InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District court: BIPA does not violate Illinois constitution
On August 19, the U.S. District Court for the Southern District of Illinois denied defendants’ motion to dismiss claims that they unlawfully collected individuals’ biometric fingerprint data without first receiving informed consent. The court also addressed an argument as to whether the Illinois Biometric Information Privacy Act (BIPA) exemption for financial institutions violates the state’s constitution, ruling that the exemption applies only to institutions already subject to data protection standards of the Gramm-Leach-Bliley Act (GLBA) and therefore does not arbitrarily exempt financial institutions. According to the order, the plaintiff filed a putative class action against two companies (defendants) alleging they violated Section 15(b) of BIPA by unlawfully collecting employees’ biometric fingerprint data for timetracking purposes without informing employees in writing “of the purpose and period for which [their] fingerprints were being collected, stored, or used.” The plaintiff also claimed the defendants violated Section 15(a) of BIPA, which requires them to implement and follow a publically available biometric data retention and destruction schedule. The defendants filed a motion to dismiss, which presented several arguments, including that (i) the plaintiff failed to plead an actual injury and therefore lacked Article III standing; (ii) BIPA violates the state’s constitution because it imposes strict compliance requirements on certain entities but “arbitrarily” exempts “‘the entire financial industry’”; (iii) one of the defendants—a fingerprint database manager—qualifies as an exempt financial institution under BIPA; and (iv) the claims are time-barred and barred by waiver or equitable estoppel.
The court disagreed, allowing the plaintiff’s informed consent claims under Section 15(b) to proceed, noting, among other things, that BIPA’s financial institution exclusion is not “‘artificially narrow’ in its focus since both exempt and non-exempt financial institutions are subject to data reporting laws, with neither group receiving a benefit the other does not.” The court further noted that it has no indication in the pleading or declaration filed in motion practice that the fingerprint database manager defendant is a financial institution subject to the GLBA. However, the court remanded part of the suit back to state court. According to the court, the plaintiff’s Section 15(a) claims were not sufficient to establish Article III standing because this section “does not outline an entity’s duty to an individual” but rather “outlines a duty to the public generally.”
Pennsylvania settles with bank to resolve “aggressive” collection practices
On August 19, the Pennsylvania attorney general announced it had entered into an Assurance of Voluntary Compliance with a national bank to end the bank’s “aggressive” debt collection practices. According to the AG, the bank allegedly filed collection lawsuits against individuals with unpaid auto loans “in a district justice court in Warren, Pennsylvania despite the fact that most of the defendants in those actions were consumers who purchased their vehicles in another part of the state and merely had their vehicle installment contract assigned to [the bank].” After obtaining judgments, the bank also allegedly violated Pennsylvania law by sending post-judgment letters that threatened further legal action, including a sheriff’s sale of an individual’s vehicle. These alleged misrepresentations constituted an unfair or deceptive debt collection act or practice, the AG stated. The bank did not admit to the violations, but agreed to modify its collection practices to, among other things, (i) strike all existing judgments entered between 2013 and the effective date of the agreements in a magisterial district court that the consumer did not reside in at the time the vehicle was purchased or the action commenced, or that was not where the vehicle was purchased; (ii) issue a credit to the deficiency balance on any amount that was paid as a result of a judgment; (iii) refund any remaining amounts once the deficiency balance has been reduced to $0; and (iv) pay $15,000 in monetary relief.
Connecticut Department of Banking extends work from home guidance for licensees
On August 21, the Connecticut Department of Banking issued a memorandum extending through December 31, 2020, its no-action position (previously discussed here and here) with respect to various licensees temporarily working from home during Covid-19, provided that certain criteria set forth in the memorandum are met.
CFPB reaches $122 million settlement with national bank to resolve overdraft violations
On August 20, the CFPB announced a settlement with a national bank, resolving allegations that the bank violated the EFTA, CFPA, and FCRA through the marketing and sale of its optional overdraft service. According to the consent order, the bank violated the EFTA and Regulation E by enrolling customers who orally consented to the bank’s optional overdraft program without first providing the customers with written notice, and subsequently charged those customers overdraft fees. The bank also allegedly engaged in abusive practices by, among other things, (i) requiring new customers to sign its optional overdraft notice with the “enrolled” option pre-checked without first providing written notice or, in certain instances, without mentioning the optional overdraft service to the customer at all; (ii) enrolling new customers in the optional overdraft service without requesting their oral enrollment decision; and (iii) deliberately obscuring, or attempting to obscure, the overdraft notice “to prevent a new customer’s review of their pre-marked ‘enrolled’ status” in the optional overdraft service. The CFPB also asserted the bank engaged in deceptive practices by marketing the optional overdraft service as a “free” service or benefit, downplaying the associated fees and disclosures, and by suggesting that the overdraft service was a “‘feature’ or ‘package’ that ‘comes with’ all new consumer-checking accounts, rather than as an option that new customers must opt in to.” However, the bank actually charged customers $35 for each overdraft transaction paid through the service, the CFPB alleged.
With respect to the alleged FCRA and Regulation V furnishing violations, the CFPB claimed the bank failed to establish and implement policies and procedures concerning the accuracy and integrity of the consumer-account information it furnished to two nationwide specialty consumer reporting agencies (NSCRAs). The bank also allegedly failed to implement policies or procedures for investigating customer disputes related to the furnished information, failed to timely investigate certain indirect customer disputes concerning its furnishing to one of the NSCRAs, and instructed customers who called to dispute furnished information to contact the NSCRA instead of submitting a direct dispute to the bank.
Under the terms of the consent order, the bank is required to provide approximately $97 million in restitution to roughly 1.42 million consumers and pay a $25 million civil money penalty. The bank has also agreed to (i) correct its optional overdraft service enrollment practices; (ii) stop using pre-marked overdraft notices to obtain affirmative consent from customers; (iii) provide current customers who have remained enrolled in the optional overdraft service with enrollment status details and instructions on how to unenroll from the service; and (iv) establish policies and procedures designed to ensure its furnishing practices comply with the FCRA.
DOJ initiates two SCRA actions for auctions without court orders
On August 18, the DOJ announced (see here and here) two separate Servicemembers Civil Relief Act (SCRA) actions. First, the DOJ filed a complaint against a Massachusetts-based moving and storage company for failing to obtain a court order prior to auctioning an active duty servicemember’s storage unit, while he was deployed overseas. The DOJ asserts that while a servicemember has no duty to inform lienholders of their military service, the servicemember told the storage company’s agent about his military status during a phone call. Additionally, the servicemember provided the storage company with his address on Hanscom Air Force Base. In the second complaint, the DOJ alleges a Florida-based towing company auctioned a car belonging to an active duty servicemember without obtaining a court order. The DOJ asserts that the towing company had reason to believe the car was owned by a servicemember, including that there was a military decal on the car and the owner’s auto loan was through a military-oriented financial institution. In both actions, the DOJ is seeking damages, injunctive relief and civil penalties.
Federal agencies and CSBS to hold webinar on PPP
On August 20, the FDIC, Federal Reserve Board, OCC, NCUA, and the Conference of State Bank Supervisors announced that a webinar will be held with SBA officials discussing the loan forgiveness process and recent changes in the Paycheck Protection Program on Thursday, August 27 from 11:00 a.m. to 12:00 p.m. (EDT). Participants must preregister for the webinar and are encouraged to email questions in advance to asktheregulators@stls.frb.org. An archive of the webinar materials will be available here, a few hours after the webinar ends.
Maine governor launches grant program for small businesses and nonprofits
On August 20, the Maine governor launched a $200 million economic grant program to assist Maine small businesses and nonprofits. To qualify for a grant, a business or nonprofit must demonstrate financial relief need due to Covid-19 impacts or a related public health response. Additionally, the business or organization must meet eligibility requirements, including having “significant operations” in Maine and being current and in good standing with certain tax filings through July 31, 2020. Grants may be used to cover expenses including, payroll costs and expenses, rent or mortgage payments for business facilities, and utilities payments. The application period begins on August 21, 2020, and runs through September 2, 2020. Awards will be made in early October. Additional information about the program can be found on the Maine Department of Economic and Community Development’s website.
Alaska governor proposes expanded eligibility for small business funding
On August 20, the Alaska governor announced that he proposed modifications to the AK CARES Grant Program to expand eligibility for applicants. The program provides funding for Alaska small businesses. Under the current program, applicants are restricted from applying if they received more than $5,000 in other federal assistance or if the business is a source of secondary income. The changes would lift the $5,000 restriction and restriction on secondary income businesses. Restrictions requiring that businesses be Alaska-based or have no more than 50 employees remain in place, but may be subject to review in the future. Absent earlier action, these changes will take effect in 45 days.
Final CCPA regulations approved: Overview of changes
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. While the regulation package was under review by the OAL, the California attorney general made certain “nonsubstantial changes” and “changes without regulatory effect” to the CCPA regulations, which are outlined here (Buckley created redline available here). Under the OAL’s regulations, changes are considered “nonsubstantial” if they clarify without materially altering the requirements, rights, responsibilities, conditions, or prescriptions contained in the original text. Changes are considered to be “without regulatory effect” if they involve renumbering or relocating a provision, revising structure, syntax, grammar or punctuation, and, subject to certain conditions, making a provision consistent with statute.
Among others, the following nonsubstantial changes were made to the final regulations:
- The shorthand phrase “Do Not Sell My Info” was removed from several sections in order for the language to track the statute (i.e. “Do Not Sell My Personal Information”).
- The requirement in Section 999.308(c)(1)(e) that the identification of sources from which personal information is collected “be described in a manner that provides consumers a meaningful understanding of the information being collected” in the privacy policy has been removed but the categories of sources still must be identified.
- The severability provision, formerly in Section 999.341 was deleted as unnecessary. This provision previously stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.” (formerly § 999.341).
Additionally, the following requirements were deleted from the regulations at this time, although the California attorney general has indicated that these provisions may be resubmitted “after further review and possible revisions”:
- The requirement, formerly in Section 999.305(a)(4), that the business notify and obtain explicit consent from a consumer to use the consumer’s personal information for a purpose materially different than those disclosed in the notice at collection.
- The requirement, formerly in Section 999.306(b)(2), that a business that substantially interacts with consumers offline must provide a notice to the consumer offline to facilitate their awareness of the right to opt-out.
- The requirement in Section 999.315(c) that the business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.”
- The provision, formerly in Section 999.326(c), permitting a business to deny a request from an authorized agent if the agent fails to submit proof of authorization from the consumer.
The final regulations became effective on August 14, 2020.
Department of Education extends Covid-19 student loan protections until 2021
On August 21, the U.S. Department of Education announced the implementation of the presidential memorandum extending a forbearance plan on federal student loans through the end of the year. As previously covered by InfoBytes, the memorandum directed the Department of Education to take action to continue to provide “deferments to borrowers as necessary to continue the temporary cessation of payments and the waiver of all interest on student loans held by the Department of Education until December 31, 2020.” According to the announcement, until December 31, in addition to suspended payments and the waiver of all interest, there will be (i) no collections on defaulted federal loans; and (ii) borrowers will receive a refund of any continued employer garnishment related to defaulted federal loans. Additionally, non-payments by borrowers working full-time for qualified Public Service Loan Forgiveness employers will continue to receive credit towards their 120 payments.