Search auto data

Like most industries today, Consumer Finance Services businesses continue to be significantly impacted by COVID-19. To help you keep abreast of relevant activities, below find a breakdown of some of the biggest legislative and regulatory events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On April 29, the Consumer Financial Protection Bureau (CFPB) released Spanish language translations for certain model and sample forms included in the Prepaid Rule in Regulation E and for certain adverse action model and sample notices included in Regulation B. For more information, click here.
  • On April 28, Representatives Glenn Thompson (R-PA), Ro Khanna (D-CA), Tom Emmer (R-MN), and Darren Soto (D-FL) introduced the Digital Commodity Exchange Act of 2022, which would create a definition for “digital commodity” and allow the Commodity Futures Trading Commission to oversee companies issuing or letting people trade these types of tokens, while having the Securities and Exchange Commission continue to oversee tokens that fall under U.S. securities laws. For more information, click here.
  • On April 28, the Department of Education announced it will deliver relief to tens of thousands of borrowers harmed by pervasive and widespread misconduct at Marinello Schools of Beauty. The 28,0000 borrowers who enrolled in the schools from 2009 through its closure in February 2016 will receive loan discharges based on borrower defense findings, totaling approximately $238 million. This group discharge also includes borrowers who enrolled at Marinello during this period, but have not yet applied for a borrower defense discharge. For more information, click here.
  • On April 27, Acting Comptroller of the Currency Michael J. Hsu issued a statement, calling for unified standards for stablecoins after his appearance at the Artificial Intelligence and the Economy: Charting a Path for Responsible and Inclusive AI Symposium hosted by the U.S. Department of Commerce, National Institute of Standards and Technology (NIST), FinRegLab, and the Stanford Institute for Human-Centered Artificial Intelligence. Hsu stated that creating one set of technical and legal standards for the dollar-pegged cryptocurrencies is as “vital to keeping the dollar competitive in the blockchain-based digital economy” as setting the standards for the World Wide Web was to the development of the modern internet economy. For more information, click here.
  • On April 25, the CFPB announced that it would begin invoking a provision in Dodd-Frank, previously used only infrequently, to conduct supervisory examinations over a greater number of nonbank financial companies that may “pose risks to consumers,” in particular fintechs. For more information, click here.

State Activities:

  • On April 28, Southern District of New York Judge Vyskocil granted a preliminary injunction, preventing sheriffs from enforcing New York’s Fair Consumer Judgment Interest Act on a retroactive basis. The act, which became effective on April 30, lowers the statutory rate of interest accrued on money judgment for consumer debt to 2% per year (from 9%). The amendment applies retroactively to judgments unsatisfied at the time the law went into effect. The court enjoined the sheriff’s office “from refusing to execute an existing judgment calculated with the interest rate in effect at the time the judgment was obtained, and from enforcing reduction of the existing interest rate of the judgments entered prior to the effective date of the Amendment.” For more information, click here.
  • On April 28, the New York Department of Financial Services issued guidance on the use of blockchain analytics, emphasizing “the importance of blockchain analytics to effective policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.” For more information, click here.
  • On April 26, Washington, DC Attorney General Karl Racine issued a press release, announcing his office’s legal victories in protecting housing for D.C. residents. The announced victories included restitution secured for residents for tenants in the district and directed residents to resources and tips for how to report problems with landlords. For more information, click here.
  • On April 22, Arkansas Attorney General Leslie Rutledge joined a bipartisan coalition of attorneys general, urging “GoFundMe to better disclose policies and to provide greater clarity in terms of service for consumers who use its platform.” GoFundMe has helped organizers raise more than $5 billion since 2010 and collects fees between 2.2 to 2.9% plus $0.3 per transaction. However, according to the press release, information “related to blocking, freezing, refunding, and re-directing donations, is hard to find and unclear.” For more information, click here.
  • On April 20, Tennessee became the second state to pass legislation, recognizing and allowing the registration of decentralized autonomous organizations (DAOs) as LLCs under Tennessee’s Revised Limited Liability Company Act. For more information, click here.

Privacy and Cybersecurity Activities:

  • On April 28, the Connecticut Data Privacy Act (SB-6) cleared the penultimate legislative hurdle, passing in the House by a vote of 144-5. This legislation previously passed Connecticut’s State Senate by a vote of 35-0 on April 20, and will now head to Governor Ned Lamont for final signature. If signed, Connecticut would be the fifth state in the country to pass a data privacy law, and the majority of the substantive requirements would take effect on July 1, 2023. The final version of SB-6 shares many similarities with other recently enacted state privacy statutes, but most closely resembles the Colorado Privacy Act (CPA). Notably, this legislation does include temporary right to cure, which sunsets on December 31, 2024. For more information, click here.
  • On April 25, the Federal Trade Commission (FTC) released guidance titled, “What the Pandemic Has Taught Businesses About the Collection of Health Information.” This guidance includes several recommendations for businesses to consider regarding checking/storing information from employee’s COVID-19 vaccination cards. This includes, but is not limited to, considering the objection of the data collection, analyzing how long this sensitive health information needs to be retained, and providing secure technology to safely store this information. The guidance also makes specific recommendations for companies that provide vaccine verification “passport” applications used to store information related to vaccination status. For more information, click here.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On March 31, the U.S. Supreme Court significantly limited the jurisdiction of federal courts to confirm or vacate arbitral awards under Sections 9 and 10 of the Federal Arbitration Act (FAA) in Badgerow v. Walters. The Court confirmed its prior rulings that the FAA itself does not create subject matter jurisdiction and held that a federal court must have an “independent jurisdictional basis” to confirm or vacate an award. The impact of the ruling is significant and will result in parties turning to state courts to confirm arbitral awards in ostensible federal question cases. For more information, click here.
  • On March 31, Rep. Trey Hollingsworth (R-IN) and Sen. Bill Hagerty (R-TN), introduced the Stablecoin Transparency Act (S. 3970 and H.R. 7328) in both the House of Representatives and the Senate. The bill requires stablecoins to be backed by government securities with maturities less than 12 months or domestic dollars, while requiring stablecoin issuers to publicly release audited reports of reserves executed by third-party auditors. For more information, click here.
  • On March 30, the Consumer Financial Protection Bureau (CFPB) sanctioned Edfinancial for deceiving student loan borrowers about their eligibility for Public Service Loan Forgiveness, and the steps they could have taken to obtain loan cancellation. Edfinancial made a series of deceptive statements to borrowers about loan cancellation for public service, including falsely telling borrowers with FFELP loans that they could not qualify for the program. For more information, click here.
  • On March 29, the CFPB issued a report, showing that credit card issuers charged $12 billion in late fees in 2020. Late fee penalties are charged in addition to interest when a cardholder does not make the minimum payment by the due date. For more information, click here.
  • On March 28, Representative Stephen Lynch (D-MA), along with co-sponsors Jesús G. García (D-IL), Rashida Tlaib (D-MI), Ayanna Pressley (D-MA), and Alma Adams (D-NC), introduced H.R. 7231, the Electronic Currency and Secure Hardware Act (ECASH Act). The bill would direct the U.S. Treasury secretary to develop and issue a digital analogue to the U.S. dollar, or “e-cash,” intended to “replicate and preserve the privacy, anonymity-respecting, and minimal transactional data-generating properties of physical currency instruments such as coins and notes to the greatest extent technically and practically possible,” all without requiring a bank account. For more information, click here.
  • On March 24, the Department of Justice (DOJ) announced that it charged two individuals in non-fungible token (NFT) fraud and money laundering related to purchasers of NFTs advertised as “Frosties.” According to a DOJ press release, “[r]ather than providing the benefits advertised to Frosties NFT purchasers, [defendants] transferred the cryptocurrency proceeds of the scheme to various cryptocurrency wallets under their control.” U.S. Attorney for the Southern District of New York Damian Williams said the defendants “promised investors the benefits of the Frosties NFTs, but when it sold out, they pulled the rug out from under the victims, almost immediately shutting down the website and transferring the money.” For more information, click here.
  • On March 23, the CFPB Director Rohit Chopra issued a statement regarding the final report of the Interagency Task Force on Property Appraisal and Valuation Equity (PAVE). For more information, click here.

State Activities:

  • On March 31, California Attorney General Rob Bonta filed an amicus brief “in defense of state laws protecting consumers from false and misleading advertising” in the Ninth Circuit Court of Appeals case of Moreno v. Vi-Jon. The case purportedly centers around false advertising related to claims made on the front and back labels of hand sanitizer that allegedly misstate the effectiveness of the product against common, harmful viruses and bacteria. According to the press release, the district court dismissed “the case, finding both that [the plaintiff] should have known that [the defendant’s] claims were untrue, and that [the plaintiff] lacked standing to even pursue the litigation.” The attorney general’s office argued that the court erred in dismissing the case as economic injury from deceptive advertising should be sufficient to establish standing. For more information, click here.
  • On March 29, Virginia Attorney General Jason Miyares joined 20 other states in a multistate action against the Center for Disease Control and Prevention’s (CDC) use of a mask mandate for public transportation. According to the press release, “the CDC’s unlawful mask mandate exceeds the agency’s authority by not authorizing economy-wide measures.” Attorney General Miyares stated, “The CDC’s mask mandate on public transportation, like air travel, is scientifically unnecessary at this stage of the pandemic. Not only are the CDC’s mask mandates for public transportation an example of federal overreach, but they are outdated as states across the country have lifted mask mandates in other aspects of daily life.” For more information, click here.
  • On March 29, New York Attorney General Letitia James sent letters to the largest credit card companies and major debt collectors operating in New York, warning those companies of new state regulations that prevent them from suing consumers for old debts. According to the press release, the Consumer Credit Fairness Act of 2021 “will go into effect next month and reduces the statute of limitations for consumer debt collection from six years to three years.” The act also mirrors many of the regulations promulgated in Regulation F by the CFPB. For more information, click here.
  • On March 24, Manhattan District Attorney Alvin L. Bragg, Jr. announced the indictment of an individual for “operating a global money laundering business that enabled at least 7 clients, who engaged in a wide-range of criminal activity, to use Bitcoin anonymously to hide and obscure their illegal proceeds,” which involved the individual “convert[ing] more than $2.3 million into Bitcoin and more than $380,000 worth of Bitcoin into U.S. dollars, using a rotating set of accomplices … to open bank and cryptocurrency exchange accounts to launder criminal proceeds.” For more information, click here.
  • On March 15, the D.C. Council of the District of Columbia Committee of the Whole met in a full hearing, in part to hear amendments introduced to B24-0357 — the Protecting Consumers from Unjust Debt Collection Practices Amendment Act of 2021. Raised in July 2021 as a trio of legislation, B24-0357, Emergency B24-0347, and Temporary B24-0348 address debt collection in the district during the pandemic. All three affect debt collection in D.C.; legislation such as this is often introduced as a series of emergency, temporary, and permanent bills. B24-0357 is the permanent version of the Protecting Consumers legislation. For more information, click here.

Privacy and Cybersecurity Activities:

  • On March 29 and 30, the California Privacy Protection Agency (CPPA) held pre-rulemaking “informational sessions” regarding the California Privacy Rights Act (CPRA). In addition to rulemaking, the CPPA handles the future implementation and enforcement of the CPRA. Last week’s sessions included 10 “informational presentations” given by experts from government and academia, covering various topics, such as dark patterns, automated decision-making, and cybersecurity audits. These sessions intend to help the CPPA and general public understand various topics relevant to the CPRA rulemaking process and will be followed by “stakeholder sessions” later this month. For more information, click here.
  • On March 29, the Office of the Comptroller of the Currency (OCC) issued a bulletin aimed at ensuring that OCC-regulated entities use the appropriate “designated points of contact” when complying with the Computer-Security Incident Notification: Final Rule (OCC Bulletin 2021-55). This rule requires that banking organizations notify their federal regulator “no later than 36 hours after the banking organization determines that a notification incident has occurred.” Under the bulletin, OCC-regulated entities may carry out this notification by contacting their supervisory office, submitting a notification via the BankNet website (available here), or contacting the BankNet help desk. A similar release published by the Federal Deposit Insurance Company (FDIC) is available here, and our summary and analysis of the interagency final rule is available here.

California Privacy Protection Agency Director Ashkan Soltani recently announced that long-awaited regulations related to the California Privacy Rights Act (CPRA) would be delayed. The agency initially scheduled a July 1 deadline to promulgate regulations and allow companies time to comply with the CPRA, which is set to be enforced beginning July 1, 2023. However, Director Soltani recently announced that rules will not be promulgated until Q3 or Q4 of 2022. In a recent public meeting, he stated: “Formal proceedings, including public hearings, will continue into Q3 with rulemaking being completed in Q3 or Q4. While this puts us somewhat past the July 1 rulemaking schedule in the statute, it allows us to balance staffing of the agency while undertaking substantial information gathering to support our rules.”

While neither Director Soltani nor the CPPA offered an explanation, there already were hints that the agency would miss the rulemaking deadline. In the September 2021 meeting, the CPPA board discussed potential remedies for a missed deadline. These included a formal extension, enactment of temporary or “emergency” regulations, or adding compliance grace periods. This is not the first time that privacy regulations have been delayed in California. In 2020, the California attorney general’s office went past its deadline to adopt regulations for the California Consumer Privacy Act (CCPA).[1] Those regulations took effect more than a month later, and the attorney general opted against delaying enforcement.

In remarks with the California Lawyers Association in October 2021, CPPA Board Chair Jennifer Urban spoke on her own behalf and addressed the many logistical and legal impediments in getting the new administrative agency up and running in time to develop and adopt regulations by the deadline. The many challenges include hiring, rulemaking under California’s Open Meetings Act, and the capacity of the board to undertake the many efforts needed to position the administrative agency to begin enforcement. Further complicating the CPPA’s efforts is the obligation to develop a significant volume of unprecedented rules governing issues, such as cybersecurity audits, risk assessments, automated decision-making, and agency audit authority. These rules are expected to double the existing body of regulations under the CCPA.

Urban appears to be considering various options for extending the “particularly aggressive” CPRA statutory deadline for adopting final regulations. One potential option would be “extending when we might begin enforcing [the regulations] … so people have time to understand and implement the regulations.” As an administrative agency, CPPA will have discretion regarding the timing of initiating investigations, holding hearings, and issuing administrative orders. Urban noted that the agency will actively receive counsel on all of its options for a potential extension if necessary. The precise timeline to adopt final regulations is murky, but one thing is clear, companies may find it challenging to comply with potentially significant compliance obligations without the benefit of additional regulatory guidance.

While the regulations will not be promulgated by July 1, companies can still undertake steps to prepare for compliance, such as undertaking a review of current privacy policies and practices and aligning them with CPRA statutory language requirements. Companies may choose to engage in the agency’s rulemaking by attending upcoming informational hearings when announced, which also may shed light on what is to come out of the regulations.

Additional Resources

At Troutman Pepper, we understand the complexities of information technology and how it intersects with the changing regulatory landscape. Our team is dedicated to breaking down complex legal issues and providing guidance that the business and information technology/security can understand. As it relates to the CPRA, Troutman Pepper issued a compendium on the CPRA, which provides an overview of the operational impact of the CPRA on existing CCPA compliance frameworks. It focuses on issues, including notable updates to existing definitions, the addition of new consumer rights, modifications to existing CCPA rights, and newly introduced concepts (at least for the CCPA), such as data minimization and limitations on the use of “sensitive personal information.” Readers can access Troutman Pepper CCPA-related articles and resources by clicking here.

[1] It is worth noting that the California attorney general’s office was not subject to the same open meeting requirements as the CPPA, and the rulemaking process was much more efficient as a result. Even so, meeting the aggressive deadline proved challenging in 2020.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On March 2, New York Governor Kathy Hochul announced actions to strengthen New York Department of Financial Services (NYDFS) enforcement of sanctions against Russia, including the expedited procurement of additional blockchain analytics technology to bolster the ability to detect exposure among NYDFS-licensed virtual currency businesses to Russian individuals, banks, and other entities that the Biden administration has sanctioned, which is intended to strengthen the ability to enforce anti-money laundering and Bank Secrecy Act laws. For more information, click here.
  • On March 1, the Consumer Financial Protection Bureau (CFPB) released a report about the nature of the medical billing system in the U.S. The report concludes that the U.S. health care system is supported by a billing, payments, collections, and credit reporting infrastructure where mistakes are common, and where patients often have difficulty getting these errors corrected or resolved. For more information, click here.
  • On March 1, the Federal Reserve Board invited public comment on a supplement to its May 2021 proposal intended to ensure that Federal Reserve Banks use a transparent and consistent set of factors when reviewing requests to access Federal Reserve accounts and payment services. For more information, click here.
  • On February 28, the CFPB issued a compliance bulletin regarding inadvertent repossessions of automobiles, reminding the industry of guidance previously issued by the CFPB in several editions of Supervisory Highlights and a 2020 consent order. For more information, click here.
  • On February 28, U.S. Representative Steve Cohen introduced the Keeping Evictions Off Credit Reports Act in the House of Representatives, which would prohibit evictions that were related to the COVID-19 pandemic from appearing on those individuals’ credit reports. For more information, click here.
  • On February 25, the NYDFS issued guidance to all individuals and entities subject to its regulation due to the rapidly evolving situation in Ukraine, following the Russian invasion and the imposition of sanctions, in particular businesses engaged in virtual currency activity. For more information, click here.

State Activities:

  • On March 4, New York Attorney General Letitia James launched a rulemaking process to “look into whether major corporations are using the pandemic and inflation as an excuse to unfairly raise the price of basic goods.” Attorney General James stated, “Throughout the pandemic, hardworking New Yorkers have been struggling to make ends meet, but big corporations have been celebrating record breaking profits. It doesn’t add up. My office is prepared to use every tool in our toolbox to crack down on price gouging and pandemic profiteering.” According to the press release announcing the rule launch, this is the “first-ever price gouging rulemaking process by the Office of the Attorney General.” For more information, click here.
  • On March 2, California Attorney General Rob Bonta announced “a nationwide investigation into TikTok, Inc. for promoting its social media platform to children and young adults while its use is associated with physical and mental health harms to youth.” Attorney General Bonta stated, “Our children are growing up in the age of social media — and many feel like they need to measure up to the filtered versions of reality that they see on their screens … We know this takes a devastating toll on children’s mental health and well-being. But we don’t know what social media companies knew about these harms and when.” According to the press release, the investigation will focus “on the techniques utilized by TikTok to boost young user engagement, including strategies or efforts to increase the duration of time spent on the platform and frequency of engagement with the platform.” For more information, click here.

Privacy and Cybersecurity Activities:

  • On March 3, the final version of the Utah Consumer Privacy Act (UCPA) was sent to Utah’s governor for final signature. The UCPA passed both chambers of Utah’s legislature with bipartisan support, and, if signed, would make Utah the fourth state in the country to adopt a comprehensive state privacy law. The final version of the UCPA would go into effect December 31, 2023 , and its substantive requirements closely mirror those found in the Virginia Consumer Data Protection Act (VCDPA). The UCPA does not include a private right of action, and businesses are provided a 30-day right to cure with regards to actions brought by the attorney general. For more information, click here.
  • On March 2, Florida’s House of Representatives passed HB-9, a comprehensive privacy bill, with strong bipartisan support. This legislation is now being considered by the Florida Senate, which must act quickly, as the 2022 legislative session in Florida ends on March 11. Notably this law would create a private right of action, under which consumers could seek $100-$700 per incident. There is still significant uncertainty regarding the future of this legislation, as the Senate has been considering a separate privacy bill that is materially different from HB-9. For more information, click here.
  • On March 1, the U.S. Senate unanimously approved the Strengthening American Cybersecurity Act of 2022. Notably this legislation would require critical infrastructure entities (e.g., energy, communications, transportation systems, etc.) to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Furthermore, under this legislation, cyber incidents that involve ransomware payments would need to be reported within 24 hours. The legislation is now with the House of Representatives, where it is expected to be taken into consideration shortly. For more information, click here.

In Eggleston v. Reward Zone USA LLC, No. 2:20-cv-01027-SVW-KS (C.D. Cal. Jan. 28, 2022), the U.S. District Court for the Central District of California rejected the argument that text messages are “artificial or prerecorded voice messages” under the Telephone Consumer Protection Act (the TCPA).

The plaintiff, Lucine Trim, alleged that Reward Zone USA LLC (Reward Zone), sent spam advertisements and promotional offers to her cellphone via text message in violation of TCPA § 227(b). This provision makes it unlawful to “make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice” to any telephone number assigned to a cellular telephone service.

In granting a motion to dismiss the § 227(b) claims, the District Court first held that the system at issue does not qualify as an automatic telephone dialing system (ATDS) as defined by the statute. Under the TCPA, an ATDS consists of “equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers.” In interpreting this definition, the District Court held that calling equipment only qualifies as an ATDS “if it uses a number generator to generate the phone numbers themselves — not if the number generator is used merely to index the phone numbers or select phone numbers from that index.” Reward Zone only used a number generator to index and select telephone numbers from a database, therefore its dialing system does not qualify as an ATDS, and thus, calls made with it do not violate the prohibition against the use of ATDS in § 227(b).

The District Court also held that a violation had not occurred because text messages are not artificial or prerecorded voice messages. The plaintiff argued that text messages meet the statutory definition because “‘artificial’ means ‘humanly contrived, often on a natural model’; ‘prerecorded’ means ‘to set down in writing in advance of presentation or use’; and ‘voice’ means ‘an instrument or medium of expression.'” The District Court rejected this argument as being “beyond the bounds of common sense,” stating:

Plaintiff’s interpretation conflicts with a primary principle of statutory interpretation — that words in a statute should generally be given their most natural understanding unless circumstances suggest otherwise. See Duguid, 141 S.Ct. at 1169. The most natural, commonplace understanding of “voice” is the sound produced by one’s vocal system. Indeed, it is not plausible that Congress intended the word “voice” in the TCPA to carry the tertiary, metaphorical meaning that plaintiff suggests over this primary, natural meaning — especially since if Congress had intended to adopt plaintiff’s broad meaning, it could have easily chosen clearer, more literal terms to do so, such as “medium of expression” or “communication.” [emphasis supplied by the District Court].

This case shows that for purposes of the TCPA, a text message is simply that: a message consisting of written text. And such messages do not qualify as artificial or prerecorded voice messages that can give rise to liability under § 227(b).

On February 14, Northern District of Illinois Judge Sharon Johnson Coleman rejected Clearview AI’s arguments that Illinois’ Biometric Information Privacy Act (BIPA) violated the First Amendment.

In 2020, Clearview AI was accused of violating BIPA in multiple cases filed in the Northern District of Illinois and the Southern District of New York. The plaintiffs alleged that Clearview AI covertly scraped over three billion photographs of facial images from the internet and used artificial intelligence to scan and harvest each individual’s unique biometric data without their knowledge or consent. The cases were consolidated into a multidistrict litigation in the Northern District of Illinois on January 8, 2021, styled In re: Clearview AI, Inc. Consumer Privacy Litigation.

In its motion to dismiss, Clearview AI argued, inter alia, that its capture of faceprints from public images and its analysis of the public faceprints was protected speech under the First Amendment. It asserted that it merely collected public photographs from the internet, created facial vectors, and compared them to images provided by law enforcement. This conduct, according to Clearview AI, helped law enforcement identify criminals, including some who had engaged in sexual exploitation of children and even those who participated in the January 6, 2021, Capitol riots. The database and search engine were never made public or sold to anyone.

In response, the plaintiffs contended that the capturing of faceprints and the action of extracting private biometric identifiers from the faceprints is unprotected conduct, not speech. They argued that a person’s sensitive biometrics do not somehow become “public information” simply because they can be harvested from public photographs. That the photographs were public was inapposite. As the plaintiffs asserted, “[t]his case is not about Defendants’ collection of online photographs. It is about Defendants’ trespass on the private domains of millions of Americans by harvesting their unique and immutable biometrics for personal gain.”

The ACLU filed an amicus brief supporting the plaintiffs’ argument, explaining that faceprints are “measurements of our immutable and unique biological characteristics — akin to fingerprints or DNA profiles.” Thus, “unlike a social security or passport number, they cannot be changed or protected once control is lost.” The ACLU challenged Clearview AI’s description of its services as “a search engine that merely analyzes and republishes publicly available information.” According to the ACLU, “Clearview can gather information from the public internet and it can run a search engine without violating BIPA. What it cannot do is capture Plaintiffs’ faceprints, or ‘scan[s] of … face geometry,’ … without their knowledge or consent.”

The court agreed with the plaintiffs that “[w]hile the photographs may have been posted to the internet, the additional conduct of harvesting plaintiffs’ nonpublic, personal biometric data violated BIPA.” This additional conduct “presents grave and immediate danger to privacy, individual autonomy, and liberty.” The court found Clearview AI’s process in creating its database involves both speech and nonspeech elements, and the court therefore applied an intermediate strict scrutiny approach under United States v. O’Brien. Finding the O’Brien elements were satisfied, the court found (1) BIPA furthered an important government interest, (2) the interest was unrelated to the suppression of free expression, and (3) any incidental restriction on speech was no greater than necessary to further that interest. (The first O’Brien prong — that BIPA was within Illinois’ power to enact — was uncontested and therefore not analyzed.) The court accordingly denied Clearview AI’s motion to dismiss on First Amendment grounds.

Clearview AI raised a smattering of other arguments in support of its motion to dismiss, most of which the court rejected. Specifically, it denied the motion relating to arguments based on (1) extraterritoriality, (2) the dormant clause, (3) whether BIPA excluded information derived from photographs, (4) the defendants sued in their individual capacities as personal participants, (5) piercing Rocky Mountain Data Analytics LLC’s corporate veil to reach its parent, Clearview AI, (6) whether the plaintiffs sufficiently stated that the defendants sold or profited from the plaintiffs’ information, (7) Article III standing, (8) Virginia’s statute prohibiting unauthorized use of pictures, (9) the Virginia Computer Crimes Act, (10) the common law right to publicity under California law, (11) the right to privacy under the California Constitution, (12) New York’s Civil Rights Act, (13) unjust enrichment under Illinois, Virginia, and California law, and (14) the failure to state a claim for declaratory and injunctive relief.

The court granted Clearview AI’s motion to dismiss the claims (1) to pierce Clearview AI’s veil to reach its co-founders, (2) under California’s Unfair Competition Law, and (3) for unjust enrichment under New York law (as it was preempted by New York’s Civil Rights Act).

Clearview AI’s overwhelming rejection on Valentine’s Day pulls on one’s heart strings, but don’t lose hope. There’s always the merits …

Troutman will continue to follow this case and bring you updates as the litigation progresses.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On February 25, the Federal Reserve Board announced that in March 2022, it will begin a statistical study of household finances, the “Survey of Consumer Finances,” that will provide policymakers with important insight into the economic condition of a broad cross section of American families. For more information, click here.
  • On February 24, the U.S. Department of the Treasury released demographic data, showing that funds delivered to millions of households through its Emergency Rental Assistance program are reaching underserved and vulnerable communities. For more information, click here.
  • On February 23, the Consumer Financial Protection Bureau (CFPB) outlined possible options for upcoming rulemaking to prevent algorithmic bias in automated home valuation models. The options now will be reviewed to determine their potential impact on small businesses. For more information, click here.
  • On February 23, the Federal Trade Commission (FTC) announced it has provided the CFPB an annual summary of its activities, enforcing the Equal Credit Opportunity Act and Regulation B. For more information, click here.
  • On February 22, the FTC released data, showing that consumers reported losing more than $5.8 billion to fraud in 2021, an increase of more than 70% over the previous year. For more information, click here.
  • On February 22, the CFPB, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the Department of Housing and Urban Development, the Department of Justice, and the Federal Housing Finance Agency released an interagency statement “to remind creditors of the ability under Equal Credit Opportunity Act and Regulation B to establish special purpose credit programs to meet the credit needs of specific classes of persons.” For more information, click here.

State Activities:

  • On February 23, the Wisconsin State Legislature passed a consumer data privacy measure that would give consumers the right to know what personal data is being collected about them and to request that the data be correct or deleted. For more information, click here.
  • On February 23, Virginia Attorney General Jason Miyares, as part of a bipartisan coalition of 49 attorneys general, has “called on the Federal Trade Commission to adopt a national rule to target impersonation scams.” Attorney General Miyares stated, “Too often, Virginia businesses and consumers fall victim to sophisticated impersonation scammers trying to steal money, data, and personal information. That’s why I’ve joined a bipartisan coalition of 48 other attorneys general to encourage the Federal Trade Commission to crack down on fraud and create tougher anti-scamming rules that will protect Virginians.” For more information, click here.
  • On February 22, Connecticut Attorney General William Tong issued a consumer warning on “common scams on dating apps that have swindled Americans out of $1.3 billion in the last five years.” According to the press release, the FTC states that “dating scams are one of the costliest scams every year,” with victims losing “$547 million to romance scams [in 2021] — up 80% since 2020.” Recovery of money can be difficult from these scams, and the AG’s office provides tips to avoid becoming a victim. For more information, click here.
  • On February 18, Texas Attorney General Ken Paxton issued two civil investigative demands to TikTok, Inc. According to the press release, the “investigation focuses on TikTok’s potential facilitation of human trafficking and child privacy violations, as well as other potential unlawful conduct.” Attorney General Paxton stated, “I will get to the bottom of these concerns and make sure Big Tech doesn’t interfere with the safety and security of Texans.” For more information, click here.

Privacy and Cybersecurity Activities:

  • State Senator Joseph Rafferty (D-ME) introduced the Maine Consumer Privacy Act, which would provide consumer rights, including the right to request information, the right to deletion, and the right to opt out of the sale of their personal information. It would not provide a private right of action. The bill was referred to the Innovation, Development, Economic Advancement, and Business Committee. To read the bill, click here.
  • State Senator Kirk Cullimore (R-UT) introduced the Utah Consumer Privacy Act, which would provide consumer rights, including the right to access and delete information and opt out of the collection and use of personal data for certain purposes. It also would impose an obligation on businesses to safeguard consumers’ personal data, but would not provide a private right of action. The bill was referred to the Senate Revenue and Taxation Committee. To read the bill, click here.
  • The Wisconsin State Assembly passed Assembly Bill 957 (59-37), a Consumer Privacy Act that provides consumers the right to know what personal data is being collected, as well as the right to correct and the right to delete. It is similar to the Virginia Consumer Protection Act, which was passed in 2021. The bill does not include a private right of action. The Wisconsin State Senate now will consider the bill. To read the bill, click here.

On February 23, the Consumer Financial Protection Bureau (CFPB) issued an outline of proposals and alternatives (Outline) under consideration related to an automated valuation model (AVM) rulemaking. Despite the lack of imminency on a final rule, the Outline serves as further proof that fair lending and its application to algorithmic systems is a top priority for the CFPB, as well as other regulators at both the federal and state levels.

The Dodd-Frank Wall Street Reform and Consumer Protection Act added Section 1125 of the Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA). Section 1125 requires that AVMs meet quality control standards designed to:

  • ensure a high level of confidence in the estimates produced by automated valuation models;
  • protect against the manipulation of data;
  • seek to avoid conflicts of interest;
  • require random sample testing and reviews; and
  • account for any other such factor that the agencies determine to be appropriate.

Section 1125 also provides that the CFPB, the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Federal Housing Finance Agency (FHFA) “shall promulgate regulations to implement the quality control standards required” under Section 1125. The CFPB prepared the Outline for use in the Small Business Regulatory Enforcement Fairness Act (SBREFA) Small Business Review Panel process, during which the panel will solicit feedback and assess the impact of the potential rule on small entities.

Among other things, the Outline covers the scope of potential eventual rule requirements. In regard to the first four standards listed above, the CFPB appears to be set on requiring regulated institutions to maintain policies and procedures to ensure that AVMs used for covered transactions adhere to the specified quality control standards. However, the CFPB is weighing whether to (1) provide regulated institutions flexibility in developing these policies and procedures, or (2) impose prescriptive requirements that would be more detailed and specific.

For the fifth standard, the CFPB is considering specifying “nondiscrimination quality control criteria” as an additional standard. Noting that the use of algorithmic systems, such as AVMs, are subject to the Equal Credit Opportunity Act (ECOA) and the Fair Housing Act (FHA), the CFPB states that it is considering the potential positive and negative consumer and fair lending implications of the use of AVMs. In its discussion of fair lending concerns, the CFPB reiterates several points that have become the hallmark of CFPB Director Rohit Chopra’s views on algorithmic systems. The Outline provides the following:

The “black box” nature of many algorithms, including those used in AVMs, introduces additional fair lending concern. The complex interactions that machine learning algorithms engage in to form a decision can be so opaque that they are not easily audited or understood. This makes it challenging to prevent, identify, and correct discrimination.

The Outline goes on to note that algorithmic systems can “replicate historical patterns of discrimination or introduce new forms of discrimination because of the way a model is designed, implemented, and used.”

A final rule is not on the immediate horizon. The CFPB is requesting all small entity feedback on the Outline by April 8, and then feedback from other stakeholders by May 13. From there, the CFPB will still need to issue a notice of proposed rulemaking, which will go through its own comment process, before issuing a final rule. In the Outline, the CFPB notes that it is looking at a 12-month implementation period once the final rule is issued.

The Outline’s comments about the fair lending concerns arising from the use of algorithmic decision-making are part of a larger regulatory and consumer advocacy effort to address perceived algorithmic bias. In November 2021, House Financial Services Committee Chairwoman Maxine Waters sent a letter to the leaders of multiple federal regulators, asking them to monitor technological development in the financial services industry to ensure that algorithmic bias does not occur (see our blog post here). Then, in December 2021, the D.C. attorney general transmitted the “Stop Discrimination by Algorithms Act of 2021” for consideration and enactment by the Council of the District of Columbia (see our blog post here).

We know that algorithms can be transparent in their decision-making, fairer than models built using traditional techniques, and can make credit decisions both more accurate and more inclusive. We will continue to monitor developments related to regulation of algorithmic models at both the federal and state level.

On December 8, District of Columbia Attorney General Karl A. Racine transmitted the “Stop Discrimination by Algorithms Act of 2021 (Act)” for consideration and enactment by the Council of the District of Columbia. While discrimination of various types is prohibited by a variety of federal and D.C. laws, this bill would apply to a broader range of industries; impose affirmative requirements, including an annual self-audit and reporting requirement; and provide enforcement authority to the Office of the Attorney General for the District of Columbia (AG). The bill also includes a private cause of action, penalties up to $10,000 per violation, and punitive damages. In his press release, AG Racine had some pointed comments about algorithms and artificial intelligence:

“Not surprisingly, algorithmic decision-making computer programs have been convincingly proven to replicate and, worse, exacerbate racial and other illegal bias in critical services that all residents of the United States require to function in our treasured capitalistic society. That includes obtaining a mortgage, automobile financing, student loans, any application for credit, health care, assessments for admission to educational institutions from elementary school to the highest level of professional education, and other core points of access to opportunities to a better life. This so-called artificial intelligence is the engine of algorithms that are, in fact, far less smart than they are portrayed, and more discriminatory and unfair than big data wants you to know. Our legislation would end the myth of the intrinsic egalitarian nature of AI.”

The Act, if passed, would prohibit covered entities from making an algorithmic eligibility determination or an algorithmic information availability determination on the basis of an individual’s or class of individuals’ actual or perceived race, color, religion, national origin, sex, gender identity or expression, sexual orientation, familial status, source of income, or disability in a manner that segregates, discriminates against, or otherwise makes important life opportunities unavailable to an individual or class of individuals. In addition, any practice that has the effect or consequence of violating the above prohibition would be deemed to be an unlawful discriminatory practice.

The Act also requires that each covered entity:

  • Audit its algorithmic eligibility determination and algorithmic information availability determination practices to determine, among other things, whether such practices are discriminatory;
  • Annually send a report of the above-mentioned audit to the AG’s office;
  • Send an adverse action notice to affected individuals if the adverse action is based in whole or in part on the results of an algorithmic eligibility determination;
  • Develop a notice that details how it uses personal information in algorithmic eligibility determinations and algorithmic information availability determinations;
  • Send the above-mentioned notice to affected individuals before its first algorithmic information availability determination and make the notice continuously and conspicuously available; and
  • Require service providers by written agreement to implement and maintain measures to comply with the Act if the covered entity relies in whole or in part on the service provider to conduct an algorithmic eligibility determination or an algorithmic information availability determination.

The AG’s office would have enforcement authority for the Act, including the ability to impose civil money penalties of $10,000 for each violation. For individual claimants, the Act includes a private right of action, where aggrieved persons may recover up to $10,000 per violation. In addition, either action could result in the violating party paying punitive damages and/or attorney’s fees.

The Act’s definitions are significant:

Covered entity captures nearly any individual or entity that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one of the following criteria:

  • Possesses or controls personal information on more than 25,000 D.C. residents;
  • Has greater than $15 million in average annualized gross receipts for the three years preceding the most recent fiscal year;
  • Is a data broker, or other entity, that derives 50% or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a D.C. resident who is not a customer or an employee of that entity; or
  • Is a service provider.

Important life opportunities means access to, approval for, or offer of:

  • credit,
  • education,
  • employment,
  • housing,
  • a place of public accommodation, or

Algorithmic eligibility determination means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual’s eligibility for, or opportunity to access, important life opportunities.

Algorithmic information availability determination means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual’s receipt of advertising, marketing, solicitations, or offers for an important life opportunity.

As currently written, the Act provides no compliance grace period upon enactment. Instead, the Act would be effective upon publication in the D.C. Register.

The AG’s proposed Act is another example of regulators seeking to address the potential for discrimination in algorithms. In November 2021, House Financial Services Committee Chairwoman Maxine Waters sent a letter to the leaders of multiple federal regulators, asking them to monitor technological development in the financial services industry to ensure that algorithmic bias does not occur (see our blog post here). Further, CFPB Director Rohit Chopra has remarked in the past that “black-box algorithms relying on personal data can reinforce societal biases, rather than eliminate them.”

We will continue to monitor developments related to regulation of algorithmic models at both the state and federal level.

In a succinct, emphatic opinion issued on January 19, the Ninth Circuit quietly rejected one of the last remaining arguments made by plaintiffs attempting to neutralize the Supreme Court’s decisive Facebook opinion interpreting the Telephone Consumer Protection Act (TCPA). The Ninth Circuit affirmed a district court’s grant of summary judgment to the defendant and held that a system that stores a pre-produced list of numbers does not qualify as an automatic telephone dialing system (ATDS) under the statute.

Background

In the much-anticipated Facebook v. Duguid case on April 1, 2021, the Supreme Court issued a unanimous decision, holding that the TCPA must be read as it is written, namely, that an ATDS must have capacity to store or produce a telephone number using a random or sequential number generator. The Court’s bottom line was plain: No random or sequential number generator, no ATDS.

In the months following the opinion, TCPA plaintiffs’ counsel latched onto footnote seven in an attempt to save TCPA claims, especially against defendants who employ predictive dialers. Footnote seven reads:

Duguid argues that such a device would necessarily “produce” numbers using the same generator technology, meaning “store or” in § 227(a)(1)(A) is superfluous. “It is no superfluity,” however, for Congress to include both functions in the autodialer definition so as to clarify the domain of prohibited devices. For instance, an autodialer might use a random number generator to determine the order in which to pick phone numbers from a preproduced list. It would then store those numbers to be dialed at a later time. In any event, even if the storing and producing functions often merge, Congress may have “employed a belt and suspenders approach” in writing the statute.

Courts, however, have not looked favorably on this argument, with many rejecting the footnote seven argument. Many have held their breath, however, waiting to see how the Ninth Circuit would address it.

The Ninth Circuit’s Decision

Appellant Richard Meier appealed the Southern District of California’s grant of appellee Allied Interstate LLC’s motion for summary judgment on Meier’s TCPA claim. Echoing footnote seven of Duguid, Meier alleged that Allied Interstate’s click-to-dial, HCI system — the LiveVox Platform — was an ATDS under the TCPA because the system stores telephone numbers using a sequential number generator and produces them to be dialed in the same order they were provided.

The Ninth Circuit rejected Meier’s argument. “Under Meier’s interpretation, virtually any system that stores a pre-produced list of telephone numbers would qualify as an ATDS (if it could also autodial the stored numbers …).” The court further noted that footnote seven was “not central” to the interpretation of the TCPA and that it was not required to adopt the “expansive interpretation” proffered by Meier.

The court also found that the LiveVox system was not an ATDS because it does not have the capacity to automatically dial telephone numbers and, though Meier highlighted the system’s ability to switch from “dialer” functions to click-to-dial functions, the court nevertheless concluded that the system was not an ATDS. “The fact that LiveVox offers multiple dialers to its customers does not bring every call that LiveVox makes within the scope of the TCPA.”

The opinion packs a serious punch to eliminate footnote seven arguments in the Ninth Circuit and beyond.