A fact of business today is that customers – both consumers and other businesses – and employees expect to transact digitally. To remain competitive, companies find themselves increasing their efforts to digitally transform their businesses.
Successfully implementing this transformation requires careful planning to ensure regulatory compliance, a smooth integration with existing business technology and a positive customer experience.
This is our first bulletin for 2020, again aiming to help companies identify important and significant news and legal developments impacting digital offerings. Each issue will feature in-depth insight on a timely and important current topic.
In this issue, we discuss the impact of the newly effective California Consumer Privacy Act on commercial websites and mobile applications. In addition, we cover recently enacted federal and state laws, federal and state regulatory activities, fresh judicial precedent and other important news.
For related information regarding blockchain and digital assets, please see our monthly bulletin Blockchain and Digital Assets News and Trends.
Complying with the CCPA online: web and mobile applications
By Margo H.K. Tank, R. David Whitaker, Andrew W. Grant and Liz Caires
As of January 1, 2020, companies must be in compliance with the California Consumer Privacy Act (CCPA) and its complex mix of requirements for covered companies, including providing up-front disclosures regarding data collection and use practices, responding to California residents’ requests to access and delete personal information, and providing California residents with the ability to limit the "sale" of personal information to third parties. However, companies looking to comply with the CCPA online will need to look to other laws, because the CCPA does not directly address website or mobile application compliance. Failing to comply with these laws may open companies to additional legal risks related to their attempts at complying with the CCPA.
- CFPB issues policy statement on "abusive" prong of UDAAP. On January 24, 2020, the Consumer Financial Protection Bureau (CFPB) issued a policy statement that provides a framework for how it intends to apply the "abusiveness" standard in supervision and enforcement matters. The CFPB intends to apply the following principles:
  - Focusing on citing or challenging conduct as abusive in supervision and enforcement matters only when the harm to consumers outweighs the benefit
  - Generally avoiding "dual pleading" of abusiveness and unfairness or deception violations arising from all or nearly all the same facts, and alleging "stand alone" abusiveness violations that demonstrate clearly the nexus between cited facts and the Bureau’s legal analysis
  - Seeking monetary relief for abusiveness only when there has been a lack of a good-faith effort to comply with the law, except the Bureau will continue to seek restitution for injured consumers regardless of whether a company acted in good faith or bad faith.
- CFPB issues report on EFTA and TILA compliance. On December 18, 2019, the CFPB issued an annual report covering 2016 and 2017 that provides an overview on the public enforcement actions, assessment of compliance and common violations, and outreach related to the Electronic Fund Transfer Act (EFTA), the Truth in Lending Act, the Credit Card Accountability Responsibility and Disclosure Act, and their implementing regulations. Regarding electronic funds transfers, the CFPB noted that consumers overwhelmingly use electronic payments, making 80 billion debit, EBT and prepaid card payments annually, and that there is an "emerging and fast-growing category" of P2P transactions for electronic funds transfers. While the CFPB noted that the EFTA’s costs and benefits were difficult to quantify and report, it would continue to monitor and "evaluate the adequacy of consumer protection under EFTA." The CFPB added that the most frequently cited violations for Regulation E related to the requirements regarding error notices and resolving errors.
- Federal Reserve Board issues bulletin regarding observations and risks associated with fintech. In December 2019, the Federal Reserve Board’s Division of Consumer and Community Affairs issued its latest Consumer Compliance Supervision Bulletin, which provided observations of fintech and emerging potential risks to financial organizations. The bulletin highlighted strategies for banks to apply existing compliance requirements and risk management methodologies to mitigate the new risks associated with adoption of fintech in areas such as online and mobile banking and targeted Internet-based marketing.
- OCC and FDIC release joint statement on heightened cybersecurity risk. On January 16, 2020, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) issued a joint statement on heightened cybersecurity risk reminding supervised financial institutions of sound cybersecurity risk management principles. These principles elaborate on earlier standards laid out in the Interagency Guidelines Establishing Information Security Standards and in resources provided by the Federal Financial Institutions Examination Council (FFIEC) members, such as the joint statement on destructive malware issued in March 2015. The joint statement notes that sound risk management for cybersecurity includes the following:
  - Response and resilience capabilities: review, update, and test incident response and business continuity plans.
  - Authentication: protect against unauthorized access.
  - System configuration: securely configure systems and services.
- DBO denies lending license to fintech entity which had engaged in illegal lending activity. On December 30, 2019, the California Department of Business Oversight denied an application by a point-of-sale lender to make loans under the California Financing Law (CFL) after determining that the fintech company had engaged in illegal unlicensed lending. The fintech company provided financing to consumers who were unable to qualify for traditional financing options, like credit cards, and allowed them to pay 25 percent of the purchase price at the time of purchase and the remainder in three equal installments due every two weeks. The DBO concluded that the purported credit sales made by merchant partners were not bona fide – the fintech company purchased from merchants already-consummated credit sale contracts, which may not be subject to the CFL. The DBO determined that the fintech company was not only making unregulated loans to California consumers in violation of the CFL, but also was designed and structured to evade otherwise applicable consumer protections in California and federal law. Applying the factors outlined in the DBO’s December 20, 2019 opinion letter, the DBO found that the fintech company’s extensive role in its merchants’ transactions and pre-existing relationship with some consumers who were parties to the purported credit sales showed that the fintech company was making loans under California law.
- NYDFS to create new consumer protection task force; California governor proposes enacting a new California Consumer Protection Law: On January 9, 2020, the New York Department of Financial Services announced that it will create a consumer protection task force. One of the task force’s first priorities will be to help the NYDFS implement the consumer protection proposals that Governor Cuomo set out in his 2020 State of the State agenda, such as strengthening regulatory oversight of debt collectors, cracking down on elder financial abuse, increasing access to affordable banking services, and strengthening the state’s consumer protection laws to protect New Yorkers against unfair, deceptive, and abusive practices. Additionally, Governor Newsom of California proposed in his 2020-2021 budget proposal that California enact a new "California Consumer Protection Law," which would rename the California Department of Business Oversight to the Department of Financial Protection and Innovation. These developments may impact fintech and online financial transaction offerings, and indicate that states are looking to be more proactive in these areas.
- Members of the House Financial Services Committee request information on the role of alternative data in expanding access to credit: On January 16, 2020, Maxine Waters (D-CA), Chairwoman of the House Financial Services Committee, Al Green (D-TX), Chair of the Subcommittee on Oversight and Investigations, Bill Foster (D-IL), Chair of the Task Force on Artificial Intelligence, Stephen Lynch (D-MA), Chair of the Task Force on Financial Technology, and Josh Gottheimer (D-NJ), sent a letter to the Government Accountability Office requesting information about the benefits and drawbacks of alternative data in mortgage lending and the role of the federal government in overseeing the use of alternative data by credit reporting agencies and lenders. The members of the House Financial Services Committee asked the GAO to address four questions, with a particular focus on mortgage credit, including how different entities within the credit industry used alternative data to expand access to mortgage credit.
- House Financial Services Committee February schedule includes hearings on rent-a-bank programs and AI bias in financial services. On January 28, 2020, Congresswoman Maxine Waters (D-CA), the Chairwoman of the House Financial Services Committee, announced hearings for February. These include two full committee hearings on rent-a-bank programs, one on February 5 and one on February 26, and one hearing led by the Task Force on Artificial Intelligence on February 12 entitled, "Equitable Algorithms: Examining Ways to Reduce AI Bias in Financial Services."
- Michigan adds "distributed ledger technology" to law prohibiting forgery of certain records. On December 31, 2019, the governor of Michigan approved HB4106, which makes it a crime to falsely make, alter, forge, or counterfeit certain public records made utilizing distributed ledger technology.
Remote Online Notarization
- Regulatory update:
  - To date, these states have enacted regulations or issued guidance supporting their enactment of laws permitting RON in the state: Arizona, Florida, Idaho, Kentucky, Michigan, Montana, Nevada, Ohio, Oklahoma, Tennessee, Texas, Utah, and Virginia
  - RON regulations have not yet been enacted in: Indiana, Iowa, Maryland, Nebraska, North Dakota, Vermont and Washington
  - These states’ laws on RON do not require regulations: Minnesota and South Dakota
  - These state legislatures are considering RON legislation for adoption in 2020: Arkansas, California, Colorado, Georgia, Hawaii, Louisiana, Missouri, New York, South Carolina and Wisconsin
- CSBS releases report on initiatives to streamline state licensing and supervision of fintech companies. On January 7, 2020, the Conference of State Bank Supervisors (CSBS) released an accountability report charting the progress that has been made on initiatives to streamline state licensing and supervision of fintech companies. The CSBS made 11 distinct commitments that basically fit into four categories: (1) using CSBS regtech for licensing and exams; (2) driving for consistency among states; (3) creating uniform definitions and practices; and (4) increasing regulatory transparency.
- Courts uphold electronically signed arbitration agreements:
  - In Pruteanu v. Team Select Home Care of Missouri, Inc., 2019 WL 7195086 (E.D. Mo. Dec. 26, 2019), the court upheld an electronically signed arbitration agreement and compelled arbitration, reasoning that the plaintiff had both electronically signed the agreement and attested that the electronic signature corresponded to her signature, requiring no further evidence of signature. Additionally, the court found that an error on the signature date for the defendant was not material, therefore not impacting the validity of the agreement. Last, the court found that the second defendant, who did not electronically sign the arbitration agreement, may compel arbitration with the plaintiff due to the interrelated relationship between the parties and the claims.
  - In Gonzales v. Sitel Operating Corp., 2020 WL 96900 (D. Nev. Jan. 07, 2020), the court upheld an electronically signed arbitration agreement where the defendant produced evidence of online business procedures, including a system requirement for each employee to create a PIN as a prerequisite to signing the arbitration agreement document and matching time stamps on all employee onboarding materials, among them the arbitration agreement; the defendant also showed that the plaintiff had signed that agreement.
  - In Mitchell v. Cambridge Franchise Holdings, 2020 WL 234659 (W.D. Ky. Jan. 15, 2020), the court upheld an electronically signed arbitration agreement in part due to the defendant producing evidence of e-mail and human resource information system procedures to prove the plaintiff signed the agreement, including e-mails sent to her email address about the agreement, a system requirement to have a plaintiff-created PIN entered as a prerequisite to signing the document, her name and time stamp posted on the bottom of the agreement, and matching time stamps on several employee documents, including the agreement.
Online contract formation
- Court affirms lower court dismissal of motion to compel arbitration.
  - In Cummings v. Eureka Restaurant Group, LLC, 2020 WL 63211 (Jan. 7, 2020), the court upheld a lower court’s denial of a petition to compel arbitration because the plaintiff claimed the defendant’s manager obtained the plaintiff’s user name and password and used them to affix his electronic signature without the plaintiff’s knowledge or consent to the arbitration agreement. The defendant countered by providing an electronically executed copy as well as a description of the relevant software. The court noted that it could not reassess witness credibility or reweigh evidence on appeal and that the plaintiff’s declaration was sufficient to prove that he did not sign the agreement.
  - In Theroff v. Dollar Tree Stores, Inc., 2020 WL 203121 (Mo. Jan. 14, 2020), the court affirmed a lower court’s denial of a motion to compel arbitration, in part due to insufficient evidence that the plaintiff assented to the signed arbitration agreement. The plaintiff declared that she did not see the agreement because she is legally blind, could not read the agreement because she did not have her assistive device with her, and the manager who assisted the plaintiff in completing and signing the electronic forms did not inform her that an arbitration agreement was included in the documentation. Without proof that she assented to the document, there was no agreement to arbitrate. The court noted that "[n]othing suggests the order [from the lower court] overruling the motion to compel arbitration was not supported by substantial evidence, was against the weight of the evidence, or was the result of an erroneous application of the law."
The MBA Compliance Essentials Remote Online Notarization State Surveys prepared by DLA Piper provide a comprehensive look at RON requirements in each state that has enacted RON legislation. These fully editable surveys are organized by category of requirements, including registration, technology, seal and signature, certificates of RON acts, journal, authentication, session, recording, and additional requirements. Companies can purchase the full package which includes surveys for all states that have enacted RON legislation along with a matrix summarizing state requirements, or companies can purchase information about individual states as needed.