FYI: 6th Cir Holds EFTA Does Not Provide Indemnification or Contribution Right for Financial Institutions

The U.S. Court of Appeals for the Sixth Circuit recently upheld the dismissal of a financial institution's putative class action lawsuit against a cellular service provider arising from a "SIM swap" scam, holding that the financial institution had no claim for indemnification or contribution under the EFTA or state law.

 

A copy of the opinion is available at:  Link to Opinion

 

Certain customers of a financial institution became victims of a "SIM swap" scam whereby their cell phone numbers were hijacked through their cellular phone service company, and two-factor authentication codes allowing account access were intercepted.  The scam resulted in numerous unauthorized electronic transfers being made from the customers' accounts at the financial institution.

 

As you may recall, the federal Electronic Fund Transfer Act (EFTA) requires financial institutions to "reimburse their customers for unauthorized electronic transfers of money from the customers' accounts," except in certain limited circumstances not relevant here.  The plaintiff financial institution reimbursed its customers for the unauthorized transactions as mandated by the EFTA.

 

The plaintiff financial institution filed a putative class action for indemnification or contribution from the affected cellular phone service company, alleging that the cellular service provider's failure to prevent the scam constituted grounds for recovery.  More specifically, the plaintiff financial institution sought indemnification and contribution from the cellular service provider under the EFTA and its implementing regulation (Regulation E), the Michigan Electronic Funds Transfer Act (MEFTA), and state common law.

 

The trial court dismissed the financial institution's complaint, concluding that the financial institution failed to establish a claim for indemnification or contribution under the EFTA and state law. The financial institution appealed, arguing that the EFTA implicitly provides a right to indemnification or contribution, that the MMEFTA is not preempted by the EFTA, and that their state common-law indemnification claim was also not preempted by the EFTA.

 

On appeal, the Sixth Circuit noted that "[c]laims for indemnification or contribution under a federal statute may be created in two different ways: (1) through action by Congress, either expressly or implicitly; or (2) by federal common law through the exercise of judicial power to fashion appropriate remedies for unlawful conduct." 

 

The Court held that the EFTA does not imply a right to indemnification or contribution for financial institutions, as "[t]he  EFTA provides a comprehensive framework governing the rights, liabilities, and responsibilities of both consumers and financial institutions" without providing any express right to indemnification or contribution, its primary purpose is consumer protection, and "none  of  the  relevant  factors weighs in favor of finding an implied right to indemnification or contribution for financial institutions under the EFTA."

 

For similar reasons, the Sixth Circuit also rejected the plaintiff financial institution's invitation to provide a "federal common law" right to indemnification or contribution in an EFTA action. 

 

The Court also ruled that the EFTA preempts MEFTA and any state common-law claims for indemnification or contribution, as such claims would interfere with the EFTA's comprehensive regulatory framework designed to protect consumers from unauthorized electronic fund transfers.

 

In so ruling, the Court noted that "[t]he EFTA empowers the Consumer Financial Protection Bureau (CFPB) to preempt state laws that are inconsistent with the Act's provisions," and that "[i]f the CFPB declares a state law inconsistent with the EFTA, financial institutions incur no liability for a good faith failure to comply with that state law".  15 U.S.C. § 1693q.  The Federal Reserve Board (FRB) was originally provided with the power to make preemption determinations under the EFTA, and the FRB made such a determination as to the MEFTA in 1981.  "After Congress assigned to the CFPB the responsibility of determining "whether  a  State  requirement  is  inconsistent  or  affords  great  protection"  than  the  EFTA, 15U.S.C. § 1693q, the CFPB adopted the Federal Reserve Board's decision, see 12  C.F.R.  pt. 1005, supp. I, cmt. 12(b)(2)." 

 

Similarly, the Sixth Circuit held that the financial institution's state common law claims were also preempted.  The Court held that allowing the financial institution "to pursue a state-law claim for liability it incurred under federal law would not only frustrate the EFTA's purpose, but it would also contradict the text of the statute and interfere with its existing comprehensive scheme."

 

Accordingly, the Sixth Circuit affirmed the dismissal of the financial institution's putative class action lawsuit against the cellular service provider.

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog™

 

and

 

Webinars

  

 

 

 

 

FYI: 7th Cir Upholds Rejection of Borrower's FCRA and FDCPA Claims Arising from Collection and Reporting Post-Bankruptcy

The U.S. Court of Appeals for the Seventh Circuit recently upheld a trial court's rejection of a borrower's allegations that a mortgagee and its servicer violated the federal Fair Credit Reporting Act (FCRA) and the federal Fair Debt Collection Practices Act (FDCPA) by allegedly inaccurately reporting her loan as delinquent following the borrower's successful completion of her bankruptcy plan, allegedly rejecting her subsequent monthly payments, and filing a foreclosure action based on the supposed post-bankruptcy defaults.

 

A copy of the opinion is available at:  Link to Opinion

 

The plaintiff borrower obtained a loan to purchase her home.  After falling behind on her mortgage payments, the mortgagee initiated a foreclosure action. The plaintiff borrower filed for bankruptcy and eventually cured her pre-petition mortgage default through her bankruptcy plan payments.

 

Unfortunately, after the successful completion of her bankruptcy plan, the servicer allegedly inaccurately reported her loan as delinquent and began rejecting her subsequent monthly payments, leading the mortgagee to file a second foreclosure action, which was later dismissed.

 

The plaintiff borrower sued the mortgagee and the servicer alleging violations of the FCRA and the FDCPA. The trial court dismissed the borrower's FCRA claim as the borrower failed to identify the consumer reporting agency (CRA) that she supposedly notified of her credit dispute.  The trial court also granted summary judgment against the borrower on her FDCPA claim, citing lack of standing. This appeal followed.

 

On appeal, the plaintiff borrower argued that the trial court "abused its discretion in denying her leave to amend to cure deficiencies in her FCRA claim", and that the servicer violated the FCRA by failing to conduct a reasonable investigation after being notified by CRAs of her dispute over the delinquent loan reporting.  She also argued that the servicer's allegedly erroneous reporting and collection practices caused her various injuries sufficient to confer standing.

 

The Seventh Circuit affirmed the trial court's dismissal of the FCRA claim, finding that the plaintiff borrower failed to specify which CRA she notified, thus not providing the servicer with fair notice of the claim.

 

The Seventh Circuit also upheld summary judgment in favor of the servicer on the borrower's FDCPA claim, concluding that the borrower lacked standing. The Court determined that the borrower did not provide sufficient evidence of concrete injuries, such as monetary harm or intangible injuries closely related to common law analogues like defamation or invasion of privacy.

 

In so ruling, the Seventh Circuit noted its prior rulings that "[s]eeking legal advice in response to a communication concerning a disputed debt does not amount to an injury in fact," and that "hiring a lawyer to resolve confusion about the proper course of action is also insufficient to confer standing."  Moreover, the trial court excluded evidence of the borrower's supposed attorney's fees payments as a discovery sanction.

 

In addition, the Court held that the borrower's self-serving declarations about the claimed reasons for her denial of credit supposedly due to the alleged inaccurate reporting did not amount "to specific facts establishing that [the servicer] disseminated the inaccurate reporting to a third party, such as [one of the CRAs], who understood the defamatory significance of the inaccurate reporting."

 

Lastly, the Seventh Circuit rejected the borrower's claims of emotional and reputational injury arising from the foreclosure action, reiterating its prior rulings "that anxiety, embarrassment, and stress are not concrete injuries in fact."  Similarly, the Court held that the fact that the servicer "called her 12 times in a month and completed numerous door knocks" was insufficient, as "it is not enough for a plaintiff to be 'annoyed' or 'intimidated' by an FDCPA violation," and mere "stress by itself with no physical manifestations and no qualified medical diagnosis does not amount to a concrete harm."

 

Accordingly, the Seventh Circuit affirmed both the trial court's dismissal of the plaintiff borrower's FCRA allegations, and its entry of summary judgment in favor of the defendants on the plaintiff borrower's FDCPA claim.

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog™

 

and

 

Webinars

  

 

 

 

 

FYI: Pennsylvania Amends Data Breach Notification Law

Pennsylvania Gov. Josh Shapiro recently approved Senate Bill 824, which amends Pennsylvania's data breach notification law, 73 Pa. Stat. Ann. § 2301, et seq.

 

The amendments will go into effect Sept. 26, 2024.

 

Among other things, the amendments:

 

• Require concurrent notification to the Attorney General if notification must be given to more than 500 individuals
• Require the notice to the Attorney General include:

The organization name and location

The date of the breach

A summary of the incident

An estimated number of individuals affected

An estimated number of individuals in Pennsylvania affected

• Reduce the threshold for reporting an incident to consumer reporting agencies from more than 1,000 affected individuals to more than 500
• Require entities that are required to report the incident to consumer reporting agencies to assume the costs of providing the affected individuals with:

Access to one credit report if an individual is not eligible for a free report

Access to credit monitoring services for one year

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct:  (312) 551-9320

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog™

 

and

 

Webinars

  

 

 

 

 

FYI: Rhode Island Enacts Haphazard Customer Data Privacy Law

The "Rhode Island Data Transparency and Privacy Protection Act" (Rhode Island Senate Bill 2500, the "Act") was enacted on June 28, 2024 without Governor Dan McKee's signature. The new Act will go into effect Jan. 1, 2026.

 

A copy of the legislation is available at:  Link to the Rhode Island Data Transparency and Privacy Protection Act

 

This makes Rhode Island the 19th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, and Minnesota.

 

INFORMATION SHARING PRACTICES

 

The Act begins with a section titled "Information Sharing Practices," which broadly applies to any commercial website (undefined) or internet service provider conducting business in Rhode Island or with customers in the state.

 

Despite the title, this section has little to do with "sharing."  If such an entity collects, stores and sells customers' "personally identifiable information" (undefined), its controller must, in its customer agreement or on its website, "identify all third parties to whom the controller has sold or may sell customers' personally identifiable information," among other things.

 

This poses several problems. First, it would be almost impossible for a controller to predict every specific third party to whom it may sell personally identifiable information at any time in the future.

 

Second, and moreover, the term "personally identifiable information," is undefined yet referred to 10 times in the Act, plus one reference to undefined "personally identifiable data."  While "personal data" is defined, it is not clear that these are all one in the same.

 

Curiously, this section contains a lengthy list of entities and information that are exempt from the Act that differs from the shorter list provided in a separate section titled "Construction" summarized below, though there is some overlap.

 

APPLICABILITY

 

Apart from the "Information Sharing Practices" section, the Act applies to for-profit entities that conduct business in Rhode Island or that produce products or services that are targeted to residents of Rhode Island and that during the preceding calendar year did any of the following:

 

    > Controlled or processed the personal data of not less than 35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

    > Controlled or processed the personal data of not less than 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

 

Oddly, these same thresholds are repeated in the sections titled "Customer Rights," "Exercising Customer Rights," and "Controller and Processor Responsibilities."

 

EXEMPTIONS

 

In addition to the list of exemptions contained in the "Information Sharing Practices" section, the "Construction" section provides the Act does not apply to:

 

    > A financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act and its implementing regulations;

 

    > Information or data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);

 

    > Personally identifiable information or any other information collected, used, processed, or disclosed by or for a customer reporting agency as defined by 15 U.S.C. § 1681a(f);

 

    > Any entity recognized as a tax exempt organization under the Internal Revenue Code;

 

    > A contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.

 

Additionally, the definition of "customer" excludes "an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency."

 

CUSTOMER RIGHTS

 

The Act provides a customer with the right to:

 

    > Confirm whether their personal data is being processed;

    > Correct inaccuracies;

    > Delete personal data provided by, or obtained about, the consumer;

    > Obtain a portable copy of the personal data processed;

    > Opt out of the processing of their personal data if for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

 

SENSITIVE DATA

 

A controller is prohibited from processing sensitive data without a customer's consent.

 

"Sensitive data" is defined as "personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise  geolocation data."

 

CONTRACT REQUIREMENTS

 

A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

 

It must also require that the processor:

 

    > Ensure that each person processing personal data is subject to a duty of confidentiality;

    > At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

    > Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations of the Act;

    > After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;

    > Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of the Act.

 

DATA PROTECTION ASSESSMENTS

 

A controller must conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a customer, including:

 

    > The processing of personal data for purposes of targeted advertising;

    > The sale of personal data;

    > The processing of personal data for purposes of profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, customers, financial, physical or reputational injury to customers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of customers, where such intrusion would be offensive to a reasonable person, or other substantial injury to customers;

    > The processing of sensitive data.

 

ENFORCEMENT

 

A violation constitutes a deceptive trade practice, and an intentional disclosure of personal data in violation of the Act may result in a fine of not less than $100 and no more than $500 for each such disclosure. The Attorney General has sole authority to enforce the Act, which contains no cure provision.

 

IMPRESSION

 

While similar in many respects to some of the post-California comprehensive data privacy laws, this legislation appears to have been cobbled together in a hasty and haphazard fashion, which may create compliance issues for those trying to align its compliance requirements with those of other states. Like California, it is anticipated that this Rhode Island Act will undergo numerous corrective amendments in the next legislative session.

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct:  (312) 551-9320

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog™

 

and

 

Webinars

  

 

 

 

 

FYI: 11th Cir Holds Anti-Modification Provision in Bankruptcy Code Applies to Mixed-Use Real Properties

The U.S. Court of Appeals for the Eleventh Circuit Court recently held that the anti-modification provision in the federal Bankruptcy Code applies to loans secured by mixed-use real properties, such as the large parcel at issue here which functioned both for commercial use and as the debtor's principal residence.

 

A copy of the opinion is available at:  Link to Opinion

 

The debtor defaulted on her mortgage loan for a 43-acre property in Georgia, which served as her principal residence and was also leased to a farming company. In an effort to restructure her debts, Lee filed a voluntary bankruptcy petition and proposed a reorganization plan that included payments to the mortgagee.

 

The mortgagee sought relief from the automatic stay, arguing that the anti-modification provision barred the court from approving a plan that altered the mortgagee's claim. The bankruptcy court agreed, holding that the anti-modification provision applied because the property was the debtor's principal residence, despite its additional use as farmland. Consequently, the bankruptcy court granted the mortgagee's motion for relief from the automatic stay, allowing the mortgagee to proceed with foreclosure.

 

The debtor appealed, but the district court affirmed the bankruptcy court's ruling. The debtor then appealed to the Eleventh Circuit.

 

The Eleventh Circuit first noted that the Bankruptcy Code generally allows debtors to modify or restructure their debts, subject to certain limits.  For example, the Court continued, a Chapter 11 restructuring plan may "modify the rights of holders of secured claims, but, under the anti-modification provision, it cannot modify those rights if a creditor's claim is "secured only by a security interest in real property that is the debtor's principal residence." 11. U.S.C. § 1123(b)(5).  The Court also noted that the Chapter 11 anti-modification provision in "section 1123(b)(5) is identical to section 1322(b)(2) — the anti-modification provision in chapter 13."

 

Agreeing with similar rulings of Sixth and Ninth Circuits, the Eleventh Circuit held that the text of the anti-modification provision, when read together with the statutory definition of a "debtor's principal residence", has "three distinct requirements." In re Wages, 508 B.R. 161, 165 (B.A.P. 9th Cir. 2014). First, "the security interest must be in real property."  Second, "the real property must be the only security for the debt."  Lastly, "the real property must be the debtor's principal residence."

 

The debtor argued that the approach taken by the First and Third Circuits should be followed. The Eleventh Circuit noted that First and Third Circuits "read the anti-modification provision to require that the debtor use her real property only or exclusively as her principal residence and for no other purpose."  See  In re Scarborough, 461 F.3d 406, 411 (3d Cir. 2006); Lomas Mortg., Inc. v. Louis, 82 F.3d 1, 4–7 (1st Cir. 1996)

 

However, the majority of the Eleventh Circuit disagreed.  Examining the plain language of the anti-modification provision, and standard dictionary definitions, the Eleventh Circuit majority held that the anti-modification provision's requirements were clear: the debt must be secured by real property, which must be the debtor's principal residence and the sole security for the debt.

 

The debtor also urged the adoption of a "second, case-by-case, totality-of-the-circumstances approach that focuses heavily on the parties' subjective intentions" that "was first set out in In re Brunson, 201 B.R. 351 (Bankr. W.D.N.Y. 1996)," such as "whether the property is used 'for significant commercial purposes' rather than as the debtor's principal residence."  However, the Eleventh Circuit held that this approach was not grounded in the text of the anti-modification provision.

 

The Eleventh Circuit thus rejected the debtor's argument that the property's additional use as farmland should exempt it from the anti-modification provision. and affirmed the rulings of the lower courts.

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct:  (312) 551-9320

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog™

 

and

 

Webinars

  

 

 

 

 

FYI: Minnesota Becomes 18th State to Enact Comprehensive Consumer Data Privacy Law

Minnesota Governor Tim Walz recently signed into law HF 4757, the Minnesota Consumer Data Privacy Act, making Minnesota the 18th state to enact a comprehensive consumer data privacy law.

 

The Minnesota law will go into effect July 31, 2025.

 

There were a number of consumer data privacy bills in play during the state's legislative session that never made it to the finish line. Ultimately, the Minnesota Act hitched a ride in a bill related to appropriations, cannabis policy, and commerce policy.

 

Minnesota joins the following states to have enacted privacy laws: California, Virginia, Colorado, Utah, Connecticut,  Iowa, Indiana, Tennessee, Montana, Texas, Oregon,  Delaware, New Jersey, New Hampshire,  Kentucky, Nebraska, and Maryland.

 

APPLICABILITY

 

The Minnesota Consumer Data Privacy Act applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

 

·        During a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

·        Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

 

EXEMPTIONS

 

Exemptions include, but are not limited to:

 

·        Personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and implementing regulations if the collection, processing, sale, or disclosure is in compliance with that law;

·        Protected health information under the Health Insurance Portability and Accountability Act of 1996;

·        The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act;

·        Data collected or maintained in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role.

 

CONSUMER RIGHTS

 

Consumers have the right to:

 

·        Confirm whether a controller is processing their personal data;

·        Correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data;

·        Delete personal data concerning the consumer;

·        Obtain a portable copy of their personal data to the extent technically feasible, in a readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;

·        Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects or similarly significant effects concerning the consumer;

·        Question the results of profiling if the personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects;

·        Obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data or, if the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data.

 

SENSITIVE DATA

 

A controller may not process sensitive data concerning a consumer without obtaining the consumer's consent.

 

"Sensitive data" is:

 

·        Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;

·        The processing of biometric data or genetic information for the purpose of uniquely identifying an individual;

·        The personal data of a known child; or

·        Specific geolocation data.

 

CONTRACT REQUIREMENTS

 

A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. It must also require that the processor:

 

·        Ensure that each person processing personal data is subject to a duty of confidentiality;

·        Engage a subcontractor only (a) after providing the controller with an opportunity to object, and (b) pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;

·        Establish, implement, and maintain reasonable data security practices;

·        Upon request, delete or return all personal data to the controller as requested at the end of the provision of services;

·        Upon request, make available to the controller all information necessary to demonstrate compliance with the Act;

·        Allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor.

 

DATA PROTECTION ASSESSMENTS

 

A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data:

 

·        The processing of personal data for purposes of targeted advertising;

·        The sale of personal data;

·        The processing of sensitive data;

·        Any processing activities involving personal data that present a heightened risk of harm to consumers; and

·        The processing of personal data for purposes of certain profiling.

 

ENFORCEMENT

 

The Attorney General has exclusive authority to enforce the Act and may seek a civil penalty of not more than $7,500 per violation. The Act provides a 30-day cure provision that expires Jan. 31, 2026.

 

IMPRESSION

 

While similar in many respects to some of the post-California comprehensive data privacy laws, the Minnesota Act ventures farther in some respects, including providing consumers the right to question the results of profiling and to obtain a list of the specific third parties with whom the controller disclosed their personal data. For those aligning compliance with this act with other state laws, careful attention is warranted given the originality of some of the provisions.

 

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct:  (312) 551-9320

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog™

 

and

 

Webinars

  

 

 

 

 

FYI: SCOTUS Rules CFPB Funding Mechanism is Constitutional

The Supreme Court of the United States ruled that the federal Consumer Financial Protection Bureau's funding mechanism complies with the United States Constitution's Appropriations Clause.

 

A copy of the opinion is available at:  Link to Opinion

 

This is the second time in four years the Supreme Court has rejected a constitutional attack on the CFPB's authority.

 

This most recent challenge attacked the Bureau's funding structure which the U.S. Court of Appeals for the Fifth Circuit ruled as unconstitutional.

 

Justice Clarance Thomas, writing for the seven-justice majority, disagreed with the lower court. "Under the Appropriations Clause, an appropriation is simply a law that authorizes expenditures from a specified source of public money for designated purposes. The statute that provides the Bureau's funding meets these requirements. We therefore conclude that the Bureau's funding mechanism does not violate the Appropriations Clause."

 

Unlike most other federal agencies, the Bureau does not ask Congress for funding. Instead, it obtains its funds by making a request to the Federal Reserve, and that request may not exceed 12% of the Federal Reserve's "total operating expenses."

 

The Fifth Circuit held this scheme violated the Appropriations Clause which grants Congress exclusive control over "the federal purse." The Fifth Circuit reasoned Congress' funding control is a necessary apparatus to the checks and balances between the three branches of the federal government. The Appropriations Clause prevents "the executive [branch] . . . from unilaterally spending funds," by allowing Congress to retain control of the purse strings. The CFPB, in the end, holds the strings to the purse, not Congress, and so it is constitutionally defective, according to the Fifth Circuit's opinion.

 

Justice Thomas saw it differently. "Based on the Constitution's text, the history against which that text was enacted, and congressional practice immediately following ratification, we conclude that appropriations need only identify a source of public funds and authorize the expenditure of those funds for designated purposes to satisfy the Appropriations Clause."

 

Justice Samuel Alito delivered a dissent, joined by Justice Gorsuch. The dissent criticized the majority opinion as undermining the checks and balances protection afforded by the Appropriations Clause, causing it to be nothing more than "a minor vestige."

 

A concurring opinion was delivered by Justice Kagan, which was joined by Justices Sotomayor, Kavanaugh and Barrett. Justice Jackson filed a separate concurring opinion.

 

The CFPB issued a statement Thursday applauding the decision. "This ruling upholds the fact that the CFPB's funding structure is not novel or unusual, but in fact an essential part of the nation's financial regulatory system, providing stability and continuity for the agencies and the system as a whole. As we have done since our inception, the CFPB will continue carrying out the vital consumer protection work Congress charged us to perform for the American people."

 

The Chairman of the House Financial Services Committee, Patrick McHenry (NC-10), on Thursday said, "Despite the setback from today's ruling, Republicans will continue the fight to rein in the rogue CFPB. To be clear, this Supreme Court opinion yet again emphasizes that Congress has exclusive authority and discretion over federal agencies' funding structures. The House must urgently take up Congressman Andy Barr's CFPB Transparency and Accountability Reform Act. This commonsense legislation will fix the mistakes of Dodd-Frank which set the dangerous precedent of tapping the central bank to fund partisan political objectives. It's past time the CFPB is held accountable to the American people through their elected representatives."

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct:  (312) 551-9320

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog™

 

and

 

Webinars