June 17, 2024
Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW®, HouseLaw®, InstallmentLaw™, PrivacyLaw®, and BizFinLaw™ - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.
On June 11, the Consumer Financial Protection Bureau released for public comment a proposed rule that would limit creditors from obtaining or using information on medical debts for credit eligibility determinations and generally prohibit consumer reporting agencies from furnishing to a creditor a consumer report containing information on medical debt that the creditor is prohibited from using. According to the proposed rule, "medical debts [historically] have been the most common type of debt on consumer reports at both the consumer-report and individual collections tradeline level," and 15 million Americans have more than $49 billion in unpaid medical bills in collection. The CFPB commented that "information about medical debt is often plagued with inaccuracies and errors" and that "medical debt has limited predictive value for credit underwriting purposes." For that reason, according to the CFPB, "[m]arket participants, including in the consumer reporting industry and those most financially incentivized to assess the predictive value of medical debt, have reduced their reliance on medical debt."
As CFPB Director Rohit Chopra noted, to "stop debt collectors from using the credit report as a cudgel to coerce consumers into paying bills they may not even owe, and make sure the credit reporting system doesn't unjustly punish people for getting sick," the CFPB proposes to: (1) remove the financial information exception to the Fair Credit Reporting Act's limitation on a creditor's use of medical debt information (which currently permits consumers' medical financial information to be obtained and used by creditors in connection with credit eligibility determinations if certain conditions are met), while retaining select elements of the exception related to disability income and similar benefits and medical information relevant to the loan purpose, so long as certain conditions are met; (2) limit the circumstances under which consumer reporting agencies are permitted to furnish medical debt information to creditors in connection with credit eligibility determinations; and (3) prohibit lenders from taking medical devices as collateral and ban lenders from repossessing medical devices, like wheelchairs or prosthetic limbs. The proposed rule would apply to any person that participates as a creditor in a transaction, except for a person excluded from coverage by Section 1029 of the Consumer Financial Protection Act of 2010 (i.e., certain auto dealers).
Comments on the proposed rule are due by August 12.
|
Colorado recently enacted Senate Bill 192, which amends the state's Lemon Law. Current law requires a manufacturer, a manufacturer's agent, or a manufacturer's authorized dealer to replace or buy back a motor vehicle if the consumer notified the dealer about the exercise of that right within the earlier of the warranty period or one year after original delivery of the motor vehicle ("notification time"), and the vehicle underwent a reasonable number of attempts to repair. Under the current law, the number of repairs required to allow the consumer to invoke the right to ask for a replacement or a buyback is considered reasonable if: (1) the vehicle was out of service for repairs for a cumulative total of 30 or more business days; or (2) the manufacturer, manufacturer's agent, or dealer tried unsuccessfully to repair the vehicle four or more times.
The new law:
The current law requires the manufacturer to be notified of a defect and be given an opportunity to cure the defect in order to be subject to the "reasonable repairs" presumption. The new law adds a 10-day limit on the opportunity to cure the defect after receipt of the notification.
The current law allows a dealer, when buying back a vehicle, to deduct a reasonable allowance for use. The new law sets a formula for determining the reasonable allowance for use.
The current law exempts from the Lemon Law vehicles that have a problem that does not affect the market value of the motor vehicle. The new law adds that the problem must not affect the safety of the vehicle to qualify for the exemption.
The new law requires a dealer selling a Lemon Law buyback vehicle to a potential purchaser for purposes other than for resale to either: (1) allow a third-party agent of a potential purchaser to inspect the vehicle before selling the vehicle; or (2) provide a 7-day free-look period during which the purchaser may return the vehicle and receive a refund of all money paid to the dealer to purchase the vehicle. The dealer must notify purchasers of this inspection right.
Finally, the dealer is required to give notice that the vehicle was returned, including to the Department of Revenue, which must put a brand on the title to notify subsequent purchasers.
|
On June 10, the Connecticut Department of Banking issued guidance relating to the state's new Commercial Financing Disclosure Act, Conn. Gen. Stat. Ann. §§ 36a-861 et seq. The guidance includes a template sales-based financing disclosure form, which appears to be based on Virginia's commercial financing disclosure form.
The CFDA applies to a sales-based financing transaction in Connecticut with an amount financed of $250,000 or less, beginning on July 1, 2024. However, the DOB's guidance states that it will not enforce the disclosure requirements, including the requirement to obtain a recipient's signature on the disclosures, before October 1, 2024. This no-action position does not apply to certain provisions of the CFDA, effective July 1, 2024, that prohibit the following conduct:
The CFDA also requires sales-based financing providers and brokers to register with the DOB beginning on October 1, 2024. Additional information regarding the registration process will soon be made available on the DOB's website and the NMLS Resource Center.
|
Kentucky, Maryland, Minnesota, and Nebraska have joined the other 11 states with comprehensive data privacy laws. The four new laws follow the general approach of the other comprehensive privacy laws but have important differences that businesses should be aware of as they review their privacy compliance approach and update their privacy policies. Small differences in these laws can have a large impact on covered entities' data processing. Under all four laws, consumers have the right to know what data is collected about them, access certain data, correct certain data, delete certain data, and obtain copies of the data if it is available in a digital format.
Coverage Thresholds
The four states have different coverage threshold triggers.
Like most states, Maryland, Kentucky, and Minnesota have revenue- and consumer-based coverage threshold triggers.
Maryland's law applies to entities that conduct business in the state and: (1) control or process the personal data of at least 35,000 Maryland consumers in a calendar year, or (2) control or process personal data of at least 10,000 Maryland consumers while deriving more than 20% of gross revenue from the sale of personal data. These thresholds are notably lower than other states.
Kentucky's law covers entities that conduct business in the state and: (1) control or process the personal data of at least 100,000 Kentucky consumers in a calendar year, or (2) control or process the personal data of at least 25,000 Kentucky consumers while deriving more than 50% of gross revenue from the sale of personal data.
Minnesota's law covers entities that conduct business in the state and: (1) control or process the personal data of at least 100,000 Minnesota consumers in a calendar year, or (2) control or process the personal data of at least 25,000 Minnesota consumers while deriving more than 25% of gross revenue from the sale of personal data.
Unlike most privacy laws, Nebraska lacks revenue- or consumer-based coverage triggers, following the Texas approach to coverage. Nebraska's law applies to entities that conduct business in Nebraska, process or sell personal data, and are not a small business as defined by the Small Business Administration.
Opt-Out Rights
All four laws give consumers the right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of automated decisions that produce a legal or similarly significant effect concerning the consumer.
Note that Maryland, Minnesota, and Nebraska define the "sale" of personal data broadly to include not only an exchange for monetary consideration but also for "other valuable consideration" from a third party. Kentucky has a narrow definition of "sale" requiring monetary consideration.
Minnesota has implemented a unique right for consumers: the right to question automated profiling decisions. Specifically, a consumer has the right to be informed of the reason that the profiling resulted in the decision and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and what actions the consumer might take to secure a different decision in the future. A consumer also has the right to review the data upon which the automated profiling decision was based and to correct any inaccuracies in that data.
Exemptions
All four laws have exemptions for certain entities and data we have come to expect, including exemptions for entities and data subject to the Gramm-Leach-Bliley Act, as well as data subject to the Fair Credit Reporting Act. Note that Minnesota only has a data-level, rather than an entity-level, GLBA exemption.
Special Treatment of Sensitive Data
The four states require special treatment of "sensitive data," which they define in similar ways to include data revealing racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.
In Kentucky and Nebraska, consumers must opt in to the processing of their sensitive data. Maryland is stricter, forbidding the collection, processing, or sharing of sensitive data unless it is necessary to provide or maintain a specific product or service requested by the consumer. Maryland also forbids the sale of sensitive data.
Opt-Out Preference Signals
A controller must allow a Maryland or Minnesota consumer to opt out of targeted advertising and the sale of personal data (but not profiling) through an opt-out preference signal. A controller that "recognizes signals approved by other states" is deemed compliant with this requirement.
While Nebraska does not explicitly require the honoring of "global opt-out signals," it does require covered entities to treat "an Internet browser setting or extension or a global setting on an electronic device" as an authorized agent of the consumer that can exercise the consumer's right to opt out of targeted advertising and the sale of personal data.
Right to Cure
Nebraska and Kentucky give covered entities a 30-day right to cure violations before the state attorney general may bring an enforcement action. Notably, the right to cure provisions in these two states do not sunset. Maryland provides for a 60-day right to cure, which expires on April 1, 2027. Minnesota provides for a 30-day right to cure, which expires on January 31, 2026.
Effective Dates
Kentucky's Act Relating to Consumer Data Privacy will be effective January 1, 2026.
Maryland's Online Data Privacy Act of 2024 will be effective October 1, 2025.
Minnesota's Consumer Data Privacy Act will be effective July 31, 2025.
Nebraska's Data Privacy Act will be effective January 1, 2025.
|
The Washington Department of Financial Institutions issued interim guidance on the recently enacted Predatory Loan Prevention Act (Senate Bill 6025), which amends the state's Consumer Loan Act and was effective on June 6, 2024. The guidance provides additional information on the CLA, describes changes made to the CLA by the PLPA, and grants a grace period to any person requiring licensure under the new Section 2(3) of RCW 31.04.025. The DFI anticipates rulemaking on this matter in Fall 2024.
Licensees under the CLA are permitted to make a loan "at a rate that does not exceed twenty-five percent per annum as determined by the simple interest method of calculating interest owed."
The PLPA amends the CLA by incorporating an anti-evasion provision. The PLPA provides that "a person may not engage in any device, subterfuge, or pretense to evade the requirements of the [CLA] including, but not limited to: [m]aking loans disguised as personal property sale and leaseback transactions; disguising loan proceeds as a cash rebate for the pretextual installment sale of goods or services; or making, offering, assisting, or arranging a debtor to obtain a loan with a greater rate of interest, consideration, or charge than permitted by the [CLA] through any method, including mail, telephone, internet, or any electronic means regardless of whether the person has a physical location in the state."
In addition, the PLPA adds a new Section 2(3) that incorporates the predominant economic interest and the totality of the circumstances standards in determining whether the lender is a "true lender." Section 2(3) provides that "[i]f a loan exceeds the rate permitted under the [CLA], a person is a lender making a loan subject to the requirements of the [CLA] notwithstanding the fact that the person purports to act as an agent, service provider, or in another capacity for another person that is exempt from the [CLA] if, among other things: (a) [t]he person holds, acquires, or maintains, directly or indirectly, the predominant economic interest in the loan; or (b) [t]he totality of the circumstances indicate that the person is the lender, and the transaction is structured to evade the requirements of the [CLA]." The guidance states that "[a]ny person asserting that they are an agent, service provider, or in some other capacity acting on behalf of an exempt person should consider whether they are subject to licensure pursuant to section 2(3). For example, if Person A asserts that they are acting on behalf of an exempt Person B, but Person A holds the 'predominant economic interest' or 'the totality of the circumstances' indicate Person A is the lender and is structuring their involvement to evade the requirements of the CLA, this would constitute a violation of the CLA."
The guidance states that the DFI is granting a grace period to any person requiring licensure under Section 2(3) until December 31, 2024, subject to conditions specified in the guidance. However, the grace period is only available to persons that did not require a license prior to the enactment of the PLPA.
|