On October 10, 2019, the California Attorney General issued proposed regulations under the California Consumer Privacy Act (CCPA). The Attorney General will hold four public hearings, on December 2 through December 5, 2019, during which statements or comments may be presented, orally or in writing. Written comments in addition to those submitted at the public hearing also may be mailed or emailed to the Attorney General’s office until 5:00 p.m. on December 6, 2019.
The D.C. Circuit Court of Appeals recently reaffirmed its position that a plaintiff can establish Article III standing (federal court subject matter jurisdiction) based solely on the risk of potential future harm following a data breach involving his or her personal information. The decision continues the split between the federal circuit courts of appeals regarding the issue.
In re Office of Personnel Management arose out of an alleged 2014 data breach of the eponymous office (the “OPM”). The plaintiffs, current and former federal employees and their unions, sought to represent a putative class of individuals whose personal information, including social security numbers, addresses, and birth dates, was allegedly exposed in the breach. The plaintiffs asserted that certain putative class members had experienced financial fraud or identity theft as a result of the breach and that other members faced the “ongoing risk that they … will become victims of financial fraud and identity theft in the future.” The district court ruled that the plaintiffs lacked standing to sue, holding that the putative class members who had allegedly experienced financial fraud had not pleaded facts demonstrating that the fraud was traceable to the OPM, and that the members who had only pleaded risk of future injury did not plausibly allege that such injury was either substantial or clearly impending.
On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (“CCPA”). CCPA grants new privacy rights to Californian residents and applies a notice and consent framework to most businesses operating in California that collect personal information from those residents.
Recent activity in Congress suggests that the return from the July 4th recess will see a continued push to reform the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”) before year’s end. This alert provides an overview of the current state of play and the most likely outcome.
By Judith E. Rinearson, Rizwan Qayyum
The debate surrounding “screen-scraping” continues as Member States of the European Union prepare for the impending Second Payment Services Directive (“PSD2”). Screen scraping is the practice in which third-party Payment Initiation Service Providers (“PISPs”) and Account Information Service Providers (“AISPs”) are granted access to a client’s bank accounts, utilising the client’s credentials, to perform a service. As heralded in our discussion in July identifying the problem, the European Banking Authority (“EBA”) maintained their stance of outlawing the practice in the final draft Regulatory Technical Standards (“RTS”) on secure communication and Strong Customer Authentication (“SCA”). Consistent industry pressure has led the European Commission (“EC”) to ask the EBA to permit AISPs and PISPs to utilise screen scraping as a “fallback option”.
Last week, a bi-partisan coalition of political groups and the federal government completed briefing cross motions for summary judgment in American Association of Political Consultants, Inc., et al. v. Sessions, Case No. 5:16-cv-00252-D (E.D.N.C.). The case challenges the constitutionality of a portion of the Telephone Consumer Protection Act (“TCPA”). The plaintiffs contend that the TCPA’s prohibition on making auto-dialed calls or texts to cell phones without the requisite consent, 47 U.S.C. § 227(b)(1)(A)(iii) (the “cell phone ban”), imposes a content-based restriction on speech that fails to pass strict scrutiny and is unconstitutionally under-inclusive (the plaintiffs’ complaint is discussed here). The government is defending the statute’s constitutionality (previously discussed here).
On remand from the Eighth Circuit, the United States District Court for the District of Minnesota recently recertified a data breach settlement class over an objector’s assertion of an intraclass conflict. Specifically, the objector asserted that a conflict existed between class members who purportedly had suffered loss and were guaranteed a payout under the proposed settlement, and those who had not suffered loss and were not guaranteed a payout. See In re Target Customer Data Security Breach Litig., No. 14-2522 (PAM), 2017 WL 2178306 (D. Minn. May 17, 2017). In rejecting the objector’s alleged conflict, the Court emphasized that “the question is not whether there is any potential or theoretical conflict among class members, it is whether class members’ different interests are antagonistic to each other.” Id. at *3.
By Soyong Cho
Yesterday, the FDIC hosted a day-long Economic Inclusion Summit that brought together stakeholders in private industry, the government, and non-profit organizations to discuss strategies to expand credit to under-served communities. Speakers stressed the need to understand the personal and financial challenges facing low- and moderate-income (“LMI”) populations in order to more effectively design products and marketing channels to reach LMI communities. Leveraging big data and technology were identified as key factors in reducing costs and profitably serving LMI customers.
Banks are of course rated on their outreach initiatives to under-served communities under the Community Reinvestment Act (“CRA”), but profitably expanding their customer base is also good business. The FDIC’s Summit serves as a reminder of the established programs, partnerships, and networks that exist to assist banks to meet their CRA obligations. However, it is also a good reminder that banks must be sensitive to the regulatory compliance and other risks attendant with marketing to and servicing LMI communities in particular, as even the best intentions can be undermined by flawed implementation or unclear regulatory guidance. Among others, UDAAP, fair lending, and privacy issues should be considered in all phases of product development and delivery. In the coming months, K&L Gates will be hosting a series of webinars focused on the nuts and bolts of consumer protection compliance.
The Federal Communications Commission unanimously voted at its March 23, 2017, “open meeting” to begin the process for adopting rules allowing carriers to block “spoofed” number calls. These are calls that use a reputable or commonly-known telephone number to mask the actual originating number. The proposed rules would allow carriers to block calls purporting to originate from telephone numbers that (1) are not assigned to a subscriber, (2) are invalid, or (3) are assigned to a subscriber expressly requesting that its number not be spoofed. In his remarks, Chairman Ajit Pai indicated that the proposed rules are needed to target scammers impersonating federal agencies, such as the Internal Revenue Service, and to protect consumers from unwanted solicitations. Commissioner Michael O’Rielly indicated that the proposed rules aim to address illegal “robocalls” in a manner that does not affect legitimate businesses, as opposed to prior efforts to regulate such calls under the Telephone Consumer Protection Act, 47 U.S.C. § 227. The proposed rules and accompanying comments suggest an effort by the now Republican-controlled FCC to issue rules specifically intended to block unwanted robocalls, often from overseas, intended to defraud consumers.
The FCC approved both a Notice of Proposed Rulemaking and a Notice of Inquiry to solicit feedback from consumers and other parties with an interest in the proposed rules. Comments on the proposed rules will be due within forty-five (45) days after publication in the Federal Register. Final rules are unlikely to take effect earlier than late 2017.
A North Carolina federal district court recently denied a motion by the federal government to dismiss claims raising a First Amendment challenge to a portion of the Telephone Consumer Protection Act (“TCPA”). See American Ass’n of Political Consultants v. Lynch, Case No. 5:16-00252-D (E.D.N.C.). At this early stage of the case, the government did not address the substance of the constitutional challenge. Rather, the government asserted that the court did not have jurisdiction over the case and that the political organizations which filed the suit did not have standing to maintain suit. The court, however, rejected the government’s arguments and allowed the case to proceed.