CFPB’s Latest Rulemaking Agenda

The CFPB recently released its upcoming rulemaking agenda, the “Fall 2013 Rulemaking Agenda,” which maps out what the agency will focus on in 2014.  Here’s a look at their summary:

On Mortgages: “follow-up mortgage issues, such as how to apply certain exemptions under the Dodd-Frank Act that are designed to preserve credit in “rural or underserved” areas…a proposed rule to implement Dodd-Frank Act changes to the Home Mortgage Disclosure Act, which will improve the mortgage data that is available to monitor the market and assess fair lending practices.”

On Prepaid Cards: a proposed rule with respect to prepaid card products.

On other Consumer Financial Products and Services: “actively assessing the need for regulations…on debt collection, payday loans and deposit advance products, and bank overdraft programs.”

Testing consumer disclosures in connection with prepaid products and debt collection.

Ways to streamline regulations, including issuing a proposal regarding consumer notices from financial institutions explaining information sharing practices.

For more information–the CFPB’s Agency Rule List Fall 2013.

Payments and Privacy Roundup

A quick wrap-up of a few notable happenings on Payments and Privacy, this month so far (okay, one of them happened before November):

David Lott at the Atlanta Fed asks the larger question “Is Consumer Privacy Possible?”

Coinbase’s Bitcoin Wallet gets pulled by Apple

Raj Date is brought on-board to Circle’s Board of Directors

A California federal court determines email addresses are PII

$3 million settlement awarded in class action data breach case, even to those who were not victims of identity theft.

The TCPA and Payments?

The new rules to the TCPA (Telephone Consumer Protection Act) go into effect today.  Generally speaking, consumers should be overjoyed that their dinners will likely go uninterrupted by an automated call from a telemarketer, creditor or debt collector (provided that they did not provide express consent to have them make the call in the first place).  But in a world full of mobile phones and text messaging, entities who have been auto-generating offers and rewards need to take extra caution.

These new rules have been a hot topic in the legal world since the FCC issued them last year.  Legal news and blogs have been all over the issue for months.  Two key changes include the requirement of express consent and the end of the established business relationship exception.

Since I focus largely on payments and privacy, it seems appropriate to take a look at these significant changes to the TCPA, as they relate to merchants, creditors and debt collectors.

In the money and payments chain, merchants, creditors and debt collectors will also need to take extra caution and provide “clear and conspicuous disclosures” when obtaining “express consent” from their applicants and customers.  They should make sure they have documented proof of this consent in the event that they are met with future allegations of TCPA violations, as there will likely be plenty.  The cost for violation can be very high, starting from $500 up to $1500 per call.  Just ask Papa John’s, which recently had to fork over $16.5M when its affiliates had a marketer send out unwanted text messages for their pizzas.


This blog is for general information and educational purposes, not to provide legal advice. If you need legal advice, please consult with a qualified attorney.  

New additions to CA Data Breach Law


I’ll try to use this blog to sum up some of the relevant results of California’s recent legislative session.  For today’s blog, which is also the inaugural post, the focus is on the expansion of California’s Data Breach Notification Law.

SB 46, which was signed by Governor Brown last week, expands the definition of personal information in California’s Data Breach Notification Law (Cal Civ Code 1798.29 and 1798.82). The law will require notice when a California resident’s username or email address is breached, or reasonably believed to have been breached, with its password or security question and answer that provides access to an online account.

There is also a new method for how notice is to be provided for this new category of personal information:

1.  If no other personal information has been breached, notice can be provided in an electronic or other form to “direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.”

2.  If the breach involves login credentials of an email account, then the notice cannot be made to the email address but rather by other methods, including “by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.”

Attorney General Harris released the office’s first report in 2012 on data breaches, with a few recommendations:

1.  Encrypt personal information when moving or sending outside of the secure network.

2.  Review and tighten internal security controls.

3.  Make breach notices easier to read.

4.  Expand data breach law to include passwords. (Check)

Bottom line, if you own or license this new category of computerized unencrypted personal information, be prepared by year’s end, as SB 46 goes into effect January 1, 2014.
