Does Your Organization Need to Comply with the California Consumer Privacy Act of 2018?

·        The California Consumer Privacy Act of 2018 is a comprehensive new law that stands to become the most significant and far-reaching data privacy law in the nation.

·        Most businesses, including businesses located in other states, that have or use personal information of California residents must comply with substantial new requirements or face potential civil liability from Attorney General enforcement and aggrieved California residents.

·        Companies, including mortgage originators, servicers and some vendors, doing business in California may need to update their policies, procedures, training and audit functions to comply.

----------------------------

The California Consumer Privacy Act (“CCPA”) (AB-375 (2018), as amended by SB-1121 (2018), and codified at Cal. Civ. Code § 1798.100 et seq.) is a groundbreaking new law to protect California residents from the potential misuse of personal information.

The CCPA, signed by Governor Jerry Brown on June 28, 2018, becomes effective on January 1, 2020 and gives California residents new rights with respect to the collection of their personal information. Under the CCPA, a consumer can require businesses to disclose what information they collect about the consumer, where they collected the information from, and with whom they have shared the information. California residents may also require businesses to delete their personal information and can opt-out of the sale of their personal information to third parties. To prevent retaliation, businesses are prohibited from discriminating against California residents for exercising their rights under the CCPA. The CCPA provides for a private right of action with attention-grabbing statutory damages for each violation, as well as for enforcement by the state’s Attorney General.

The CCPA, as enacted and subsequently amended, represents a compromise between a grass-roots coalition consisting of privacy advocates that gained influence in the wake of several high-profile incidents (such as the Facebook scandal) and competing business interests that pushed for more business-friendly provisions. This far-reaching legislation has much in common with the European Union’s General Data Protection Regulation (“GDPR”) that went into effect in 2018, and could serve as a bellwether for other states to follow in the years to come.

Key CCPA Exemptions

It should be noted that not all businesses will be subject to the CCPA. Many, including small businesses, non-profits, consumer reporting agencies subject to the Fair Credit Reporting Act, and health care providers regulated by the Health Insurance Portability and Accountability Act, will be partially or completely exempt from the requirements of the CCPA.

Significantly, amendments to the CCPA clarified, among other things, that certain provisions of the CCPA do not apply to information that is already protected under the Gramm-Leach-Bliley Act (GLBA). These exclusions, and the provisions of the CCPA they do not apply to, are very important for the financial services industry to understand. Below we discuss the scope of the law in more detail.

Delayed Enforcement and Other Limitations

The aforementioned amendments also delayed enforcement of the CCPA by the state’s Attorney General to the earlier of six months after publication of the final implementing regulations or July 1, 2020, and limited the private right of action to situations in which data breaches involved unredacted or unencrypted personal information and the breach was caused by a failure to maintain reasonable security measures.

Implementing Regulations

The California Attorney General is not required to publish final rules until July 1, 2020. The Office of the AG has begun holding public forums in January and February, 2019 as part of the CCPA rulemaking process (see: https://oag.ca.gov/privacy/ccpa). For those of you who are based in California and potentially subject to the CCPA, I would urge you to attend and be proactive on this important new law.

Scope of the CCPA

The CCPA applies to covered “businesses”, which includes any business that collects personal information from California residents and: (1) has gross revenues exceeding $25 million annually; (2) buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling personal information. It also includes entities that are controlled by or control such businesses if they share common branding.

“Personal Information” includes a person’s name, Social Security number, driver’s license number, account numbers, medical and health insurance information, browsing or search history data, biometric data and geolocation data. The definition also includes any algorithmic or other “inferences” about a consumer that are based upon the personal information. Note that information that is lawfully made available to the general public from federal, state, or local government records falls outside of this otherwise broad definition.

Significantly, the CCPA excludes “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act”, which could mean that entities subject to the GLBA will not need to comply with the CCPA for much of the consumer information they collect. But note that the CCPA states that the exemption does not apply to a new private right of action for data breaches of “nonencrypted or nonredacted personal information” that result from an entity’s “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”.

It would be prudent to analyze the extent to which this exemption applies to your organization, considering that your organization may engage in activity that is not subject to the GLBA.

New Powers for California Residents

As previously mentioned, California residents will gain broad new powers that are designed to safeguard their personal information under the CCPA. Examples of the new powers include the rights to:

·        Request that a business disclose the categories and specific pieces of personal information the business has collected, and the purposes for which it shall be used;

·        Request disclosure of certain information;

·        Have personal information deleted;

·        Prohibit a third party from selling personal information that has been sold to it unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out; and

·        Direct a business that sells personal information about the consumer to third parties not to sell that information.

In addition, minors must consent to the sale of their personal information before a business can sell it.

Anti-Discrimination Requirement

Covered businesses will be saddled with numerous requirements, including providing certain disclosures in their online privacy policy. A provision of note is the CCPA’s anti-discrimination requirement: businesses may not discriminate against a consumer because the consumer exercised their rights under the CCPA. Examples include denying goods or services, charging different prices (including through the use of discounts unless the difference is reasonably related to the value provided to the consumer), or providing a different level or quality of services. However, businesses may offer financial incentives and a different price, rate, level, or quality of goods or services to the consumer if it is directly related to the value provided to the consumer by the consumer’s data, and so long as the business does not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

Civil Actions and Attorney General Enforcement

The CCPA grants California residents the right to sue for violations and bestows prosecutorial powers on the state’s Attorney General. A consumer whose nonencrypted or nonredacted personal information is hacked as a result of a violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action to recover damages of $100 to $750 per occurrence or actual damages, whichever is greater. As noted above, this private right of action may apply to businesses that are subject to the GLBA exemption. The Attorney General may also seek civil penalties against violators.

Protections Afforded to Covered Businesses

Fortunately, the CCPA does provide limited carve-outs for what might be described as good-faith efforts to comply. The CCPA allows covered businesses to cure any alleged violation within 30 days if it has implemented and maintained reasonable security procedures and practices. Also note that it is possible that a failure to have such security protocols, standing alone, could give rise to violations.

Pay Attention to the CCPA

Although the CCPA provides an exemption for information subject to the GLBA, banks, mortgage lenders, mortgage brokers, mortgage servicers, and other businesses operating in the financial services industry that deal with California residents should take note of the CCPA and analyze whether any of their activities would be subject to it, including performing a comprehensive data assessment. They should compile an inventory of information that may be subject to the new law, and update their internal policies and procedures, training and audit functions to ensure compliance with any duties that are deemed not exempt. Although it is not required under the CCPA, businesses may consider creating a GDPR-like “data protection officer” position to help ensure that the mandates of the law are carried out.

Please contact us if you would like assistance with understanding or implementing your obligations under the CCPA.

The CFPB’s Proposed No Action Letter and Product Sandbox Policy: It’s Playtime!

The Consumer Financial Protection Bureau (CFPB or Bureau) on December 13, 2018 published a proposal to revise its No-Action Letters Policy issued in 2016 (2016 Policy), and also proposed a new “Product Sandbox” (Proposal).  As you may know, many federal regulatory agencies, including the CFPB, the Securities and Exchange Commission, and the Commodity Futures Trading Commission, have a procedure to provide a no-action letter in response to a request from a person, in which the agency indicates it will not take a supervisory or enforcement action against the person based on a particular set of facts.  The Bureau said in the Proposal that the 2016 Policy’s application process and regulatory relief were insufficient, as indicated by the fact that only one no-action letter has been issued under the policy.  The Bureau’s goal with the Proposal is to make the 2016 Policy more useful to the public.

As I describe below, I believe the Bureau’s proposed changes to its no-action letter policy would ease the process of obtaining a no-action letter, and broaden the situations to which such a letter would be an option.  In addition, I believe the proposed “Product Sandbox” could be very useful to the industry, both existing companies and new FinTech entrants to the marketplace, in the creation of new products and services that do not fit squarely in the existing federal consumer financial protection laws.  The comment deadline is February 11, 2019. 

1.  No-Action Letter Proposal

A.  Streamlined Application Process

The Bureau’s Proposal would revise the 2016 Policy to streamline the application process and expand the regulatory relief available.  To that end, the Proposal would remove some of the required elements of an application and indicate the Bureau’s intention to grant or deny an application within 60 days of notifying the applicant that the application is complete.  The 2016 Policy provided no time frame for a response from the Bureau.

In addition, the Proposal would remove the general expectations under the 2016 Policy of a data-sharing commitment and a time limitation for the NAL.  Specifically, the 2016 Policy provides that NALs will specify the time period limitation of the NAL and places an emphasis on the sharing of data about the product in question with the Bureau, requiring discussion of this topic in the application and consideration of this issue by the Bureau.  But the Proposal states that the “default assumption” would be that NALs have no time limit.  The Proposal would also state that the data-sharing expectation would be eliminated, because it was “unduly burdensome” and inconsistent with the no-action letter policies of other federal agencies.

Further, the Proposal would remove the complex set of 10 factors that the Bureau evaluates under the 2016 Policy.  Instead, the Proposal would provide that the Bureau will more simply evaluate the “quality and persuasiveness of the application” with an emphasis on the consumer benefits, consumer risks and how the applicant intends to mitigate them, and the particular legal uncertainty cited in the application.

B.  Greater Assurance of Regulatory Relief

The Proposal would also revise the 2016 Policy to increase the assurance of regulatory relief provided by a NAL.  Under the 2016 Policy, NALs are issued by Bureau staff and only provide a statement that staff will not recommend an enforcement or supervisory action.  The Proposal would provide that NALs are issued by Bureau officials, rather than the Bureau’s staff.  The NAL would still only provide a statement that the Bureau in its discretion will not seek a supervisory or enforcement action, rather than provide a regulatory safe harbor.  But the provision of such a letter by Bureau officials rather than staff would arguably make NALs more binding on the Bureau and perhaps give them greater weight with other regulatory agencies. 

In addition, in an apparent effort to provide even greater assurances to recipients of NALs, the Proposal would also remove several disclaimers that are included in NALs under the 2016 Policy, which serve to limit the certainty and assurance of a NAL issued under that policy.  Specifically, these disclaimers under the 2016 Policy are that: (1) the letter does not constitute “a determination by the Bureau or its staff,” an interpretation, or a waiver or safe harbor for any applicable law; (2) the letter is not an “official expression of the Bureau’s views;” (3) any explanatory discussion in the letter should not be interpreted as an interpretation, waiver, or safe harbor, and is not binding on the Bureau; (4) the staff is not necessarily in agreement with any analysis, interpretation of data, or any other matter in the request; and (5) the NAL is, “not intended to be honored or deferred to in any way by any court or any other government agency or person.”

Finally, the Bureau also stated in the Proposal its intention to coordinate with other federal and state regulatory agencies on the provision of “no-action” relief.  The Proposal would require an application to the Bureau to state whether coordination with other regulators is requested and to identify those regulators.  The Bureau also stated it is interested in entering into agreements with state regulators that provide “no-action” relief, which would provide another means of applying for and obtaining a NAL from the Bureau.

C.  Broader Scope

The Proposal also appears to be intended to expand the reach of the 2016 Policy to a greater swath of the industry and regulatory uncertainties.  The 2016 Policy contains the statement that, “No-Action Letters are not intended for either well-established products or purely hypothetical products that are not close to being able to be offered.”  In addition, the 2016 Policy requires applications to show how the new product would be “likely to provide substantial benefit to consumers differently from the present marketplace.”  These statements indicate that the 2016 Policy is very much focused on new products.  But the Proposal would eliminate these statements from the policy, which appears intended to allow NALs with respect to well-established products that are presently in the marketplace, and even hypothetical products.

Further, the Proposal’s preamble notes that the Bureau will not disfavor NALs based on UDAAP, whereas the 2016 Policy contained a warning against seeking a NAL for UDAAP issues.  Specifically, the 2016 Policy states that, “UDAAP-focused NALs will be particularly uncommon,” because of the greater level of analysis required under UDAAP and resource issues.  The Proposal would revise the policy to specify that UDAAP is one of the laws that a NAL would cover. 

In addition, the Proposal would eliminate the 2016 Policy’s requirement that an application for a NAL show a “substantial regulatory uncertainty hindering the development of the product,” and how the application of the particular laws is “substantially uncertain.”  Instead, the Proposal would only require that an applicant identify the “potential uncertainty, ambiguity, or barrier” the NAL would address.  This change would extend the availability of NALs to more general compliance uncertainties.

Finally, the Proposal would also allow for applications from trade associations, service providers, and other third parties, in addition to the actual company offering the product or service in question.  The Proposal expressly states that a trade association can apply on behalf of its members. 

2.  Product Sandbox Proposal

The Bureau’s Proposal would add an entirely new program titled a “Product Sandbox,” which is designed to give even greater regulatory relief than the proposed NAL policy.  The Product Sandbox would, in addition to the “no-action” relief provided by a NAL, provide a time-limited compliance safe harbor or exemption from certain statutory and regulatory provisions.  This would provide greater legal protection than a NAL’s discretionary protection against Bureau supervisory or enforcement actions, because it would make the recipient immune from legal actions by other regulatory agencies and private litigants.  This proposal directly addresses one of the main criticisms of the 2016 Policy, which is that it does not provide sufficient legal protection against enforcement actions or lawsuits by entities and individuals other than the Bureau.

A.  Regulatory Relief

The Bureau’s Product Sandbox would make available three different forms of regulatory relief that could be applied to the product or service accepted into the sandbox:  

1.  Safe Harbor.  A statement of Bureau approvals under three possible statutes: (i) 15 U.S.C. § 1640(f) (TILA); (ii) 15 U.S.C. § 1691e(e) (ECOA); or (iii) 15 U.S.C. § 1693m(d) (EFTA).  This approval would provide a “safe harbor” of compliance under the applicable statutes and make the recipient “immune from enforcement actions by any Federal or State authorities, as well as from lawsuits brought by private parties.”  Note that the safe harbor would only be available under these statutes.

2.  Exemption.  A Bureau order providing an exemption from certain statutory provisions that provide for such authority, and their implementing regulations, or based on the Bureau’s general regulatory authority.  The Proposal provides as examples of the statutory provisions: (i) 15 U.S.C. § 1691c-2(g)(2) (ECOA); (ii) 15 U.S.C. § 1639(p)(2) (HOEPA); and (iii) 12 U.S.C. § 1831t(d) (FDIA).  The Proposal provides as an example of the general regulatory authority the Bureau’s authority under 15 U.S.C. § 5512(b)(1), under which the Bureau can “prescribe rules and issue orders and guidance as may be necessary or appropriate to enable the Bureau to administer and carry out the purposes and objectives of the Federal consumer financial laws, and to prevent evasions thereof.” 

Like the approval described above, this relief would also make the recipient “immune from enforcement actions by any Federal or State authorities, as well as from lawsuits brought by private parties,” with respect to the applicable relevant statutory or regulatory provisions. 

3.  No Action Relief.  No action relief is essentially the same as that provided by a NAL issued under the proposed policy.  Like a NAL, this relief would not be time-limited, unlike the safe harbor and exemption described above, which would be.

In addition, the Proposal indicates the Bureau’s intention to coordinate with other regulatory agencies, including entering into agreements with state sandboxes, which would provide for an alternative means of admission into the Bureau’s sandbox.  

B.  The “Catch” – Time Limitation, Data-Sharing Requirement, and Compensation

The Product Sandbox would have the important advantage of providing greater legal protection, but the protection would be time-limited.  This time period would generally be two years.  The Proposal states that the Bureau “expects that two years would be appropriate in most cases.”  But the Proposal would provide for a process to obtain extensions of this initial time-period.  The Proposal states that the Bureau intends to grant extensions, “where there is evidence of consumer benefit and an absence of consumer harm.” 

In addition, the Product Sandbox would require the sharing of data with the Bureau, unlike the NAL process.  An application must include a description of the data the applicant will share with the Bureau, which should concern the impact of the product or service on consumers, along with a proposed schedule for sharing this data with the Bureau.  Further, the Product Sandbox would require participants to report the effects of the product or service in question on “complaint patterns, default rates, or similar metrics” to enable the Bureau to determine if it is causing “material, tangible harm to consumers.”

Finally, and significantly, the approval into the sandbox would require a commitment by the recipient to compensate consumers for, “material, quantifiable, economic harm” caused by the recipient’s product or service offered under the Product Sandbox.  The Proposal would require an application to indicate the “amount of resources available to provide restitution for material, quantifiable, economic harm to consumers.”

C.  Application Process

The Bureau’s Proposal, similar to the NAL policy, would allow for applications from the companies that offer the product or service, as well as from trade associations, service providers, and other third parties.  The Proposal expressly states that a trade association can apply on behalf of its members. 

The application requirements would be more extensive than for the proposed NAL, because the applicant would need to address the data-sharing requirement, the time limitation, and the type of relief sought.  In addition, the Bureau’s Proposal indicates an intent to coordinate with state regulators regarding the Product Sandbox and thus, the application must indicate if the applicant requests coordination with other regulators and identification of those regulators. 

The Proposal states that the Bureau intends to grant or deny an application within 60 days of notifying the applicant that the Bureau has deemed the application to be complete.  The Bureau would, similar to the NAL process, evaluate an application based on its “quality and persuasiveness,” with an emphasis on the consumer benefits, consumer risks and how the applicant intends to mitigate and compensate for them, and the particular laws and uncertainty cited in the application.

3.  Conclusion and Considerations

A.  NAL Proposal

The Proposal would greatly enhance the benefits of a NAL and expand the applicability of the policy.  It appears the Proposal would allow companies with existing products that face general compliance uncertainties to obtain NALs, unlike the current policy, which only applies to new products and “substantial” uncertainties.  There are many areas of federal consumer finance regulation that lack clarity and this NAL process could be very useful to reduce regulatory uncertainty.  The Proposal would also enhance the regulatory relief of a NAL, in part by providing that NALs would be issued by Bureau officials, rather than by staff as under the current policy.  

B.  Product Sandbox

The Proposal’s Product Sandbox could prove to be even more useful to companies, both existing companies and new FinTech entrants to the marketplace, that are developing new products and services, because of the greater legal protection afforded by the program.  Although it would have a limited time duration and require data-sharing with the Bureau, the benefits of being able to test a product in the marketplace with essentially no legal risk under certain consumer financial protection laws could greatly benefit a company in many ways, for example, in finding customers or business partners. 

C.  Issues to Consider

There are some issues to consider regarding these proposed policies and whether they may be beneficial to your organization.  One is the extent to which a company’s participation and the information it provides to the Bureau may be made public.  This issue is discussed in the Proposal with respect to both the NAL and Product Sandbox policies.  Applicants can request confidential treatment of certain information, but companies should consider whether and how much information would become public before deciding to participate.  A related issue is the extent to which participation in these programs would enhance or diminish their competitive advantage in the marketplace.  This may depend on how much information may become public.

Issues specifically with respect to the Product Sandbox include whether the cost of the resources needed to complete and submit an application, as well as to set up and maintain the required data-sharing with the Bureau, would outweigh the benefits of the program.  In addition, the required agreement to compensate consumers in the event of harm could be problematic.

Finally, without coordination with state or other federal regulatory agencies, the regulatory relief under the Bureau’s Proposal would be limited to federal consumer finance laws.  For this reason, these two programs may not be a panacea for all compliance concerns.  There are other FinTech programs that may be beneficial in filling in some of the gaps or providing sufficient protection without participation in the Bureau’s proposed programs, such as the Office of the Comptroller of the Currency’s new FinTech charter, which makes national bank charters available to FinTech companies.

As noted above, the comment deadline for the Bureau’s Proposal is February 11, 2019.  You can find these proposed policies at: https://www.consumerfinance.gov/about-us/innovation/.  Please let us know if you would like assistance with submitting a comment letter, or with discussing the submission of an application under these programs.

CFPB Issues ATR/QM and Mortgage Servicing Rule Dodd-Frank Assessments

Today the CFPB issued its assessments of the Ability to Repay and Qualified Mortgage (ATR/QM) Rule and the Mortgage Servicing Rule (these are also sometimes referred to as the “lookbacks”). The assessments are required under section 1022(d) of the Dodd-Frank Act, which mandates that the CFPB publish an assessment of its significant rules within five years of the effective date of the rule. These assessments are important because they contain the Bureau’s analysis of significant issues under the rules, such as the temporary GSE QM “patch” under the ATR/QM rule, which will sunset on the earlier of the end of the GSEs’ conservatorship or receivership or January 10, 2021.

Stay tuned for a post on our analysis of these assessments. You can find these assessments at: https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-publishes-assessments-ability-repay-and-mortgage-servicing-rules/.

Please contact us if you would like to discuss these assessments, the ATR/QM rule, or the Mortgage Servicing rule.

CFPB's Final Policy on Privacy Modifications of Public 2018 HMDA Data

On Dec. 21, 2018, the CFPB issued final policy guidance on how data collected under the CFPB’s HMDA rule will be modified for privacy reasons before it is made public.  This policy applies to data collected in 2018 that the Bureau intends to make public in 2019.

Under this final policy, the CFPB will exclude from the public 2018 HMDA data: (1) the ULI (or non-ULI for exempt depository institutions); (2) application date; (3) the date of action taken; (4) property address; (5) credit score; (6) NMLS number; and (7) AUS result.  The CFPB also will exclude free-form text fields for the following data: (1) race; (2) ethnicity; (3) credit scoring model; (4) denial reason; and (5) the AUS name.  The CFPB will also modify the following data fields to make them less precise (e.g., by reporting ranges) rather than the actual amount: (1) loan amount; (2) age; (3) DTI (except between 36 and 50%); (4) property value; and (5) the number of dwelling units.

The CFPB also noted that it plans to issue a rule to address the modifications of public HMDA data for privacy reasons “more definitively.”  This rulemaking will reconsider the decisions in this final policy.  As I’ve written about before, the CFPB had already announced this rulemaking in its Fall 2018 rulemaking agenda and scheduled the issuance of a proposed rule for May 2019. 

This policy finalizes a proposed policy the Bureau issued in September 2017.  See 82 FR 44586 (Sept. 25, 2017).  The final policy is available at: https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-announces-policy-guidance-disclosure-home-mortgage-data/.

Please let us know if you would like to discuss this final policy or any other HMDA compliance or fair lending issues.