay over $3 million in attorney fees, costs, and expenses.
District Court stays stablecoin suit pending arbitration proceedings
On January 6, the U.S. District Court for the Northern District of California granted a defendant cryptocurrency exchange’s motion to compel arbitration in a class action alleging the exchange, along with the issuer of a stablecoin cryptocurrency, misrepresented the stability of the coin when offering it on the exchange’s platform. The defendants filed separate motions to compel arbitration, however, the plaintiffs claimed, among other things, that since they opened their accounts, the exchange’s user agreement, which contains an arbitration agreement, “has been unilaterally modified more than 20 times.” They further maintained that the exchange’s motion to compel arbitration should be denied because the arbitration provision is “unconscionable and thus unenforceable” and “the delegation clause is inapplicable and unconscionable.”
In granting the exchange’s motion to compel arbitration, the court found that the plaintiffs are parties to the exchange’s terms of use, which specify that an arbitrator, not a court, must decide whether any disputes a customer has with the exchange should be resolved via arbitration. “Plaintiffs do not dispute they agreed to [the] User Agreement, nor do they contest that … it contains an arbitration and a delegation clause,” the court said, noting that since arbitrability must be determined first, it has not reached “the issue of whether the arbitration agreement as a whole is unconscionable.” However, the court denied the defendant issuer’s motion to compel arbitration after finding that the user agreement “contains clear-cut language showing an intent to arbitrate disputes between the signatories [i.e., the exchange and its customers] only.” The user agreement does not state that obligations and rights are extended to a nonsignatory, such as the issuer, the court said—additionally staying all other judicial while arbitration proceedings between the exchange and the plaintiffs are pending.