Featured posts for main page slider

In the last few years, the right to privacy debate in the United States has increased in pace and volume. One issue at the center of this long debate is how best to implement the right privacy tools in a manner that does not disrupt business and technological innovation. The current criticisms fail to appreciate that the next technological paradigm is completely dependent on both the quality and quantity of data.

As connected things (IoT) explode in popularity, they make things such as augmented reality (AR) and autonomous vehicles possible. And as interconnectivity grows, so too do the opportunities. The companies that fail to properly leverage new technologies and data opportunities may find themselves falling behind their competitors.

In venturing into these emerging paradigms, companies should stay informed of recent enforcement actions, cases, and laws to determine how their role within new ecosystems may be impacted.

This publication covers the ongoing evolution of the legal landscape for data-centric products, so that organizations can continue to succeed in their development of data-centric products.

Click here to download the report

In several weeks, the U.S. Securities and Exchange Commission will release its annual enforcement results, and speculation about the trajectory of the SEC’s Division of Enforcement will resume in full force.

The results will reflect enforcement activity from the first full fiscal year of Jay Clayton’s tenure as SEC chairman. In the 16 months since Clayton’s swearing in, there have been repeated questions about how vigorously the Division of Enforcement is policing the U.S. capital markets. Naturally, following Mary Jo White’s “bold and unrelenting” enforcement agenda, many expected a decline in enforcement activity under Clayton.

There has, in fact, been a dip in the number of SEC enforcement actions during Clayton’s tenure, but the decline has not been as precipitous as many anticipated. And the decline in enforcement activity does not tell the whole story of the current enforcement program. There have been marked changes in priorities and tone and subtle shifts in the mix of cases coming out of the commission.

To read full article go to Law360

Clarity on Overlapping Background Check Laws in California

By Timothy St. George, David Anthony, Ronald Raether, Jonathan Yee and Sadia Mirza

On Aug. 20, 2018, the California Supreme Court issued its long-awaited order in Connor v. First Student Inc., finding the state’s Investigative Consumer Reporting Agencies Act, or ICRAA, was not unconstitutionally vague as applied to employer background checks, despite overlap with the Consumer Credit Reporting Agencies Act, or CCRAA.[1]

The Supreme Court resolved a conflict between two courts of appeal which had left many consumer reporting agencies, or CRAs, wondering whether the ICRAA applied even if they did not obtain the information from personal interviews — the definition of “investigative consumer report” used under the Fair Credit Reporting Act to impose additional requirements under 15 U.S.C. §1681l similar to those included in the ICRAA. With this decision, CRAs providing consumer reports for employment and tenant screening will need to carefully review their products to assure compliance with the ICRAA and the CCRAA.

View full article published on Law360.

 

Increases Attorney Diversity by Broadening Candidate Pool

ATLANTA, August 22 – Troutman Sanders LLP is one of 41 law firms that have earned Mansfield Certification from Diversity Lab, the national incubator for innovative ideas and solutions to boost diversity and inclusion in law.

Law firms earning Mansfield Certification met or exceeded goals for law firm diversity and inclusion by adopting and complying with the Mansfield Rule, which was inspired by the NFL’s Rooney Rule and named after Arabella Mansfield, the first woman admitted to the practice of law in the United States.

“We are proud to achieve Mansfield Certification,” said Steve Lewis, managing partner of Troutman Sanders. “Increasing the diversity of our workforce is a strategic priority for the firm, and our commitment to an inclusive environment at work is a core value that helps define us.”

Mansfield-certified firms made significant progress in diversifying, following adoption of the Mansfield Rule, specifically:

  • 40 percent of the firms increased representation of women and diverse lawyers in leadership and governance roles;
  • 33 percent increased the number of women and diverse senior associates hired;
  • 35 percent increased the number of women and diverse partners hired;
  • 38 percent increased the number of women and diverse lawyers promoted to partner.

About Troutman Sanders

With a diverse practice mix, workforce and footprint, Troutman Sanders has cultivated its reputation for a higher commitment to client care for over 120 years. Ideally positioned to help clients across sectors realize their business goals, the firm’s 650 attorneys transact for growth, resolve mission-threatening disputes and navigate complex legal and regulatory challenges. See troutman.com for more information.

On August 20, 2018, the Supreme Court of California issued its long-awaited order in Connor v. First Student, Inc. finding the state’s Investigative Consumer Reporting Agencies Act (“ICRAA”) was not unconstitutionally vague as applied to employer background checks, despite overlap with the Consumer Credit Reporting Agencies Act (“CCRAA”). See Connor v. First Student, Inc., No. S229428, – P.3d –, 2018 Cal. LEXIS 6266 (Cal. Aug. 20, 2018). The Supreme Court resolved a conflict between two courts of appeal which had left many consumer reporting agencies (“CRAs”) wondering whether the ICRAA applied even if they did not obtain the information from personal interviews – the definition of “investigative consumer report” used under the Fair Credit Reporting Act to impose additional requirements under 15 U.S.C. §1681l similar to those included in the ICRAA. With this decision, CRAs providing consumer reports for employment and tenant screening will need to carefully review their products to assure compliance with the ICRAA and the CCRAA.

Relevant Legislative and Procedural History

Under California law, consumer reports are classified under the CCRAA and/or the ICRAA, depending largely on the means used to collect the information contained in those “consumer reports.” The CCRAA has always been limited to consumer reports containing specific credit information, and it expressly excludes character information obtained through personal interviews. And, certain reports containing information gathered through personal interviews are subject to the ICRAA only. However, both statutes govern reports that contain information relating to character and creditworthiness, based on public information and personal interviews, that were used for employment background purposes. Further, both the ICRAA and CCRAA impose obligations on CRAs regarding disclosure to consumers when the agencies furnish reports and also limit when and to whom those reports may be furnished and how such information must be verified before it is reported. However, the specific obligations and limitations, and the remedies for violations of each act are different. The ICRAA, for instance, imposes stricter requirements and penalties than the CCRAA. Under the ICRAA, an investigative consumer reporting agency (or user of information) may be liable to the consumer who is the subject of the report if the agency (or user) fails to comply with any requirement under the ICRAA in an amount equal to $10,000 or actual damages sustained by the consumer, whichever is greater, plus the cost of the action and reasonable attorney’s fees.

In Connor, which has been pending since 2010, a class of current and former bus drivers alleged that the defendant employers and consumer reporting agencies violated the ICRAA when the employers obtained background checks on the drivers without providing them notice and without obtaining the drivers’ prior written authorization to obtain such reports as required by the ICRAA. The defendant employers moved for summary judgment claiming that the ICRAA is unconstitutionally vague because it overlaps with the CCRAA and fails to provide adequate notice to regulated entities as to whether the statute governs its conduct, and that, in any event, the employers’ notice satisfied the requirements of the CCRAA.

The trial court granted defendants’ motion, finding that consistent with state court precedent (see Ortiz discussed below), the ICRAA was unconstitutionally vague and impressibility overlaps with the CCRAA, such that a person of common intelligence cannot determine which statute governs its conduct.

The Court of Appeal in Connor reversed in 2015, finding that “[t]here is nothing in either the ICRAA or the CCRAA that precludes application of both acts to information that relates to both character and creditworthiness.” The Court of Appeal further stated that under California law, “[a]n agency that furnishes a report containing both creditworthiness information and character information, and the person who procures or causes that report to be made, can comply with each act without violating the other. And despite the overlap between the CCRAA and the ICRAA … there remain certain consumer reports that are governed exclusively by the ICRAA (those with character information obtained from personal information) because each act expressly excludes those specific reports governed by the other act.”

The Court of Appeal decision in Connor affirming the constitutionality of the ICRAA was itself contrary to a competing 2007 decision from the Court of Appeal in Ortiz v. Lyon Management Group, Inc., 157 Cal. App. 4th 604 (2007), which held that the ICRAA was unconstitutionally vague, as applied to tenant screening reports containing unlawful detainer information, as the court in Ortiz held that there was no “rational basis to determine whether unlawful detainer information constitutes creditworthiness information subject to the CCRAA or character information subject to the ICRAA.” Thus, given this split in authority, the issue was ripe for review by the Supreme Court of California.

The Supreme Court of California’s Decision

Before the Supreme Court of California, the defendant employers in Connor raised two principal contentions. First, defendants argued that the CCRAA and the ICRAA were initially intended to be exclusive of each other and that the ICRAA’s subsequent amendment in 1998 to expand its scope to include character information obtained under the CCRAA or “obtained through any means” was not intended to abolish that distinction. The Supreme Court rejected the argument, holding that while the legislature amended the ICRAA to expand its scope, it did not concurrently amend the CCRAA to limit its scope.

Thus, the Supreme Court found that potential employers could comply with both statutes without undermining the purpose of either. “In interpreting ICRAA and CCRAA, we agree with the Court of Appeal and find that potential employers can comply with both statutes without undermining the purpose of either . . . . If an employer seeks a consumer’s credit records exclusively, then the employer need only comply with CCRAA. An employer seeking other information that is obtained by any means must comply with ICRAA. In the event that any other information revealed in an ICRAA background check contains a subject’s credit information and the two statutes thus overlap, a regulated party is expected to know and follow the requirements of both statutes, even if that requires greater formality in obtaining a consumer’s credit records (e.g. seeking a subject’s written authorization to conduct a credit check if it appears possible that the information ultimately received may be covered by ICRAA).” In this manner, the Supreme Court held that the prior decision in Ortiz was “inconsistent with [its] own precedent governing the interpretation of overlapping statutes.”

The defendants in Connor also argued that if the legislature intended the ICRAA to apply to employment screening reports that previously were exclusively subject to the CCRAA, then it would have amended the CCRAA to conform to this understanding. However, the Supreme Court found that the limiting language of the CCRAA obviated the need to amend the statute in response to the changes it made to the ICRAA. Thus, the Supreme Court confirmed that the ICRAA is also applicable in the employment screening context, despite its overlap with the CCRAA. And, by overruling Ortiz, the Supreme Court likewise confirmed that the ICRAA is also applicable in the tenant screening context, and more generally when its threshold definitions are satisfied.

The Supreme Court ultimately held that: (1) because partial overlap between two statutes does not render one superfluous or unconstitutionally vague; (2), the ICRAA and CCRAA can coexist, as both acts are sufficiently clear; and (3) each act regulates that information that the other does not, which supports concurrent enforcement of both statutes.

Practical Impact of the Decision

As a practical matter, the Supreme Court’s decision removes the cloud of uncertainty regarding whether the ICRAA is enforceable against consumer reporting agencies preparing reports in California. Companies that fall under the purview of the ICRAA must comply with its provisions, regardless of whether the report also triggers the requirements of the CCRAA.

The ICRAA contains a number of distinct, technical requirements, that should be the subject of a compliance review after the decision in Connor. To use but one example, under the ICRAA, “public record” information (e.g., civil actions, tax liens, and outstanding judgments) cannot be included unless the background checking agency has verified the accuracy of the information during the 30-day period before the report is issued. That requirement counsels in favor of the implementation of procedures to address any delay of 30 days or more in receiving public records updates from the providers of such records.

The decision in Connor will also have indirect ramifications for other open questions regarding the preparation of consumer reports in California. For instance, the matter of Moran v. Screening Pros, LLC, No. 2:12-CV-05808-SVW, 2012 U.S. Dist. LEXIS 189350 (C.D. Cal. Nov. 20, 2012), is currently on appeal to the United States Court of Appeals for the Ninth Circuit. Moran, however, was stayed pending this decision in Connor. The Moran case concerned the issue of what dates must be used to calculate the temporal limitations on reporting of criminal records that do not result in a conviction under the federal Fair Credit Reporting Act. Presumably, that case will also now move forward to resolution.

Troutman Sanders LLP has a national and industry-leading practice counseling clients and defending them in litigation concerning consumer reporting issues under the Fair Credit Reporting Act and its state part counterparts, including under California state law. We will continue to monitor these developments.

On July 31, 2018, the Office of the Comptroller of the Currency (“OCC”) announced its intent to accept applications for special purpose national bank charters from eligible non-depository financial technology (“Fintech”) companies.[1] This announcement coincides with the release of a Treasury Department report supporting financial innovation and the regulation of nonbank financial entities.[2]  These announcements signal a significant shift in the current banking marketplace. On the one hand, the announcements are good news for Fintech disrupters, as it opens an avenue to reaching a nationwide market despite sometimes hostile state laws. On the other, for traditional banks, the announcements are a further harbinger, if any is needed, of the emerging new competition from Fintech.

The OCC’s Response to Technological Innovation in Banking

Over the past several years, Fintech has caused meaningful disruption in the financial services industry. Working with banks and non-bank businesses, Fintech companies have introduced new approaches to traditional banking products and services, and entirely new products and services, by leveraging technology, data, and connectivity. Typically, Fintech avoids the expense of extensive brick-and-mortar physical presence, while reaching broad markets, by using the internet to provide products and services.

The OCC has expanded special-purpose national bank charters (“SPNBCs”) to eligible Fintech companies to bring these companies within the U.S. bank regulatory system, which in turn will increase consumer protection, foster healthy competition, and encourage technological innovation in the banking industry. Also, by granting SPNBCs to Fintech companies, the OCC will expand its oversight of technology-based products and services that are reshaping the banking industry. In exchange, OCC-chartered Fintech companies will be able to conduct business throughout the U.S. under a uniform set of regulations and supervisory standards without the need to seek multi-state licensing or partner with insured depository institutions, while enjoying the significant benefits of federal preemption of many state laws under the National Bank Act.

Only Certain Fintech Companies May Qualify for the OCC’s Special Purpose National Bank Charter

Historically, a special-purpose national bank has been an entity “that engages in a limited range of banking or fiduciary activities, targets a limited customer base, incorporates nontraditional elements, or has a narrowly targeted business plan.”[3] The OCC has for many years issued SPNBCs for trust institutions and credit card banks with little to no fanfare. In the current context, the OCC will make SPNBCs available to those Fintech companies engaged in one of the two core banking functions of paying checks or lending money (including activities interpreted by the OCC as the equivalent thereto[4]), subject to the OCC’s approval of a charter application (discussed below). However, the OCC will not consider applications from Fintech companies involving proposals to engage in deposit-taking activities.[5]  Those Fintech companies must apply to the Federal Deposit Insurance Corporation (“FDIC”) for deposit insurance and seek a full-service bank charter.

The Benefits of the SPNBC

As with a national bank, a Fintech company that obtains a SPNBC will be subject to the corporate licensing, organization and structure provisions of the National Bank Act. In addition, the same statutes, regulations, examination and reporting metrics, and ongoing supervisory requirements applicable to national banks, such as legal lending limits, will apply to SPNBC Fintech companies.[6] Fintech companies that operate as special purpose national banks will also be subject to other federal statutory schemes such as the Bank Secrecy Act and federal anti-money laundering regulations, as well as prohibitions against unfair, deceptive or abusive acts or practices.[7] A Fintech company that obtains a SPNBC that engages in consumer lending will also continue to be subject to federal consumer lending laws, such as the Truth in Lending Act, the Equal Credit Opportunity Act, and the Fair Credit Reporting Act.

For a Fintech company that obtains a SPNBC, burdensome state-by-state licensing, regulatory and supervisory requirements – including state usury laws – will be preempted by the National Bank Act.[8] These companies will not need to be licensed under state law to engage in any activity permissible pursuant to the National Bank Act. However, a Fintech company that obtains a SPNBC should expect that some consumer protection and other state laws will continue to apply. Examples of state laws generally applicable to national banks include laws on anti-discrimination, fair lending, debt collection, and foreclosure.

The SPNBC Application Process

To obtain a SPNBC, a Fintech company must submit to the same de novo application review process as national banks, including an assessment of whether the Fintech company has a reasonable chance of success and will (i) be operated in a safe and sound manner, (ii) provide fair access to financial services, (iii) promote the fair treatment of customers, (iv) ensure compliance with applicable laws and regulations, and (v) foster healthy competition in the marketplace. [9]

The OCC’s approval of a Fintech company’s application to obtain a SPNBC will depend on the applicant:

    • presenting a comprehensive business plan that articulates why a SPNBC is being sought with significant detail about proposed activities; [10]
    • demonstrating the ability to meet minimum and ongoing capital and liquidity levels proportionate to the risk and complexity of the activities proposed in the business plan;[11]
    • committing to provide fair access to financial services and fair treatment of customers commensurate with the high standards imposed on traditional banks by the Community Reinvestment Act;[12] and
    • developing and committing to adhere to a contingency plan that includes various scenarios that could threaten the viability of the Fintech company.[13]

If approved for a SPNBC, the OCC will subject the recently chartered Fintech company to a scheduled supervisory cycle, including on-site examination and periodic off-site monitoring (as it would any de novo bank).[14] This means rigorous ongoing supervisory oversight to ensure that management and the board of directors are properly executing their business strategy and the Fintech company is meeting its performance and compliance goals.

Cost-Benefit Approach to the SPNBC

Whether a Fintech company should pursue a SPNBC from the OCC requires a tailored cost-benefit analysis. If the OCC processes Fintech applications for SPNBCs as rigorously as traditional de novo national bank charter applications, the SPNBC process could take several months from prefiling to approval. The OCC has stated that proposals from Fintech companies without an established business record will be subject to more scrutiny to evaluate the likelihood of long-term success.

Challenges from State Banking Regulators

In response to the OCC’s preliminary proposal regarding SPNBCs and Fintech issued in 2016, the New York Department of Financial Services and the Conference of State Bank Supervisors filed separate lawsuits challenging the OCC’s authority to issue SPNBCs to Fintech companies. Those suits were both dismissed on the basis that OCC had yet to issue any special purpose national bank charters. The OCC’s announcement of its intent to accept Fintech SPNBC applications paves the way for those parties to renew their opposition as soon as the first SPNBC is issued to a Fintech company, if not before.

Conclusion

The OCC’s decision to accept SPNBC applications from Fintech companies presents an opportunity for Fintech participants and the financial industry. Whether you are an established Fintech company or contemplating a new business, Troutman Sanders is ready to help you navigate the SPNBC process.


[1] OCC Press Release NR 2018-74 (July 31, 2018).

[2] U.S. Department of the Treasury, Press Release:  “Treasury Releases Report on Nonbank Financials, Fintech, and Innovation” (July 31, 2018).

[3] OCC Licensing Manual Suppl., Considering Charter Applications from Financial Technology Companies, p. 2 (July 2018).

[4] The OCC has indicated that it views “facilitating payments electronically” as the “modern equivalent of paying checks” and that the scope of qualifying activities would be determined on a case-by-case basis. See OCC White Paper, Exploring Special Purpose National Bank Charters, p. 4 (Dec. 2016).

[5] Id.

[6] Id. at 2 n.4 (internal citations omitted).

[7] Such prohibitions will continue to apply as required either by Section 5 of the Federal Trade Commission Act or Section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

[8] See generally Barnett Bank of Marion County v. Fla. Ins. Comm’r, et al., 517 U.S. 25 (1996) (federal law preempts state financial laws that prevent or significantly interfere with exercise of powers by national bank).

[9] OCC Licensing Manual Suppl. at 5.

[10] Id. at 6-8. See also 12 C.F.R. § 5.20(h) (detailing specific items to be addressed in business plans).

[11] Id. at 8-10. This may include an OCC-specified minimum capital level – and, if applicable, a commitment from the applicant’s parent company.

[12] Id. at 10. See also OCC Policy Statement on Financial Technology Companies’ Eligibility to Apply for National Bank Charters, p. 3 (July 31, 2018).

[13] The contingency plan must outline strategies for restoring the Fintech company’s financial strength and options for selling, merging, or liquidating the entity if the recovery strategies are ineffective. See OCC Licensing Manual Suppl. at 10.

[14] Id. at 13.

Two Troutman Sanders LLP attorneys discuss the Concepcion ruling, examining the historical landscape of arbitration, the law prior to the ruling, and what courts have done since.

When the Supreme Court (Court) handed down its opinions in AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011), the majority’s holding engendered breathless (at least in legal terms) headlines. Clearly, as arbitration’s opponents and proponents concurred, five jurists, led by Justice Antonin Scalia, had consigned bans on class-action arbitration waivers into oblivion in the hallowed name of the Federal Arbitration Act (FAA), 9 U.S.C. §§1–16.

Possibly due to the legal establishment’s quick recognition of its utility and peril, however, feverish debate over this holding’s validity and advisability beclouded the lead opinion’s subtle affirmation of older filaments of legal thought and endorsement of a new analytical approach to the FAA’s so-called “Savings Clause.”

Time’s passage has changed little, this initial ignorance ossifying instead. As a result, in opinion after opinion issued over the past eight years, these gravid assertions have rarely featured, and defects traceable to their inexplicable omission and damaging to their precedential value now plague much of arbitration law’s post-Concepcion jurisprudence. To discern these latent possibilities and buried flaws, one must return to, and pull back the curtain on, this most controversial matter.

View full article published on Bloomberg Law

Last night, California legislators passed Assembly Bill 375 (commonly known as the “California Consumer Privacy Act”) that would grant Californians “increased control” over their data. The new Act will have substantial effects on any business that has appreciable interactions with California, in how they store, share, disclose, and engage with consumer data.  The Act will be effective as of January 1, 2020.

To comply with the new Act, businesses will need to create internal processes to properly and timely respond to consumer requests for information, requests for deletion, and requests to opt out of having their information sold. Businesses will also need to update their privacy policies and websites to provide the more stringent disclosures and methods for consumers to exercise their newly acquired rights. Vendor management and controls will also need to be updated to ensure compliance with the limitations provided for in the Act. Businesses heavily reliant upon analyzing data will need to heighten technological capabilities to ensure that personal information is de-identified

For technology companies, this Act may create additional obstacles to innovation that leverage economies of scale across different organizations either through shared platforms or technologies.  Consider companies that have created tools to permit other companies to release consumer-facing mobile applications through various APIs and SDKs. While stakeholders often start with a common set of technologies, each partner may ultimately use the tools in their own unique way.  Consumers may argue that the web of privacy policies may ultimately need to be reconciled amongst the stakeholders because the ecosystem is presented to all consumers as one comprehensive application.

Practically, all parties involved in an ecosystem will likely be affected by the conduct of the others, which is a shift from the traditional American digital paradigms. However, the basic tenets are familiar to those of us who have worked with the Fair Credit Reporting Act and other statutory schemes that build off of the Fair Information Privacy Principles.  Partners and vendors will need to be carefully vetted prior to engagement by business teams and legal counsel. Each involved party will need to understand the data that the others are collecting, sharing, and selling, and obtain representations and warranties in their agreements to protect itself from a consumer class action or regulatory enforcement. Additionally, many contractual provisions such as licensing of data and indemnity will become greater points of contention in business-to-business deals and should be carefully discussed and reviewed with legal counsel.

Below is our summary and analysis of the Act:

What is “Personal Information”? Effectively adds the following categories of information:

  • Records of personal property, products, or services, and “consuming histories or tendencies”;
  • Biometric data;
  • Clickstream and “other electronic network activity information”;
  • Geolocation data;
  • Consumer sensory information;
  • Professional or employment-related information;
  • Educational information not publicly available;
  • “Inferences drawn” from personal information.

Does not include “public information” and “de-identified information.” But public information does NOT include: (1) information that is used in a way not compatible with its original purpose, or (2) de-identified or aggregate information.

When Is Personal Information “De-Identified”? Personal information is not considered “de-identified” unless the business (1) undertakes technical and business processes to prevent re-identification, (2) has processes to prevent inadvertent release of de-identified information, and (3) makes no attempt to re-identify the information
Consent and Proportionality Adds the concept of proportionality (i.e., “reasonably necessary”) to the definition of “business purpose,” which must have been permitted.
What Is “Selling” of Personal Information? “Selling” personal information includes “releasing, disclosing, disseminating, making available” for “valuable consideration.” Does not include third party processors who receive that information for only processing.
Consumers’ Right to Request

Collectors – (1) Consumers have right to request categories of information collected, (2) from whom it was collected, (3) the specific business purposes for which it was collected, and (4) with whom it is shared.

Sellers – (1) Consumers have right to request categories of information sold, and (2) to whom it was sold. “Sellers” appear to be also “collectors.”

Both may require a verifiable request. Certain exceptions to the above apply for truly “one time” uses.

Consumers’ Right to Delete Records Businesses that receive verifiable requests from consumers to delete their personal information, must delete, and direct any service providers to delete, such information. Compliance is not required if it is necessary for the business or service provider to maintain the personal information (such as for legal, security, or transactional needs).
Response In a “Readily [Machine] Useable Format” Disclose and deliver required information to consumer within 45 days in writing and delivered through consumer’s account, or by mail or electronically at consumer’s option if consumer does not maintain account, “in a readily useable format that allows consumer to transmit this information from one entity to another entity without hindrance.”
Forms of Disclosure Contains express form requirements for disclosures, including for opt-out notices and online webforms and links.
Consumers’ “Right to Say No,” And Opt-Outs & Opt-Ins

Consumers have a right to say no to the sale of their information at any time. Collectors have to provide an opt-out notice first before consumer information may be shared. Sellers have to obtain an “explicit notice” before they can sell information.

Minors under 16-years of age must “opt-in.”

Seller must provide clear and conspicuous link on homepage to allow consumer to opt out of sale of personal information.

Clearer exceptions for: (1) completion of the business purpose with the consumer, (2) security and debugging purposes, and (3) comply with a legal purpose.

Requirement of Privacy Statement

A privacy statement that describes:

(1) a description of consumers’ rights and the methods of submitting requests;
(2) a list of categories of information collected;
(3) a list of categories of information disclosed;
(4) a list of categories of information sold.

Discriminatory Use of Personal Information Prohibited

Requirement that business not discriminate against consumers for exercising their rights under the title, including by:

(1) Denying goods or services;
(2) Charging different prices or imposing penalties;
(3) Providing a different quality of service;
(4) Suggesting the above;

…unless the above is related to differences resulting from “the value provided to the consumer by the consumer’s data.”

Business may offer financial incentives to consumers, however, to obtain their personal information. But the practices for this entire subsection may not be “unjust, unreasonable, coercive, or usurious.”

Exceptions Exceptions:
(1) to comply with federal, state, or local laws;
(2) cooperate with law enforcement;
(3) all activities take place outside of California;
(4) HIPAA exception;
(5) FCRA exception, for generation of a consumer report;
(6) GLBA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(7) DPPA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(8) Small businesses not covered by the definition of “business.”
Enforcement

Enforcement:

(1) Private right of action by consumers for between $100-$750 per violation in statutory or actual damages, after 30-notice to cure, if it can be cured.   Consumer will then notify state AG, if any, whose action will terminate consumer action.
(2) State AG enforcement available for stiffer penalties (up to $7,500 per violation).   Also gives prescriptive authority to AG.

 

On Monday, May 14, 2018, the Federal Communications Commission (“FCC”) issued a public notice seeking comment on interpretation of the Telephone Consumer Protection Act (“TCPA”) in light of the D.C. Circuit’s decision in ACA International v. FCC. The notice reflects an intent by the FCC to take up the proper interpretation of the TCPA promptly. Specifically, the FCC seeks comment on key areas of the TCPA, including:

  • How to interpret “capacity” in light of the D.C. Circuit’s decision in ACA, including the amount of user effort required to enable a device to function as an automatic telephone dialing system (“ATDS”);
  • The functions a device must be able to perform to qualify as an ATDS, including whether the word “automatic” envisions only non-manual dialing of telephone numbers;
  • How to treat reassigned wireless numbers and how to interpret the term “called party” for reassigned numbers, including whether the term refers to the person the caller expected to reach, the party the caller reasonably expected to reach, or the person actually reached;
  • Revocation of prior consent, including particular opt-out methods that would suffice to revoke consent;
  • The scope of the term “person” under the statute, and whether it includes federal government contractors; and
  • The appropriate limit for calls made to a reassigned number.

The initial comment period closes on June 13, 2018 and the reply comment period closes on June 28, 2018, meaning that the issues would be ripe for decision by the FCC in short order.

The ACA decision was immediately hailed by current FCC Chairman Ajit Pai, who said in a statement that the “unanimous D.C. Circuit decision addresses yet another example of the prior FCC’s disregard for the law and regulatory overreach. As the court explains, the agency’s 2015 ruling placed every American consumer with a smartphone at substantial risk of violating federal law. That’s why I dissented from the FCC’s misguided decision and am pleased that the D.C. Circuit too has rejected it.” Commissioners O’Rielly and Carr similarly praised the decision, giving Chairman Pai the necessary majority to effect major change in the TCPA landscape.

The call for comments also follows on the heels of a petition filed with the FCC by the U.S. Chamber of Commerce and 17 trade groups. The petition focused solely on the definition of an ATDS. Like the FCC’s request for comment, the petition tracks the language of the D.C. Circuit’s decision in ACA, where it struck down major portions of the FCC’s previous expansive interpretations of the TCPA, including its definition of an ATDS. While the FCC has taken the position for 15 years that a predictive dialer is an ATDS, the D.C. Circuit found that the 2015 Order and its predecessors do not give a clear answer as to whether a device qualifies as an ATDS only if it can generate random or sequential numbers for dialing. The U.S. Chamber petition urges the FCC to confirm that equipment must use a random or sequential number generator to store or produce numbers and dial those numbers without human intervention to qualify as an ATDS and to find that only calls made using actual ATDS capabilities are subject to the TCPA. Calling the ACA decision “an opportunity to restore rationality to . . . the TCPA,” the groups ask the Commission to issue a declaratory ruling as soon as possible to clarify the ATDS definition.

In sum, the groundwork is being laid at the FCC for a major change in interpretation of the TCPA, and the changes under consideration would substantially reduce the legal risks for companies using telephony to contact consumers.

Troutman Sanders LLP has unique industry-leading expertise with the TCPA, with experience gained trying TCPA cases to verdict and advising Fortune 500 companies regarding their compliance strategy. We will continue to monitor legislative developments and regulatory implementation of the TCPA in order to identify and advise on potential risks.

The District of Nevada recently applied the D.C. Circuit’s decision in ACA International v. FCC and granted summary judgment in favor of the defendant on plaintiff’s Telephone Consumer Protection Act claim.  Specifically, the Court held in Marshall v. The CBE Group, Inc. that CBE’s phone system does not qualify as an automatic telephone dialing system, commonly referred to as an “ATDS.”

Plaintiff Gretta Marshall filed suit against CBE, a third-party debt collector, alleging that it violated the TCPA and the Fair Debt Collection Practices Act through its collection efforts related to her outstanding bill.  Marshall alleged that CBE’s agents used an ATDS to contact her in violation of the TCPA.  CBE places calls using a Manual Clicker Application (“MCA”), requiring the call agent to click a bullseye on a computer screen to place a call.  When a CBE agent clicks the bullseye, a call is sent through a cloud-based connectivity pass-through, LiveVox, and then the CBE agent is connected with the person to whom the call is placed.

In analyzing CBE’s “communication infrastructure,” the Court stated that in light of the ACA v. FCC decision, it would apply the statutory language defining an ATDS, resulting in a focus on whether CBE’s phone equipment has the capacity to produce or store phone numbers to be called using a random or sequential number generator.  The Court noted that the overwhelming authority held that “point and click” dialing systems, used in unison with cloud-based pass-through services, did not qualify as ATDSs due to the human intervention required to place the call.  Applying this rationale, the Court found that CBE agents who were required to click the bullseye were “integral to initiating outbound calls.”  This finding weighed in favor of finding that the MCA, used with LiveVox, was not an ATDS.

Further, the Court dismissed Marshall’s allegations that LiveVox, the cloud-based pass-through, placed the calls and qualified as an ATDS.  Marshall argued that because LiveVox could perform call progress analysis (such as maintaining call logs), it actually initiated the call, not CBE.  Ultimately, the Court found that Marshall had not presented any evidence or legal authority sufficient to create a genuine dispute of material fact as to LiveVox’s alleged qualification as an ATDS.  Specifically, Marshall did not show that LiveVox’s ability to track calling information meant that LiveVox has the capacity to produce or store telephone numbers to be called, using a random or sequential number generator, and to dial the numbers.

Given the human intervention necessary to place calls using MCA and Marshall’s failure to create a genuine dispute of material fact regarding LiveVox’s role, the Court held that CBE did not use an ATDS to place calls to Marshall.

The District of Nevada is one of the first courts to apply the decision from ACA International v. FCC when interpreting the definition of an ATDS.  The decision in Marshall v. CBE indicates that courts will be able to simplify their analysis of whether a telephone system qualifies as an ATDS under the TCPA by eliminating the need to determine “potential functionalities” of a calling system and instead focusing on the calling systems’ “capacity to store or produce telephone numbers to be called, using a random or sequential number generator.”