To help you keep abreast of relevant activities, below find a breakdown of some of the biggest events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities:

  • On September 23, the Federal Reserve Board invited comment on operational risk-management requirement updates for certain systemically important financial market utilities (FMUs) supervised by the Fed. FMUs provide essential infrastructure to clear and settle payments and other financial transactions relied upon by financial markets and the broader economy to function effectively. The proposed updates generally provide more specificity to the existing requirements. For more information, click here.
  • On September 22, the Consumer Financial Protection Bureau (CFPB) announced its request for public input on ways to spur new mortgage products that help households. The CFPB invites insights on ways to improve mortgage refinances for homeowners who would benefit from refinancing, especially for borrowers with smaller loan balances. The CFPB also seeks public input on ways to support automatic short- and long-term loss mitigation assistance for homeowners experiencing financial disruptions. The CFPB plans to use this information as it considers steps to support household financial stability and address refinance market gaps. For more information, click here.
  • On September 22, the Commodity Futures Trading Commission (CFTC) entered an order, simultaneously filing and settling charges against Ooki DAO and its co-founders Tom Bean and Kyle Kistner. The order states that the bZx protocol, the predecessor of Ooki DAO, violated the Commodity Exchange Act (CEA) by failing to register as a futures commission merchant prior to enabling users of the bZx protocol to engage in margin and leverage trading. Notably, the order specifically stated that “[v]irtual currencies such as ETH, DAI, and others” traded on the bZx protocol constitute “commodities” under the CEA. Additionally, the order held that Ooki DAO is an unincorporated association, and as a result, the co-founders are personally liable for CEA violations committed by Ooki DAO. In July 2020, alleged members of Ooki DAO brought a class-action lawsuit against the DAO in a California federal court, which we discussed in depth here. For more information about the CFTC’s recent settlement with Ooki DAO, click here.
  • On September 22, the Department of Justice and the Internal Revenue Service announced that a federal judge granted their request for an order, authorizing the IRS to issue a John Doe summons requiring M.Y. Safra Bank to produce information about U.S. taxpayers who may have failed to report to the IRS, and pay taxes on, cryptocurrency transactions. For more information, click here.
  • On September 20, an identified party hacked DeFi liquidity provider Wintermute and absconded with $160 million worth of cryptocurrency. For more information, click here.
  • On September 19, the CFPB released its annual report on residential mortgage lending activity and trends for 2021, based on data from thousands of the nation’s lending institutions per the Home Mortgage Disclosure Act. The report shows a shift from refinance loans in 2020 to home purchase loans in 2021, with a greater share of home purchase loans going to Asian, Black, and Hispanic white borrowers relative to the share of home purchase loans for non-Hispanic white borrowers. The top 25 closed-end lenders by loan volume held nearly half of the market share of residential mortgage lending — a trend that has risen each year since 2018. For more information, click here.
  • On September 19, the Securities and Exchange Commission (SEC) issued a cease-and-desist order against Sparkster Ltd. and Sparkster CEO Sajjad Daya for the unregistered offer and sale of crypto-asset securities from April 2018 through July 2018 and charged crypto influencer Ian Balina for failing to disclose compensation he received after reselling Sparkster tokens. For more information, click here.
  • On September 19, Representatives Peter Welch (D-VT) and Lance Gooden (R-TX) introduced the House companion of the Credit Card Competition Act of 2022 (CCCA), which Senators Dick Durbin (D-IL) and Roger Marshall (R-KS) introduced in late July 2022. The bill intends to expand interchange price controls by creating a new credit card routing mandate. For more information, click here.
  • On September 14, while addressing testimony presented by SEC Commissioner Gary Gensler, U.S. Senate Banking Committee Ranking Member Pat Toomey (R-PA) clearly expressed his frustration toward the SEC’s lack of helpful public guidance concerning the distinction between cryptocurrencies that constitute securities and cryptocurrencies that do not. For more information, click here.

State Activities:

  • On September 20, Colorado Governor Jared Polis (D) announced that Colorado residents may now pay state taxes with cryptocurrencies using PayPal. For more information, click here.
  • On September 15, California Governor Gavin Newsom signed into law Assembly Bill 1904, which amends the California Consumer Legal Remedies Act to make it unlawful for “covered persons” to fail to include certain information in a solicitation to a consumer for a financial product or service. The amendment supplements already-existing consumer protection laws, targeting the unlawful, unfair, deceptive, or abusive acts or practices related to consumer financial products or services, as well as unfair competition and deceptive acts pertaining to the sale or lease of goods or services to a consumer. As an example, the amendment would require a “covered person” to disclose that a solicitation is an “advertisement” and does not require payment or other action by the consumer. For more information, click here.
  • On September 15, New York Governor Kathy Hochul signed legislation to expand the reach of the federal Public Service Loan Forgiveness (PSLF) program statewide. PSLF incentivizes public service work by forgiving a portion of borrowers’ federal student loan debt. Hochul noted that “this legislation acknowledges the significant contributions of our public servants, first responders, educators, and more, by helping unlock federal loan forgiveness for countless members of New York’s workforce.” An estimated 2.7 million people currently serve New York’s public or nonprofit sectors. For more information, click here.
  • On September 14, the New York Department of Financial Services issued notice of proposed rules, pertaining to the state’s Commercial Finance Disclosure Law (CFDL). The CFDL requires certain providers of commercial financing to provide prescribed disclosures when extending a financing offer to a potential recipient. Among some of the issues addressed by the proposed regulations are the disclosure of annual percentage rate, a formula for determining when an annual percentage rate disclosure is accurate, and formatting and content requirements for various disclosures. Though the rules’ reception varied, many commenters acknowledged the rules as necessary to implement the CFDL. The public have until October 31 to provide further feedback on the proposed rule. For more information, click here.
  • On September 13, California Governor Gavin Newsom signed Assembly Bill 2311, which, among other things, would prevent a seller from conditioning the extension of credit, term of credit, or terms of a conditional sale contract for purchase of an automobile on the consumer’s purchase of a guaranteed asset protection (GAP) waiver. Additionally, the bill would prevent a GAP waiver sale where the loan-to-value ratio of the vehicle purchase exceeds the maximum loan-to-value ratio of the waiver, unless the GAP waiver discloses and the consumer is informed of the limitation. Furthermore, the bill would require that the GAP waiver include a statement, advising the consumer of the right to a refund of any unearned portion of the waiver on a pro-rata basis. For more information, click here.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities:

  • On September 16, the White House released a statement, addressing the nine reports on digital assets it received from federal agencies aligning with President Biden’s executive order (EO) on “Ensuring Responsible Development of Digital Assets,” as well as how those reports advance certain priorities in the EO: consumer and investor protection; promoting financial stability; countering illicit finance; U.S. leadership in the global financial system and economic competitiveness; financial inclusion; and responsible innovation. For more information, click here.
  • On September 16, U.S. Secretary for the Treasury Janet Yellen issued a statement after the Treasury Department published three reports under Sections 4, 5, and 7 of President Biden’s Executive Order 14067 on “Ensuring Responsible Development of Digital Assets.” The reports address the future of money and payment systems, consumer and investor protection, and illicit finance risks. For more information, click here.
  • On September 16, the U.S. Department of Justice (DOJ) released its report under President Biden’s March 9 EO on “Ensuring Responsible Development of Digital Assets: The Role of Law Enforcement in Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets,” announcing its formation of the Digital Assets Coordinators Network, whose core function will be to provide the DOJ technical expertise as it continues to grapple with novel challenges presented by the digital asset environment. For more information, click here.
  • On September 15, the Consumer Financial Protection Bureau (CFPB) published a report — “Buy Now, Pay Later: Market trends and consumer impacts” — offering key insights on the buy now, pay later industry. The report finds that the industry grew rapidly during the pandemic, but borrowers may receive uneven disclosures and protections. The five firms surveyed in the report originated 180 million loans, totaling over $24 billion in 2021 — a near ten-fold increase from 2019. For more information, click here.
  • On September 15, the Federal Trade Commission (FTC) released a report, showing how companies increasingly use sophisticated design practices known as “dark patterns” that can trick or manipulate consumers into buying products or services or giving up their privacy. The dark pattern tactics detailed in the report include disguising ads to look like independent content, making it difficult for consumers to cancel subscriptions or charges, burying key terms or junk fees, and tricking consumers into sharing their data. The report highlighted the FTC’s efforts to combat the use of dark patterns in the marketplace and reiterated the agency’s commitment to take action against tactics designed to trick and trap consumers. For more information, click here.
  • On September 15, while testifying before the Senate Banking Committee, Securities and Exchange Commissioner Gary Gensler stated that although the vast majority of cryptocurrencies on the market are securities, he recognized that it may be appropriate to be flexible in applying existing disclosure requirements to cryptocurrencies that register as securities. For more information, click here.
  • On September 14, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned 10 individuals and two entities for their roles in conducting malicious cyberattacks, including ransomware activity. OFAC’s action continues a recent series of OFAC designations intended to protect U.S. citizens from “ransomware activity, facilitators of ransomware activity, and other cybercrime.” OFAC actions taken included the addition of seven crypto public keys, which were added to the SDN List. For more information, click here.
  • On September 13, a consortium of broker-dealers and venture capital firms announced the launch of EDX Markets, a first-of-its-kind crypto exchange that would enable investors to buy and sell digital assets through their existing broker dealer, rather than directly through a crypto-native exchange. For more information, click here.
  • On September 15, OFAC issued a press release, indicating it had designated 22 individuals and two entities as entities that “have furthered the Government of the Russian Federation’s (GoR) objectives in Ukraine” in an effort to target Russian efforts to find new ways to process payments and conduct transactions. OFAC also published frequently asked questions to provide additional guidance on the heightened risk of facilitating Russia’s efforts to evade sanctions through the expanded use of the National Payment Card System or the Mir National Payment System, given the broad sanctions imposed on Russia’s financial system this year. According to Secretary of the Treasury Janet Yellen, the designations will “further degrade Russia’s ability to rebuild its military, hold perpetrators of violence accountable, and further financially isolate Putin.” For more information, click here.
  • On September 14, the Securities and Exchange Commission (SEC) charged an unregistered crypto assets broker, its owner, and two salespeople with fraud and with conducting an unregistered offering. According to the press release, the charged entities “acted as unregistered broker-dealers and conducted an unregistered offering of BXY tokens, illegally raising at least $1.5 million in proceeds from approximately 100 individuals, many of whom had no experience investing in crypto assets.” The SEC alleged “investors never received their BXY tokens, and all those who invested paid an undisclosed markup on their BXY tokens.” For more information, click here.
  • On September 13, the U.S. Department of Treasury’s OFAC issued additional guidance, addressing the questions of persons affected by its recent sanctioning of crypto mixer, Tornado Cash. Among other things, OFAC asserted that investors who began “mixing” transactions on Tornado Cash, without completing such transactions prior to the effective date of the OFAC blacklist (August 8, 2022), may request and obtain a specific license from OFAC to withdraw or engage in other transactions involving the cryptocurrency that the person deposited on Tornado Cash. For more information, click here.

State Activities:

  • On September 13, Massachusetts Attorney General Maura Healey applauded the FTC for its new proposed rule on consumer protections in car sales. Healey co-led the drafting of a multistate letter by 18 attorneys general, urging the FTC to improve its proposed Motor Vehicle Dealers Trade Regulation Rule to encourage more transparency in vehicle sales, financing, and leasing. Complaints on auto issues continue to rank among the highest in Healey’s office, and this action attempts to curtail some of those complaints. For more information, click here.
  • On September 12, the New York State Bar Association announced the launch of its Emerging Digital Finance and Currency Task Force, geared toward researching how digital assets should be regulated within New York, as well as the legal issues digital assets may present to attorneys during their representation of clients. For more information, click here.

The Federal Trade Commission (FTC) recently released a Bringing Dark Patterns to Light report, detailing the rise in sophisticated “dark patterns” that the FTC asserts are designed to trick and trap consumers. As the FTC’s latest effort on the subject, the report follows an April 2021 workshop that featured a variety of speakers, including consumer advocates, congressional members, researchers, legal experts, and other industry professionals, and explored whether user interfaces can effectively obscure, subvert, or impair consumer autonomy and decision-making. Then in June, as we posted here, the FTC published a request for information on topics, including “the increased use of dark patterns, manipulative user interface design, and other forms of digital deception that pose unique risks to consumers online and in the mobile space.” Some of the issues addressed as “dark patterns” also are subject to other regulatory initiatives, such as the FTC’s proposed Motor Vehicle Trade Regulation Rule, which focuses on price advertising (discussed here) and a broader “war on fees” pursued by multiple regulators.

The new report found dark patterns used in a variety of industries, including e-commerce, cookie consent banners, children’s apps, and subscription sales. According to the FTC, four such patterns include:

1. FTC Says Design Elements Can Induce False Beliefs

  • A company may make an outright false claim or employ design elements that create a misleading impression to spur consumers into making a purchase they would not otherwise make.
  • Examples include advertisements deceptively formatted to look like independent, editorial content; purportedly neutral comparison-shopping sites that actually rank companies based on compensation; and countdown timers designed to make consumers believe they only have a limited time to purchase a product or service when the offer is not actually time limited.

2. FTC Says Design Elements Can Hide or Delay Disclosure of Material Information

  • Examples include burying key limitations in dense terms of service documents that consumers don’t see before purchase; tricking people into paying hidden fees; and “drip pricing” where companies advertise only part of a product’s total price to lure in consumers, while failing to mention other mandatory charges until late in the buying process.

3. FTC Says Design Elements Can Lead to Unauthorized Charges

  • Another common dark pattern involves tricking consumers into paying for goods or services they did not intend to buy, regardless of whether the transaction involves single or recurring charges.
  • Examples include offering a free trial period that automatically converts into a recurring subscription charge if consumers fail to cancel; making it hard for consumers to cancel subscription services, resulting in ongoing recurring charges; and children’s games that rack up real charges for the account holder.

4. FTC Says Design Elements Can Obscure Privacy Choices

  • This pattern often presents itself as giving consumers choices about privacy settings or sharing data, but it is designed to intentionally steer consumers toward the option that gives away the most personal information.
  • An example of this tactic includes when a company presents consumers with the option of whether to allow the company to set a cookie where the company’s preferred choice is highlighted, while greying out the disfavored option.

The report highlights multiple enforcement actions under each of these dark pattern categories and concludes with a stern warning that “[f]irms that nonetheless employ dark patterns, take notice: where these practices violate the FTC Act, ROSCA, the TSR, TILA, CAN-SPAM, COPPA, ECOA, or other statutes and regulations enforced by the FTC, we will continue to take action.”

After analyzing public feedback, as well as information gathered from the five providers of Buy Now, Pay Later (BNPL) products, the Consumer Financial Protection Bureau (CFPB) issued a report, making it clear that the CFPB plans to increase regulation of the BNPL industry.

A form of credit that allows a consumer to split a retail transaction into smaller, interest-free installments and repay over time, the typical BNPL structure divides a $50 to $1,000 purchase into four equal installments. While BNPL credit is interest free, providers make money by charging fees to both sellers and consumers who don’t pay on time. Launched in the mid-2010s as an alternative form of short-term credit for online retail purchases, BNPL loan usage increased ten-fold during the pandemic.

Among other takeaways from the report, the CFPB found:

  • The financial and operational benefits of the interest-free, accessible at your fingertips product over legacy credit products are real and sizeable. According to the CFPB, however, those same benefits may lead to two forms of borrower overextension: loan stacking (the risk of overconsumption from BNPL usage at multiple concurrent lenders) and sustained usage (the risk of long-term BNPL usage causing stress on borrowers’ ability to meet other, non-BNPL financial obligations).
  • Consumer reporting companies have been slow to develop credit reporting protocols with respect to BNPL. Mortgage and auto lenders have raised concerns that the growth of BNPL with no associated credit reporting makes it more challenging to know whether a borrower can afford a mortgage or auto loan.
  • Credit performance is deteriorating on BNPL loans. In 2020, 2.9% of borrowers “charged off” a BNPL loan, while that number jumped to 3.8% in 2021. Public filings show this upward trend continuing through the first half of 2022.
  • BNPL lenders often collect a consumer’s data, as well as deploy models, product features, and marketing campaigns based on that data, to increase the likelihood of incremental sales. The CFPB claims that in addition to the general data harvesting risks, BNPL lenders’ use of consumer data for revenue-generating purposes can potentially increase overextension risks by engendering repeat usage.

Director Chopra also released prepared remarks on the report, acknowledging both the advantages and disadvantages of this new product. “Since taking office, I have directed our staff to identify ways to invite more competition into markets for consumer financial products and services. Buy Now, Pay Later firms are challenging existing players and offering new options to retailers and borrowers.” Director Chopra noted, however, that “[m]any Buy Now, Pay Later lenders are not offering the same clear set of dispute protections that credit card issuers have long been required to offer, which is creating chaos for some consumers when they return their merchandise or encounter other difficulties. Many Buy Now, Pay Later lenders do not offer clear and comparable disclosures of the terms of the loan like other lenders.”

The report and prepared remarks state actions the CFPB intends to take as a follow-up to the report. These include:

  • Identifying potential interpretive guidance or rules to issue to ensure that BNPL firms adhere to many of the baseline protections that Congress has already established for credit cards.
  • Identifying data surveillance practices that may need to be curtailed — specifically, examining some of the types of demographic, transactional, and behavioral data collected for uses outside of the lending transaction, including for the purpose of sponsored ad placements, sharing with merchants, and developing user-specific discounting practices.
  • Identifying options for appropriate and accurate credit reporting on these products.
  • Ensuring that BNPL companies are subjected to appropriate supervisory examinations, just like credit card companies.
  • Ensuring that the CFPB and the Federal Reserve System methodology used to estimate household debt burden reflects the reality of today’s market.

Director Chopra’s statement noted that “the report prepared by the CFPB staff does not seek to determine whether the rise of the Buy Now, Pay Later market is a positive or negative development. I believe that Buy Now, Pay Later can grow and serve consumers well if we can collectively address some of the gaps I’ve just outlined. If Buy Now, Pay Later lenders incorporate the protections and protocols that we observe in other financial products, this would go a long way to ensure that there is healthy competition where consumers have a baseline level of protections.”

The CFPB’s report denotes the latest action taken to rein in the burgeoning BNPL industry. As we posted here, here, and here, in November 2021, the House Financial Services Committee’s Task Force on Financial Technology held a “Buy Now, Pay More Later? Investigating Risks and Benefits of BNPL and Other Emerging Fintech Cash Flow Products” hearing. For the hearing, the task force invited both consumer advocates and industry tradespeople to address concerns that these products are designed in such a way that the disclosure requirements under the Truth in Lending Act and other credit laws may not apply. Next, in December 2021, the CFPB ordered five BNPL companies to answer a series of questions about the products. In January 2022, the CFPB then issued a notice and request for comment related to the products. In response, the Consumer Bankers Association sent a letter to the CFPB in March 2022, encouraging regulation of the industry.

According to Director Chopra, “As BNPL products continue to grow in popularity and the industry continues to add products and services to meet consumer need, a measured approach to regulation will be necessary to preserve market options and to protect consumers’ interests.”

On July 29, New York State’s Department of Financial Services (NYDFS) released draft amendments (Draft Amendments) to its Part 500 Cybersecurity Regulation for financial service companies that, among other things: (1) contain significant changes regarding ransomware; (2) propose a new class comprising larger entities, which will be subject to increased obligations for their cybersecurity programs; (3) require enhancements to governance policies and procedures; (4) announce new restrictions on privileged accounts; and (5) clarify its enforcement authority.

Highlights of the Draft Amendments include:

  • Ransomware:
    • Each covered entity would be required to notify the NYDFS superintendent electronically no later than 72 hours after a cybersecurity event that resulted in the deployment of ransomware within a material part of the covered entity’s information system.
      • Currently, the 72-hour notice would only be required if the ransomware required notice to another governmental entity or if there was a reasonable likelihood of it harming a material part of the company’s normal operations.
    • In the event an extortion payment is made in connection with a cybersecurity event, the covered entity would be required to notify the superintendent electronically within 24 hours of payment and provide a written description of why the payment was necessary, what alternatives were considered, and all compliance due diligence performed within 30 days of payment.
  • Class A Companies:
    • The Draft Amendments create a new category of “Class A” companies, which are covered entities with over 2,000 employees or over $1 billion in gross annual revenue averaged over the past three fiscal years from all business operations of the company and its affiliates.
    • Class A companies would be subject to additional cybersecurity requirements, including:
      • Conducting annual audits of their cybersecurity program;
      • Engaging external experts to conduct a risk assessment at least once every three years;
      • Conducting systematic scans or review of information systems at least weekly, with the requirement that any material gaps found during testing be documented and reported to the board and senior management;
      • Implementing password vaulting solutions for privileged accounts with an automated method of blocking commonly used passwords; and
      • Monitoring anomalous activity with a solution that centralizes logging and security event alerting.
  • Governance Requirements:
    • The chief information security officer (CISO) would be required to have adequate independence and authority to ensure cyber risks are properly managed;
    • The CISO will be required to provide annual reporting to the board on plans for remediating inadequacies, as well as timely reporting on material cybersecurity issues or events;
    • The board will be required to have sufficient expertise and knowledge (or be advised by persons with such expertise) to exercise effective oversight of cyber risk;
    • The board, as opposed to senior management, will be required to approve the company’s cybersecurity policies;
    • Business continuity and disaster recovery plans would be required to include details, such as designating essential data and personnel, communication preparations, back-up facilities, and identifying necessary third parties; and
      • These plans must also be periodically tested with all staff who are critical to the effort, including senior officers.
    • Incident response plans will be required to address ransomware incidents and include recovery from backups;
      • These plans must be periodically tested with all staff who are critical to the response, including senior officers and the CEO.
  • Privileged Accounts:
    • The Draft Amendments define “privileged accounts” as any account that can be used to perform security-relevant functions, which ordinary users are not authorized to perform, or affect a material change to technical or business operations. These accounts would be required to:
      • Have multifactor authentication;
      • Be limited in number and access functions to only those necessary to perform the user’s job;
      • Limit the use of privileged accounts to only when performing functions requiring the use of such access;
      • Have all-user access periodically reviewed and remove all accounts that are no longer necessary; and
      • Disable or securely configure all protocols that permit remote control of devices.
  • Enforcement:
    • The Draft Amendments elucidate that a violation will be found if a covered entity commits any act prohibited by the regulations or fails to satisfy an obligation.
    • NYDFS would be within its purview to consider certain factors when assessing the severity of penalties, including cooperation, good faith, intentionality, prior violations, number or pattern of violations, gravity of the violation, provision of false or misleading information, harm to customers, accuracy and timeliness of customer disclosures, participation of senior management, penalties by other regulators, and business size.

The Draft Amendments are currently in the pre-proposal phase, and there will be a short comments period ending August 8 before the publishing of the official proposed amendments, which will trigger a 60-day comment period. The Draft Amendments will likely take effect in 2023. However, covered entities should review them now to ensure they have enough time to implement any technology upgrades necessary to be in compliance.

Troutman Pepper will continue to report on new developments with the New York Department of Financial Services and other institutions involved with cybersecurity regulation.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities:

  • On July 29, the Federal Deposit Insurance Corporation (FDIC) issued an advisory and a fact sheet, addressing misconceptions about the scope of deposit insurance coverage and related concerns arising in the crypto space, including that banks should confirm and monitor digital asset companies to ensure the latter do not misrepresent the availability of deposit insurance. For more information, click here.
  • On July 29, the Department of Justice (DOJ) and the Consumer Financial Protection Bureau (CFPB) issued a joint letter, reminding auto finance companies of their responsibilities to recognize important legal protections for military families under the Servicemembers Civil Relief Act (SCRA). While servicemembers have the same rights as nonmilitary borrowers, the SCRA provides additional rights to protect servicemembers and their families against unique financial challenges. For more information, click here.
  • On July 29, the Federal Trade Commission (FTC) took action against a payment processing company and two of its sales affiliates for allegedly trapping small businesses with hidden terms, surprise exit fees, and zombie charges. The FTC claims that the defendants made false claims about fees and cost savings to lure merchants, many of whom allegedly had limited English proficiency. Once merchants were enrolled, the FTC alleges the defendants withdrew funds from their accounts without their consent and made it difficult and expensive to cancel the service. For more information, click here.
  • On July 28, the FDIC and the Federal Reserve Board issued a joint letter, demanding that a crypto brokerage firm stop making allegedly false and misleading statements regarding its FDIC deposit insurance status, as well as take immediate corrective action. For more information, click here.
  • On July 27, the CFPB published an analysis of how actions announced by the three largest national consumer reporting companies will affect people with unpaid medical debt on their credit reports. Nearly half of those with medical collections on their credit reports will continue to see them, even after the changes go into full effect next year. The medical collection tradelines that remain on credit reports after the changes likely represent a majority of the dollar amount of all medical collections currently reported. For more information, click here.
  • On July 27, the CFPB updated the Debt Collection Rule frequently asked questions. For more information, click here.
  • On July 26, U.S. Senate Banking Committee Ranking Member Pat Toomey (R-PA) and U.S. Senator Kyrsten Sinema (D-AZ) introduced the Virtual Currency Tax Fairness Act to simplify the use of digital assets for everyday purchases. This bipartisan legislation would exempt small personal transactions using virtual currencies for goods and services from taxation. For more information, click here.
  • On July 21, the Securities and Exchange Commission (SEC) and the DOJ initiated parallel crypto insider trading actions, with the SEC including allegations that multiple tokens listed on a crypto asset trading platform are securities. In its first insider trading case of “crypto asset securities,” the SEC charged three individuals with perpetrating a scheme to trade crypto assets that the SEC alleges are securities on the basis of confidential nonpublic information. The DOJ announced the unsealing of an indictment regarding its first cryptocurrency insider trading tipping scheme case, charging the same three individuals with conspiracy and wire fraud in connection with the alleged insider trading. For more information, click here and here.

State Activities:

  • On July 26, Virginia Attorney General Jason Miyares announced an $8 million data breach settlement with a gas station and convenience store chain. The breach allegedly occurred “after hackers gained access to the company’s computer network in late 2018 through a phishing attack, and later deployed malware on [the company’s] point-of-sale terminals.” Based on this attack, the malware extracted sensitive payment card information between April 18, 2019 and December 12, 2019. “It is imperative that businesses employ every reasonable security measure to protect their customers and prevent sensitive data breaches like this one,” Attorney General Miyares said. “I am pleased we were able to reach a settlement that addresses the conduct at issue and implements safeguards going forward to ensure this type of breach does not happen again.” For more information, click here.
  • On July 25, California Attorney General Rob Bonta issued a consumer alert, warning military service members, veterans, and their families to be aware of targeted scams and fraud. According to the press release, “a recent report on consumer complaints received by the Federal Trade Commission, in 2021, military consumers lost over $103 million to scams.” Attorney General Bonta listed common scams against the military community, including: home loan scams, identity theft and fraud, pension scams, affinity fraud, and predatory auto sales and financing. For more information, click here.
  • On July 22, New Jersey Acting Attorney General Matthew J. Platkin announced that the Division of Consumer Affairs sent cease-and-desist warning letters to a combination of service, retail, and restaurant operators in New Jersey. The letters alert merchants of their duty to disclose total selling prices, including surcharges for using credit cards, debit cards, or pre-paid cards to consumers. For more information, click here.
  • On July 19, the U.S. District Court for the District of Delaware issued a decision that should draw the attention of banks charging overdraft fees for overdraft protection. In Miller v. Del-One Federal Credit Union, the court’s opinion: (1) validated a fraud claim based on allegedly inaccurate disclosure of overdraft policies; and (2) found that the official overdraft fee opt-in form included in Regulation E, promulgated under the Electronic Fund Transfers Act, and administered by the Consumer Financial Protection Bureau (CFPB), must not only adapt to the institution’s policies, but also state all associated overdraft procedures. For more information, click here.

Like most industries today, Consumer Finance Services businesses continue to be significantly impacted by COVID-19. To help you keep abreast of relevant activities, below find a breakdown of some of the biggest legislative and regulatory events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On June 17, the Federal Reserve released its latest Monetary Policy Report, which identified the growth of stablecoins as a key development for the financial stability of the U.S. and identified certain types of stablecoin arrangements as areas of concern. According to the Fed, “Stablecoins that are not backed by safe and sufficiently liquid assets and are not subject to appropriate regulatory standards create risks to investors and potentially to the financial system, including susceptibility to potentially destabilizing runs.” For more information, click here.
  • On June 16, the Federal Financial Institutions Examination Council (FFIEC) announced the availability of data on 2021 mortgage lending transactions reported under the Home Mortgage Disclosure Act (HMDA) by 4,338 U.S. financial institutions. Covered institutions include banks, savings associations, credit unions, and mortgage companies. As the most comprehensive publicly available information on mortgage market activity, HMDA data is used by industry, consumer groups, regulators, and others to assess potential fair lending risks and for other purposes. The data helps the public assess how financial institutions serve the housing needs of their local communities and facilitates federal financial regulators’ fair lending, consumer compliance, and Community Reinvestment Act examinations. For more information, click here.
  • On June 15, the Consumer Financial Protection Bureau (CFPB) issued an update about its December 2021 market monitoring inquiry into Buy Now, Pay Later (BNPL) — a short-term, no-interest consumer credit product that has become nearly ubiquitous at the point of purchase online and, increasingly, in brick-and-mortar stores. Issued to five BNPL firms, the inquiry ordered information and data on several key areas of consumer impact, including data furnished by BNPL firms to consumer reporting companies for inclusion in credit reports. For more information, click here.
  • On June 14, the CFPB announced its request for public input as to how bank customers can assert their rights to better customer service with big banks. In the request for information, the CFPB seeks data about, and consumer experiences with, obstacles that may prevent people from receiving high standards of customer service and high-quality human interactions with their banks or credit unions. For more information, click here.
  • On June 14, the Department of Justice Office of the Inspector General issued its audit of the U.S. Marshals Service’s management of seized cryptocurrency, covering the period from fiscal years 2017 through 2021. The audit report concludes that the Marshals Service does not have necessary operating procedures and controls and faces issues in managing and tracking seized cryptocurrency. For more information, click here.
  • On June 13, the CFPB released its annual report on the top financial concerns facing servicemembers, veterans, and military families based on the complaints they submitted to the CFPB. Servicemembers told the CFPB about billing inaccuracies and that debt collectors used aggressive tactics to recover allegedly unpaid medical bills. Servicemembers also reported failures by credit reporting companies in helping to resolve inaccuracies and other credit reporting issues. For more information, click here.
  • On June 11, Coin Center, a nonprofit group focused on cryptocurrency, sued the United States, the Treasury Department, the Internal Revenue Service, and related individuals, arguing the unconstitutionality of a recent tax code amendment. The amendment, known as the 6050I Provision and commonly referred to as the Transaction Reporting Rule, was part of the Infrastructure Investment and Jobs Act passed last summer, and requires individuals and businesses that receive $10,000 or more in cryptocurrency to report to the government the name, date of birth, and Social Security number of the person who sent those funds. For more information, click here.

State Activities:

  • On June 14, California Attorney General Rob Bonta issued a consumer alert, following reports that hospitals failed to fulfill obligations under state law to provide free or reduced-price health care to qualifying patients. Attorney General Bonta also sent letters to hospitals “warning them that they must provide written notice to patients — in their native language — of the availability of ‘charity care’ and how to apply.” For more information, click here.
  • On June 9, North Carolina Attorney General Josh Stein issued a statement after the U.S. Department of Education announced it would discharge all remaining federal student loans for students who attended any college run by Corinthian Colleges. In North Carolina, “12,470 borrowers will receive a total of $142.1 million in loan relief.” After noting the cancellations would be automatically applied, Attorney General Stein stated, “I’ve been fighting on behalf of these student victims for years, and I’m grateful to the Biden administration for taking action to help them. Canceling these loans will give these student borrowers a fresh start at building a successful future unburdened by unfair debt.” For more information, click here.

Privacy and Cybersecurity Activities:

  • On June 15, Senators Elizabeth Warren (D-MA), Ron Wyden (D-OR), Patty Murray (D-WA), Sheldon Whitehouse (D-RI), and Bernie Sanders (I-VT) introduced the Health and Location Data Protection Act, which would ban data brokers from selling health and location data. The act would also empower the Federal Trade Commission (FTC), state attorneys general, and injured persons to sue to enforce the law, while also providing $1 billion in funding to the FTC. For more information, click here.
  • On June 15, Maine’s governor signed House Paper 669, establishing the Maine Data Collection Protection Act. The act would prohibit data collectors from collecting and aggregating, selling, or using information from specific types of public documents for the purpose of determining a consumer’s eligibility for consumer credit, employment, or residential housing. A data collector includes any person that collects or attempts to collect data from publicly maintained records and sells that data to third parties for any purpose, including but not limited to the determination of an individual’s eligibility for consumer credit, employment, or residential housing. To read more, click here.
  • On June 13, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance on how health care providers and health plans can use remote communication technologies to provide audio-only telehealth services that comply with the Health Information Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification rules. OCR Director Lisa J. Pino stated that audio-only telehealth can assist “in reaching patients in rural communities, individuals with disabilities, and other seeking the convenience of remote options.” To read more, click here.

Like most industries today, Consumer Finance Services businesses continue to be significantly impacted by COVID-19. To help you keep abreast of relevant activities, below find a breakdown of some of the biggest legislative and regulatory events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On June 3, the Federal Trade Commission (FTC) provided its annual report to the Consumer Financial Protection Bureau (CFPB) on its 2021 enforcement and related activities regarding the Truth in Lending Act (TILA), Consumer Leasing Act (CLA), and Electronic Fund Transfer Act (EFTA). The report highlights the FTC’s enforcement actions related to the acts and their implementing regulations, including in the areas of automobile purchases and financing, payday lending, credit repair and debt relief, and electronic fund transfer. For more information, click here.
  • On June 2, ForUsAll, a San Francisco based 401(k) retirement provider, filed a lawsuit against the Department of Labor relating to the latter’s March 2022 guidance for 401(k) plan fiduciaries considering plan investments in cryptocurrencies. Published by the Department’s Employee Benefits Security Administration, Compliance Assistance Release No. 2022-01 cautions plan fiduciaries to exercise “extreme care” before they consider adding a cryptocurrency option to a 401(k) plan’s investment menu for plan participants. For more information, click here.
  • On June 1, the Department of Justice announced the unsealing of an indictment against a former product manager at Ozone Networks, Inc. d/b/a OpenSea (OpenSea) for wire fraud and money laundering concerning a scheme to commit insider trading in non-fungible tokens (NFTs) by using confidential information about what NFTs OpenSea’s homepage planned to feature for his personal financial gain. For more information, click here.
  • On May 31, the FTC took action against Financial Education Services and its owners, as well as a number of related companies, for scamming consumers out of more than $213 million. The FTC’s complaint alleges that the company preys on consumers with low credit scores by luring them in with the false promise of an easy fix and then recruiting them to join a pyramid scheme, selling the same worthless credit repair services to others. For more information, click here.

State Activities:

  • On June 1, New York lawmakers passed a pair of cryptocurrency-related bills, now pending with Governor Kathy Hochul, which would impose a two-year ban on issuing new permits for cryptocurrency mining operations that meet certain criteria and create a 16-member task force to examine “the effects of the widespread use of cryptocurrencies” along with “the use of digital currencies’ impact on state and local tax receipts.” For more information, click here and here.
  • On June 1, the California Department of Financial Protection and Innovation (DFPI) released an invitation for comment on the DFPI’s regulatory approach to crypto asset-related financial products and services, as well as the potential regulation of such products and services under the California Consumer Financial Protection Law (CCFPL). For more information, click here.
  • On May 26, the California Supreme Court ruled that the FTC’s “Holder Rule” does not limit the award of attorneys’ fees where a consumer seeks fees from a holder under a state-prevailing party statute. In Pulliam, the court concluded that the FTC did not intend to preempt state laws allowing attorneys’ fee awards. For more information, click here.
  • On May 26, North Carolina Attorney General Josh Stein issued a press release, indicating his office had won a permanent ban against an individual and his businesses from offering debt relief, debt settlement, foreclosure assistance, and mortgage loan modification services to North Carolinians. In the lawsuit, Attorney General Stein alleged the defendant “upfront fees for his services from North Carolina consumers. In exchange, he falsely promised that he would reduce people’s mortgage loan payments, get loan forbearance so they could delay making loan repayments, and prevent lenders or mortgage services from foreclosing on customers. However, he failed to provide any of these services.” For more information, click here.
  • On May 4, following in the footsteps of President Biden’s recent executive order (Federal EO), California Governor Gavin Newsom issued his own blockchain-related executive order (CA EO), making California the first among the states to endorse a proactive, harmonized approach to regulate blockchain technology. The CA EO assesses how existing state and public institutions may leverage blockchain technology to foster innovation and propel California to the forefront of the emerging digital asset market. The CA EO is founded on two notable objectives: (1) federal and state regulatory harmony and (2) consumer education and scholastic exposure. For more information, click here.

Privacy and Cybersecurity Activities:

  • On June 2, Politico Pro announced that federal lawmakers have circulated a draft of comprehensive federal privacy legislation, reportedly pieced together by House Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA), as well as Senator Roger Wicker (R-MI). The draft bi-partisan bill would provide a private right of action when a “substantial privacy harm” has occurred. A draft of the bill can be found here.
  • On June 3, the FTC published a report, finding that consumers have lost more than $1 billion in cryptocurrency to scams since 2021. Most of these cryptocurrency losses involved bogus cryptocurrency investment opportunities, which totaled $575 million in reported losses since January 2021. The report suggests that many of these scams begin on social media. The FTC advises consumers to watch out for anyone who claims they can guarantee profits or big returns by investing in cryptocurrency; people who require you to buy or pay in cryptocurrency; and love interests who want to show you how to invest in cryptocurrency or to send them cryptocurrency. For the report, click here.
  • On June 3, the FTC announced it was seeking input on ways to modernize the agency’s business guidance, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising.” The guidance was first published in March 2013, and the FTC seeks input on several issues, including the use of sponsored and promoted advertising on social media, the adequacy of online disclosures when consumers must navigate multiple webpages, and whether the current guidance adequately addresses advertising on mobile devices. For the announcement, click here.

On April 28, the Joint Chiefs of Global Tax Enforcement (the J5), a global joint operational taxation group consisting of Australia, Canada, Netherlands, United Kingdom, and the United States, issued an intelligence bulletin (Bulletin), enumerating its perceived dangers of non-fungible tokens (NFTs).

NFTs, ERC-20, and Fungibility

Cryptocurrencies and NFTs are similar in the sense that the fundamental composition of both tokens is simply encrypted data that lives on the blockchain. However, these tokens do differ in an important way: fungibility. A large swath of today’s cryptocurrencies is traded and held on the Ethereum blockchain. For a cryptocurrency to operate on the Ethereum blockchain, it should comply with the ERC-20 standard, which is the smart contract protocol for Ethereum-based fungible tokens. Due to compliance with the ERC-20 standard, developers can seamlessly deploy new tokens (in the form of smart contracts) that are automatically interoperable with pre-existing Ethereum-based decentralized applications and software wallets like MetaMask. ERC-20 tokens are mutually interchangeable.

For example, Tether (USDT), the largest stablecoin by market capitalization, is an ERC-20 token. There are approximately 74 billion USDT tokens in circulation, and as stablecoins, each of these tokens (supposedly) possesses the same value of $1, as the issuer claims that for every unit of its stablecoin in circulation, there is a matching U.S. dollar in a bank account somewhere (algorithmic stablecoins are different — rather than being backed 1:1 by dollars, there are two tokens, the stablecoin itself and a sister token that is issued (created) or burned (destroyed) as needed to maintain the stablecoin’s price). Stated differently, each of the USDT tokens in circulation is intended to have identical data properties.

Conversely, NFTs are non-fungible. NFTs deployed on the Ethereum blockchain should comply with ERC-721, which is the smart contract protocol for Ethereum-based non-fungible tokens. All ERC-721 tokens have globally unique data properties, which makes these tokens immune from replication on the blockchain. Due to their lack of fungibility, NFTs can potentially serve as depictions of inherently unique data structures that constitute ownership identifiers of real-world, tangible assets like artwork, real estate, and products within a supply chain.

J5’s Perceived Dangers of NFTs

The Bulletin is compartmentalized into two sections: (1) strong indicators of fraud and (2) moderate indicators of fraud. The most striking indicators discussed within the Bulletin were phishing scams and lack of verification.

Phishing Scams

Phishing, a practice in which a cyber attacker purports to be a legitimate company to induce an individual to perform an action that materially benefits the cyber attacker, is a common tactic among NFT scammers. In the NFT space, phishing may manifest in URL impersonation of legitimate NFT marketplaces. For example, OpenSea.io is the URL of the world’s most prominent NFT marketplace. A scammer may deploy an exact replica of the OpenSea website and slightly modify the URL to deceive OpenSea patrons and obtain access to a consumer’s NFT wallet — or worse — convince a consumer to cough up his or her private keys.
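The URL impersonation described above can be screened for mechanically. The sketch below is an added example, not taken from the Bulletin or from any marketplace: the allowlist, function names, verdict strings, and distance threshold are assumptions, the sample URLs in the usage comments are constructed, and the "last two labels" shortcut stands in for a proper Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the two marketplace hostnames named in this article.
TRUSTED_HOSTS = {"opensea.io", "looksrare.org"}


def hostname_of(url):
    """Return the lowercased hostname of a URL, or '' if it cannot be parsed."""
    if "://" not in url:
        url = "https://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes, and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Classify a URL's hostname relative to the trusted marketplace hosts.

    Verdicts (hypothetical labels):
      trusted              exact trusted host or a subdomain of one
      non-ascii-host       punycode or non-ASCII label (possible homoglyphs)
      embeds-trusted-name  trusted brand appears inside an unrelated domain
      lookalike            registrable part within max_distance edits of a trusted host
      unlisted             none of the above; not on the allowlist
      invalid              no hostname could be extracted
    """
    host = hostname_of(url)
    if not host:
        return "invalid"
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"

    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "non-ascii-host"

    # Naive registrable domain: last two labels (assumption, no Public Suffix List).
    base = ".".join(labels[-2:])
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if any(brand in label for label in labels):
            return "embeds-trusted-name"
        if edit_distance(base, t) <= max_distance:
            return "lookalike"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample URLs for illustration only.
    for sample in ["https://opensea.io/collection/x",
                   "https://0pensea.io/login",
                   "https://opensea.io.example.com/",
                   "https://example.org/"]:
        print(f"{sample:40} {classify(sample)}")
```

A verdict other than "trusted" is a prompt for review rather than proof of fraud; the edit-distance threshold trades missed lookalikes against false alarms on short, unrelated domain names.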

Lack of Verification

Generally, each NFT marketplace will employ a standard for verifying NFT collections sold on its platform. For example, for an NFT collection to be designated as a verified collection on NFT marketplace LooksRare.org, an NFT collection must generate, inter alia, at least 250 ETH in trading volume on LooksRare.org or 500 ETH in trading volume across the NFT marketplace ecosystem. Today, 250 ETH is equivalent to approximately $500,000 USD. Trading volume is a reliable parameter for verifying the veracity of NFT collections because it indirectly substantiates market sentiment of a particular NFT collection and its developers.

Our Take

Although the Bulletin is not comprehensive, it does bring to the forefront a few problematic issues that stand to undermine an otherwise beneficially disruptive technology. But while the risks associated with consumer usage of NFTs will continue to persist due to regulatory nascency, the tech will likely remain a fixture in the global economy for years to come as tokenization of tangible assets becomes more prevalent.

On April 28, the Connecticut House passed Senate Bill 6, an act concerning personal data privacy and online monitoring (SB 6 or Connecticut Act). The Senate unanimously passed SB 6 on April 20, and the bill is now under consideration by Governor Ned Lamont. If the bill becomes law, it will go into effect on July 1, 2023, making Connecticut the fifth state to enact a comprehensive data privacy law.

Who Must Comply?

The Connecticut Act would apply primarily to “controllers” and “processors.”

SB 6 defines a “controller” as any “individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.” Under the Connecticut Act, a “processor” means an individual who, or legal entity that, processes personal data on behalf of a controller.

SB 6 would apply to individuals or entities that (1) conduct business in Connecticut and (2) during the preceding year controlled or processed the personal data of at least either:

  • 100,000 consumers, excluding personal data controlled or processed solely for completing a payment transaction, or
  • 25,000 consumers, and derived more than 25% of their gross revenue from selling personal data.

What Is Protected?

The Connecticut Act protects “personal data” and “sensitive data.”

“Personal data” means any information linked or reasonably linked to an identified or identifiable individual. The definition does not include de-identified data or publicly available information.

“Sensitive data” means personal data that includes (1) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying any individual; (3) personal data collected from a known child; or (4) precise geolocation data.

Exempted Data

Various information is exempted under the Connecticut Act, including information collected under the Health Information Portability and Accountability Act (HIPAA), information bearing on a consumer’s credit worthiness to the extent such activity is regulated by and authorized under the Fair Credit Reporting Act (FCRA), and financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA).

Information controlled or processed solely for the purpose of completing a payment transaction is exempted, which is an exemption that differs from other state laws.

Key Definitions

“Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. It does not include (1) disclosure of personal data to a processor that processes the personal data on behalf of the controller; (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; (3) the disclosure or transfer of personal data to an affiliate of the controller; (4) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party; (5) the disclosure of personal data that the consumer (a) intentionally made available to the general public via a channel of mass media and (b) did not restrict to a specific audience; or (6) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

“Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated internet web services or online applications to predict such consumer’s preferences or interests. It does not include (1) advertisements based on activities within a controller’s own internet websites or online applications; (2) advertisements based on the context of a consumer’s current search query, visit to an internet website, or online application; (3) advertisements based on a consumer’s request for information or feedback; or (4) processing personal data solely to measure or report advertising frequency, performance, or reach.

What Rights Are Granted to Consumers?

The Connecticut Act grants consumers a number of rights, including, among others: (1) the right to confirm whether or not a controller is processing the consumer’s personal data and the right to access their personal data; (2) the right to correct inaccuracies in the consumer’s personal data; (3) the right to delete the personal data; (4) the right to obtain a copy of the consumer’s personal data that is portable and easily transferable; and (5) the right to opt out of the processing of personal data for (a) targeted advertising, (b) the sale of personal data, or (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

What Obligations Apply to Controllers?

  • Data Minimization. A controller shall “limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed.”
  • Duty to Avoid Secondary Use. A controller shall “not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”
  • Security Practices. A controller shall “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
  • Consent. A controller shall “not process sensitive data concerning a consumer without first obtaining the consumer’s consent, or in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA.” A controller also must provide an effective mechanism for a consumer to revoke consent.
  • Discrimination. A controller must “not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers.” A controller also shall not discriminate against a consumer for exercising any of his/her rights under the Connecticut Act.
  • Data Protection Assessments. A controller shall “conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer,” which includes any processing of personal data for the purposes of targeted advertising, the sale of personal information, or profiling.
  • Privacy Notices. A controller shall “provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (4) the categories of personal data that the controller shares with third parties, if any; (5) the categories of third parties, if any, with which the controller shares personal data; and (6) an active electronic mail address that the consumer may use to contact the controller.”

What Obligations Apply to Processors?

  • Data Processing Agreements. A processor must be governed by a contract that must “set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.”
  • Data Subject Request. A processor must have processes “taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as is reasonably practicable, to fulfill the controller’s obligation to respond to consumer rights requests.”
  • Duty of Care. A processor shall assist “the controller in meeting the controller’s obligation in relation to the security of processing the personal data and in relation to the notification of a breach of security.”
  • Data Protection Assessments. A processor shall provide the necessary information to “enable the controller to conduct and document data protection assessments.”
  • Confidentiality. A processor must ensure “that each person processing personal data is subject to a duty of confidentiality with respect to the data.”
  • Subcontractors. A processor must “engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.”

Who Can Enforce the Connecticut Act?

The Connecticut Act does not create a private right of action. The Connecticut attorney general shall have exclusive authority to enforce violations of the Connecticut Act. Prior to any such enforcement action, the attorney general shall provide a 60-day notice to allow the business the opportunity to cure any alleged violations. This notice to cure provision will sunset on December 31, 2024.

What’s Next?

If signed by the governor (which is expected to occur), SB 6 will become law. If the governor vetoes the bill, it will be returned to the Senate to be reconsidered. If the governor fails to act within five days during legislative session or 15 days after adjournment from the day it was presented, it will become law automatically. If it becomes law, Connecticut will be the fifth state to adopt a comprehensive privacy law following California, Virginia, Colorado, and Utah.