Last Week, This Morning

June 17, 2024

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)¹" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW®, HouseLaw®, InstallmentLaw™, PrivacyLaw®, and BizFinLaw™ - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or

CFPB Proposes Rule Limiting Use and Reporting of Medical Debt by Creditors and Credit Reporting Agencies

On June 11, the Consumer Financial Protection Bureau released for public comment a proposed rule that would limit creditors from obtaining or using information on medical debts for credit eligibility determinations and generally prohibit consumer reporting agencies from furnishing to a creditor a consumer report containing information on medical debt that the creditor is prohibited from using. According to the proposed rule, "medical debts [historically] have been the most common type of debt on consumer reports at both the consumer-report and individual collections tradeline level," and 15 million Americans have more than $49 billion in unpaid medical bills in collection. The CFPB commented that "information about medical debt is often plagued with inaccuracies and errors" and that "medical debt has limited predictive value for credit underwriting purposes." For that reason, according to the CFPB, "[m]arket participants, including in the consumer reporting industry and those most financially incentivized to assess the predictive value of medical debt, have reduced their reliance on medical debt."

As CFPB Director Rohit Chopra noted, to "stop debt collectors from using the credit report as a cudgel to coerce consumers into paying bills they may not even owe, and make sure the credit reporting system doesn't unjustly punish people for getting sick," the CFPB proposes to: (1) remove the financial information exception to the Fair Credit Reporting Act's limitation on a creditor's use of medical debt information (which currently permits consumers' medical financial information to be obtained and used by creditors in connection with credit eligibility determinations if certain conditions are met), while retaining select elements of the exception related to disability income and similar benefits and medical information relevant to the loan purpose, so long as certain conditions are met; (2) limit the circumstances under which consumer reporting agencies are permitted to furnish medical debt information to creditors in connection with credit eligibility determinations; and (3) prohibit lenders from taking medical devices as collateral and ban lenders from repossessing medical devices, like wheelchairs or prosthetic limbs. The proposed rule would apply to any person that participates as a creditor in a transaction, except for a person excluded from coverage by Section 1029 of the Consumer Financial Protection Act of 2010 (i.e., certain auto dealers).

Comments on the proposed rule are due by August 12.

Amicus brief(ly): This move has been in the works for a while, notwithstanding the move last year by the three biggest national consumer reporting agencies to remove medical debts of $500 or less from consumer reports. During the comment period, it is unlikely that the CFPB will hear anything that will change its mind on the rule, which, when finalized, will have a direct impact on credit scores for 15 million consumers (by the CFPB's count) and the underwriting models that rely on them. Losing the ability to report these debts to the CRAs will likely have a material impact on the collectability of medical debts not paid by insurance and may result in providers requiring payment of that potentially uncollectible debt up front before service - if the patient can afford to pay it. Fortunately for credit card issuers and debt collectors, the proposed rule does not prohibit furnishing data on general purpose or specialty consumer credit cards where part or all of the balance includes medical debts.

Colorado Amends Lemon Law

Colorado recently enacted Senate Bill 192, which amends the state's Lemon Law. Current law requires a manufacturer, a manufacturer's agent, or a manufacturer's authorized dealer to replace or buy back a motor vehicle if the consumer notified the dealer about the exercise of that right within the earlier of the warranty period or one year after original delivery of the motor vehicle ("notification time"), and the vehicle underwent a reasonable number of attempts to repair. Under the current law, the number of repairs required to allow the consumer to invoke the right to ask for a replacement or a buyback is considered reasonable if: (1) the vehicle was out of service for repairs for a cumulative total of 30 or more business days; or (2) the manufacturer, manufacturer's agent, or dealer tried unsuccessfully to repair the vehicle four or more times.

The new law:

  • expands the Lemon Law to cover vehicles affected by safety-based nonconformities;
  • expands the notification time to include the earlier of the first 24,000 miles or two years after original delivery of the vehicle;
  • lowers the number of out-of-service business days to 24; and
  • lowers the number of required repair attempts to three.

The current law requires the manufacturer to be notified of a defect and be given an opportunity to cure the defect in order to be subject to the "reasonable repairs" presumption. The new law adds a 10-day limit on the opportunity to cure the defect after receipt of the notification.

The current law allows a dealer, when buying back a vehicle, to deduct a reasonable allowance for use. The new law sets a formula for determining the reasonable allowance for use.

The current law exempts from the Lemon Law vehicles that have a problem that does not affect the market value of the motor vehicle. The new law adds that the problem must not affect the safety of the vehicle to qualify for the exemption.

The new law requires a dealer selling a Lemon Law buyback vehicle to a potential purchaser for purposes other than for resale to either: (1) allow a third-party agent of a potential purchaser to inspect the vehicle before selling the vehicle; or (2) provide a 7-day free-look period during which the purchaser may return the vehicle and receive a refund of all money paid to the dealer to purchase the vehicle. The dealer must notify purchasers of this inspection right.

Finally, the dealer is required to give notice that the vehicle was returned, including to the Department of Revenue, which must put a brand on the title to notify subsequent purchasers.

Amicus brief(ly): Dealers should note the notice requirements and create procedures for tracking repairs and timing to be prepared for the required buybacks because this consumer-friendly change to the Lemon Law reduces the number of repair attempts from four to three (25%) and the number of days where the consumer is without his or her car from 30 to 24 business days (20%). These are pretty significant, but understandable, changes, especially to anyone who has experienced multiple recalls or necessary repairs on their new car. Ultimately, the manufacturers bear the most impact of this law change, but dealers will be on the front lines with irritated buyers to service the buyback requests.

Connecticut Releases Sales-Based Financing Disclosure Form

On June 10, the Connecticut Department of Banking issued guidance relating to the state's new Commercial Financing Disclosure Act, Conn. Gen. Stat. Ann. §§ 36a-861 et seq. The guidance includes a template sales-based financing disclosure form, which appears to be based on Virginia's commercial financing disclosure form.

The CFDA applies to a sales-based financing transaction in Connecticut with an amount financed of $250,000 or less, beginning on July 1, 2024. However, the DOB's guidance states that it will not enforce the disclosure requirements, including the requirement to obtain a recipient's signature on the disclosures, before October 1, 2024. This no-action position does not apply to certain provisions of the CFDA, effective July 1, 2024, that prohibit the following conduct:

  • obtaining a contractual waiver of the recipient's right to notice, judicial hearing, or prior court order in connection with certain prejudgment remedies; and
  • revoking, withdrawing, or modifying a specific offer of financing until midnight of the third calendar day after the date of the specific offer, except that a specific offer may be revoked, withdrawn, or modified based on information obtained in the underwriting process, including, but not limited to, verification of any information provided by the recipient or at the request of the recipient.

The CFDA also requires sales-based financing providers and brokers to register with the DOB beginning on October 1, 2024. Additional information regarding the registration process will soon be made available on the DOB's website and the NMLS Resource Center.

Amicus brief(ly): Sales- or revenue-based financing providers should be accustomed to these disclosure rules, and multistate providers already doing business in Virginia have a leg up in implementing this template form in Connecticut. The DOB is giving some grace in timing for the implementation of the new statute, including the registration requirement. Whether we like the guidance regulators give or not, we definitely appreciate when they make their thoughts known in writing, especially when that guidance includes model or template forms designed to comply with statutory or regulatory requirements. Sales- or revenue-based financing providers should review the guidance from the DOB and begin preparing for the implementation of this new law.

Kentucky, Maryland, Minnesota, and Nebraska Pass Comprehensive Privacy Laws

Kentucky, Maryland, Minnesota, and Nebraska have joined the other 11 states with comprehensive data privacy laws. The four new laws follow the general approach of the other comprehensive privacy laws but have important differences that businesses should be aware of as they review their privacy compliance approach and update their privacy policies. Small differences in these laws can have a large impact on covered entities' data processing. Under all four laws, consumers have the right to know what data is collected about them, access certain data, correct certain data, delete certain data, and obtain copies of the data if it is available in a digital format.

Coverage Thresholds

The four states have different coverage threshold triggers.

Like most states, Maryland, Kentucky, and Minnesota have revenue- and consumer-based coverage threshold triggers.

Maryland's law applies to entities that conduct business in the state and: (1) control or process the personal data of at least 35,000 Maryland consumers in a calendar year, or (2) control or process personal data of at least 10,000 Maryland consumers while deriving more than 20% of gross revenue from the sale of personal data. These thresholds are notably lower than those in other states.

Kentucky's law covers entities that conduct business in the state and: (1) control or process the personal data of at least 100,000 Kentucky consumers in a calendar year, or (2) control or process the personal data of at least 25,000 Kentucky consumers while deriving more than 50% of gross revenue from the sale of personal data.

Minnesota's law covers entities that conduct business in the state and: (1) control or process the personal data of at least 100,000 Minnesota consumers in a calendar year, or (2) control or process the personal data of at least 25,000 Minnesota consumers while deriving more than 25% of gross revenue from the sale of personal data.

Unlike most privacy laws, Nebraska lacks revenue- or consumer-based coverage triggers, following the Texas approach to coverage. Nebraska's law applies to entities that conduct business in Nebraska, process or sell personal data, and are not a small business as defined by the Small Business Administration.

Opt-Out Rights

All four laws give consumers the right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of automated decisions that produce a legal or similarly significant effect concerning the consumer.

Note that Maryland, Minnesota, and Nebraska define the "sale" of personal data broadly to include not only an exchange for monetary consideration but also for "other valuable consideration" from a third party. Kentucky has a narrow definition of "sale" requiring monetary consideration.

Minnesota has implemented a unique right for consumers: the right to question automated profiling decisions. Specifically, a consumer has the right to be informed of the reason that the profiling resulted in the decision and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and what actions the consumer might take to secure a different decision in the future. A consumer also has the right to review the data upon which the automated profiling decision was based and to correct any inaccuracies in that data.


All four laws have exemptions for certain entities and data we have come to expect, including exemptions for entities and data subject to the Gramm-Leach-Bliley Act, as well as data subject to the Fair Credit Reporting Act. Note that Minnesota only has a data-level, rather than an entity-level, GLBA exemption.

Special Treatment of Sensitive Data

The four states require special treatment of "sensitive data," which they define in similar ways to include data revealing racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.

In Kentucky and Nebraska, consumers must opt in to the processing of their sensitive data. Maryland is stricter, forbidding the collection, processing, or sharing of sensitive data unless it is necessary to provide or maintain a specific product or service requested by the consumer. Maryland also forbids the sale of sensitive data.

Opt-Out Preference Signals

A controller must allow a Maryland or Minnesota consumer to opt out of targeted advertising and the sale of personal data (but not profiling) through an opt-out preference signal. A controller that "recognizes signals approved by other states" is deemed compliant with this requirement.

While Nebraska does not explicitly require the honoring of "global opt-out signals," it does require covered entities to treat "an Internet browser setting or extension or a global setting on an electronic device" as an authorized agent of the consumer that can exercise the consumer's right to opt out of targeted advertising and the sale of personal data.

Right to Cure

Nebraska and Kentucky give covered entities a 30-day right to cure violations before the state attorney general may bring an enforcement action. Notably, the right to cure provisions in these two states do not sunset. Maryland provides for a 60-day right to cure, which expires on April 1, 2027. Minnesota provides for a 30-day right to cure, which expires on January 31, 2026.

Effective Dates

Kentucky's Act Relating to Consumer Data Privacy will be effective January 1, 2026.

Maryland's Online Data Privacy Act of 2024 will be effective October 1, 2025.

Minnesota's Consumer Data Privacy Act will be effective July 31, 2025.

Nebraska's Data Privacy Act will be effective January 1, 2025.

Amicus brief(ly): Did you know that Vermont would have been on this list except that its governor vetoed a bill last Thursday that would have allowed private litigation to enforce the law's data use and privacy provisions? Evidently the state legislature is meeting today to vote to override the veto, but we'll see what happens. In the interim, it is abundantly clear that the states - like the Consumer Financial Protection Bureau - are focused on giving consumers more control over what happens with their personal data. Naturally, the states could not find a way to borrow from each other to generate a consistent result. Note the "opt-in" requirements for Kentucky and Nebraska and Maryland's even stricter rules that prohibit the sale of sensitive data and restrict data sharing to only that sharing that is necessary to provide or maintain a product or service requested by the consumer. There is plenty of work for data privacy and information security professionals in this area of increasing regulation.

Washington DFI Grants Grace Period for Licensure to Certain Persons Subject to Predatory Loan Prevention Act

The Washington Department of Financial Institutions issued interim guidance on the recently enacted Predatory Loan Prevention Act (Senate Bill 6025), which amends the state's Consumer Loan Act and was effective on June 6, 2024. The guidance provides additional information on the CLA, describes changes made to the CLA by the PLPA, and grants a grace period to any person requiring licensure under the new Section 2(3) of RCW 31.04.025. The DFI anticipates rulemaking on this matter in Fall 2024.

Licensees under the CLA are permitted to make a loan "at a rate that does not exceed twenty-five percent per annum as determined by the simple interest method of calculating interest owed."

The PLPA amends the CLA by incorporating an anti-evasion provision. The PLPA provides that "a person may not engage in any device, subterfuge, or pretense to evade the requirements of the [CLA] including, but not limited to: [m]aking loans disguised as personal property sale and leaseback transactions; disguising loan proceeds as a cash rebate for the pretextual installment sale of goods or services; or making, offering, assisting, or arranging a debtor to obtain a loan with a greater rate of interest, consideration, or charge than permitted by the [CLA] through any method, including mail, telephone, internet, or any electronic means regardless of whether the person has a physical location in the state."

In addition, the PLPA adds a new Section 2(3) that incorporates the predominant economic interest and the totality of the circumstances standards in determining whether the lender is a "true lender." Section 2(3) provides that "[i]f a loan exceeds the rate permitted under the [CLA], a person is a lender making a loan subject to the requirements of the [CLA] notwithstanding the fact that the person purports to act as an agent, service provider, or in another capacity for another person that is exempt from the [CLA] if, among other things: (a) [t]he person holds, acquires, or maintains, directly or indirectly, the predominant economic interest in the loan; or (b) [t]he totality of the circumstances indicate that the person is the lender, and the transaction is structured to evade the requirements of the [CLA]." The guidance states that "[a]ny person asserting that they are an agent, service provider, or in some other capacity acting on behalf of an exempt person should consider whether they are subject to licensure pursuant to section 2(3). For example, if Person A asserts that they are acting on behalf of an exempt Person B, but Person A holds the 'predominant economic interest' or 'the totality of the circumstances' indicate Person A is the lender and is structuring their involvement to evade the requirements of the CLA, this would constitute a violation of the CLA."

The guidance states that the DFI is granting a grace period to any person requiring licensure under Section 2(3) until December 31, 2024, subject to conditions specified in the guidance. However, the grace period is only available to persons that did not require a license prior to the enactment of the PLPA.

Amicus brief(ly): Washington's grant of a grace period into December of this year for non-bank partners involved in bank partnership lending that need a license is welcome, as is this guidance - at least inasmuch as it explains how the DFI reads the amended law (though, as we suggested above in connection with the Connecticut regulator guidance, there are times when we don't like the regulator's guidance, and this is one of those times). The guidance appears to clear up a question that the statute left open: whether or not the goal of this law is to limit the interest rate on loans made by banks in a bank partnership with a non-bank servicer to the 25% rate cap already in the law for non-bank licensees. Based on this guidance, it seems like the answer is yes, at least in circumstances where the non-bank servicer buys a sufficient interest in the loans to become the person with the predominant economic interest in the loans such that it is the "true lender." And it is important to get this right - loans are void and uncollectible under the amended law if the "true lender" "makes" loans that violate the statute. We expect this law to find its way to the courts.

¹ For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.