Search auto data

In recent months, updated versions of the Data Protection Act of 2020 and the SAFE DATA Act have been reintroduced in the U.S. Senate. This post provides an overview of these updated privacy bills, both of which were previously introduced during the 116th Congress.

The Data Protection Act of 2021

On June 17, Sen. Kirsten Gillibrand (D-NY) introduced the Data Protection Act of 2021 (S. 2134). This latest bill includes significant updates from the previous version; however, both versions share the primary purpose of establishing a federal Data Protection Agency (DPA). Under this law, most of the Federal Trade Commission’s (FTC) privacy-related authority would be transferred to the DPA. This independent agency would be led by a director, who would be appointed by the president for a five-year term, much like the current structure of the CFPB.

Noteworthy updates include the following:

  • New Defined Terms: New definitions clarify the role and scope of the DPA. This includes definitions for “data aggregators”[1] and “service providers,”[2] which are the primary parties regulated by the DPA. The latest version also introduces the concept of “privacy harm,”[3] which is a key term in the sections of the bill describing the objectives and purpose of the DPA.
  • Merger Supervision: The DPA must (i) conduct a review of any merger that involves either “large data aggregators”[4] or the transfer of 50,000 individuals’ personal data and (ii) submit a report describing the “privacy and data protection implications” of such mergers to the Department of Justice (DOJ) and the FTC.
  • High-Risk Data Practices[5] Oversight: Additional enforcement power/oversight for certain “high-risk data practices.”
  • Office of Civil Rights: Establishes an Office of Civil Rights within the DPA and outlines the powers and duties of this office.
  • Larger Penalties and Fines: Remedies include fines (which vary based on severity from $5,000 to $3 million per day), disgorgement, limits on future activities, etc.

Many other state and federal privacy bills have sought to establish similar privacy-focused regulatory agencies; however, unlike the Data Protection Act of 2021, most of these bills also establish a comprehensive privacy regime (i.e., provide data subject rights, require privacy policies, etc.). The Data Protection Act of 2021 would only preempt state laws “to the extent that any such provision of law is inconsistent with the provisions of this title, and then only to the extent of the inconsistency.” In other words, state laws that offer greater protection, such as the California Consumer Privacy Act (CCPA), would likely remain in full effect.

The SAFE DATA Act

On July 28, Sens. Roger Wicker (R-MS) and Marsha Blackburn (R-TN) reintroduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S.2499). The previous version of the SAFE DATA Act was introduced in 2019 and was created by combining a discussion draft of the U.S. Consumer Data Protection Act with provisions from the Filter Bubble Transparency (FBT) Act[6] and the Deceptive Experiences to Online Users Reduction (DETOUR) Act[7].[8] Both the FBT Act and the DETOUR Act addressed narrower privacy-related issues, with a general focus on restricting the use of data with regards to consumer manipulation technologies.

The 2021 version of the SAFE DATA Act does not include the provisions that were incorporated from the FBT Act (which was separately reintroduced by Sen. Randolph Thune (R-SD)) or the DETOUR Act. These deletions make up the majority of the substantive changes to this bill. Other noteworthy changes reflected in the 2021 version include a prohibition on processing activities that violate civil rights law, and the removal of a provision affirming the FTC’s ability to seek equitable relief for privacy law violations.

Unlike the Data Protection Act of 2021, the SAFE DATA Act would establish a comprehensive federal privacy regime that includes many of the concepts found in other data privacy laws (e.g., data subject rights, consent requirements for sensitive data, and privacy policy requirements). This law would apply to most for-profit entities, nonprofits, and common carriers; however, a limited exception[9] is provided for smaller entities. The SAFE DATA Act includes a savings provision[10] that covers the Gramm-Leach-Bliley Act (GLBA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and numerous other sectoral privacy laws. This law would be enforced by both the FTC and state attorneys general and does not include a private right of action for consumers. Unlike the Data Protection Act of 2021, the SAFE DATA Act would preempt state privacy laws.

Both the Data Protection Act of 2021 and the SAFE DATA Act would provide additional resources for the federal regulation of privacy. Specifically, the FTC would be appropriated $100 million to enforce the SAFE DATA Act. The Data Protection Act of 2021 does not appropriate a specific amount of funding; however, the bill does state that the DPA should be apportioned “sums as may be necessary to carry out this Act.” Funding for the DPA could also come from assessments and fees on data aggregators, the existence and amount of which would be determined by the DPA’s director. These two bills also both provide for increased scrutiny with regards to the processing of certain sensitive data types, including biometric data and precise geolocation information.

As of late August, neither bill had advanced beyond committee assignment. In June, the chair of the Senate Commerce Subcommittee on Communications, Sen. Richard Blumenthal (D-CT), indicated there may be hearings on privacy this summer; however, as of late August no such hearings have taken place. Up to this point in the legislative session, cybersecurity and infrastructure seem to have taken priority over privacy. This focus can be attributed in part to the Colonial Pipeline ransomware attack.

Given this lack of federal movement, the prospect of a fragmented state-driven privacy regulatory landscape in the U.S. seems more likely than ever. Businesses should focus on ensuring that they are prepared for 2023, when the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA) all come into effect. During this current period of uncertainty businesses should also focus on the concepts that are consistent across most of the federal and state privacy bills/laws (e.g., data minimization, data subject rights, consent for sensitive data, etc.). Focusing on these general concepts and remaining flexible will allow for businesses to more quickly adapt and comply with future privacy regimes.

 

 

[1] Data aggregators are defined as “any person that collects, uses, or shares, in or affecting interstate commerce, an amount of personal data that is not de minimis, as well as entities related to that person by common ownership or corporate control.”

[2] Service providers are defined as “a data aggregator that collects, uses, or shares personal data only on behalf of another data aggregator in order to carry out a permissible purpose, and only to the extent of such activity.”

[3] Privacy harm is broadly defined. Examples of privacy harm include direct or indirect financial harm, physical harm, reputational harm, a threat to an individual or property, psychological harm (including anxiety, embarrassment, fear, etc.), the chilling of free expression, discrimination, etc.

[4] Large data aggregators are data aggregators that have more than $25 million in gross annual revenue or annually process the data of 50,000 individuals, households, or devices.

[5] Examples include but are not limited to the use of automated decision-making systems, the large-scale systematic processing of publicly available data, the processing of an individual’s precise geolocation, etc.

[6] This Filter Bubble Transparency Act would require that internet platforms provide their users with “the option to engage with a platform without being manipulated by algorithms driven by user-specific data.”

[7] The Deceptive Experiences to Online Users Reduction Act aims to (i) “prohibit the usage of exploitative and deceptive practices

by large online operators” and (ii) “promote consumer welfare in the use of behavioral research by such providers.” Specifically, this legislation is aimed at preventing “dark patterns,” which Sen. Warner described, as follows in the press release for this legislation: “The term ‘dark patterns’ is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not take under normal circumstances.”

[8] The FBT Act and the DETOUR Act were previously introduced with bipartisan support; however, despite this support, the 2019 version of the SAFE DATA Act did not advance beyond committee assignment.

[9] Portions of the SAFE DATA Act would “not apply in the case of a covered entity that can establish that, for the 3 preceding calendar years (or for the period during which the covered entity has been in existence if such period is less than 3 years) — (1) the covered entity’s average annual gross revenues did not exceed $50,000,000; (2) on average, the covered entity annually processed the covered data of less than 1,000,000 individuals; (3) the covered entity never employed more than 500 individuals at any one time; and (4) the covered entity derived less than 50 percent of its revenues from transferring covered data.”

[10] These provisions establish that the new law should not be construed to modify, limit, or supersede other existing laws.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

Our bank and loan servicing clients also face novel challenges affecting their industry due to COVID-19, particularly the ever-changing rules and regulations concerning evictions and foreclosures. We closely track these updates and have assembled an interactive tracker containing state orders and guidance documents regarding residential foreclosure and eviction moratoriums.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On August 27, the U.S. Supreme Court lifted the U.S. Centers for Disease Control and Prevention’s (CDC) moratorium on evictions. The Court found that the CDC lacked authority to impose the moratorium at this point during the COVID-19 pandemic. For more information, click here.
  • On August 27, the Board of Governors of the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency released a guide intended to help community banks assess risks when considering relationships with financial technology companies. Community banks are entering into business arrangements with fintech companies to offer enhanced products and services to their customers, increase efficiency, and reduce internal costs. This guide serves as a resource for community banks when performing due diligence on prospective relationships with fintech companies. For more information, click here.
  • On August 26, the U.S. Department of Education (DOE) announced it will make $1.1 billion in closed school discharges available to an additional 115,000 borrowers who attended the now-defunct ITT Technical Institute (ITT). This decision is based on a new review of the problems leading up to ITT’s closure. These borrowers did not complete their degree or credential and left ITT on or after March 31, 2008. The DOE estimates that 43% of these borrowers are currently in default. This action brings the total amount of loan discharges approved by the DOE since January 2021 to $9.5 billion, affecting over 563,000 borrowers. For more information, click here.
  • On August 25, the Consumer Financial Protection Bureau (CFPB) Ombudsman Wendy Kamenshine issued the 2021 Midyear Update, including news that the CFPB’s post-examination survey of supervised entities program is in the final development stages. For more information, click here.

State Activities:

  • On August 27, in response to the Tropical Storm/Hurricane IDA state-declared emergency, the Louisiana Public Service Commission has enacted temporary restrictions on callers, including those using automatic dialing and announcing devices, and has ordered a mandatory prohibition on solicitation. For more information, click here.
  • On August 26, Illinois Attorney General Kwame Raoul issued a press release applauding “Governor JB Pritzker for signing legislation Raoul initiated to protect student loan borrowers and help them select a student loan option that best meets their needs.” House Bill 2746, also known as “Know Before You Owe,” provides student borrowers with information about federal aid eligibility before turning to private loans. “For millions of student loan borrowers, the struggle of making loan payments has been exacerbated by the COVID-19 pandemic’s economic impact,” Raoul said. “Students should not be faced with a lifetime of debt because they were unaware they were eligible for federal aid or because they fell victim to the unfair and deceptive practices of a student loan debt relief company.” For more information, click here.
  • On August 24, California Attorney General Rob Bonta issued guidance to health care providers and facilities, reminding those entities of their obligations to comply with state and federal health data privacy laws. Attorney General Bonta reminded stakeholder organizations in a bulletin that entities “must notify the California Department of Justice (DOJ) when the health data of more than 500 California residents has been breached.” These obligations are located in California Civil Code Section 1798.82. For more information, click here.
  • On August 20, Arizona Attorney General Mark Brnovich issued a legal opinion regarding “COVID-19 vaccine mandates for employees, patrons of businesses, and airline passengers under existing state and federal laws.” In this opinion, Attorney General Brnovich stated: (1) “Schools, public universities, community colleges, and state and local governments are statutorily prohibited from requiring employees to obtain COVID-19 vaccinations;” (2) “private businesses can mandate vaccinations for employees but must provide reasonable accommodations for employees who cannot obtain the COVID-19 vaccine due to a disability or a sincerely held religious belief;” (3) private business may mandate vaccination for patrons but must also “provide reasonable accommodations to patrons who cannot obtain the COVID-19 vaccine due to disability … [or] sincerely held religious belief;” and (4) an “an airline may not refuse a customer based on a communicable disease unless the customer (1) actually has a communicable disease (2) that is a direct threat to other passengers, and (3) cannot obtain a medical certificate setting forth preventative measures.” For more information, click here.

Privacy and Cybersecurity Activities:

  • On August 24, California Attorney General Rob Bonta reminded health care providers that they need to be in “full compliance with state health data privacy laws[.]” Specifically, the Attorney General told “[health care] entities that they must notify the California Department of Justice (DOJ) when the health data of more than 500 California residents have been breached.” As the pandemic continues, more entities are entrusted with private and deeply personal information. Attorney General Bonta urged health care entities to:
    • “Keep all operating systems and software housing health data current with the latest security patches;
    • Install and maintain virus protection software;
    • Provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
    • Restrict users from downloading, installing, and running unapproved software; and
    • Maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.”

For those interested in reading the full announcement, click here.

  • On August 23, Wired reported that the Power Apps portal service was misconfigured, which led to more than a thousand web applications accessible to the general public, “including data from a number of [COVID]-19 contact tracing platforms, vaccination sign-ups, [and] [COVID]-19 vaccination status.” The report describes that the exposed data came from the Power Apps development platform, making it easy to create web or mobile apps. “If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend.” To read the full report, click here. For those interested in learning about privacy guidelines for COVID-19 contact-tracing app makers, click here.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

Our bank and loan servicing clients also face novel challenges affecting their industry due to COVID-19, particularly the ever-changing rules and regulations concerning evictions and foreclosures. We closely track these updates and have assembled an interactive tracker containing state orders and guidance documents regarding residential foreclosure and eviction moratoriums.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On July 30, the U.S. Department of Agriculture, U.S. Department of Housing and Urban Development, U.S. Department of Veterans Affairs, and the Federal Housing Finance Agency extended their foreclosure-related eviction moratoria until September 30. The Centers for Disease Control and Prevention’s eviction moratorium expired on July 31, after the Biden administration announced it would allow the eviction moratorium to expire and asked Congress to authorize an extension. For more information, click here and here.
  • On July 30, the Federal Reserve Board announced that it is seeking individuals with a diverse set of expert insurance perspectives in life, property and casualty, and reinsurance issues to serve on its Insurance Policy Advisory Committee (IPAC). Established by the Economic Growth, Regulatory Relief, and Consumer Protection Act, IPAC consists of 21 members, who serve staggered three-year terms and bring professional backgrounds in insurance accounting, actuarial science, academia, insurance regulation, and policyholder advocacy. For more information, click here.
  • On July 30, the Consumer Financial Protection Bureau (CFPB) announced that two final rules issued under the Fair Debt Collection Practices Act will take effect as planned, on November 30. The CFPB issued a proposal in April 2021 that, if finalized, would have extended the effective dates of Regulation F to January 29, 2022. The CFPB has now determined that such an extension is unnecessary. Following this announcement, the CFPB will publish a formal notice in the Federal Register withdrawing the April 2021 proposal. For more information, click here.
  • On July 29, the CFPB and the Federal Housing Finance Agency published updated loan-level data for public use collected through the National Survey of Mortgage Originations. The data provides insights into borrowers’ experiences obtaining residential mortgages. For more information, click here.
  • On July 29, the Federal Trade Commission (FTC) announced that it will send refund checks, totaling nearly $2.3 million, to people who lost money to credit card debt relief schemes. For more information, click here.
  • On July 28, the CFPB released an online tool to help renters and landlords impacted by the pandemic easily find and apply for payment assistance for rent, utilities, and other expenses. The Rental Assistance Finder connects renters and landlords with the state and local programs distributing billions of dollars in federal assistance nationwide to help renters stay housed during the pandemic. For more information, click here.
  • On July 27, the CFPB published an issue brief, showing that consumer applications for auto loans, new mortgages, and revolving credit cards had mostly returned to pre-pandemic levels by May 2021. Prime and near-prime consumers are driving this recovery as applications remain down from borrowers with subprime and deep subprime for all types of credit. For borrowers with superprime credit scores, applications are down for all types of credit but mortgages. For more information, click here.
  • On July 23, the CFPB issued consumer advisory “Know Your Rights Under the Servicemember Civil Relief Act (SCRA).” The CFPB amended the SCRA to make it easier for servicemembers and veterans to terminate residential housing and automobile leases without penalty. The SCRA also advises servicemembers and veterans to perform the necessary due diligence before waiving their SCRA rights. For more information, click here.

State Activities:

  • On August 1, New York Governor Andrew Cuomo announced the CUNY Comeback Program, a plan to eliminate up to $125 million in unpaid debt for at least 50,000 students who attended CUNY and suffered financial hardships during the COVID-19 pandemic. Additionally, students who did not accrue unpaid tuition and fee balances during the period, but experienced financial hardship stemming from the pandemic, will receive relief in the form of enhanced Student Emergency Grants. For more information, click here.
  • On July 29, Virginia Attorney General Mark Herring announced that he joined a multistate amicus brief, advocating for the rights of federal student loan borrowers. According to the press release, the brief challenges “action taken by the Trump administration’s Department of Education that unlawfully repealed and replaced federal ‘borrower defense’ regulations.” Attorney General Herring stated, “The current, Trump-era Borrower Defense Rule does nothing to protect Virginia student loan borrowers and leaves them optionless if they are defrauded by a for-profit college.” For more information, click here.
  • On July 26, Georgia Attorney General Chris Carr announced Georgia’s top consumer complaints for 2020. The report, available here, listed as its top three complaints: (1) debt issues, (2) used car sales, and (3) price gouging/public health state of emergency. For more information, click here.
  • On July 23, Washington, D.C.’s debt collection legislation was transmitted to Mayor Bowser for her signature. The legislation — the Protecting Consumers from Unjust Debt Collection Practices Emergency and Temporary Acts — would, among other obligations, (1) require debt collectors to provide itemized statements and account numbers for debts owed; (2) limit the information that can be provided about a consumer’s employers or family members; (3) increase statutory damages to $4,000 per harmed individual; and (4) limit debt collectors to three calls in a seven-day period. For more information, click here.
  • On July 15, the Connecticut Department of Banking fined a collection agency, after finding it had allegedly operated without proper licensing for about seven years. The collection agency filed an application through the Nationwide Multistate Licensing System and Registry with the state to act as a consumer collection agency in Connecticut. As part of the application process, the state conducted an investigation into the agency’s activities, which led to the Department of Banking’s finding. For more information, click here.

Privacy and Cybersecurity Activities:

  • On July 28, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory, highlighting the top Common Vulnerabilities and Exposures (CVEs) that threaten actors use in 2021. CISA’s key findings, it shared, was that “four of the most targeted vulnerabilities in 2020 involved remote work, VPNs, or cloud-based technologies.” CISA states that many of the “VPN gateway devices remained unpatched during 2020, with the growth of remote work options due to the COVID-19 pandemic challenging the ability of organizations to conduct rigorous patch management.” To read the complete advisory, click here.
  • On July 27, the FTC held PrivacyCon 2021 as an online event this year due to the pandemic. Topics covered algorithms, advertising, the Internet of Things (IoT), and COVID-19-related privacy matters. For additional information, click here.
  • On July 26, The New York Times reported that the pandemic significantly increased the use of quick response (QR) codes at full-service U.S. restaurants, growing restaurants’ abilities to track individuals. The report describes that this tracking has “allowed some restaurants to build a database of their customers’ order histories and contact information.” For those interested in learning more, click here.

In Watts v. Emergency Twenty Four, Inc. (No. 20-cv-1820 (N.D. Ill. June 21, 2021), the Northern District of Illinois granted a motion to dismiss claims asserted against a security company under the Telephone Consumer Protection Act (TCPA), finding that dialing system at issue did not qualify as an automatic telephone dialing system (ATDS).

The defendant in Watts, Emergency Twenty Four, Inc. (Emergency 24), provides burglar and fire alarm services to businesses throughout Illinois and the United States. The plaintiff, Preston Watts, is a former employee of one of Emergency 24’s customers. Although he has not worked for this business for several years and claims to have repeatedly asked not to be contacted, Watts alleges that Emergency 24 called his cell phone every time his former employer’s alarm was tripped. Based on this, he asserted claims for violation of the TCPA, alleging that the calls were placed using an ATDS. Watts further sought to certify a nationwide class of similarly situated individuals who received automated calls on their cell phones from Emergency 24 even though they had not provided consent.

In granting Emergency 24’s motion to dismiss, the court held that, under the U.S. Supreme Court’s decision in Facebook, Inc. v. Duguid, 141 S. Ct. 1163, 1173 (2021), a dialing system only qualifies as an ATDS if it has “the capacity to use a random or sequential number generator to either store or produce phone numbers to be called.” The court noted that Watts did not allege that the system at issue uses a random or sequential number generator. Rather, the facts alleged show that Emergency 24’s equipment stored Watts’s number in a database and dialed that stored number because he was an employee at a business that used Emergency 24’s alarm notification system.

Further, the court rejected Watts’s argument that the case should not be resolved on a motion to dismiss because it is not possible for him to know the precise capabilities of Emergency 24’s dialing system without the benefit of discovery. Although a plaintiff is not required to plead specific facts regarding the technical specifications of the call system at issue, the court held a complaint must contain more that conclusory allegations that an ATDS was used. Nevertheless, the court granted Watts the opportunity to file an amended complaint and attempt to allege additional supporting facts.

This case reaffirms that a system cannot qualify as an ATDS if there are no facts to show that it has the capacity to dial randomly or sequentially generated numbers. Merely having an automated system does not, by itself, give rise to liability under the TCPA. This is particularly true when, as here, a call is placed by some external triggering event, such as the tripping of an alarm.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

Our bank and loan servicing clients also face novel challenges affecting their industry due to COVID-19, particularly the ever-changing rules and regulations concerning evictions and foreclosures. We closely track these updates and have assembled an interactive tracker containing state orders and guidance documents regarding residential foreclosure and eviction moratoriums.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On June 18, the Federal Housing Administration (FHA) announced updates to its student loan monthly payment calculations to help provide greater access to affordable single-family FHA-insured mortgage financing for creditworthy individuals with student loan debt, which has a disproportionate impact on people of color. According to the FHA release, the updated policy more closely aligns student loan debt calculation policies with other housing agencies, helping to streamline and simplify originations for borrowers with student loan debt obligations. For more information, click here.
  • On June 17, the Federal Financial Institutions Examination Council (FFIEC) announced the availability of data on 2020 mortgage lending transactions at 4,475 U.S. financial institutions reported under the Home Mortgage Disclosure Act (HMDA). Covered institutions include banks, savings associations, credit unions, and mortgage companies. The data products released by the FFIEC provide comprehensive information on mortgage market activity used by industry, consumer groups, regulators, and others to assess potential fair lending risks and for other purposes. For more information, click here.
  • On June 16, the Consumer Financial Protection Bureau (CFPB) issued an interpretive rule, setting forth the basis for its authority to examine supervised financial institutions for risks to active duty servicemembers and their dependents from conduct that violates the Military Lending Act (MLA). For more information, click here.
  • On June 16, the U.S. Department of Education announced the approval of 18,000 borrower defense to repayment (borrower defense) claims for individuals who attended ITT Technical Institute. These borrowers will receive 100% loan discharges, resulting in approximately $500 million in relief. This brings total loan cancellation under the Biden-Harris administration borrower defense to $1.5 billion for approximately 90,000 borrowers. For more information, click here.
  • On June 16, the CFPB updated a report it first released last year that detailed the delinquency rates on major types of credit to illustrate the financial effect of the COVID-19 pandemic on consumers. Now looking at data through the end of April 2021, the CFPB’s data indicates that delinquency rates on auto loans, student loans, credit cards, and mortgages are still below pre-pandemic levels, but “time will tell whether delinquencies begin to rise again through the summer and fall of 2021.” For more information, click here.
  • On June 15, the Federal Communications Commission (FCC) announced that its reassigned numbers database (RND) will undergo a beta test from July 1 through September 30, during which callers and caller agents may use the database without charge. The FCC has worked on the RND — which is intended to be used by callers to determine if a cell phone number has been reassigned to someone other than the individual seeking to be contacted — for over three years. Knowing that a phone number has been reassigned can tell a company not to contact that number. For more information on the RND and participating in the FCC’s beta testing, click here.
  • On June 14, the CFPB released a report analyzing the differences in lending patterns for lenders below and above the 100-loan, closed-end threshold set by the 2020 Home Mortgage Disclosure Act (HDMA). While the CFPB’s analysis is preliminary, the report shows some differences in lending patterns for lenders above and below the threshold. For more information on the report and the background on HDMA data collection, reporting, and disclosure processes, click here.
  • On June 14, the CFPB issued consumer guidance on what to do ahead of the Centers for Disease Control’s (CDC) eviction moratorium June 31 expiration. According to a recent housing study published by Harvard University, more than two million homeowners are behind on their mortgages and risk being forced out of their homes. For more information, click here.
  • On June 11, the CFPB published the Spring 2021 Agenda as part of its 2021 Unified Agenda of Federal Regulatory and Deregulatory Actions, which is coordinated by the Office of Management and Budget under Executive Order 12866. The Spring 2021 Agenda lists the regulatory matters currently pursued by CFPB interim leadership, pending appointment and confirmation of a permanent director. The Fall 2021 Unified Agenda will reflect the permanent director’s changes to the CFPB regulatory agenda. For more information, click here.
  • On June 10, a Wisconsin federal judge ordered a temporary halt to a $4 billion federal loan relief program intended to address longstanding inequities for farmers of color after a legal challenge by white farmers, who argued the policy discriminates against them. The plaintiffs in the case — 12 farmers from nine states — filed suit against the U.S. Department of Agriculture (USDA) over the roughly $4 billion set aside for loan forgiveness for socially disadvantaged farmers and ranchers in the $1.9 trillion American Rescue Plan. For more information, click here.

State Activities:

  • On June 16, the New Jersey Assembly Community and Development and Affairs Committee advanced Senate Bill 3584, which establishes immunity related to the COVID-19 spread in planned real estate developments. S.B. 3584 would “prohibit any causes of action for damages arising from a COVID-19 exposure or transmission on the premises of a planned real estate development,” but it “would not apply to acts or omissions constituting a crime, actual fraud, actual malice, gross negligence, recklessness, or willful misconduct.” For more information, click here.
  • On June 15, New York Attorney General Letitia James issued an alert to New Yorkers to remain vigilant against a surge in telephone scams seeking to take advantage of consumers. As part of the fraud, scammers put pressure on customers to pay immediately or else have their services cut off instantly. “As New Yorkers continue to suffer the economic impacts of the COVID-19 public health crisis, scammers have seen this as an opportunity to take advantage of the economic anxiety that many New Yorkers feel and the additional time some have needed to pay their bills,” said Attorney General James. For more information, click here.
  • On June 15, the Supreme Court of Virginia issued its twenty-third order, extending the declaration of judicial emergency for the COVID-19 pandemic through July 11. Under the terms of the order, courts continue to have authorization to accept electronically signed pleadings, orders, and other documents. For more information, click here.
  • On June 15, Vermont ended its state of emergency. As a result, Vermont’s eviction moratorium for nonpayment of rent or no-cause evictions can proceed on July 15 under S. 333 — Vermont’s eviction moratorium. For more information, click here.
  • On June 17, the Richmond Times Dispatch reported that Virginia Governor Ralph Northam will not exercise executive authority to extend eviction protections imposed during the COVID-19 pandemic. Absent any action by the governor and starting July 1, landlords will no longer be required to notify tenants about how to apply for rent relief through a state program or abate from proceeding from eviction for 45 days while waiting for a relief application approval. For more information, click here.
  • On June 14 Texas Governor Greg Abbott signed HB 3510. Effective September 1, the new law will allow employees of companies licensed by the Texas Finance Commission — which include vehicle finance companies, traditional installment lenders, and mortgage lenders — to work remotely from licensed locations, provided certain requirements are met. For more information, click here.
  • On June 11, Illinois Governor J.B. Pritzker issued an order to rescind Executive Order 2020-25 on June 25. Executive Order 2020-25 suspended the “provisions of the Illinois Code of Civil Procedure that permit the service of a garnishment summons, wage deduction summons, and a citation to discover assets on a consumer debtor or consumer garnishee.” For more information, click here.
  • The Appellate Court of Illinois, First District recently ruled that the Illinois Rent Control Preemption Act (IRCPA) preempted the tenant’s claims against the lender under Chicago’s Keep Chicago Renting Ordinance (KCRO). Specifically, the court found that the KCRO requirement to “offer qualified tenants either a $10,600 relocation fee or extend the tenant’s lease with an annual rental rate that does not exceed 102% of their current rental rate” is preempted and this provision is not severable from the remainder of the ordinance. For more information, click here.
  • On June 14, the Eleventh Circuit Court of Appeals issued an order withholding issuance of a mandate in the Hunstein v. Preferred Collection and Management Services, Inc. For more information, click here.
  • On June 16, CNBC reported that eight states — Alabama, Idaho, Indiana, Nebraska, New Hampshire, North Dakota, West Virginia, and Wyoming — are opting out of federal unemployment benefit programs. This brings the total to 25 states turning down federal funds prior to the program’s official expiration on September 6. Further, Indiana residents are suing Governor Eric Holcomb in state court to maintain aid programs, arguing the decision to stop benefits violates the state’s unemployment statute. For more information, click here.

Privacy and Cybersecurity Activities:

  • On June 17, U.S. Senator Kirsten Gillibrand announced the revival of the Data Protection Act of 2021, which seeks to create a Data Protection Agency that would “protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent.” Due to the COVID-19 pandemic, more and more people are providing their personal information to companies and “companies are free to sell individuals’ data to the highest bidder without fear of real consequences, posing a severe threat to modern-day privacy and civil rights,” Senator Gillibrand said. This new legislation would include:
    • Supervision of Data Aggregators
    • Office of Civil Rights
    • Enforcement Powers
    • Penalties and Fines
    • Defines Key Terms for Transparency

To read more about this new legislation, click here.

  • On June 16, CyberScoop reported that “health passes, sometimes known as vaccine passports [may be used] as a means to securely reopen businesses and borders as COVID-19 cases drop and vaccination rates rise.” In addition, businesses or airports can utilize scannable codes to access patient health data instead of relying on physical records. Data protection experts anticipate that health passes and digital IDs are here to stay. Digital IDs offers a convenient way to authenticate and verify individuals. For example, IBM is working on a digital ID with New York state that would collect vaccine status, driver’s licenses, and other personal records. More on IBM’s move can be read here. However, privacy experts warn that tech companies embracing this new technology should consider assessing risks to data. Both the Biden administration and the Department of Homeland Security are beginning to provide guidelines on privacy best practices as they relate to digital IDs. To read CyberScoop’s report, click here. For those interested in learning more about vaccine certificates and the potential implications of using them, check out Troutman Pepper’s Law360 article by clicking here.
  • On June 15, the Federal Trade Commission (FTC) warned companies of the danger of various business-to-business (B2B) scams as employees begin to return to the workplace. “[C]on artists were already using the coronavirus as a hook for swindlers and scams … . Now that many companies are returning to an in-person workplace, some fraudsters will try to take advantage of the transition.” As a result, the FTC urges companies to keep their guard up against various forms of B2B deception by:
    • Spotting the signs of an imposter scam;
    • Sticking with suppliers they know or recommended by people they trust; and
    • Alerting their staff to unemployment benefits fraud.

To read the FTC’s complete list of tips to protect against workplace B2B scams, click here.

  • On June 14, the FTC stressed to companies the importance of staying in control of sensitive information as many corporations shift back to an in-person workplace following over a year of remote work due to the COVID-19 pandemic. In an effort to ease the transition back to the office and “reduce the risk that COVID-19 scammers, data thieves, and financial fraudsters will follow [companies] there,” the FTC reminds companies they should:
    • Update their data inventory;
    • Double check security on new platforms and software;
    • Consider an in-house security refresher; and
    • Evaluate and adjust their practices in light of their COVID-19 experience.

To read the FTC’s full list of tips on maintaining appropriate data security standards, click here.

Five federal banking regulatory agencies are gathering information and comments on financial institutions’ use of artificial intelligence (AI), including machine learning. On March 29, the Federal Reserve Board, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency issued a request for information (RFI) seeking information on the following topics:

  • financial institutions’ risk management practices related to the use of AI;
  • barriers or challenges facing financial institutions when developing, adopting, and managing AI and its risks;
  • benefits to financial institutions and their customers from the use of AI; and
  • whether any clarifications from the agencies would be helpful for financial institutions’ use of AI in a safe and sound manner and in compliance with applicable laws.

The RFI notes that financial institutions have been and are exploring AI-based applications for a variety of purposes. For example, financial institutions use chatbots and virtual assistants to mimic live employees and automate routine customer interactions. AI also can inform credit decisions by analyzing traditional data (i.e., data typically found in a consumers’ credit files) and alternative data. Financial institutions may use cybersecurity applications to detect threats and malicious activity, to conduct real-time investigations of potential attacks, and to block ransomware and other attacks.

Not surprisingly, regulators are paying close attention to the presence of AI in the financial services industry, as the industry’s use of AI shows no signs of slowing down. In October 2020, Mastercard introduced an AI-powered suite of tools that allows banks to assess cyber risk and prevent potential breaches. In February of this year, Google Cloud and European-based BBVA announced a strategic partnership that includes an agreement to collaborate in the development of new AI and machine learning models to prevent cyberattacks. Jumio, a California-based Junio provider of AI-powered identify verification and “know your customer” solutions, closed a $150 million round of funding just last month. A few days later, California-based Feedzia raised $200 million for its AI-based ID verification and anti-money laundering platform.

Although the potential benefits of AI are apparent, the RFI cautions that financial institutions should implement processes for identifying and managing potential risks, especially those that could affect an institution’s safety and soundness. Such risks include potential “operational vulnerabilities, such as internal process or control breakdowns, cyber threats, information technology lapses, risks associated with the use of third parties, and model risk.” The RFI also warns of certain consumer protection risks, such as unlawful discrimination, UDAAP and UDAP violations, and privacy concerns.

The RFI’s broad inquiry into financial institutions’ use of AI may give rise to some trepidation by financial institutions, but they should consider using the RFI as an opportunity to educate regulators about the benefits of AI and to seek clarification on how their use of AI could raise compliance concerns when using AI in their respective businesses.

Comments are due 60 days after publication in the Federal Register.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

Our bank and loan servicing clients also face novel challenges affecting their industry due to COVID-19, particularly the ever-changing rules and regulations concerning evictions and foreclosures. We closely track these updates and have assembled an interactive tracker containing state orders and guidance documents regarding residential foreclosure and eviction moratoriums.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On January 5, the Consumer Financial Protection Bureau Taskforce on Federal Consumer Financial Law (Taskforce) released a report with recommendations on how to improve consumer protection in the financial marketplace. In its report, the Taskforce makes approximately 100 recommendations to the CFPB, Congress, and state and federal regulators to strengthen consumer protection. Some of the Taskforce recommendations include the following:
    • Clarify obligations of consumer reporting agencies and furnishers with respect to consumer credit disputes;
    • Authorize the Bureau to issue licenses to non-depository institutions that provide lending, money transmission, and payments services;
    • Expand access to the payment system by unbanked and underbanked consumers and ensure consistent treatment by applying the same rules to similar financial products;
    • Identify competitive barriers and make appropriate recommendations to policymakers and regulators for expanding access to the payments systems by nonbank providers; and
    • Research and develop policies tailored to the unique challenges of formerly incarcerated people, and work with state and federal authorities to improve the protection of this population.

For more information, click here.

  • On January 8, the Small Business Administration and the Treasury Department announced that the Paycheck Protection Program (PPP) will re-open the week of January 11 for new borrowers and certain existing PPP borrowers. To promote access to capital, initially, only community financial institutions can make First Draw PPP Loans on Monday, January 11, and Second Draw PPP Loans on Wednesday, January 13. The PPP will open to all participating lenders shortly thereafter. Updated PPP guidance outlining program changes to enhance its effectiveness and accessibility was released on January 6, according to the Economic Aid to Hard-Hit Small Businesses, Non-Profits, and Venues Act. For more information, click here.
  • On January 7, the Treasury Department and Internal Revenue Service started distributing approximately 8 million Economic Impact Payments (EIPs) by prepaid debit card. Distribution of EIP cards follows the millions of payments already made by direct deposit, and the ongoing mailing of paper checks are part of the Treasury’s and IRS’s plan to deliver EIPs as rapidly as possible. For more information, click here.
  • On January 7, the Treasury Department launched the $25 billion Emergency Rental Assistance Program (ERAP) established by the Consolidated Appropriations Act, 2021. The ERAP assists households unable to pay rent and utilities due to the COVID-19 pandemic, with funds provided directly to states and other eligible grantees. Eligible grantees must use the funds to help eligible households through existing or newly created rental assistance programs. For more information, click here.

State Activities:

  • On January 8, Connecticut Attorney General William Tong and Connecticut Department of Consumer Protection Commissioner Michelle H. Seagull issued a joint press release to warn residents of potential scams as the IRS begins sending many consumers a second round of pandemic relief funds, which follows the federal government’s $900 billion economic stimulus package, and represents the second in response to the COVID-19 outbreak. For more information, click here.
  • On January 7, New York Attorney General Letitia James issued guidance to the New York State Sheriff’ Association about evictions during the COVID-19 pandemic. Under the December 28, 2020 COVID-19 Emergency Evictions and Foreclosure Prevention Act of 2020, tenants are entitled to an automatic stay of eviction in all cases through May 1, 2021 by completing and sending a hardship declaration to their landlord, the court, a sheriff, marshal, or city constable. “As the financial instability spurred by the coronavirus continues, it is imperative for the state to enforce laws that protect New Yorkers from unlawfully losing their homes,” said Attorney General James. For more information, click here.
  • On January 7, Massachusetts Attorney General Maura Healey issued an advisory to ensure tenants facing financial hardship and at risk of eviction know how to access state assistance programs. “Families across the state are continuing to suffer financial hardship from this pandemic and we want to ensure those who may be at risk of losing their homes know their rights,” AG Healey said. “If you’ve received an eviction notice, you do not have to move out immediately and you are entitled to a court hearing. This advisory helps tenants and landlords understand the resources available to them, including financial and legal assistance.” For more information, click here.
  • On January 7, New Jersey Governor Phil Murphy issued a press release reminding Garden State residents that the COVID-19 vaccine will be made available without cost-sharing barriers. All group and individual comprehensive health insurance plans whether obtained directly through an open market or an employer must cover the vaccine. Health care providers participating in the Center for Disease Control (CDC) COVID-19 Vaccination Program must agree to administer a COVID-19 immunization regardless of an individual’s ability to pay or health insurance coverage status, and they may not seek reimbursement from the immunization recipient. For more information, click here.
  • On January 7, Ohio officials updated the state’s COVID-19 Travel Advisory List, and for the sixth straight week, Ohio remained on its own travel advisory. The list includes states reporting positive testing rates of 15% or higher for COVID-19 and is intended for both leisure and business travel, according to the Department of Health, which recommends individuals entering Ohio self-quarantine for at least 14 days following travel to the 18 states on the advisory list other than Ohio. As of January 6, 2021, the advisory list includes Idaho, Alabama, Iowa, Pennsylvania, South Dakota, Kansas, Tennessee, Arkansas, Utah, Mississippi, Oklahoma, Georgia, Texas, Kentucky, Missouri, South Carolina, Arizona, and Nevada. For more information, click here.
  • On January 5, the Washington State Collection Agency Board (CAB) held a public hearing to hear comment on the proposed permanent rule allowing employees of licensed collection agencies to work remotely with proper procedures in place and accepted written comments until that date. The CAB received numerous written comments but there were no verbal comments during the hearing. A temporary rule, created in response to COVID-19, has been in place since June 2020 and is set to expire on February 17, 2021. The permanent rule could be released as early as the week of January 11 and is expected to take effect prior to the temporary rule expiring. The CAB is meeting on January 12 to further consider the rule, according to a meeting notice.
  • On January 4, Virginia Attorney General Mark Herring warned consumers against government imposter scams. Scammers take advantage of the coming federal pandemic relief payments to get personal or bank information to steal money. “Just remember that no action should be required on your part in order to receive the assistance. It should either be directly deposited into your bank account, or mailed directly to your house. If you get a call, email, text, or other communication asking for personal or bank account information, hang up, delete the message, and don’t provide any information because it’s probably a scam,” said Attorney General Herring. For more information, click here.

Privacy and Cybersecurity Activities:

  • On January 8, the National Security Agency’s Central Security Service released its 2020 NSA Cybersecurity Year in Review. While recognizing there is still work to be done, the review details essential steps the agency took to protect the nation’s sensitive systems and critical infrastructure. Several of the agency’s highlights include its support of Operation Warp Speed to facilitate and accelerate the distribution of COVID-19 vaccines and its support in transitioning the Department of Defense into working remotely. To read the full announcement, click here.
  • On January 5, Tennessee Governor Bill Lee announced the release of a new digital tool to help Tennesseans determine when they will be eligible to receive the COVID-19 vaccine. The state’s eligibility tool requires users to opt in to receive updates and notifications about their vaccine phase and provides risk-based and age-based phase information at the county level. For more information, click here.
  • On January 5, the Brookings Institution highlighted the increased use of employee surveillance, especially as 2020 required much of the world to go digital due to the COVID-19 pandemic. The article introduces readers to several methods that employers may use to track their workforce, such as via keylogger software (a computer program that records every keystroke made by a user), video surveillance, attention tracking, geolocation tracking, web browsing, email and social media monitoring, and through the use of productivity metrics. The article also shares tips with employers to better protect worker privacy, such as by providing them with more accurate notifications and clarification of data collection rules. To read the full story, click here.
  • On January 5, the Associated Press reported that the Kansas legislature is looking to “rewrite a law that allows people exposed to COVID-19 to refuse to disclose their close contacts to health officials.” Governor Laura Kelly argued that the law (as currently written) has “served no purpose.” Some health officials say the law hinders efforts to investigate COVID-19 cases because residents who tested positive may refuse to cooperate in the investigation. However, other public health officials say, “the law hasn’t hurt contact tracing efforts[,]” because few people decline to cooperate. With the current law set to expire May 1, Kansas’ legislature expects to review any updates in the coming weeks. To read the full report, click here.
  • On January 5, the Federal News Network reported that the National Institute of Standards and Technology (NIST) plans to update its guidance on facial recognition algorithms due to new challenges raised by the COVID-19 pandemic. One of NIST’s questions covers whether facial recognition can work when somebody wears a protective face mask, citing that error rates tend to increase with partial facial visibility. To read the full report, click here.
  • The County of Santa Clara’s Privacy Office began accepting registrations for its upcoming County of Santa Clara Privacy Office Data Privacy Day 2021, scheduled for January 28, 9:30 a.m. – 12:00 noon PST. The event will focus on “Modern Contact Tracing for Future Pandemics: Balancing Utility & Privacy.” Experts from government, industry, and academia will come together to discuss modern contact-tracing techniques and the potential privacy concerns involved moving forward. The event consists of two separate panels. The first panel will provide participants with a “contact tracing technology primer [benefiting] beginners and experts[,]” while the second panel “will take on a forward-looking perspective that aims to improve outcomes through leveraging the utility contract tracing apps may provide[.]” To register for this free virtual event, click here.

California voters passed Proposition 24 in last week’s general election to adopt the California Privacy Rights Act of 2020 (CPRA), which amends the California Consumer Privacy Act of 2018 (CCPA) in several ways intended to enhance consumer privacy protections. The CPRA becomes effective on January 1, 2023, except for certain provisions that will take effect on January 1, 2021. In the interim, the CCPA will remain in full force and in effect.

At a high level, the CPRA brings California’s landmark privacy law closer to the E.U.’s General Data Protection Regulation (GDPR). For instance, the CPRA introduces GDPR-like principles, requiring that a business’s collection, use, retention, and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” The CPRA also creates new consumer privacy rights, new obligations for businesses and service providers, and the first state regulatory agency dedicated to enforcing privacy laws.

The CPRA also:

  • redefines “business” under the CCPA to those that, alone or in combination, annually buy or sell or share the personal information of 100,000 (instead of 50,000) or more consumers or households, or derive 50% or more of their annual revenues from selling or sharing consumers’ personal information, in addition to for-profit entities with annual gross revenues of $25 million;
  • creates a new right to correct inaccurate personal information (similar to that of the GDPR’s right to rectification);
  • creates a new right to limit the use of “sensitive personal information” (e.g., social security numbers, financial and health information, racial or ethnic origin, sexual orientation, precise geolocation, genetic data, and other biometric information), and requires businesses to provide a new, separate link titled, “Limit the Use of My Sensitive Personal Information”;
  • creates the right to opt out of the sharing of personal information for cross-context behavioral advertising;
  • requires, upon receipt of a verifiable request to delete, businesses to notify service providers and all third parties to whom the business has sold or shared personal information to delete such personal information, subject to certain exceptions;
  • imposes certain obligations directly on “service providers” and newly defined “contractors” (in contrast to the CCPA, where vendor obligations exist primarily through contract), including requiring service providers and contractors to (1) notify businesses of any engagement with a sub-service provider or subcontractor and to bind those parties to the same written contract that is otherwise arranged between businesses and service providers or contractors; (2) cooperate and assist businesses in responding to consumer requests; and (3) prohibit combining any personal information received from a business with personal information from other sources or collected on its own behalf, subject to certain exceptions;
  • expands the CCPA’s private right of action for breaches of nonencrypted, nonredacted personal information to the unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security;
  • includes heightened administrative fines for mishandling children’s data, coupled with the clarification that individuals under 16 must opt in for a business to sell “or share” their personal information; and
  • makes the 30-day cure period discretionary for administrative enforcement actions. Instituting reasonable security procedures will not constitute a cure.

Like the CCPA, there will be a six-month delay between the CPRA’s effective date and its enforcement, with enforcement actions commencing on July 1, 2023. With the exception of a business’s right-to-know obligations, the CPRA only applies to personal information collected by a business on or after January 1, 2022. However, the following CPRA provisions go into effect on January 1, 2021:

  • Employee and B2B Exemptions: The CCPA was amended in October of 2019 to exempt certain personal information related to employment and business-to-business (B2B) communications and transactions. With those limited exemptions set to expire on January 1, 2021, the governor signed AB 1281 into law on September 29, extending the exemptions to January 1, 2022. However, since AB 1281 would only take effect if California voters did not approve the CPRA, now with the CPRA’s approval, the CPRA employment and B2B exemptions will now extend until January 1, 2023.
  • New Enforcement Agency: The CPRA establishes the California Privacy Protection Agency (CPPA), a five-member board appointed by California’s governor, attorney general, Senate Rules Committee, and speaker of the assembly, to implement and enforce the CCPA and CPRA through administrative action, including audits and fines, while leaving civil enforcement in the courts to the attorney general.
  • Rulemaking: The CPRA requires the CPPA to adopt, amend, and rescind regulations on 22 topics — relating to definitions, exemptions, technical specifications for opt-out preference signals, automated decision-making, cybersecurity audits and risk assessments, and monetary thresholds for “business” eligibility — to carry out the purposes and provisions of the CCPA, including specifying record keeping requirements for businesses to ensure CPRA compliance. Final regulations must be adopted by July 1, 2022 or within six months of the CPPA, providing the attorney general with notice that it is prepared to assume rulemaking responsibilities.

In the meantime, businesses should focus on complying with the CCPA, including building in flexibilities to modify and clarify proposed enforcement regulations for example. For example, on October 12, 2020, Attorney General Xavier Becerra released a third set of Proposed Modifications (Proposed Modifications) to the regulations implementing the CCPA. For additional information on the Proposed Modifications, see Troutman Pepper’s article here. Businesses should also closely monitor any CPRA developments, as things may change between now and January 1, 2023.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you stay abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On October 30, the Federal Reserve Board adjusted the terms of the Main Street Lending Program to direct support to smaller businesses that employ millions of workers and face continued revenue shortfalls due to the pandemic. In particular, the minimum loan size for three Main Street facilities available to for-profit and nonprofit borrowers was reduced from $250,000 to $100,000, and the fees were adjusted to encourage the provision of these smaller loans. For more information, click here.
  • On October 30, the Federal Reserve Board and Department of the Treasury issued new frequently asked questions, clarifying that Paycheck Protection Program loans of up to $2 million may be excluded for purposes of determining the maximum loan size under the Main Street Lending Program, if certain requirements are met. For more information, click here.
  • On October 23, lawmakers in the House of Representatives introduced a bill to exclude Paycheck Protection Program (PPP) loans from regulators’ calculations of the asset size of smaller banks. The legislation would benefit banks and credit unions with assets under $15 billion. It requires federal regulators to exclude PPP loans from asset-size calculations for the purpose of determining capital ratios, deposit insurance premiums, and other asset thresholds at those financial institutions. PPP loans, which are administered by the Small Business Administration, would not be excluded from assets on the institutions’ quarterly call reports. For more information, click here.

State Activities:

  • On October 30, Virginia Governor Ralph Northam signed House Bill 568, which automatically exempts emergency relief payments, as defined in the bill, from the creditor process, including garnishments and liens. The bill further requires a financial institution receiving these payments to exempt them from the creditor process under certain circumstances. The new law provides that, if a financial institution does not set aside these payments as exempt, the accountholder receiving the payments must claim the exemption. For more information, click here.
  • On October 28, the Louisiana Public Service Commission, in response to a state of emergency from Tropical Storm/Hurricane Zeta, restricted telephonic solicitations into the state through November 24. For more information, click here.
  • On October 25, the administrator of Colorado’s Uniform Consumer Credit Code issued an order extending the requirements of sections (4) and (5) of SB-211 and restricting the use of extraordinary collection activities to collect debt or satisfy judgments in Colorado until February 1, 2021. For more information, click here.

Privacy and Cybersecurity Activities:

  • On October 30, the Federal Trade Commission (FTC) shared tips to consumers who may have fallen victim to identity theft. Due to COVID-19, consumers are at an increased risk of identity theft since they spend more time online for work and school. The FTC advised victims to visit gov to submit a report and acquire a personal recovery plan immediately. For those unsure whether they have been victimized, the FTC suggested that consumers obtain a free credit report at AnnualCreditReport.com. To read the FTC’s post, click here.
  • On October 29, the United Nation’s special rapporteur on the right to privacy, Joseph Cannataci, delivered his annual report on privacy implications in the fight against COVID-19. In the report, Cannataci stated the widespread use of contact tracing technology is a disturbing trend when used disproportionately. “[C]ontact tracing can be classified as a necessary measure to contain a pandemic, [but] I urgently remind States that any responses to the coronavirus must be proportionate, necessary and non-discriminatory,” Cannataci said. Cannataci reminded governments that there is plenty of guidance to “facilitate the lawful, necessary and proportionate use of health and other data to fight the spread of the virus.” To read more about Cannataci’s annual report, click here. For more information about existing privacy guidelines for COVID-19-related apps, read our primer on Law360.
  • On October 29, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) released an interim rule extending the compliance dates for information blocking and health information technology certifications under the 21st Century Cures Act. ONC stated that it “is not removing the requirements advancing patient access to their health information, [rather] providing additional time to allow everyone in the health care ecosystem to focus on COVID-19 response.” The upcoming compliance date is set for April 5, 2021, and the announcement extends and identifies new future applicability dates beyond April 2021. To read the full statement, click here.
  • On October 27, the New York State Department of Financial Services (DFS), along with the New York Department of Health (DOH), announced New York’s Health Care Administrative Simplification Workgroup members. The group is tasked to “study and evaluate methods to reduce health care administrative costs and complexities through standardization, simplification, and technology.” The group will analyze several topics, including access to electronic medical records during the COVID-19 pandemic. To read the full announcement, click here.
  • On October 26, the National Security Agency/Central Security Service (NSA/CSS) reminded individuals to recognize the changes in how we interact with technology and the internet of things (IoT). Especially as workers continue to work from home, many workers spend increasingly more time with technology. To protect personal information, the NSA/CSS reminded the public to:
    • Make sure all security features are updated and current for internet-connected devices;
    • Read information sharing and end-user license agreements for every product purchased; and
    • Make it a goal to be proactive and vigilant to protect valuable data.To read the full announcement, click here.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). In response, Troutman Pepper developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you stay abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On October 16, the U.S. Department of the Treasury released Treasury International Capital data for August 2020, with the September 2020 report scheduled for November 17. U.S. residents increased their holdings of long-term foreign securities, with net purchases of $5.7 billion. For more information, click here.
  • On October 16, U.S. Treasury Secretary Steven T. Mnuchin and White House Office of Management and Budget Director Russell Vought released the final budget results for fiscal year (FY) 2020. Year-end data from the September 2020 Monthly Treasury Statement of Receipts and Outlays of the United States Government show a $3.1 trillion the deficit for FY 2020 — $2.0 trillion higher than estimated ($1.1 trillion) in the FY 2021 budget published in February. The increase in the deficit from FY 2019 reflects the effect of COVID-19 on the economy. For more information, click here.
  • On October 15, the Vice Chair for Supervision of the Board of Governors of the Federal Reserve spoke about the lessons learned from COVID-19 stress on financial systems. These lessons include (1) several short-term funding markets proved fragile and needed support, (2) the Treasury market is not immune to the problems of short-term and dollar-funding markets, and (3) the regulatory framework for banks constructed after the global financial crisis held up well. For more information, click here.
  • On October 13, the Federal Trade Commission (FTC) warned consumers of scammers pretending to promise student loan debt relief. Due to the pandemic, people with federal student loans have some protections, but others claim to provide additional governmental protections for a fee. Check out the FTC’s video to learn how to spot these scams. To read the full warning, click here.
  • A recently filed lawsuit places renewed scrutiny on the constitutionality of the nationwide residential eviction freeze enacted by the Centers for Disease Control and Prevention (CDC) in response to the ongoing COVID-19 crisis. On September 18, an amended complaint was filed under Richard Lee Brown et al. v. Alex Azar et al. in the Northern District of Georgia, seeking to invalidate the CDC’s order that halted evictions across the country. For more information, click here.

State Activities:

  • On October 17, Massachusetts’ Eviction and Mortgage Foreclosure Moratorium Act (EMFM Act) expired. The EMFM Act was an emergency law that restricted most evictions and foreclosure activities for a period of 120 days, or until 45 days after the COVID-19 Emergency Declaration was lifted, whichever occurred sooner. For more information, click here.
  • On October 13, the Oregon Department of Revenue issued a temporary order to allow paper returns, statements, or document signing by fax due to the challenges of the COVID-19 pandemic. A facsimile signature is a signature visibly affixed to a paper return, using electronic or mechanical equipment or an electronic or mechanical device. For more information, click here.
  • On October 12, the Michigan Supreme Court issued an order finding the act authorizing the governor to issue executive orders “is incompatible with the Constitution of our state, and therefore, executive orders issued under that act are of no continuing legal effect.” House of Representatives and Senate v. Governor, No. 16197. In March 2020, the governor issued an emergency order, allowing the use of electronic signatures during the COVID-19 pandemic. As a result of the court’s order, many legally binding documents executed through electronic signatures vs traditional notarization process have now come under scrutiny as to whether they remain in effect. For more information, click here.

Privacy and Cybersecurity Activities:

  • On October 15, the National Security Agency’s (NSA) Central Security Service (CSS) reminded U.S. Government employees of steps they could take to mitigate cyber threats while working from home. While the NSA’s notice was directed toward government employees, nongovernment employees also benefit, considering many still work from home due to the COVID-19 pandemic. The NSA reminds employees that they should:
    • Update their computer software as soon as they see updates available.
    • Install virus and spyware protection on all devices and perform regular scans.
    • Navigate their email inbox with a questioning eye. Verify the email comes from a reputable source before they click the link in the message.
    • Download collaboration service or video conferencing apps directly from the manufacturer’s website.
    • Use a different password for each account and avoid using the same password they had five years ago. Change it up — add some numbers and special characters.
    • Disable the feature that allows web browsers to remember passwords — instead, secure passwords in a password manager.
    • When possible, employees should enable multi-factor authentication on sites they’re navigating and using to store documents and personal information.
    • Enable automatic updates on web browsers and disable unsafe plug-ins or extensions.

To read the complete notice, click here.

For additional tips, check out our articles: “CISA Shares 5 Ways a Business’s Staff Could Reduce Their Cyber Risks” and “CISA Shares 5 Ways Business Leaders Could Reduce Their Organizations’ Cyber Risks.” Another great resource published by the National Institute of Standards and Technology (NIST) for securing devices at home and at work can be found here.

  • On October 14, the National Association of State Chief Information Officers hosted an online conference, where Indiana Chief Privacy Officer Ted Cotterill encouraged states to adopt its privacy model to better respond to COVID-19 challenges. Cotterill’s office developed “policies and mechanisms that remove legal or technical reasons to decline data-sharing requests. Ensuring the relevant agencies were kept at the center of the decision-making process[.]” Sharing information with outside researchers brings challenges, but his office created the “Enhanced Research Environment, a data-sharing ‘sandbox’ built on Microsoft Azure that allows teams in various organizations to work together on projects without worrying about whether they’ll face a federal audit for their work.” A replay of the conference can be viewed here. To read CyberScoop’s report, click here.