Alston & Bird Consumer Finance Blog

#California

California Attorney General Targets Location Data in New Investigative Sweep

By ,

This week California Attorney General Rob Bonta announced a new investigative sweep under the California Consumer Privacy Act (CCPA). We have anticipated this sweep for some time based on the focus and the direction of a number of inquiries, investigations, and enforcement proceedings initiated by Attorney General Bonta’s office over the past 12-24 months.

The Notices of Violation issued by the Attorney General’s office will give rise to meaningful risks for many of the receiving businesses. We anticipate the Attorney General’s team will focus on granular technical details of data collection via mobile apps including through the third-party SDKs[1] that are ubiquitous across digital mobile products. How these and other digital analytics tools collect and transfer data, including precise location data, is often not well understood even by the internal digital marketing, data analytics, and product development teams that deploy and use the tools. This blind spot has created a zone of risk for many businesses that would not consider themselves a part of the “location data industry” referenced in the Attorney General’s announcement.

The interactions with the Attorney General’s office in these investigations and in enforcement proceedings can also change focus when the Attorney General’s staff suspects compliance gaps in other sensitive areas, such as use of mobile apps by children or in connection with healthcare or other sensitive activities. Careful and detailed internal legal/technical data flow analyses are therefore critical to quickly identifying the full scope of potential risk and framing the strategy for engaging with the Attorney General. For those businesses that have not received notices, this is another opportunity to close the gap between digital advertising, data analytics, and mobile app development and these emerging and increasingly clear legal privacy standards relating to precise location data and use of third-party SDKs in mobile apps.

Alston & Bird’s Privacy, Cyber & Data Strategy Team has extensive experience advising and defending clients who receive inquiries and violation notices from California’s privacy regulators.  We will continue to monitor developments in privacy regulatory enforcement in California and other states.

[1] “SDK” refers to a software development kit. These tools, many of which are free, are commonly used by mobile app teams to shorten app development timelines and quickly add features and functions to mobile apps.

_______________________________
Originally published March 12, 2025 on Alston & Bird’s Privacy, Cyber & Data Strategy Blog.

A Friendly Reminder of the Importance of Robust Consumer Complaint Handling Processes

By ,

What Happened?

On February 27, 2024, the California Department of Financial Protection and Innovation (the Department) entered into a public consent order with a company that provides consumer financial services to California residents. The consent order alleges that between January 2020 and September 2022, the Department received complaints from consumers raising concerns about their accounts and customer service interactions with the company, which the Department forwarded to the company for investigation and response. The Department also investigated the company’s handling of those consumer complaints.

The Department found that the company’s complaint handling was deficient in that “occasional mistakes” that occurred in the Company’s responsiveness to consumer complaints were substantial enough to have violated the California Consumer Financial Protection Law (CCFPL). The Department alleged that as between the company and the consumer, the company was in the better position to accurately evaluate the available information in most cases and to respond to consumers’ complaints in a timely manner and while the number of mistakes during the Department’s investigation period was relatively small in comparison to the overall number of consumer complaints received, the Department concluded that the mistakes were important to the affected consumers.

To resolve these allegations, the company agreed to (1) desist and refrain from violating the CCFPL through its complaint handling processes, (2) pay a penalty of $ 2.5 million, (3) enhance existing customer service procedures or processes, (4) establish, implement, enhance, and maintain testing policies, procedures, and standards reasonably designed to, at a minimum, ensure compliance with the law, and (5) report to the Department annually for two years on these standards. These standards require the company to:

  • Ensure customer service support 24 hours a day, seven days a week;
  • Ensure sufficient customer service support staffing;
  • Ensure sufficient customer service support training; and
  • Investigate and implement policies and procedures to maintain the accurate, prompt and proper handling of consumer complaints.

Why is it Important?

The CCFPL was enacted in September 2020 and grants the Department expanded authority over persons engaged in offering or providing a consumer financial product or service in California and their affiliated service providers. Notably, under the CCFPL, it is unlawful for a “covered person” or “service provider,” to do any of the following:

  • Engage, have engaged, or propose to engage in any unlawful, unfair, deceptive, or abusive act or practice (UDAAP) with respect to consumer financial products or services.
  • Offer or provide to a consumer any financial product or service not in conformity with any consumer financial law or otherwise commit any act or omission in violation of a consumer financial law.
  • Fail or refuse, as required by a consumer financial law or any rule or order issued by the Department thereunder, to do any of the following:
    • Permit the Department access to or copying of records.
    • Establish or maintain records.
    • Make reports or provide information to the Department.

The CCFPL defines a “covered person” to mean, to the extent not preempted by federal law, any of the following:

  • Any person that engages in offering or providing a consumer financial product or service to a resident of California.
  • Any affiliate of a person described above if the affiliate acts as a service provider to the person.
  • Any service provider to the extent that the person engages in the offering or provision of its own consumer financial product or service.

A “servicer provider” includes any person that provides a material service to a covered person in connection with the offering or provision by that covered person of a consumer financial product or service, including a person that either:

  • Participates in designing, operating, or maintaining the consumer financial product or service.
  • Processes transactions relating to the consumer financial product or service, other than unknowingly or incidentally transmitting or processing financial data in a manner that the data is undifferentiated from other types of data of the same form as the person transmits or processes.

The term “service provider” does not include a person solely by virtue of that person offering or providing to a covered person either a support service of a type provided to businesses generally or a similar ministerial service, or time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.

Notwithstanding the broad definition of “covered person,” the CCFPL contains numerous exemptions, including for banks; licensed escrow agents; licensees under the California Financing Law; licensed broker-dealers or investment advisers; licensees under the Residential Mortgage Lending Act; licensed check sellers, bill payers, or proraters; and licensed money transmitters, among others.

The Department is authorized to impose civil money penalties for any violation of the CCFPL, rule or final order, or condition imposed in writing by the Department in an amount not to exceed the greater of $5,000 for each day during which a violation or failure to pay continues, or $2,500 for each act or omission. Reckless violations are subject to increased penalties not to exceed the greater of $25,000 for each day during which the violation continues, or $10,000 for each act or omission. For knowing violations, the Department is authorized to assess penalties not to exceed the lesser of one percent of the person’s total assets, $1 million for each day during which the violation continues, or $25,000 for each act or omission.

What Do You Need to Do?

It is always important to take consumer complaints seriously and to respond timely and accurately. Now is the time to review your company’s complaint management procedures to make sure they are robust. It is always important to mine your consumer complaints so that you can learn from them and correct errors timely to ensure mistakes don’t recur, and the Department’s latest settlement is a reminder that companies subject to the CCFPL also have a legal obligation to do so.

CFPB Issues Preemption Determination that State Commercial Financing Disclosure Laws Are Not Preempted By TILA

By ,

A&B Abstract:

The Consumer Financial Protection Bureau (CFPB) recently announced that it issued a final preemption determination concluding that certain state disclosure laws applicable to commercial financing transactions in California, New York, Utah, and Virginia are not preempted by the federal Truth in Lending Act (TILA). As covered in a previous post, we note that the California, Utah, and Virginia laws have already gone into effect, and New York’s is set to become effective on August 1, 2023.

State Commercial Lending Laws

After examining the state disclosure laws in California, New York, Utah, and Virginia, the CFPB recently affirmed that there is no conflict with TILA because the state laws extend disclosure protections to businesses seeking commercial financing, which are beyond the scope of TILA’s statutory consumer credit protections.  Specifically, the CFPB determined that TILA only preempts state laws under conflict preemption, which the CFPB interprets to mean that TILA preempts state laws only if they are “inconsistent” with TILA.

In California, New York, and Utah, state laws require lenders to issue disclosures in certain commercial financing transactions, the purpose of which is generally defined to mean primarily for other than personal, family, or household purposes.  This is in contrast to TILA’s application to consumer credit, which is extended primarily for personal, family, or household purposes.  In December 2022, the CFPB made a preliminary determination that New York’s commercial financing disclosure law was not preempted by TILA because the state law regulates commercial financial transactions rather than consumer-purpose transactions.

In Virginia, disclosures are required in connection with “sales-based financing,” which is defined generally as a transaction in which the financing is repaid by the recipient based on a percentage of sales or revenue.  “Recipient” means a person whose principal place of business is in Virginia and that applies for sales-based financing and is made a specific offer of sales-based financing by a sales-based financing provider.  Based on these definitions, it appears that the Virginia law would not apply to a consumer credit transaction.  However, the CFPB generally noted that, to the extent state law could apply to a consumer credit transaction, there would still be no inconsistency with TILA.

Accordingly, the CFPB found that the four states’ commercial financing disclosure laws are not inconsistent with and, therefore, not preempted by the federal TILA.

Takeaway

As states continue to propose and enact similar laws requiring disclosures in commercial financing transactions, an argument that federal law preempts such state laws is unlikely to succeed.  Thus, companies should monitor ongoing state regulatory trends in commercial financing transactions to ensure compliance with the consumer-style disclosure requirements that may apply.

California DFPI Digital Asset Lending Regulatory Year in Review

By ,

A&B ABstract:

In December of 2022 California released an interagency progress report (“Report”) analyzing the current regulatory status of Web3, Crypto Assets, and Blockchain. The report was prepared pursuant to Executive Order N-9-22 (the “Order”) issued by California Governor Gavin Newsome on May 4, 2022, which declared California’s intent to regulate blockchain, including crypto assets and related financial technologies, and directed California state agencies, including the Governor’s Office of Business and Economic Development (“GO-Biz”), the Government Operations Agency, the Business, Consumer Service and Housing Agency, and the Department of Financial Protection and Innovation (“DFPI”) to collect feedback from various stakeholders to understand the risks and explore opportunities for the state. The Order, among other directives, advises these California agencies, led by DFPI, in consultation with GO-Biz, to create a regulatory framework for crypto assets in coordination with federal and state authorities, with the goals of ensuring equity, regulatory clarity, consumer protection, innovation, and job growth. Although these new technologies present some novel questions, for entities engaging in lending backed by digital assets, the DFPI has made clear that the California Financing Law and similar regulatory burdens apply.

Current Registration Requirements

The Report follows earlier requests for public comment, including from the DFPI, which published a request for public comment (the “Request”) stating an intent to develop a comprehensive state regulatory framework for the offering of digital asset related financial products and services in California. Within the previous request for comment, the DFPI states that it possesses the authority to develop comprehensive regulations under the California Consumer Financial Protection Law (CCFPL), which authorizes the DFPI to “prescribe rules regarding registration requirements applicable to a covered person engaged in the business of offering or providing a consumer financial product or service.” Accordingly, the DFPI has put forth that it currently has the authority to require licensing and regulation of crypto asset-related financial products. In the Order issued by Governor Newsom “crypto assets” is defined as “a digital asset, which may be a medium of exchange, for which generation or ownership records are supported through a blockchain technology.” Given this backdrop, we can expect the DFPI to issue regulations without further legislative input.

Public Feedback

Responses to the request for comment and other opportunities to provide public input resulted in several key suggestions for regulation, including the following:

  • Provide regulatory clarity—including by basing regulations on specific types of activities, products, and services (rather than specific entities).
  • Harmonize with federal guidelines—including by modeling key terms and requirements on those used by federal regulators.
  • Avoid over-regulation—including by minimizing compliance costs.

CCFPL Regulation and Supervision

The Report states that DFPI has issued licenses to 10 crypto asset related companies that engage in lending activities under California financial licensing laws. Some make consumer loans that are secured by crypto assets, while others make commercial loans to crypto asset-related companies. In addition to licensing and other compliance activity, the Report further notes that enforcement actions were also underway. The highlighted enforcement actions within the report related to companies allegedly operating crypto deposit accounts that qualified as unregistered securities as well as investment schemes. The Report did not highlight any enforcement actions related to loans secured by crypto assets or other licensing violations.

However, on November 18, 2022 and November 22, 2022, the DFPI suspended California Financing Law licenses for two entities in connection with their crypto asset platforms. In both instances, the entities paused activity on their platforms. The investigation of one entity remains ongoing while the other entered into an agreement to pause collection of repayments and interest on loans belonging to California residents while its CFL License is suspended or as further agreed to between the DFPI and the entity.

Takeaway

While many aspects of Web3, Crypto Assets, and Blockchain regulation remain unclear, it is clear that those engaging in lending activities collateralized or otherwise related to such assets are regulated under the CCFPL and other California law, and must abide by the same strictures as any other lender.

California Settlement Offers Reminder that Buy Now Pay Later Participants are Subject to California Financing Law

By ,

In August 2022, the California Department of Financial Protection and Innovation (“Department” or “DFPI”) entered into a consent order with a company offering point of sale financing products that the DFPI deemed to be buy now, pay later (“BNPL”) financing, for which a California Financing Law (“CFL”) license is required. The company is required to pay a penalty, refund previously collected fees from California residents, and obtain a CFL license.

The settlement follows an annual report released in October of 2021 in which the DFPI noted a sharp increase in BNPL “consumer loans.” In the accompanying press release to that report, the DFPI stated:

BNPL loans are an increasingly common type of short-term financing that allows consumers to make purchases and pay for them at a future date, often interest-free. Sometimes referred to as point-of-sale installment loans, BNPL products are becoming a popular payment option. The report shows a surge in BNPL unsecured consumer loans reported to the DFPI. This product has grown in recent years and has come under the DFPI regulatory umbrella.

The press release also noted that the Department had rendered prior legal opinions and entered into settlements with three separate BNPL / point-of-sale financers in 2019 and 2020 that were deemed to be structuring their BNPL products in a manner designed to evade regulation under the CFL. These companies had agreed to refund fees to consumers and obtain CFL licenses, and among other requirements, must: (i) consider consumers’ ability to repay loans, (ii) comply with rate and fee caps, and (iii) respond to consumer complaints

In one of those prior opinions, the DFPI (formerly, the Department of Business Oversight) asserted that the CFL applies to making consumer loans and noted that the CFL defines “consumer loan” as a loan “the proceeds of which are intended by the borrower for use primarily for personal, family, or household purposes.” (Note that loans in the principal amount of $5,000 or less for other than personal, family, or household purposes are also included in the definition, bringing certain commercial or business-purpose loans within the scope of the CFL). The Department further stated that the CFL incorporates certain aspects of the common law, including that merchants may sell goods in exchange for cash or in exchange for a consumer’s promise to pay later (a “credit sale”) and that a merchant may charge a premium for credit sales without the transaction being subject to the state’s loan laws and without the premium being subject to the state’s usury limit. The DFPI concluded, however, that “[e]xtensive third-party involvement may cause transactions to be deemed loans even if the underlying credit sale is bona fide.”

Taken together, the Department’s prior statements, opinions, and enforcement actions signal a broad interpretation of the CFL that could potentially apply to many lenders and third parties involved in point-of-sale financing, including the offering of buy now, pay later products. In the press release accompanying the most recent enforcement action, the DFPI concluded that it “continues investigating other companies offering Buy Now, Pay Later products.”