The recently-passed California Privacy Rights Act (CPRA) augments and supplements California’s existing privacy law, the California Consumer Privacy Act (CCPA).  We are sure many practitioners are wondering how it stacks up with the European Union’s General Data Protection Regulation (GDPR). See below for Part I of our two part series comparing the CPRA and the GDPR (and see Part II here).

HOW DOES THE CPRA CHANGE THE CCPA?

The CPRA makes several significant changes to the CCPA:

  • It introduces the concept of “sensitive personal data”;
  • It introduces new obligations on businesses, and GDPR-style “principles”;
  • It introduces new rights for consumers; and
  • It creates a new supervisory authority for data protection and privacy in California — the California Privacy Protection Agency.

These changes are very significant – but do they represent a move closer to GDPR, or a move away?

New York, California and six other States filed a widely expected lawsuit on January 5 seeking to invalidate the “True Lender” Rule recently issued by the Office of the Comptroller of the Currency (“OCC”).  As we previously reported, the OCC’s True Lender Rule — finalized in October and effective since December 29 —provides bright-line tests for determining, in the context of a lending partnership between a national bank (or federal thrift) and a third-party (often a FinTech or other non-bank firm), which entity actually “made” the loan, i.e., which entity was the “true lender.”

On December 30, 2020, the Consumer Financial Protection Bureau (“CFPB”) granted approval to Payactiv, Inc. (“Payactiv”) to offer its earned wage access (“EWA”) program under the CFPB’s Policy on the Compliance Assistance Sandbox, among the first approvals under the CFPB’s regulatory sandbox.

In its approval order, the CFPB granted approval to various aspects of Payactiv’s EWA program and grants Payactiv a safe harbor from liability under the Truth in Lending Act (“TILA”) and Regulation Z.

On December 10, 2020, FinCEN Director Kenneth Blanco delivered prepared remarks at the ABA’s annual Financial Crimes Enforcement Conference. At the outset, Director Blanco addressed the importance of U.S. national security amidst the unprecedented environment created by the COVID-19 pandemic. In his remarks, Director Blanco announced “important guidance” and “much needed clarity” concerning FinCEN’s voluntary Section 314(b) information sharing program.

Section 314(b) of the USA PATRIOT Act provides financial institutions safe harbor from civil liability when sharing with another financial institution information regarding customers suspected of possible terrorist financing or money laundering activities. 31 C.F.R. § 1010.540(b)(1). Financial institutions share information under this provision to facilitate investigations of suspicious activity and assist in preparing more complete Suspicious Activity Reports (“SARs”).

The November 2020 election left a lot of questions.  Among them, companies doing business in California are now asking about compliance with yet another California data privacy law, this time the California Privacy Rights and Enforcement Act of 2020 (the “CPRA”).  This article gives an overview addressing the what, when, and how of the CPRA.  (We won’t hazard a guess as to the why—we leave that to the backers of the new law.)

What is the CPRA?

The CPRA builds on the California Consumer Privacy Act of 2018 (the “CCPA”) in a number of key ways.  It includes: new consumer rights, new requirements for businesses, and a number of other miscellaneous changes.  Some parts of the CCPA will remain in effect, and others are rephrased or clarified.  We provide below a high-level overview of topics we believe businesses should be thinking about now as they look ahead to building-out their CPRA compliance programs.

In an earlier article, we provided an overview of the Consumer Financial Protection Bureau’s (“CFPB”) earned wage access (“EWA”) advisory opinion.  In the opinion, the CFPB identified seven requirements for a “Covered EWA Program,” i.e., an EWA program that would “not involve the offering or extension of ‘credit’” under the Truth In Lending Act (“TILA”) and its Regulation Z.

On December 3, 2020, the SEC announced that FinHub (the Strategic Hub for Innovation and Financial Technology) was being upgraded to an independent office. Acknowledging the importance of the all things fintech (emerging technologies and innovation in financial services), the SEC stated that creating a stand-alone office:
“[S]trengthens the SEC’s ability to continue fostering innovation in emerging technologies in our markets consistent with investor protection. The office will continue to lead the agency’s work to identify and analyze emerging financial technologies affecting the future of the securities industry, and engage with market participants, as technologies develop.”

As we previously explained, the Consumer Financial Protection Bureau’s (“CFPB”) recently finalized Advisory Opinion Policy allows any person or entity to request an advisory opinion from the agency.  When the CFPB finalized that Policy on November 30, 2020, it concurrently issued its first two advisory opinions: one addressing earned wage access (“EWA”) programs, and one concerning private education loan products.  This article specifically comments on the important EWA advisory opinion.

EWA programs generally allow employees to access wages they have already worked for and accrued, but have not yet been paid.  In its EWA advisory opinion, the CFPB stated that EWA programs incorporating several specific features do “not involve the offering or extension of ‘credit,’” and thus, do not fall under the purview of Regulation Z, which implements the Truth In Lending Act (“TILA”).

The Consumer Financial Protection Bureau (“CFPB”) announced in March 2020 that it would develop a new advisory opinion program under which it would publish in the Federal Register responses to questions seeking clarification of ambiguities in federal consumer financial law.  On November 30, 2020, the CFPB issued a final Advisory Opinion Policy (“AO Policy”) setting forth specific procedures for its Advisory Opinion Program.

Opinions issued under the AO Policy will be interpretive rules under the Administrative Procedure Act that respond to a specific need for clarity on a statutory or regulatory interpretive question.  See 5 U.S.C. § 553(b).  Each advisory opinion will include a summary of the material facts or covered products, and the CFPB’s legal analysis of the issue.  The CFPB expects that its advisory opinions will apply not only to the requestor, but also “to similarly situated parties to the extent that their situations conform to the summary of material facts or coverage in the advisory opinion.”

On November 9, 2020 the FTC entered into a consent agreement with Zoom Video Communications, Inc. to address concerns over the videoconferencing platform’s security practices. With the onset of the COVID-19 pandemic, the need for a reliable, online videoconferencing and meeting platform skyrocketed. Zoom met that need. It advertised its platform as a secure space with various safety measures to protect user data, including “end-to-end” 256-bit encryption. In short order, individuals, businesses, and organizations quickly flocked to the user-friendly communications platform; and, by the end of April 2020 Zoom’s user base was booming.

Then came a backlash of sorts. The FTC began investigating Zoom’s security practices, and private plaintiffs brought class-action lawsuits alleging violations of the California Consumer Privacy Act and failure to adhere to Zoom’s terms of service. The FTC’s complaint alleged several concerns with Zoom’s advertising and security promises, concluding that Zoom made misleading claims about the strength of its encryption and security of its platform that gave customers a false sense of security. The five-count complaint alleged that Zoom: