Thursday, July 27, 2023

FYI: Oregon Enacts Comprehensive Consumer Data Privacy Act with Limited GLBA Exemption

Oregon Governor Tina Kotek signed into law Senate Bill 619, making Oregon the 11th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, and Texas.

 

The new law will go into effect July 1, 2024.

 

APPLICABILITY

 

The new law applies to any person that conducts business in Oregon, or that provides products or services to its residents, and that during a calendar year, controls or processes:

 

  • The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • The personal data of 25,000 or more consumers, while deriving 25% or more of the person's annual gross revenue from selling personal data.

 

EXEMPTIONS

 

Exemptions include, but are not limited to:

 

1. Information collected, processed, or disclosed under and in accordance with the Gramm-Leach-Bliley Act;

2. Information that originates from, or is intermingled so as to be indistinguishable from, information described in paragraph (k)(A) [Gramm-Leach-Bliley Act] of this subsection and that a licensee, as defined in Or. Rev. Stat. Ann. § 725.010, collects, processes, uses or maintains in the same manner as is required under the laws and regulations specified in paragraph (k)(A) [Gramm-Leach-Bliley Act] of this subsection;

3. Financial Institutions as defined in Or. Rev. Stat. Ann. § 706.008, or a financial institution's affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k);

4. Activities regulated by the Fair Credit Reporting Act;

5. Protected health information under the Health Insurance Portability and Accountability Act.

 

Or. Rev. Stat. Ann. § 725.010 (Oregon Consumer Finance Act) defines a "licensee" as a person licensed to make consumer finance loans of $50,000 or less.

 

Or. Rev. Stat. Ann. § 706.008(9) (Oregon Bank Act) defines a "financial institution" as "an [FDIC] insured institution, an extranational institution, a credit union as defined in ORS 723.006, an out-of-state credit union under ORS 723.042 or a federal credit union."

 

CONSUMER RIGHTS

 

Consumers have the right to:

 

  • confirm processing of their personal data and access such data;
  • correct inaccuracies;
  • delete personal data;
  • obtain personal data provided by the consumer in a portable and readily usable format, if stored digitally;
  • opt out of processing if for the purpose of targeted advertising, sale, or profiling.

 

SENSITIVE PERSONAL INFORMATION

 

Sensitive personal data may not be processed without the consumer's consent or, in the case of a known child, pursuant to the Children's Online Privacy Protection Act.

 

Sensitive data means personal data that:

 

1. Reveals a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime or citizenship or immigration status;

2. Is a child's personal data;

3. Accurately identifies within a radius of 1,750 feet a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or

4. Is genetic or biometric data.

 

CONTRACT REQUIREMENTS

 

A contract between a controller and processor must be valid and binding and:

 

1. Set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing and the duration of the processing;

2. Specify the rights and obligations of both parties with respect to the subject matter of the contract;

3. Ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data;

4. Require the processor to delete the personal data or return the personal data to the controller at the controller's direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;

5. Require the processor to make available to the controller, at the controller's request, all information the controller needs to verify that the processor has complied with all obligations the processor has under the Act;

6. Require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller's behalf and in the subcontract require the subcontractor to meet the processor's obligations under the processor's contract with the controller; and

7. Allow the controller, in accordance with an appropriate and accepted control standard, framework or procedure, to assess the processor's policies and technical and organizational measures for complying with the processor's obligations, and require the processor to cooperate with the assessment and, at the controller's request, report the results of the assessment to the controller.

 

DATA PROTECTION ASSESSMENTS

 

Controllers must conduct and document a data protection assessment for processing that presents a heightened risk of harm, including:

 

  • Processing personal data for the purpose of targeted advertising;
  • Processing sensitive data;
  • Selling personal data; and
  • Using the personal data for purposes of profiling.

 

ENFORCEMENT

 

The Act does not create a private right of action. Provided a person cannot cure a violation within 30 days, the attorney general may seek injunctive relief and a civil penalty of not more than $7,500 for each violation.

 

IMPRESSION

 

Although this Act is similar to other data privacy laws recently enacted, it takes a turn by limiting the GLBA exemption to information and omitting the entity-level exemption that every state has included since California.

 

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog

 

and

 

Webinars

  

 

 

 

Tuesday, July 25, 2023

FYI: 2nd Cir Holds "Legal Inaccuracy" May Trigger FCRA Liability

The U.S. Court of Appeals for the Second Circuit recently vacated a trial court's summary judgment in favor of a credit reporting agency in a lawsuit alleging violations of the federal Fair Credit Reporting Act (FCRA) in connection with the reporting of a "balloon payment" that was not in fact required.

 

In so ruling, the Second Circuit held that the FCRA does not incorporate a threshold inquiry as to whether an alleged inaccuracy on a credit report is "legal" or "factual" in nature. The Court therefore determined that the trial court erred by ending its analysis after it found that the accuracy of the reported balloon payment amounted to a legal dispute that was not actionable under the FCRA.

 

A copy of the opinion is available at: Link to Opinion 

 

A consumer leased a vehicle, and a credit reporting agency received certain information about the lease and reported that information on the consumer's credit report. In particular, the agency reported that the consumer owed a "balloon payment" at the end of the lease term -- a payment that the terms of the lease did not, in fact, require.

 

The consumer sued the agency under section 1681e(b) of the FCRA, which requires credit reporting agencies ("CRAs") to "follow reasonable procedures to assure maximum possible accuracy of the information" in a consumer's credit report. 15 U.S.C. § 1681e(b).

 

The trial court granted the CRA summary judgment, reasoning that the consumer's credit report could not be considered "inaccurate" under section 1681e(b) because the question of whether the consumer owed a balloon payment amounted to a legal, rather than a factual, dispute. The consumer timely appealed.

 

To prevail against a CRA in an action brought under section 1681e(b), the plaintiff must establish that the challenged report is inaccurate. See Shimon v. Equifax Info. Servs. LLC, 994 F.3d 88, 92 (2d Cir. 2021). Here, the Second Circuit observed that the trial court focused entirely on whether the information reported was inaccurate and never addressed the question of whether the agency followed reasonable procedures.

 

The Second Circuit also noted that, after the trial court issued its decision, the Second Circuit decided Mader v. Experian Information Solutions, Inc., 56 F.4th 264 (2d Cir. 2023). Mader held that the definition of "accuracy" under the FCRA "requires a focus on objectively and readily verifiable information." Id. at 269. Thus, reported information is actionably "inaccurate" only if that information is objectively and readily verifiable by the CRA.

The trial court, without the benefit of Mader, held that the FCRA incorporates a threshold inquiry as to whether a claimed error is factual or legal in nature. The Second Circuit determined that this holding was erroneous, and instead held that the question of whether a debt is objectively and readily verifiable will sometimes, as it did in Mader, involve an inquiry into whether the debt is the subject of a legal dispute. However, the Second Circuit also made clear that other disputes that might arguably turn on a question of law could be cognizable under the FCRA.

 

In sum, the Second Circuit concluded that there is no bright-line rule providing that only purely factual or transcription errors are actionable under the FCRA. Rather, in determining whether a claimed inaccuracy is potentially actionable under section 1681e(b), a court must determine, among other factors, whether the information in dispute is "objectively and readily verifiable." Id. at 269.

 

The Court also held that section 1681e(b) is violated only when a CRA has failed to "follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates." 15 U.S.C. § 1681e(b).

 

Accordingly, the Second Circuit vacated the trial court's summary judgment and remanded for further proceedings consistent with its decision.

 

 

 
