Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On January 14, four House Republicans introduced legislation to “abolish” the Consumer Financial Protection Bureau (CFPB). Rep. Byron Donalds (R-FL) issued a press release, indicating Ted Cruz (R-TX) would sponsor the legislation in the Senate. For more information, click here.
  • On January 14, the CFPB announced it settled a lawsuit, alleging that the Taskforce on Federal Consumer Financial Law did not comply with the Federal Advisory Committee Act. For more information, click here.
  • On January 13, the CFPB released a bulletin, reminding debt collectors and credit bureaus of their legal obligations in light of the No Surprises Act, which protects consumers from certain unexpected medical bills. Companies that try to collect on medical bills prohibited by the No Surprises Act, or who furnish information to credit bureaus about such invalid debts, may face significant legal liability under the Fair Debt Collection Practices Act and the Fair Credit Reporting Act. The bulletin advises credit bureaus that the accuracy and dispute obligations apply to debts stemming from charges that exceed the amount permitted by the No Surprises Act. For more information, click here.
  • On January 13, a group of U.S. state banking regulators dropped a lawsuit, seeking to block the federal government from granting bank charters to fintech companies after the company that was first in line modified its business plan. For more information, click here.
  • On January 13, the Federal Trade Commission (FTC) settled charges against a business credit reporting company, arising from allegations that the company engaged in deceptive and unfair practices. The company agreed to an order, requiring substantial changes in its operations that would benefit small- and mid-sized businesses. Under the proposed order, the company also would provide refunds to certain businesses that purchased the company’s products in the belief that using the products would improve their business credit scores and ratings. For more information, click here.
  • On January 12, Congressman Tom Emmer (R-MN) introduced a bill, prohibiting the Federal Reserve from issuing a central bank digital currency (CBDC) directly to individuals. The bill contains a single amendment to the Federal Reserve Act, extending Section 13 to ban the Federal Reserve from offering products or services directly to an individual, maintaining an account on behalf of an individual, or issuing a CBDC directly to an individual. For more information, click here.
  • On January 11, the FTC issued a blog post to help consumers take advantage of the U.S. Department of Education’s decision to extend the pause on federal student loan payments. For more information, click here.
  • On January 10, the CFPB announced that it sued several debt-collection companies and their owners for illegal debt-collection practices. The CFPB alleges that the defendants placed consumer debt with, or sold consumer debt to, collection companies that used unlawful and deceptive collection tactics. The defendants knew, or should have known, the collection companies made false threats and false statements to consumers. For more information, click here.
  • On January 10, the Government Accountability Office (GAO) identified virtual currency kiosks as one reason driving an increase in the use of crypto payments to facilitate illegal activities, such as human and drug trafficking. According to the report, virtual currency kiosks are less regulated than crypto exchanges, and transactions are more difficult to trace. The GAO believes the Internal Revenue Service (IRS) and the Financial Crimes Enforcement Network (FinCEN) should do more to regulate crypto automated teller machines (ATMs), and its report indicates the agencies agreed with its two recommendations to tighten crypto ATM regulations. For more information, click here.
  • On January 10, the FTC issued an alert about a new cryptocurrency payment scam involving impersonators convincing consumers to send money obtained from a cryptocurrency ATM via a quick response code. For more information, click here.

State Activities:

  • On January 13, one of the nation’s largest student loan servicers entered into a $1.85 billion settlement agreement with a coalition of 39 attorneys general. New York Attorney General Letitia James stated that the servicer “deceived thousands of student loan borrowers into costly, long-term, forbearance plans, causing students to pay more than they should have.” Under the terms of the agreement, the servicer would cancel $1.7 billion in subprime, private student loan balances — with an additional $95 million in restitution payments to borrowers and $142.5 paid to the states. For more information, click here.
  • On January 10, New York Attorney General Letitia James issued a consumer alert to warn New York homeowners about deceptive practices related to the Homeowner Assistance Fund (HAF). According to the alert, the “HAF is a federally funded program designed to assist homeowners who are experiencing financial hardship due to the coronavirus disease 2019 (COVID-19) pandemic,” with New York state receiving approximately $540 million in HAF funding. Attorney General James warned homeowners against scams that request upfront HAF application fees or fees for upfront mortgage assistance. For more information, click here.
  • On January 10, California Attorney General Rob Bonta urged the Federal Communications Commission (FCC) to take action to prevent a “flood of illegal foreign-based robocalls that ‘spoof’ U.S. phone numbers by imposing additional obligations on the U.S.-based telecom companies that first receive such calls.” According to the attorney general’s press release, the FCC attributes “the majority of robocall scams are perpetuated by foreign actors who gain access to the U.S. phone network through ‘gateway providers.’” Attorney General Bonta urged the FCC to implement caller ID frameworks that detect and block robocalls with spoofed caller IDs. For more information, click here.
  • On January 10, New York State Assemblywoman Rodneyse Bichotte Hermelyn introduced a bill that would ban debt collectors from attempting to collect debts using social media platforms, which is in contradiction with the CFPB’s Regulation F. Under the bill, collectors would be prohibited from joining or requesting to join a consumer’s social media network or communicating or attempting to communicate with a debtor using a social media platform for the purpose of collecting or attempting to collect a debt owed by such debtor. For more information, click here.

Privacy and Cybersecurity Activities:

  • On January 13, the U.S. Chamber of Commerce sent a letter to Congress, urging members to pass federal privacy legislation. The letter was signed by various groups, local affiliates of the chamber, and others. The letter urges a “comprehensive privacy legislation” to avoid a patchwork of state laws. To read the letter, click here.
  • On January 13, U.S. Senators Bill Cassidy (R-LA) and Ben Ray Luján (D-NM) joined U.S. Representative Lori Trahan (D-MA-03) in introducing the Terms-of-Service Labeling, Design, and Readability (TLDR) Act, which would require commercial websites and mobile apps to create a simple and readable summary of their terms-of-service agreements. To read the press release, click here.
  • On January 13, the Brookings Institute released a study on how COVID-19 has impacted internet users’ privacy. This report examined websites between April 9 and August 27, 2020, and it noted that third-party data sharing “increased with internet use as the pandemic progressed and users relied more on online alternatives.” However, websites “that asked for permission before placing cookies on users’ browsers have been shown to reduce their third parties over time as their traffic surged over the pandemic.” To read the press release and report, click here.
  • On January 10, Massachusetts released a “much-anticipated” digital vaccine card through a system called SMART Health Card — a system already used in California, Connecticut, and New York, among other states. To read about the release, click here. For further Troutman Pepper analysis on digital vaccine records, click here.
  • On January 7, Florida State Senator Jennifer Bradley reintroduced the Florida Privacy Protection Act, a comprehensive privacy bill that previously failed in the Florida Senate last year. The bill would create affirmative obligations on companies that collect consumer personal information and provide consumers with certain rights. To view the bill, click here.
  • On January 10, Indiana State Representative Carey Hamilton introduced a comprehensive privacy bill that would require businesses to disclose certain information to consumers, allow consumers to request information from businesses, and assign enforcement of consumer privacy to the Indiana division of consumer protection. To view the bill, click here.
  • On January 10, Washington State Senator Reuven Carlyle reintroduced the Washington Privacy Act for a fourth consecutive session, along with companion bill Senate Bill 5813. The senate bill includes provisions on children’s privacy, data brokers, and the Global Privacy Control. To view the bill, click here.
  • On January 7, House Representative Vandana Slatter introduced a separate Washington state privacy bill, which would “establish mechanisms for consumers to exercise control over their data; and requires companies to be responsible custodians of data as technological innovations emerge.” To view the bill, click here.

Q. My company uses dash-cams to monitor driver conduct, but the company is not located in Illinois. Do I still have to comply with the Biometric Information Privacy Act?

A. Yes, as long as the company has drivers who are Illinois residents, you must comply with BIPA. The good news, however, is that as long as your company fully complies with the statute, it can continue to use telematics.

The newest targets for plaintiffs wielding their private right of action under Illinois’ Biometric Information Privacy Act (BIPA) are companies offering dash-cam “telematics.” Telematics involves use of an in-vehicle camera device that employs artificial intelligence, machine learning, and “computer vision” to collect and analyze, among other things, driver behavior. In the last few weeks, at least two complaints were filed against non-Illinois companies asserting violations of BIPA through use of telematics.

As a refresher, BIPA regulates the collection, use, safeguarding, and storage of biometric information (such as fingerprints, retina scans, or face scans). It generally requires any private entity in possession of such biometric information to: (1) develop a written policy governing management of the information; (2) inform the owner of the biometric information in writing; and (3) obtain informed prior consent to collect the biometric information and a retention schedule for destroying it.

The first telematics class action filed last week, Arendt et al. v. Netradyne Inc., No. 2022-CH-00097 (Cook County, Illinois), alleges that Netradyne supplied a “multi-use camera hardware device” to Bob’s Discount Furniture’s fleet of trucks. According to the complaint, the device captures a driver’s face geometry to “continuously monitor and classify the driver’s status as well as external variables like cars or road signs.” The data is then allegedly sent to Netradyne, which analyzes it using “vision-based artificial intelligence.” The plaintiff alleges he and class members never received notice of the collection, purpose, and length of retention of their biometric information, and never gave written consent for that collection and retention.

The second complaint, Hernandez v. Omnitracs, LLC, No. 1:22-cv-00109 (Northern District of Illinois), was brought against Omnitracs, a company that allegedly provides telematics hardware and data analytics to over 15,000 customers. According to the complaint, Omnitracs collects and scans a driver’s facial geometry to analyze his/her driving behavior, including, for example, whether the driver’s eyes are closed or if the driver is looking down. The plaintiff claims he was a driver whose employer implemented Omnitracs telematics (he does not identify his employer) and that he was never informed that the technology would be collecting his biometric information, of the purpose for the collection, or of the length of time the information would be retained. He also alleges he never gave written consent to the collection or retention.

A similar class action was brought last November against non-Illinois companies Maveric Transportation LLC and Lytx, Inc. in Madison County, IL by plaintiff Joshua Lewis (No. 2021-L-001379). Maveric is a transportation and logistics company, and Lytx offers video telematics and fleet management systems, including a DriveCam using machine vision and artificial intelligence to collect and assess facial geometry. Like the other class actions, the plaintiff in this case alleges Maveric and Lytx never provided notice of the collection, purpose, and length of retention of his biometric information and that he never gave written consent for that collection and retention. He also alleges the defendants sold, leased, traded, or otherwise profited from his biometric information.

Telematics is a critical tool to help fleet operators ensure that their drivers are safe and — ironically — to avoid exposure to litigation, resulting from automobile collisions and other road incidents. The recent flurry of telematics litigation should be a warning to companies using such technology that they must comply with BIPA if they have Illinois drivers. Such companies should make sure they comply with BIPA by, among other things, providing written notice, obtaining informed consent, and creating a publicly available retention schedule.

Companies are continuing to reap the rewards of the Supreme Court’s decision in Facebook v. Duguid earlier this year, in which the Supreme Court confirmed a narrow reading of the Telephone Consumer Protection Act’s (TCPA) much-beleaguered definition of an automatic telephone dialing system (ATDS). In the latest victory, Pascal v. Concentra, Inc., out of the Northern District of California, the district court granted summary judgment to the defendant company, holding that the text messages at issue in the class action had not been sent using an ATDS.

The plaintiff, Lawrence Pascal, claimed that Concentra’s use of Textedly, a messaging application, constituted use of an ATDS. Concentra, however, provided evidence at summary judgment showing that the Textedly system not only did not generate numbers randomly or sequentially, the system also had all of the hallmarks of human intervention that courts relied upon pre-Facebook. To send messages through Textedly, subscribers like Concentra upload lists of telephone numbers to Textedly’s platform, draft a message, schedule the transmission, and then activate the transmission. Textedly does not provide or generate any numbers itself. As the numbers are uploaded, Textedly’s database assigns each an identification number, but does not change the order of the numbers or determine when any number will be contacted. According to the call logs, Pascal’s number was texted in sequential identification number order. Pascal argued that because the phone numbers were assigned unique, sequential identification numbers, Textedly had used a random or sequential number generator to store telephone numbers, qualifying as an ATDS within the meaning of the TCPA.

Looking to recent decisions from the same court in Hufnus v. DoNotPay and Tehrani v. Joie de Vivre Hospital, the court ruled that because the phone numbers themselves are not produced randomly or sequentially, but are uploaded or manually input into Textedly, the Textedly system is not an ATDS. The court first explained that the statute’s requirement that a “number” be stored or produced by an autodialer implicitly refers to phone numbers, not the database’s identification numbers. As a result, “a platform that merely targets telephone numbers that were obtained in a non-random way is not an autodialer.” Dismissing Pascal’s arguments under Footnote 7 of the Facebook decision, the court explained that the footnote, in context, referred to a technology that randomly dialed numbers from a pre-produced but also randomly generated list, while the Textedly system did not produce numbers randomly and the numbers were contacted in the same order they were uploaded to Textedly. Based on those undisputed facts, the court held that Concentra had not used an ATDS to text Pascal, granted Concentra’s motion for summary judgment, and denied Pascal’s cross-motion.

Though certain TCPA cases continue to sneak past the motion to dismiss stage, courts continue to apply a common-sense reading of Facebook and are not swayed by attempts to expand Footnote 7 beyond its narrowly circumscribed purpose. While callers may still have to litigate through discovery, the likelihood of similar TCPA cases surviving the written motions stage continues to shrink. Finally, the stand-by of human intervention continues to pay dividends. Facebook may have provided clarity, but traditional evidence of consistent and repeated human intervention still holds sway with federal courts.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities:

  • On December 9, the Federal Deposit Insurance Corp. (FDIC) rebuked a move by its Democratic members seeking public feedback on how the agency analyzes potential bank mergers. The FDIC stated that the board had not voted or approved the release and that it was not seeking comment or information. For more information, click here.
  • On December 8, U.S. Senators John Thune and Ed Markey, authors of the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, introduced the Robocall Trace Back Enhancement Act, which would help bolster privately led efforts to trace the origins of illegal and bothersome robocalls. For more information, click here.
  • On December 8, the Consumer Financial Protection Bureau (CFPB) issued a Supervisory Highlights report on legal violations identified by the CFPB’s examinations in the first half of 2021. The report also highlights prior CFPB supervisory findings that led to public enforcement actions in the first half of 2021. For more information, click here.
  • On December 7, the CFPB finalized a rule facilitating the transition away from the LIBOR interest rate index for consumer financial products. The rule establishes requirements for how creditors must select replacement indices for existing LIBOR-linked consumer loans after April 1, 2022. No new financial contracts may reference LIBOR as the relevant index after the end of 2021. Starting in June 2023, LIBOR can no longer be used for existing financial contracts. The transition away from LIBOR was set into motion after a criminal rate-setting conspiracy implicated large international banks and undermined public confidence in the index. Approximately $1.4 trillion in consumer loans are estimated to be currently tied to LIBOR. For more information, click here.
  • On December 7, the U.S. Department of Housing and Urban Development released guidance on the Fair Housing Act’s treatment of certain special purpose credit programs designed and implemented in compliance with the Equal Credit Opportunity Act and Regulation B. For more information, click here.
  • On December 6, the Office of the Comptroller of the Currency warned of elevated operational risks stemming from increasingly “brazen” cyberattacks and ransomware schemes, urging banks to employ the latest fintech security measures and system backups to protect customer data. For more information, click here.

State Activities:

  • On December 6, the Attorney General of Nebraska, Doug Peterson, announced the creation of a Consumer Affairs Response Team (CART) to protect residents of the state from frauds, scams, and deceptive business practices. For more information, click here.
  • On December 6, the American Bankers Association, American Financial Services Association, California Financial Services Association, and Consumer Bankers Association filed a joint amicus brief with the California Supreme Court in Pulliam v. HNL Automotive Inc., a case with significant implications for the amount of money a plaintiff can recover when proceeding against a dealer/seller under the FTC Holder Rule. For more information, click here.

Privacy and Cybersecurity Activities:

  • On December 9, the New York Department of Financial Services (NYDFS) released new guidance addressing the question of whether covered entities should implement a cyber assessment framework (e.g., the NIST Cybersecurity Framework, the FFIEC Cyber Assessment Tool, etc.) as part of their risk assessment process. These risk assessments are required under Sections 500.9 & 500.2(b) of the NYDFS Cybersecurity Regulation. In this brief guidance update, NYDFS states that it does “not require a specific standard or framework for use in the risk assessment process” and that entities should “implement a framework and methodology that best suits their risk and operation.” For more information, click here.
  • On December 9, the National Institute of Standards and Technology (NIST) released an updated version of their “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach” guidance (NIST Special Publication 800-160). This guidance is intended to help organizations “anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on systems.” In the accompanying press release, NIST notes that this latest version offers “significant new content and support tools for organizations to defend against cyber-attacks.” Prioritizing cyber-resilience has been especially important during the pandemic, as many businesses have been forced to implement and rely on new systems/software for remote working. For more information on this guidance, click here.
  • On December 9, Senators Chris Coons (D-DE), Rob Portman (R-OH), and Amy Klobuchar (D-MN) announced the release of the Platform Accountability and Transparency Act (PATA). Under this bill, social media companies would be required to provide internal data about their platforms to university-affiliated researchers for National Science Foundation-approved research projects. It would also expand the Federal Trade Commission’s (FTC) authority to “require that platforms proactively make certain information available to researchers or the public on an ongoing basis, such as a comprehensive ad library with information about user targeting and engagement.” Further, under PATA, a new “Platform Accountability and Transparency Office” would be established within the FTC. This office would create privacy and cybersecurity safeguards for the use of data furnished under PATA. A full version of this legislation is available here.

On November 29, House Financial Services Committee Chairwoman Maxine Waters (D-CA) and committee member Bill Foster (D-IL) sent a letter to the leaders of multiple federal regulators, asking them to monitor technological development in the financial services industry to ensure that algorithmic bias does not occur. The letter was sent to the following individuals:

  • Jerome Powell, Chairman, Board of Governors of the Federal Reserve System (the Fed)
  • Todd Harper, Chairman, National Credit Union Administration (NCUA)
  • Rohit Chopra, Director, Consumer Financial Protection Bureau (CFPB)
  • Jelena McWilliams, Chairman, Federal Deposit Insurance Corporation (FDIC)
  • Michael Hsu, Acting Comptroller, Office of the Comptroller of the Currency (OCC)

Last Congress, the committee convened the Task Force on Artificial Intelligence — headed by Foster — to examine, among other things, how to reduce algorithmic bias. The task force held three hearings on artificial intelligence (AI) and machine learning (ML) in 2021. The first, held in May, focused on the use of AI/ML and explored how human-centered AI can build equitable algorithms and address systemic racism in housing and financial services. The second, held in July, examined how financial institutions rely on AI to create and authenticate digital customer identities. The third, held in October, focused on governments, industry, and society and the need for these groups to develop better AI ethical frameworks.

The letter argues that historical data used as inputs for AI and ML may contain longstanding biases that could potentially create models that discriminate against protected classes — such as race or sex — or proxies of such variables. For example, the letter notes that the use of ZIP codes in loan applications and related lending processes can lead to disparate racial lending outcomes, even though ZIP codes appear to be neutral, because ZIP codes may act as a proxy for race or ethnicity.

The letter asks the regulators to prioritize the following areas in their oversight of AI use:

  • Transparency and Explainability. The letter advocates for human review of automated decision systems rather than a “black box” approach, and it encourages the regulators to develop guidelines and potential rulemaking to make financial institutions disclose pertinent information on their AI modeling, data sets, and methodologies.
  • Oversight and Enforceability. The letter states that regulators must ensure that financial institutions are following all consumer, investor, and housing laws, and it advocates for the use of “regtech” monitoring and compliance systems by financial institutions.
  • Safeguarding Consumer Privacy. The letter provides that financial institutions must safeguard consumer information in their use of AI and must not share such information with third parties without consent.
  • Promoting Fairness and Equity in AI Usage. The letter states that financial institutions using AI must be extra vigilant in proactively addressing algorithmic bias, and they must be encouraged to do more to promote racial and gender equity.

The letter is yet another reminder that both regulators and legislators are keenly watching both the use of AI and ML in financial services and the concept of equity more generally.

Wednesday, December 8 • 2:30 – 3:30 p.m. ET

Join us on Wednesday, December 8 as a panel of Troutman Pepper class-action litigators examine recent developments in class-action litigation and provide insights on what the future holds. The panel will dive into the major decisions rendered this year and explore ways for class-action practitioners and in-house counsel to manage class actions effectively and efficiently.

The Federal Trade Commission (FTC) recently released a “Serving Communities of Color” report that details fraud and consumer issues that have a disproportionately negative impact on communities of color. This report is the latest installment released by the FTC on the topic and follows prior initiatives, such as the 2014 “Every Community Initiative” that helped the FTC develop a strategic plan for addressing disparities in communities of color and the June 2016 “Combating Fraud in African-American and Latino Communities” report, which focused on reducing fraud in Black and Latino communities.

The report focuses its findings on Black and Latino communities and summarizes the FTC’s efforts over the last five years to address and understand consumer issues that have disproportionately impacted these communities. The report explains that the FTC filed more than 25 actions involving alleged conduct that either targeted or disproportionately impacted communities of color. The report includes 10 main law enforcement areas affecting communities of color: automobile buying; for-profit school advertising; marketing prepaid cards; government impersonators; marketing for inmate services; jobs and money-making opportunities; credit, background checks; access to housing; and payday loans and debt collection.

Some of the most relevant insights from the 2021 report data include:

Within Majority Latino Communities

  • Majority white and Latino communities were more susceptible to impersonator scams, while majority Black communities faced issues with credit bureaus at higher rates.
  • When compared against majority white communities, majority Latino communities filed more reports related to credit bureaus, banks and lenders, debt collection, auto issues, and business opportunities.

Within Majority Black Communities

  • The FTC analyzed 23 cases that revealed typical cases for consumers in majority Black communities involved issues with, among other things, payday loan applications, student debt relief programs, and money-making schemes, such as false “work-at-home-business opportunities” and “employment scams” where scammers promise large profits for selling certain products.

Within Both Majority Black and Latino Communities

  • Reports from majority Black and Latino communities show that these groups are more likely to pay scammers in ways that have few, if any, fraud protections by paying with the following: cash, cryptocurrency, money orders, and debit cards. In contrast, reports from majority white communities show that this group is more likely to pay scammers with credit cards.

Additionally, the report emphasizes that outreach programs are an integral part of the FTC’s work to protect and educate consumers in all communities. The FTC notes that it has grown its outreach efforts to reach communities of color by listening to and working with trusted sources in those communities to deliver consumer protection messages in an effective way. Additionally, the FTC has furthered its community outreach efforts by working with national and local minority organizations to educate consumers, create consumer education materials in multiple formats and languages, and create educational materials to alert people to scams and offer helpful information to those affected financially by COVID-19.

The report serves as another example of the FTC’s focus on disparities with fraud and consumer issues facing minority communities.

Federal Activities:

  • On November 4, the Consumer Financial Protection Bureau (CFPB) released research, finding that consumers in majority Black and Hispanic neighborhoods, as well as younger consumers and those with low credit scores, are far more likely to have disputes appear on their credit reports. As part of a series of reports focusing on trends in the consumer financial marketplace, the new research uses data on auto loan, student loan, and credit card accounts opened between 2012 and 2019. For more information, click here.
  • On November 4, the Occupational Safety and Health Administration (OSHA) released the COVID-19 vaccination emergency temporary standard (ETS), which became effective on November 5. Employers covered by the standard must develop, implement, and enforce a mandatory COVID-19 vaccination policy, with the exception of employers that instead adopt a policy requiring employees to either get vaccinated or in lieu of vaccination, choose to undergo regular COVID-19 testing and wear a face covering at work. For more information, click here.
  • On November 2, the CFPB issued an advisory opinion, affirming that consumer reporting companies, including tenant and employment screening companies, are violating the law if they engage in shoddy name-matching procedures. Regulators are concerned about the significant harms caused by false identity matching, where an applicant is disqualified from rental housing or a job based on having the same name as another individual with negative information in his/her credit history. Specifically, the CFPB affirmed that matching consumer records solely through the matching of names is illegal under the Fair Credit Reporting Act. For more information, click here.
  • On November 1, the Treasury Department called on Congress to regulate issuers of “stablecoins” and urged financial agencies to assess whether the role of these fast-growing digital assets in the country’s payments system posed a systemic risk. For more information, click here.
  • In October, the Consumer Bankers Association released a new white paper, “The Case For Regulation Through Rulemaking & Guidance,” that advocates for the CFPB to use rulemaking and informal written guidance in lieu of attempting to create new industry regulatory standards through enforcement. For more information, click here.

State Activities:

  • On November 3, the New York State Department of Financial Services (DFS) announced proposed regulations that will “evaluate how well New York regulated banking institutions are serving their communities under an enacted amendment New York State’s Community Reinvestment Act (CRA) with respect to minority- and women-owned businesses.” The proposed regulation is subject to a 60-day comment period, following publication in the State Register. For more information, click here.
  • On November 3, California Attorney General Rob Bonta announced the creation of a Housing Strike Force within the California Department of Justice and that his office would convene a series of tenant roundtables across the state. “California is facing a housing shortage and affordability crisis of epic proportion,” said Attorney General Rob Bonta. “Our Housing Strike Force, along with the tenant roundtables and Housing Portal, will allow DOJ to ramp up our efforts to tackle this crisis and advance housing access, affordability, and equity across California.” For more information, click here.
  • On November 4, South Carolina Attorney General Alan Wilson issued a statement after OSHA released the details of its private employer vaccine mandate, indicating “[t]his is garbage and it’s unconstitutional so we will be fighting it. OSHA does not have the authority for this kind of mandate.” Attorney General Wilson stated South Carolina plans to join other states in filing a lawsuit to stop the regulations. For more information, click here.
  • On October 29, the New York State Department of Financial Services issued proposed revisions to the regulation concerning third-party collection agencies and debt buyers. The amendments intend to help ensure consumers only pay debts they owe and pay them only once by improving consumers’ access to information about alleged debts and by mitigating opportunity for predatory debt collection. For more information, click here.

Privacy and Cybersecurity Activities:

  • On November 5, the Federal Trade Commission (FTC) published tips intended to help small businesses bolster their digital defenses. Since the COVID-19 pandemic has forced small businesses into the virtual world, many businesses may not have the strongest cybersecurity practices due to lack of preparation time. The FTC recommends (1) making sure your tech team follows best practices to fend off a ransomware attack and (2) scheduling a security refresher for your employees. The FTC recommends a refresher for all staff — not just information technology personnel. To read the full article, click here.
  • On November 2, Republicans in the House Energy and Commerce Committee released a draft privacy bill known as the Control Our Data Act (CODA). As currently drafted, CODA would not offer a private right of action and would prevent states from exceeding “one national standard” in privacy legislation. Cathy McMorris Rodgers argues that a “national standard will provide clear rules of the road and give Americans the same data protections wherever they go[.]” In addition, the bill calls for establishing a new administrative unit, the Bureau of Consumer Privacy Protection and Data Security, which would be tasked with enforcement, education, and rule making powers. For those interested in reading the full draft privacy bill, click here.
  • On November 3, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01, which sets vulnerability management priorities for federal agencies. While these directives only apply to federal civilian agencies, CISA strongly recommends that private businesses, as well as local and state governments, prioritize mitigation of vulnerabilities listed in CISA’s public catalog. These priorities include (1) establishing a process to review and update agency internal vulnerability management procedures, (2) defining necessary action to enable prompt response to actions required by this directive, and (3) remediating each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. With the rise of ransomware attacks and remote work, businesses and governments alike can take guidance from this directive. To read the full directive, click here.

In a report released on November 2, the Consumer Financial Protection Bureau (CFPB) found that credit report disputes more commonly occur among consumers in majority Black and Hispanic neighborhoods than consumers in majority white neighborhoods. New CFPB Director Rohit Chopra attributed this disparity to alleged “[e]rror-ridden credit reports” that “are far too prevalent and may be undermining an equitable recovery” for minority consumers.

The Fair Credit Reporting Act (FCRA) allows consumers to file a dispute with a credit reporting agency (CRA) if they believe an inaccuracy exists on their credit report. The FCRA then requires the CRA to conduct a reasonable investigation and correct any inaccuracies discovered as a result of its investigation.

The CFPB’s report seeks to “document how disputes can appear in credit data, the characteristics of consumers whose disputes appear on their credit reports, and what happens to accounts that have been reported as being disputed.” The report catalogued the percentage of auto loan, student loan, credit card, and retail card accounts opened between 2012 and 2019 in which a dispute flag appeared on the applicant’s credit report. The report then isolated these statistics by various demographic categories based on census data for the area in which the consumer resided. The resulting numbers showed that credit disputes more commonly occur among consumers residing in areas identified as majority Black or Hispanic by census data. In particular, the research found that consumers residing in majority Black neighborhoods were more than twice as likely to file credit report disputes as those in majority white areas.

The CFPB’s report concluded that this demographic disparity was “striking,” but also noted “a few important caveats to this result.” First, it noted that census data on race and ethnicity strongly correlated with other characteristics that may affect the likelihood of a dispute to appear on the consumer’s record, most notably credit score. The report acknowledged that “[i]t may be that the disparity in dispute flag rates by census tract race in part reflects the patterns in credit score.” Second, the report noted that census data on race is only a proxy for the consumer’s actual race, and therefore it does not necessarily reflect the actual race of each consumer for whom a dispute flag appeared.

In addition to showing a disparity correlating to race and ethnicity, the report also revealed that younger consumers were generally more likely to have disputes appear on their consumer records than older consumers, contrary to the researchers’ expectation that older consumers, “who typically have more experience with the credit system,” would more likely file disputes. Finally, the report showed a strong correlation between a consumer’s credit score and the likelihood of dispute, with consumers with credit scores below 619 being roughly twice as likely to have a dispute on their credit report than not. The report further noted several caveats for this finding, including that consumers with low credit scores may be more likely to experience errors in the first place, or that these consumers are more likely to monitor their credit reports frequently due to experiencing credit denials more often.

The report concluded that the results, “[w]hile providing some key facts, … also raise further questions.” One such question raised was “whether these patterns are driven by differences across groups and credit types in the type or frequency of the underlying issues that result in a dispute flag, or whether they are driven by furnishers’ practices for reporting dispute flags or responding to disputes.”

In its press release announcing the report’s findings, the CFPB emphasized its commitment to conduct further research on these issues and to investigate the underlying reasons for the demographic disparities revealed by the report.

The California Privacy Protection Agency (CPPA) is the first state privacy agency in the nation and was created as part of the California Privacy Rights Act (CPRA). While this agency has already been formed, it will not begin enforcement activities until July 1, 2023 (six months after the CPRA takes effect).

The agency’s mandate includes enforcing California privacy law, a duty currently carried out by California’s attorney general. In addition to enforcement, the CPPA will engage in other functions, including privacy rulemaking and promoting public awareness of privacy issues. In recent weeks, the CPPA’s executive director was announced, and the agency has issued a call for public comments on initial rulemaking. These developments shed some light on the future of this privacy-focused regulatory agency.

Appointment of Ashkan Soltani

On October 4, the CPPA announced that Ashkan Soltani would serve as its inaugural executive director. As executive director, Soltani will oversee the day-to-day operations of the agency, as well as direct enforcement, rulemaking, and public awareness activities.

Soltani is a self-described “independent researcher and technologist specializing in privacy, security, and technology policy.” He currently holds a dual appointment at Georgetown University Law School as a distinguished fellow at both the Institute for Technology Law & Policy and the Center on Privacy & Technology. In these academic roles, Soltani’s research has focused on areas such as consumer protection, online tracking, surveillance, and mobile privacy. Soltani formerly served as chief technologist for the U.S. Federal Trade Commission (FTC) and as senior advisor to the White House under President Obama. In California, Soltani helped author both the CCPA and CPRA. He also has been a vocal advocate of “global privacy control” (GPC),[1] which was subsequently included in the CCPA’s regulations.[2]

Earlier this month, Soltani provided testimony during the Senate Commerce Committee’s “Protecting Consumer Privacy” hearing. During his testimony, Soltani called out multiple large tech companies by name, highlighting his role in bringing successful enforcement actions against these entities during his tenure at the FTC. Soltani also highlighted the fact that the FTC “doesn’t have the adequate resources to properly investigate [large tech companies].” Soltani further expressed his support for additional FTC funding and the establishment of an FTC privacy bureau. Soltani also emphasized hiring technologists and highlighted the important support role they played at the FTC. For more information, see Troutman Pepper article here.

Under his leadership, the CPPA is expected to focus on consequential cases as opposed to just issuing fines. Professor Chris Hoofnagle predicts that this will “require companies to advocate differently [and] lawyers will have to have a forensic-level understanding of client practices.”[3] Justin Brookman, director of Consumer Privacy and Technology Policy at Consumer Reports, expects Soltani to aggressively focus on advertising technology issues and GPC noncompliance.[4] Digital publishers, advertisers, and advertisement technology firms are among those that will likely be most impacted by a stronger focus on email-based identity technology, which the ad tech industry appears to be embracing as an alternative to cookies.

With his background and expertise, Soltani is expected to be cognizant of the variety of stakeholders and views involved, while seeking to protect consumer privacy in a way that meets the expectations of regulators and other privacy officials around the world.

CPRA Rulemaking

The CPPA has already issued a call for comments related to any area on which the CPPA has authority to adopt rules. These topics include:

  1. Cybersecurity audits and risk assessments,
  2. Activities that involve automated decision making and profiling,
  3. The CPPA’s authority to audit businesses’ compliance with the law,
  4. Procedures and rules to facilitate consumer rights, such as the right to delete, right to correct, and right to know,
  5. Consumers’ right to opt out of selling or sharing personal information,
  6. Consumers’ rights to limit the use and disclosure of “sensitive personal information” (a new concept introduced under the CPRA),
  7. Information to be provided in response to a consumer’s request to know, and definitions and categories of information.

In addition to these topics, the public may submit comments on any other area of interest related to the CPPA. Preliminary comments are due by November 8, 2021.

The CPPA’s final deadline to promulgate regulations is July 1, 2022, which will allow companies time to comply before the CPRA goes into effect on January 1, 2023. In order to meet this July deadline, the agency will need to publish an initial draft of the regulations no later than December 2021 to account for the time necessary for approval by the California Office of Administrative Law and the required public comment periods. Enforcement of the CPRA will begin July 1, 2023.

Conclusion

Soltani is a well-respected privacy and technology expert with experience in the academic and regulatory spaces. His appointment signals that the CPPA will likely take an aggressive stance when enforcing privacy regulations and policy. Companies that are not currently CPRA compliant should take the time to review their current privacy policies in preparation for the January 1, 2023 enforcement date, and also keep watch on any new rulemaking initiated by the CPPA. Troutman Pepper will continue to monitor and provide updates on the CPPA.

Additional Resources

At Troutman Pepper, we understand the complexities of information technology and how it intersects with the changing regulatory landscape. Our team is dedicated to breaking down complex legal issues and providing guidance that both business and information technology/security teams can understand. As it relates to the CPRA, Troutman Pepper issued a compendium on the CPRA, which provides an overview of the operational impact of the CPRA on existing CCPA compliance frameworks. It focuses on issues including notable updates to existing definitions, the addition of new consumer rights, modifications to existing CCPA rights, and newly introduced concepts (at least for the CCPA), such as data minimization and limitations on the use of “sensitive personal information.” Readers can access Troutman Pepper CCPA-related articles and resources by clicking here.


[1] This browser extension then informs every website that the user visits, which allows a user to broadly signal their request instead of submitting individual requests to each website. Current California Attorney General Rob Bonta has already listed this as an acceptable method for businesses to accept requests from consumers. As discussed below, the CPPA is expected to promulgate further rules regarding opt out rights and has already issued a public call for comments on the topic.

[2] There has been growing interest in designs and technology that allows a consumer to (1) easily understand data processing activities and (2) understand privacy controls quickly and to set them conveniently. For example, Apple launched “nutrition labels,” which are modeled after nutrition labels on packaged food and are intended to provide consumers with a user-friendly overview of how each application processes their data. For further analysis please see https://www.law360.com/technology/articles/1432138/-app-store-nutrition-labels-raise-new-privacy-risks-for-cos-.

[3] See https://www.ischool.berkeley.edu/news/2021/alum-ashkan-soltani-named-executive-director-california-privacy-protection-agency.

[4] See https://iapp.org/news/a/ftc-alum-soltani-selected-to-lead-cppa/.