A Different Kind of Rodeo: The Privacy Law Round Up—Yeehaw!
Last year saw more than 25 states try their hand at comprehensive privacy and data protection laws—something akin to the California Consumer Privacy Act (CCPA). The year ended with five new privacy laws for 2023. The states even staggered the effective dates (California and Virginia on January 1, 2023, Colorado and Connecticut July 1, 2023, and Utah December 31, 2023) so we wouldn’t be overwhelmed with excitement. Very kind of them. In 2023, we’re already off to the races, with active bills introduced in 16 states (and another in Mississippi that is already dead in committee). But wait, there’s more! We'll also be keeping an eye out for more topic-specific privacy bills. Last year, California was the first state to pass a law specifically addressing children’s personal data—we’ve seen 15 other states follow suit to introduce similar bills already in 2023. Businesses should pay close attention to biometric privacy updates, among others.
[#Data/Privacy #CCPA #California #Utah #Colorado #Virginia #Connecticut #Mississippi]
These privacy laws can be overwhelming when we’re constantly seeing new bills pop up across the U.S., each one of them different in a way that’s hard to understand even for skilled practitioners. With each state having the ability to introduce its own law, in addition to industry- and sector-specific laws, the privacy landscape can look drastically different from one year to the next. If you imagine what it would look like to be exactly a year in the future, with 25 new privacy laws to comply with instead of five, you might start to get some heartburn. But the best way to start is just to start. Look at the laws that apply now, the common denominators, and what is and will be required, and make a plan (and let us know if we can help!). The folks whose personal data you’re handling will thank you for it (or at least, hopefully, be thankful), and you’ll be thanking yourself if you end up with an inquiry from a regulator.
Biometrics Beware
Speaking of biometrics, the Illinois Supreme Court ruled on February 17 that claims accrue under Illinois’ Biometric Information Privacy Act (BIPA) every time biometric data is collected and disclosed unlawfully, not just the first time. As you can imagine, this ruling adds a big multiplier to companies calculating the risks of collecting, using, and disclosing biometric data (consider the White Castle ruling, with the defendant potentially facing billions in damages). For example, if a company improperly captures an employee’s fingerprint when the employee clocks in and out or accesses a pay stub, damages could be assessed for every single scan, not just once for every employee whose biometric data was improperly captured.
[#Illinois #Biometrics #Data/Privacy]
For those following along at home, this damages framework can add up: BIPA provides for statutory damages of $1,000 or $5,000 for each violation. With multiple employees scanning their fingerprints every day they work, the potential for damage awards in the billions becomes a reality. The Court assured interested readers that BIPA’s language doesn’t suggest legislative intent to “authorize a damages award that would result in the financial destruction of a business,” but we won’t be surprised to see companies flocking to evaluate their compliance with BIPA’s requirements.
Covering Your Contracts: New Privacy Contract Requirements in the U.S.
As noted above, by the end of this year, five new state privacy laws will be effective (California, Colorado, Virginia, Utah, Connecticut), all requiring that specific privacy terms and disclosures be included in contracts involving personal information. California now extends these requirements to employers’ information about their employees and B2B personal data (such as business contact information). So, be prepared for another flurry of privacy amendments to both your vendor and customer contracts. Oh, yeah, the contract requirements, like the other parts of the privacy laws, vary from state to state. For example, California removed the obligation for service providers to “certify” they understand their obligations with regard to privacy of personal information; however, the contract now must include a prohibition on combining personal data processed under the contract with personal data collected from other sources (including directly from the consumer)—unless otherwise permitted by the CCPA, of course. Where California played musical chairs with its privacy contract requirements, Colorado, Connecticut, Virginia, and Utah went with a more GDPR-esque route: contracts must, among other things, explicitly describe the processing activities and rights of each party under the agreement. In one area of agreement, all five states cover de-identified data with their privacy protections.
[#Data/Privacy #CCPA #California #Utah #Colorado #Virginia #Connecticut]
If it has been a while (realistically, more than six months) since you dusted off your vendor agreements or updated your templates for your customer agreements, now is the time. For companies with dozens, hundreds, or thousands of vendors and/or customers, the process can seem insurmountable to complete, or even to figure out where to start. Having a good strategy is key. For example, updating your standard terms first (and training people on the new requirements) can slow the bleeding while you filter out contracts that aren’t in scope (e.g., no personal data is processed), prioritize which ones to tackle immediately (e.g., highly sensitive personal data or large volumes of personal data), and decide on a blanket or targeted approach to amending your current contracts. It’s also a good time to consider what you can change about current practices to help make things more manageable in the future. It's just a matter of time until other state privacy laws are enacted, each with additional nuances requiring a rinse, wash, and repeat. Also, many financial institutions rely on GLBA exemptions when assessing state-specific privacy laws, which is sensible. But, it's imperative to remember state privacy laws may still apply to non-GLBA matters (e.g., employment matters) within a financial institution.
CFPB Prevails (For Now) in Prepaid Row with PayPal
In early February, the DC Circuit ruled in favor of the CFPB in a long-running dispute about the application of its Prepaid Accounts Rule in Regulations E and Z to PayPal's mobile wallet products. PayPal sued in 2019, arguing the Prepaid Rule exceeded the CFPB's authority under EFTA and TILA, among other things. In late 2020, the DC District Court agreed the CFPB exceeded its EFTA authority by mandating prepaid providers use the short form disclosure. It further held that the rule's 30-day waiting period before a prepaid provider can offer a credit feature exceeded the CFPB's TILA authority. The CFPB appealed only the EFTA holding. On appeal, the DC Circuit disagreed that the CFPB had exceeded its EFTA authority. Instead, in a 3-0 opinion authored by Trump appointee and former OIRA director Neomi Rao, the DC Circuit held the short form was squarely within the agency's EFTA authority because the form does not require use of specific language—providers can use the CFPB's model clause or substantially similar language. The DC Circuit did not, however, reach the question of whether the CFPB can mandate formatting requirements, nor did it reach the APA or First Amendment challenges raised by PayPal in its initial complaint. The case has been remanded to the DC District Court and it remains to be seen whether PayPal will press the remaining issues on remand.
[#CFPB #TILA #EFTA #Reg. E #Reg. Z #PayPal #Prepaid Rule #DC Circuit #APA #Federal]
While not a total victory for the CFPB, this decision is an important reaffirmation of the agency's ability to regulate via disclosure. One of the CFPB's primary tools is to mandate disclosures and, had it lost, that authority could have been severely curtailed. As the agency contemplates future Regulation E rulemakings involving overdraft and remittances, expect it to continue to focus on requiring providers deliver specific disclosures. Also, the 30-day waiting period, while not yet removed from Regulation Z, will formally be invalidated when the DC Circuit Court issues a final order.
Victory for the Likes of Vandelay Industries? New York Adopts Rules to Protect Small Business Borrowers
Completing a years-long process, the New York Department of Financial Services finalized in February its commercial financing disclosure rules. These rules, when they take effect later in 2023, mandate providers of six types of commercial financing (closed- and open-end loans, sales-based financing, factoring, lease financing, and general asset-based financing) deliver specific disclosures to their customers whose businesses are principally managed or directed from New York. The specifics of the required disclosure are unique to the product offered, but generally require disclosure of the amount of the financing or credit line, the finance charge (or discount for factoring transactions) and other applicable fees, the annual percentage rate, and repayment information including early payment penalties. The rule specifies the formatting requirements for each type of financing. The rule also requires the recipient of financing to sign the disclosure in order to acknowledge receipt. In certain cases, providers who estimate APRs will have to submit annual reports regarding the accuracy of their estimates to DFS. The rules apply to financings of up to $2.5 million and take effect six months after a notice of adoption is published in the New York State Register.
[#NYDFS #New York #Commercial Disclosure Rule]
New York is now the fourth state (joining California, Virginia, and Utah) to require commercial lenders and financing providers to deliver disclosures to their customers. Importantly, like the other states, this applies to recourse and non-recourse products. These rules appeared due to concerns that small businesses, which typically do not receive TILA disclosures, did not understand the terms of the financing products they were using. It remains to be seen whether these disclosures will be beneficial to small business owners or, given the range of financing products on the market, complicate these loan offerings. (Do you think George Costanza would have read loan disclosures?) Either way, expect continued focus on how providers offer lending products to commercial customers.
CFPB on Credit Card Late Fees: Eight is Enough
As you might remember from Episode 1 of this newsletter, the CFPB has been hinting for a while that it planned to use its authority under TILA to change the rules for credit card late fees. Earlier in February, the CFPB made good on those hints and proposed to amend Regulation Z (which implements TILA) to "rein in" these late fees. Both President Biden and Director Chopra have referred to credit card late fees as "junk fees." Under the current rules, card issuers can charge a late fee that is "reasonable and proportional" to the costs incurred when consumers pay late. Or, issuers can avoid that complicated cost analysis by charging a late fee below a specified "safe harbor" dollar amount. The proposal would lower the existing safe harbor amount from $30 to $8 and cap the amount of any late fee at 25 percent of the consumer's minimum payment due. The proposal would also end the current practice of increasing the safe harbor amount yearly for inflation. If finalized, the changes to Regulation Z could become effective as early as next year. Comments on the proposal will be due April 3, or thirty days from the date of publication in the Federal Register.
[#CFPB #CreditCards #TILA #Fees #Federal]
It is hardly news that the CFPB under Rohit Chopra opposes "back-end fees" charged to consumers after they are already committed to a particular financial product. It was a surprise, though, that the CFPB took such a hatchet to the current late fee safe harbor, proposing to reduce it by nearly 75 percent. And how did CFPB come up with the magic number of $8? Were they watching late-night reruns of '70s sit-coms ? No, they relied on non-public data that banks submit to the Federal Reserve about how much they spend to collect credit card debt. According to the CFPB's math, issuers' revenue from late fees is around four times higher than their collection costs. The CFPB therefore proposed a three-quarters reduction in the current $30 safe harbor amount. We think the unusually data-driven proposal may be ripe for data-driven challenges. Is the CFPB's data on collection costs accurate? Is it even possible to determine whether the data is accurate when it isn't public? Perhaps more critically, how much did the CFPB even rely on the data when Director Chopra (and President Biden!) obviously decided long ago that credit card late fees were too high? Expect lots of comments from industry and consumer groups and eventually a legal challenge if the CFPB finalizes anything close to what it just proposed.
In Case You Missed the FTC's Noncompete Potluck
Last week, the FTC held a public forum to address its recently proposed rule prohibiting competition, err noncompete clauses. The proposed rule, coming under Section 5 of the FTC Act, is unprecedented in scope and would apply to all employees of any company subject to FTC oversight, including independent contractors, externs, interns, and volunteers. With very limited exception, the rule would label noncompete clauses unfair methods of competition and disappear them from our collective experience (that's right, employers would actually tell employees and contractors their noncompetes are no more). FTC Chair Lina Kahn opened the forum with introductory remarks. She was followed by prepared comments from other FTC officials and a fairly balanced speaker panel. The public comments session was also quite balanced with a plethora of public comments, from those offering total support to those asking, "What does the FTC do, again?" Somewhere in all that, Chair Kahn reminded, or, better yet, reassured everyone the rule was "just a proposal." Perhaps the least surprising takeaway from the forum: Commissioner Christine Wilson wasn't in attendance (she announced her resignation earlier this month in protest over Chair Kahn's "abuses of power").
[#FTC #Noncompete #FTCA #Federal]
Speaking of reassuring, don't we traditionally rely on "the best court system this side of the moon" and the states to address our noncompete jurisprudence? In any event, the mood during the public comment session ebbed and flowed like the tide—plenty of comments in support of and against the proposed rule. Supporters relayed poignant stories about un- or under-employment, little or no mobility, and terrible working conditions. Others assessed the potential negative impact the proposed rule would have on different industries and questioned why such a broad approach is needed and if the rule exceeds the FTC's authority to begin with. To this latter point, if the proposed rule becomes a final rule, it likely won't take effect before some significant winnowing. And who stands to benefit from the winnowing? Not sure, but it's probably not going to be the suite of employees Chair Kahn believes she's protecting.
