California

California AG Proposes Regulatory Changes to CCPA

December 22, 2020 By Consumer Finance Team

On December 10, the California Attorney General’s office provided “Notice of Fourth Set of Modifications” to regulations under the California Consumer Privacy Act. The new proposed regulatory text would modify the current regulations which took effect in August. The latest proposal responds to comments on a prior draft and primarily addresses the presentation of the right to opt out of sales of personal data. The California AG has provided a web page with full details on this latest rulemaking effort.

Alston & Bird Analyzes New California Privacy Rights Act in Client Alert

November 9, 2020 By Consumer Finance Team

On November 3, California voters approved a ballot initiative containing the California Privacy Rights Act of 2020. The ballot initiative significantly revises the existing California Consumer Privacy Act to create arguably the most comprehensive state privacy law in the United States.

Alston & Bird has now issued a client alert explaining key impacts of this law. The client alert outlines essential steps for compliance, explains impacts on existing law, and outlines the operation of a dedicated new privacy regulator and enforcement authority, the California Privacy Protection Agency. You can read the client alert here.

California Enacts Debt Collector Licensure Law

November 2, 2020 By Nanci Weissgold, Anoush Garakani

A&B Abstract:

On September 25, California Governor Gavin Newsom signed into law Senate Bill 908, which, in part, enacts the California Debt Collection Licensing Act (“Act”). Effective January 1, 2022, the Act will require the licensure of persons that engage in debt collection in California with California residents. Notably, the Act also applies to entities collecting debt on their own behalf. The Act’s requirements are in addition to those arising under the California Rosenthal Fair Debt Collection Practices Act (the “Rosenthal Act”), which regulates the practices of debt collectors.

A New Licensing Obligation

The Act provides that “[n]o person shall engage in the business of debt collection in this state without first obtaining a license [from the California Department of Financial Protection and Innovation (“DFPI”), which succeeds the Department of Business Oversight effective January 1, 2021].”

What is debt collection and who is a debt collector?

The Act defines “debt collection” as “any act or practice in connection with the collection of consumer debt.”

“Consumer debt” is defined as “money, property, or their equivalent, due or owning, or alleged to be due or owing, or alleged to be due or owing, from a natural person by reason of a consumer credit transaction,” and specifically includes mortgage debt and “charged-off consumer debt” as defined in Section 1788.50 of the California Civil Code.

“Debt collector” means any person who, “in the ordinary course of business, regularly, on the person’s own behalf or on behalf of others, engages in debt collection.” The term includes any person, “who composes and sells, or offers to compose and sell, forms, letters and other collection media used or intended to be used for debt collection.” The term also includes a “debt buyer” as defined in Section 1788.50 of the California Civil Code.

Exclusions

The Act contains several exclusions from both its licensing obligation and the Act’s substantive provisions. Notably, the Act excludes from its scope, depository institutions, which is defined to include FDIC-insured out-of-state state-chartered banks, licensees under the California Financing Law, licensees under the California Residential Mortgage Lending Act, licensees under the California Real Estate Law, and a trustee performing acts in connection with a nonjudicial foreclosure, among others. Additionally, the Act does not apply to debt collection regulated by California’s Student Loan Servicing Act (Cal. Fin. Code §§ 28000 et seq.).

However, it should be noted that the Act authorizes the Commissioner of the DFPI to take action against those exempt from the Act, for violations of the Rosenthal Act (Cal. Civ. Code §§ 1788 et seq.) or the California Fair Debt Buying Practices Act (Cal. Civ. Code §§ 1788.50 et seq.). Such actions may include, after notice and an opportunity for a hearing, ordering the person to (1) desist and refrain from engaging in the business of further continuing the violation, or (2) pay ancillary relief, which may include refunds, restitution, disgorgement, and payment of damages, as appropriate, on behalf of a person injured by the conduct or practice that constitutes the subject matter of the assessment.

California Debt Collector Application

Persons wishing to obtain a California Debt Collector License must submit an application to the DFPI. Among other requirements under the Act, applicants must submit:

A completed license application signed under the penalty of perjury;
An application and an investigation fee; and
A sample of the initial consumer debt validation letter required by 15 U.S.C. § 1692g that the licensee will use in correspondence with California consumers.

The DFPI has not yet released an application for this license. However, the Act authorizes the DFPI to require that applications be submitted through the NMLS. We anticipate the DFPI will require that applications be submitted and processed through the NMLS.

Duties of Debt Collector Licensees

The Act imposes express duties on licensed debt collectors. Specifically, all licensed debt collectors must: (1) develop policies and procedures reasonably intended to promote compliance with the Act; (2) file any required reports with the Commissioner; (3) comply with the provisions of the Act and any regulation or order of the Commissioner; and (4) submit to periodic examination by the DFPI as required by the Act and any regulations promulgated thereunder.

Licensees must also maintain a surety bond in a minimum amount of $25,000. The Commissioner is authorized to require licensees to submit bonds, riders, and endorsements electronically through the NMLS’s electronic surety bond function.

Additionally, each licensee will be required to pay an annual fee, representing the debt collector’s “pro rata share of all costs and expenses reasonably incurred in the administration of [the Act], as estimated by the commissioner, for the ensuing year and any deficit actually incurred or anticipated in the administration of [the Act] in the year in which the annual fee is levied.”

Licensees are also required to file an annual report with the Commissioner, on or before March 15, that contains all relevant information that the Commissioner reasonably requires concerning the business and operations conducted by the licensee in California during the preceding calendar year, including information regarding collection activity. The report must, at minimum, require disclosure of all of the following:

The total number of California debtor accounts purchased or collected on in the preceding year;
The total dollar amount of California debtor accounts purchased in the preceding year;
The face value dollar amount of California debtor accounts in the licensee’s portfolio in the preceding year;
The total dollar amount of California debtor accounts collected in the preceding year, and the total dollar amount of outstanding debt that remains uncollected;
The total dollar amount of net proceeds generated by California debtor accounts in the preceding year;
Whether or not the licensee is acting as a debt collector, debt buyer, or both; and
The case number of any action in which the licensee was held liable by final judgment under the Rosenthal Act (Cal. Civ. Code §§ 1788 et seq.) or the California Fair Debt Buying Practices Act (Cal. Civ. Code §§ 1788.50 et seq.).

Notably, these individual annual reports will be made available to the public for inspection.

DFPI Authority Under the Act

As noted above, the Act grants the Commissioner with broad authority to administer the Act, through investigations and examinations, and to adopt rules and regulations consistent with that authority.

If the Commissioner determines that a person who is required to be licensed under the Act is engaged in business as a debt collector without a license, or a person or licensee has violated any provision of the Act, the Commissioner may, after notice and an opportunity for a hearing, order such person to (1) desist and refrain from engaging in the business of further continuing the violation, or (2) pay ancillary relief, which may include refunds, restitution, disgorgement, and payment of damages, as appropriate, on behalf of a person injured by the conduct or practice that constitutes the subject matter of the assessment. In addition, the Commissioner has the authority to suspend or revoke licenses issued under the Act.

Takeaway

Effective January 1, 2022, California will require “debt collectors” engaged in the business of debt collection in the state to obtain a debt collection license. The Act also authorizes the DFPI to enforce the provisions of the Rosenthal Act against “debt collectors,” which the Act defines consistent with the Rosenthal Act.

The Act should be of particular note for persons that service and collect on their own debt, as California joins a growing list of states that require a license for first-party collection activity. Unlike other state debt collection laws, certain licensees in California may avail themselves of an exemption from the Act’s licensing obligation. Those currently acting as debt collectors in California that do not qualify for an exemption should closely monitor DFPI guidance for the release of application procedures.

California Department of Justice Releases Post-Finalization Modifications to CCPA Regulations

October 13, 2020 By Dan Felz

On October 12, 2020, the California Department of Justice (“Department”) released its first set of proposed post-finalization modifications to the California Consumer Privacy Act Regulations (the “CCPA Regulations”).

As many businesses know, the CCPA Regulations were finalized on August 14, 2020. The Department styled these new modifications as a “Third Set of Proposed Modifications” to the CCPA Regulations, suggesting that it sees them as related to the two rounds of modifications it proposed before the Regulations were finalized. (You can read our summaries of the key impacts of these prior modifications here (first round of modification) and here (second round of modifications)).

While the Department’s new proposed modifications are modest in volume, they contain potentially significant impacts for businesses. If passed in their current form, the modifications would modify the CCPA Regulations as follows:

(1) Required Offline Opt-Out Notices Would Return: Pre-finalization drafts of the Regulations required businesses that “substantially interact[] with consumers offline” to provide an offline notice to consumers about their right to opt-out of data sales. However, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

The Department’s new proposed modifications would reintroduce the requirement to provide offline opt-out notices whenever a “business … collects personal information in the course of interactions with consumers offline.”
As illustrations of how this required offline notice can be provided, the modifications state that “brick-and-mortar store[s]” may provide notice by (a) “printing the notice on the paper forms that collect the personal information” or by (b) posting signage in “the area where the personal information is collected.” Likewise, businesses that collect personal information over the phone may provide notice orally “during the phone call where such personal information is collected.”

(2) The Requirement for “Easy” Opt-Outs Would Return – with Specified Prohibited Practices: Pre-finalization draft of the Regulations required businesses’ methods enabling consumer to make Opt-Out requests to be “easy for consumers to execute and [] require minimal steps.” Again, however, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

The Department’s new proposed modifications would reintroduce verbatim the requirements that (a) “[a] business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps,” and (b) opt-out submission methods cannot “subvert[] or substantially impair[]” consumers’ choice to opt-out.
The new proposed modifications contain a list of prohibited opt-out practices, potentially derived from the California Attorney General’s initial experience enforcing the CCPA. For example, businesses cannot:
- Use confusing double-negative language (e.g., “Don’t Not Sell My Personal Information”),
- Require consumers to click through or listen to reasons why they should not submit an opt-out request;
- Require consumers to provide personal information not necessary for the opt-out request; or
- If a consumer has already clicked on “Do Not Sell My Personal Information,” require the consumer to scroll through a Privacy Policy to locate the opt-out submission form.

(3) Businesses Could Ask Authorized Agents for Proof of their Authority (and Would Not Need to Go to the Consumer): The new proposed modifications would clarify that, when businesses receive a CCPA request from an individual purporting to act as a consumer’s authorized agent, they can require the authorized agent to provide proof it has written permission to act for the consumer. Under the current Regulations, businesses would have to go to the consumer to obtain this proof.

(4) All Notices to Consumers Under 16 Years of Age Would Require Additional Disclosures: The modifications would clarify that any privacy policy directed towards individuals under the age of 16 must meet the CCPA Regulations’ additional information requirements. Currently, the Regulations imply that these additional information requirements only apply to privacy policies directed at children that are both under 13 (regulated under § 999.330 Regulations) as well as age 13-15 (regulated under § 999.331). The modifications would clarify that any privacy policy that is directed at any individual under 16 – irrespective of under 13 or age 13-15 – must contain the additional content required under the CCPA Regulations.

A redline showing the proposed changes based on the currently effective regulations is available here. The proposed modifications are open for public comment until Wednesday, October 28, 2020.

California Passes Bill Extending Exemptions for Employment and Business-to-Business Information Under the CCPA

September 2, 2020 By Dorian Simmons

On Friday, August 28, the California state legislature passed Assembly Bill 1281 (“AB 1281”), potentially extending until January 1, 2022 the partial exemptions for employment and business-to-business data under the California Consumer Privacy Act (the “CCPA”). AB 1281 only takes effect if the California Privacy Rights Act of 2020 (the “CPRA”), an initiative to amend the CCPA, is not approved in the statewide general election on November 3. If the CPRA is not approved, the exemptions will expire on January 1, 2022. If the CPRA is approved, the exemptions will expire on January 1, 2023.

Before the passage of AB 1281, there was more uncertainty regarding when businesses would have to fully incorporate employment and business-to-business data into their CCPA compliance programs. The exemptions were previously set to expire on January 1 of the coming year unless the CPRA were to pass in November. Businesses now have until at least January 1, 2022 to fully incorporate employment and business-to-business information into their CCPA compliance programs.

For more information on AB 1281 and its impact on a business’s decision to fully extend its compliance program to employment and business-to-business data, please visit our previous blog post here. A summary of the CPRA’s key business impacts may be found here.