April 2, 2021
Business Law Today March Month-in-Brief: Illinois "All-in" APR Calculation, CA Office of Administrative Law Approves Revisions to CCPA, VA Governor Signs VCDPA
Posts were previously published in the ABA Business Law Section's Business Law Today March Month-In-Brief.
Illinois Enacts "All-in" APR Calculation and 36% Rate Limitation, Repeal of Small Consumer Loans
By: Daniel J. Laudicina
On March 23, 2021, Illinois Governor Pritzker signed SB 1792, which includes the Illinois Predatory Loan Prevention Act, into law.
The new law imposes sweeping changes to the rate authority on consumer purpose transactions subject to Illinois law. In particular, the law limits rates on "loans" (as that term is defined by the Predatory Loan Prevention Act) to 36% and requires creditors to calculate the APR using the military APR calculation required under federal law. Any loan violating the rate cap is null and void and the lender will have no right to collect, attempt to collect, receive, or retain any principal, fee, interest, or charges related to the loan.
The law broadly defines "loan" to mean "money or credit provided to a consumer in exchange for the consumer's agreement to a certain set of terms, including, but not limited to, any finance charges, interest, or other conditions." The term "loan" expressly includes closed-end and open-end credit, retail installment sales contracts, motor vehicle retail installment sales contracts, and any transaction conducted via any medium whatsoever, including, but not limited to, paper, facsimile, Internet, or telephone. The law expressly excludes commercial loans from coverage.
Banks, savings banks, savings and loan associations, and credit unions chartered under the laws of the United States are also exempt from the rate limitations. However, the law states that it applies to the person who holds, acquires, or maintains, directly or indirectly, the predominant economic interest in the loan. The law also applies to any person or entity who markets, brokers, arranges, or facilitates the loan and holds the right, requirement, or first right of refusal to purchase loans, receivables, or interests in the loans. Finally, the law applies to any person or entity where the totality of the circumstances indicate that the person or entity is the lender and the transaction is structured to evade the requirements of the law.
Illinois also repealed provisions of the Consumer Installment Loan Act that authorized and regulated so called "small consumer loans" (loans of $4,000 or less with APRs in excess of 36%). Illinois law no longer authorizes these loans. In addition, the new law repealed authority under the Consumer Installment Loan Act for lenders to charge a documentary fee of $25 on each loan. Consumer Installment Loan Act lenders are no longer permitted to charge documentary fees or any other prepaid finance charges in connection with loans made under the Consumer Installment Loan Act.
These changes to the law are effective immediately. However, the new law applies only to loans made or renewed on and after the effective date. Loans made in accordance with Illinois law in effect prior to these changes remain valid.
California Office of Administrative Law Approves Revisions to CCPA Regulations
By: Webb McArthur
On March 15, 2021, the Office of the Attorney General of California announced that the California Office of Administrative Law approved revisions to the California Consumer Privacy Act regulations. These changes are effective immediately.
Below is a summary of these changes. Affected businesses should review the approved revisions and current version of the regulations alongside qualified counsel.
- Providing Notice of Right to Opt Out Offline. The revisions add language requiring a business selling personal information collected from consumers in the course of interacting with consumers offline to inform consumers of their right to opt out of the sale of their personal information by an offline method. The revisions also provide illustrative examples of such offline notice.
- Use of Opt-Out Button. The revisions allow businesses to use a unique button that would allow consumers to opt out of the sale of their personal information. The button is to be used in addition to, and not in lieu of, posting the notice of right to opt out. Where a business posts a "Do Not Sell My Personal Information" link, the button would need to be placed to the left of that link. Further, the button itself would need to link to the same website that the "Do Not Sell My Personal Information" link targets.
- Providing Opt-Out Methods that are Easy and Require Minimal Steps. The revisions require a business' opt-out methods to be easy for consumers to execute and involve minimal steps. The revisions also add illustrative examples, including that the method take no more steps than an opt-in process, that consumers may not be required to click through reasons why not to submit an opt-out request, and that consumers should not be required to scroll through certain material before locating the opt-out mechanism.
- Requesting Proof of Authorized Agency. The revisions clarify that a business may require an authorized agent to provide proof of its agency and permit the business to request information from the consumer.
The CCPA provides California residents with certain rights with regard to their personal information and imposes related requirements on certain businesses in California. Regulated businesses should consult the current and complete text of the law and regulations alongside knowledgeable counsel. Significant exemptions may apply to financial services businesses. The CCPA became effective on January 1, 2020, and enforceable on July 1, 2020. Regulations became effective and enforceable on August 14, 2020.
Virginia Governor Signs Nation's Second Comprehensive Consumer Data Privacy Law
By: Chris Capurso and Webb McArthur
On March 2, 2021, Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act ("VCDPA"). By enacting the VCDPA, Virginia becomes the second state nationwide to implement a comprehensive consumer data privacy law, after California with the California Consumer Privacy Act ("CCPA"). While the VCDPA is similar to the CCPA in many respects, the law has a different scope and different obligations than the CCPA. Accordingly, impacted businesses must conduct a separate scope analysis, and, if subject to the VCDPA, they will need to set up different business rules to comply with the law.
The VCDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either (i) control or process personal data of at least 100,000 consumers during a calendar year, or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. The VCDPA applies to information that is linked or reasonably linkable to an identified or identifiable person acting in an individual or household context. The law also provides special protections for sensitive data, which includes personal data including certain demographic, biometric, or location information, along with information on a known child.
However, the VCDPA does not apply to, among other things:
- financial institutions or data subject to the federal Gramm-Leach-Bliley Act;
- certain activities regulated by the Fair Credit Reporting Act;
- information on persons acting in a commercial or employment context;
- deidentified data; or
- publicly available information.
The VCDPA provides consumers with a number of rights related to their personal data, several of which are similar to rights available under the CCPA. Under the VCDPA, consumers have the right:
- to confirm whether or not a controller (the person that determines the purpose and means of processing personal data) is processing personal data;
- to access their personal data;
- to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for processing the personal data;
- to delete personal data provided by or obtained about them;
- to obtain a portable copy of personal data that they previously provided to the controller; and
- to opt out of the processing of personal data for (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The VCDPA imposes different obligations depending on whether the business is a controller or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is acting as a controller or a processor when engaging in any personal data processing.
Under the VCDPA, controllers must, among other things:
- limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such personal data is processed, as disclosed to the consumer;
- not process personal data for purposes that are not reasonably necessary or compatible with disclosed purposes, unless the controller obtains consumer consent;
- establish, implement, and maintain data security practices;
- not process personal data in violation of discrimination laws;
- not process sensitive personal data without consent; and
- clearly and conspicuously disclose if it sells personal data to third parties or processes personal data for targeted advertising and disclose the manner in which a consumer can exercise his or her opt-out rights.
Controllers must provide consumers with a privacy notice that includes certain information about personal data processed by the controller.
The VCDPA also requires controllers to conduct and document data protection assessments when engaging in the following activities:
- the processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers;
- the processing of sensitive data; and
- any processing activities involving personal data that present a heightened risk of harm to consumers.
A processor must follow a controller's instructions and must assist the controller in:
- responding to consumer rights;
- meeting breach notification obligations; and
- providing information to enable the controller to conduct and document data protection assessments.
There are also requirements for contracts between controllers and processors.
The Virginia attorney general has exclusive authority to enforce the VCDPA. The attorney general may seek civil penalties of up to $7,500 for each violation of the VCDPA, in addition to injunctive relief.
The VCDPA does not contain a private right of action.
The VCDPA will become effective on January 1, 2023.