 |
|
 |
|
New Earned Wage Access Law—We Have Seen This Movie Before!
Last month, Wisconsin became the third state to enact a regulatory regime for earned wage access (EWA) products with Act 131, which takes effect in October. Similar to laws Nevada and Missouri enacted last year (see Episode 7), Wisconsin will require EWA providers to obtain a state license. Wisconsin will not deem EWA products to be loans, and state usury caps will not apply to EWA offered in the state. The new law also imposes substantive restrictions, including consumer disclosures about fees and, if applicable, the impact of voluntary tips. The Wisconsin law also requires providers to permit consumers to cancel EWA transactions at any time without a fee, refund overdraft or NSF fees incurred as a result of collection activities from the consumer's bank account, and refrain from lending-like activities such as negative credit reporting and imposing late fees. Finally, the law requires providers to offer and disclose at least one "reasonable" means of accessing earned wages for free.
Increasingly, EWA regulation is following one of two approaches. First, Wisconsin, Nevada, and Missouri do not consider EWA subject to existing laws governing loans, but still demand regulatory oversight and consumer protections. Second, Connecticut, Maryland (see Episode 9), and other states where bills have been introduced attempt to shoehorn EWA into the lending space. These latter states would apply existing usury laws and other restrictions on lending to EWA, which could all but prevent providers from offering the product in these states. Some of these state bills also attempt to distinguish between employer-integrated and direct-to-consumer products.
One of this year's most talked-about films is Dune: Part Two, the second part of Denis Villeneuve's adaptation of Frank Herbert's best-selling novel Dune. Some may not know this film is only the latest of numerous attempts to bring the book to life—yeah, we have seen this movie before! If you're reading this and asking yourself "what could Dune possibly have to do with EWA," the answer is simple: nothing! The same that lending has to do with EWA. We think Wisconsin took the right approach in creating a regulatory regime for EWA that is distinct from loans. As we have argued here and here, it simply makes no sense to regulate EWA as a loan because the products are vastly different and doing so would remove its consumer-friendly benefits. There are strong policy reasons to treat EWA as its own product and treating it as a loan could be its death knell. That said, the most likely outcome of the state legislative process is a patchwork of laws that differ across the states. Even CFPB guidance, if it ever comes, is not likely to change this. From a compliance perspective, EWA providers should be prepared for a world that requires maneuverability and adaptability to manage myriad risks, not unlike Arrakis.
Eight Is Definitely Enough for Credit Card Late Fees
Last month, the CFPB finalized its rule to reduce the safe harbor amount for credit card late fees in Regulation Z (which implements TILA) from $32 to $8. Reg Z permits credit card penalty fees that are "reasonable and proportional to the costs" of the violation for the card issuer (the "cost-analysis" provisions). The rule also provides a safe harbor amount, which permits issuers to charge a specified fee that complies with the rule.
The rule was finalized largely as proposed back in February of last year, with one major change: it now exempts small banks from the rule—banks with fewer than one million active credit card accounts. The final rule no longer requires the CFPB to update the safe harbor amount annually to keep pace with changes to the Consumer Price Index. For issuers relying on the cost analysis provisions, rather than the safe harbor, to set late fees, the final rule prohibits including post-charge-off losses in that analysis.
The rule is scheduled to take effect this May. A coalition of trade associations has already filed a federal lawsuit challenging the validity of the rule. Courts often delay the effective date for regulations that are subject to lawsuit, so large banks may have a reprieve of the rule's impact while the lawsuit is resolved.
Explainer Things readers may remember the beloved 70s sitcom Eight Is Enough, about the fictional Bradford family with eight children. Maybe that show lingered in the minds of CFPB leaders who chose $8 as the safe harbor amount for late fees? It does seem like a rather arbitrary—one might even say arbitrary and capricious—number. The CFPB based the figure on non-public data about the costs of late payments to credit card issuers. The lawsuit over the rule rests in large part on the fact that the data was "secret" and thus industry commenters had no ability to check the CFPB's analysis or challenge its conclusions. There are so many lawsuits pending over CFPB rules that it is becoming hard to keep track of them all. Is that how the Bradfords felt about all those kids?
Got 99 Problems and Telemarketing Is Most of Them
So much has happened in the telemarketing space over the last couple months that we would be remiss in discussing just one development. Instead, we created the below list of the key recent developments for your reading enjoyment! Here goes...
- The FTC issued a final rule amending the Telemarketing Sales Rule so its prohibitions against misrepresentations and false/misleading statements now apply to business-to-business telemarketing calls. The rule also enhances record-keeping requirements by expecting telemarketers to, among other things, keep campaign-specific call detail records, copies of each prerecorded message, records of service providers used by the telemarketer, opt-in/out information, and copies of the Do Not Call registry used to scrub for compliance with Do Not Call rules.
- The FCC adopted new rules governing revocation of consent to receive automated calls, which takes effect in April. The new rules allow callers to send one-time confirmation texts opting out of consent to receive calls. If a called party is enrolled in multiple call campaigns, the caller may send a clarification text confirming the scope of the called party's revocation. The FCC has delayed "indefinitely" two other provisions—confirming revocation can be done in any reasonable manner and shortening the time for honoring revocation to 10 business days.
- The FCC adopted a Declaratory Ruling clarifying that calls made with AI-generated voices qualify as "artificial voices" under the TCPA.
- Congressman Frank Pallone proposed the "Do Not Disturb Act" that broadens the TCPA to include "robocalls," which would include calls or texts to stored phone numbers in addition to numbers produced using a random or sequential number generator. Senator Dick Durbin then introduced a new bill that proposes to expand the "Do Not Call" rules to cover any phone number, not just "residential" numbers. The bill also proposes two changes to rules affecting a called party's private right of action: (1) revisions to the Do Not Call rules to apply even where a called party receives only a single call in a 12-month period (currently it has to be "more than one") and (2) removal of the "up to" language from the damages provision, thereby eliminating a court's discretion to award less than $500 per call.
- West Virginia may become the most recent state to adopt a new state mini-TCPA.
We're not the first lawyers to use Jay-Z's lyrics as the inspiration for a nerdy legal analysis and we probably won't be the last. As it applies to telemarketing laws right now, 99 problems may be an understatement. People really hate unwanted robocalls and the flurry of activity over the past few months is evidence of that. Keeping up to date with compliance has always been important, but it is even more important now. This is not the time to become complacent. And to those of you thinking, "Telemarketing is too hard, I'll just go back to sending marketing emails instead," please don't forget about CAN-SPAM.
U.S. Privacy Laws—The Forever Rodeo
State legislatures started off strong in 2024, continuing their efforts to pass comprehensive privacy laws. Already this year we’ve seen New Hampshire, New Jersey and Kentucky pass comprehensive legislation. Maryland also just passed legislation that has been sent to the governor’s desk.
New Hampshire's law will apply to businesses that produce products or services targeted to that state's residents, if the business also: (1) processes the personal data of at least 35,000 consumers annually or (2) processes the personal data of at least 10,000 consumers annually and derives more than 25 percent of its gross revenue from selling personal data. Like other states' laws, New Hampshire's bill does not apply to financial institutions or data subject to the Gramm-Leach-Bliley Act, and also contains data-level exemptions for PHI under HIPAA, among others. The New Jersey Privacy Act will apply to companies conducting business in that state, if the business also: (1) processes the personal data of at least 100,000 consumers annually or (2) processes the personal data of at least 25,000 consumers annually and derives any of its revenue from selling personal data.
These two laws are similar in many ways, including the privacy rights afforded to consumers, which allow consumers to appeal the outcome of denied requests, and requiring detailed consumer privacy notices. Both laws have specific requirements for targeted advertising, among which are the requirement to obtain affirmative consent for targeted advertising to children and requiring companies' websites to recognize a universal opt-out mechanism/opt-out preference signal for consumers who want to opt out of targeted advertising, sale, or significant profiling. Neither law allows for a private right of action.
The applicability thresholds for the New Hampshire and New Jersey laws are similar to those in other states, but notably New Hampshire's lower thresholds reflect the relative size of the state's population. Also, neither law has a revenue threshold, so small businesses might find themselves subject to these laws even if they are not in scope for other state privacy laws. If your business hasn't already done so, you need to audit the cookies placed on your website (not the tasty kind). Properly implementing these technologies can also help reduce risk of lawsuits targeting certain cookie uses as violations of statutes like the Video Privacy Protection Act and the California Invasion of Privacy Act, which have seen a significant spike in recent months.
