Technology

On August 28, the CFPB announced a proposed settlement with Utah-based credit repair telemarketing company and its affiliates for allegedly committing deceptive acts and practices in violation of the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA) by collecting illegal “advance fees.” The CFPB alleged the defendants charged consumers a fee for telemarketed credit repair services when they signed up for the services, and then monthly thereafter, without (i) waiting for the timeframe in which they represented their services would be provided to expire; and (ii) demonstrating that the promised results have been achieved, in the form
Continue Reading CFPB Reaches $2.6 Billion Settlement with Credit Repair Company

On September 8, a Texas federal judge ruled that the CFPB exceeded its authority by adopting a sweeping anti-discrimination policy last year. The CFPB adopted the policy in March 2022, via an update to its exam manual, stating that discrimination in any financial product is an “unfair” practice that can trigger liability under the federal prohibition against “unfair, deceptive or abusive acts or practices” or UDAAPs (we discussed this policy in previous posts here and here). The CFPB offered examples of practices that may be unfair because they are discriminatory, including offering one set of products or services to
Continue Reading Texas Court Strikes Down CFPB UDAAP Policy

On September 14, U.S. District Court for the Eastern District of Kentucky granted a motion brought by the Kentucky Bankers Association (KBA) and eight Kentucky-based banks (plaintiffs), seeking a preliminary injunction enjoining the CFPB from enforcing the Small Business Lending Rule (the Rule) against the plaintiffs and their members. In granting the motion, the court agreed to halt the rule until the Supreme Court rules on the CFPB’s funding structure in Consumer Financial Protection Bureau et al. v. Community Financial Services Association of America Ltd. The court also noted that the banks are incurring expenses related to “training programs, seminar fees, staff
Continue Reading Kentucky Court Grants Injunction on Small Business Lending Rule

The CPPA, the California regulatory body charged with enforcing CCPA, has now issued draft regulations on risk assessments and cybersecurity audits. The draft was released ahead of a public board meeting to discuss those topics (among other things).
Continue Reading What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?

After some delay, Delaware’s governor has at last signed into law the thirteenth state comprehensive privacy law. This is the seventh law passed in 2023, joining Iowa, Indiana, Tennessee, Montana, Florida, and Oregon. The law takes effect on January 1, 2025. The bill was passed by Delaware’s congress at the end of June and was sent to the governor’s office for signature on June 30, 2023. He did not sign it, though, until this week.
Continue Reading The “First State” Officially Becomes the Thirteenth State with a Comprehensive Data Privacy Law

The SEC has, in rapid fire, announced enforcements against two NFT projects for allegedly violating securities laws. The first action announced August 28, 2023 was against Impact Theory and the second action announced September 13, 2023 was against Stoner Cats. In both cases, two SEC Commissioners dissented. The SEC has taken these actions despite not first offering specific guidance on the applicability of securities law to NFTs. While these actions have come as a surprise to many in the NFT industry, we have been cautioning NFT projects about these issues for some time. And in our NFT Regulatory Issues – a
Continue Reading SEC Enforcements Against NFTs – Are You Next?

The rapid growth of generative AI (GAI) has taken the world by storm. The uses of GAI are many as are the legal issues. If your employees are using GAI, they may be subjecting your company to many unwanted and potentially unnecessary legal issues. Some companies are just saying no to employee use of AI. That is reminiscent of how some companies “managed” open source software use by employees years ago. Banning use of valuable technology is a “safer” approach, but prevents a company from obtaining the many benefits of that technology. For many of the GAI-related legal issues, there
Continue Reading Microsoft to Indemnity Users of Copilot AI Software – Leveraging Indemnity to Help Manage Generative AI Legal Risk

It’s been a busy summer for US state privacy laws, and companies now need to keep track of a growing list of requirements from these laws. These include many we have written about in the past, including notice, vendor contract provisions, and offering consumers rights and choices. The laws also impose certain record keeping requirements, which we discuss here.
Continue Reading The Comprehensive Privacy Law Deluge: Record-Keeping and Related Requirements

On August 28, 2023, the Securities and Exchange Commission (“SEC”) instituted cease-and-desist proceedings under Section 8A of the Securities Act against Impact Theory, a Los Angeles media and entertainment company, alleging that the company’s sale of non-fungible tokens (“NFTs”) violated the registration requirements under the Securities Act of 1933 (the “Act”). 
Continue Reading The SEC’s Sudden Impact on NFTs!

Now that the EU has adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), many companies are assessing whether participation makes sense. Participation by a US entity is a mechanism -but not the only mechanism- for two parties (one EU and one US) to transfer personal data from the EU to the US. Other transfer methods include Binding Corporate Rules or Standard Contractual Clauses. As we wrote recently, when the EU determined that the program was “adequate,” it noted that the safeguards developed by the US for the DPF applied to all methods of transfer. In other
Continue Reading Considerations for Participation in the EU-US Data Privacy Framework

Texas has joined Arkansas and Utah as the third state to impose requirements on social media accounts for those under 18. Namely, with the Securing Children Online through Parental Empowerment Act (“SCOPE Act”), Texas will place requirements on “digital service providers.” The law goes into effect September 1, 2024. It does not provide for a private right of action. Instead, enforcement will be by the Texas attorney general.
Continue Reading Texas’ SCOPE Act Puts Focus on Social Media and Minors

On August 22, the CFPB filed a lawsuit against an installment lending company and several of its subsidiaries in South Carolina federal court, alleging that the company engaged in illegal “loan-churning” practices that generated hundreds of millions of dollars in loan costs and fees. The CFPB’s complaint alleges that many of the installment lender’s “loan-churning” practices constituted unfair, deceptive, and abusive acts or practices (“UDAAPs”) in violation of the CFPA. Specifically, the CFPB alleges that the installment lender harmed consumers by:
Continue Reading CFPB Sues Installment Lender for Alleged Loan Churning Operation

Recently, the California Department of Financial Protection and Innovation (DFPI) approved the final rule implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) that prohibit persons from engaging in unfair, deceptive, or abusive acts or practices (UDAAP) related to commercial financial products and services and establishes data collection and reporting requirements.
Continue Reading California DFPI Finalizes Small Business UDAAP Rule

The Federal Reserve Board recently issued two Supervision and Regulation Letters that provide guidance on the agency’s supervision of novel activities and the process such as fintech partnerships, crypto-related activities, and activities using distributed ledger or blockchain technology. 
Continue Reading Federal Reserve Issues Guidance on Supervision of “Novel Activities” by Banks, Impacts Bank-Fintech Partnerships

X Corp., the company formerly known as Twitter, recently sued Bright Data over its site scraping activities. Bright Data is a data collection company and advertises—among other services—its “website scraping” solutions. Scraping is not new, nor are lawsuits attempting to stop the activity. We may, though, see a rise in these suits with the rise in companies using them in conjunction with generative AI tools.
Continue Reading Scraping the Bottom of the Barrel: X Corp. Sues Bright Data Over Site Scraping

Texas recently enacted an amendment to its data breach notification law. As of September 1, 2023, there are two changes to the requirements when notifying the Texas Attorney General. In Texas, breaches of 250 residents or more must be reported to the Attorney General. Now, as amended, this will need to be done so as soon as practicable, and not later than 30 days from determination of the breach (previously, it was 60 days). Texas joins Colorado, Florida, and Washington in requiring notice within a 30-day time frame. Notification in Texas must also be submitted electronically using a form on
Continue Reading Texas Amends Data Breach Notification Law, Updates Effective September 1