Alston & Bird Consumer Finance Blog

Archives for May 25, 2020

CFPB Announces Two Updates Relating to COVID-19 Pandemic

By

A&B ABstract:

Last week, the Consumer Financial Protection Bureau issued two announcements of interest to servicers as they continue to respond to borrowers impacted by the COVID-19 pandemic.

Consumer Complaint Report:

On May 21, the CFPB issued a report analyzing approximately 4500 complaints relating to the COVID-19 pandemic.  Among other findings, the report indicates that approximately 22 percent of COVID-19 related complaints addressed mortgages; inability to pay appeared as the most common issue.

The report’s observations include that consumers:

  • complained about being unable to reach customer service representatives, or having access to methods other than telephone contact to discuss payment options;
  • indicated concerns about potential negative credit reporting implications of alternative payment options; and
  • indicated concerns about repayment options at the end of a forbearance period, particularly whether a lump-sum or balloon payment would be required.

No-Action Letter Template:

On May 22, the CFPB issued a No-Action Letter Template permitting mortgage servicers who are seeking to engage in loss mitigation activities with consumers.  The template, requested by Brace Software, Inc., would permit servicers to use Brace’s online platform (an online version of Fannie Mae Form 710) to implement loss mitigation efforts.  According to the CFPB’s announcement,  digitizing the loss mitigation application process may improve its operation.

The No-Action Letter is the latest example of the CFPB’s use of the No-Action Letter Policy announced in September 2019 as part of the CFPB’s effort to promote innovation and facilitate compliance.

Takeaway:

Taken together, these two announcements are indicative of the Bureau’s continued focus on the impact of COVID-19 on borrowers, and on how servicers are responding to borrower needs.

 

Proposed Federal Privacy Legislation Tackles COVID-19 Data

By

Data collection and analysis is becoming a key weapon in the fight against COVID-19 both here in the United States and around the globe.  But as governments and tech companies roll out a variety of applications and contact tracing tools, legislators from both sides of the political aisle are questioning how to handle the data being collected, analyzed, and shared. The following is a short summary of two recently-proposed pieces of federal legislation.

The COVID-19 Consumer Data Protection Act

On May 7, 2020, a group of Republicans introduced the COVID–19 Consumer Data Protection Act of 2020 (“CCDPA”).  Assigned to the Senate Committee on Commerce, Science, and Transportation, the CCDPA has several key features.

What The CCDPA Covers:
  • It covers to a wide range of organizations, including businesses under the Federal Trade Commission’s jurisdiction as well as non-profits and common carriers (“covered entities”).
  • It covers a variety of types of data, including geolocation data, proximity data, persistent identifiers such as IP addresses or device IDs, and personal health information (“covered data”).
  • It covers certain purposes or use cases, including the collection, processing, or transfer of covered data to (1) track the spread, symptoms, or signs of COVID-19; (2) measure compliance with social distancing guidelines; and (3) conduct contact tracing (“covered purposes”).
  • It does not cover, among other things, data that is already protected by HIPAA and data collected by employers to determine whether employees may enter a physical location.
What The CCDPA Requires:

It makes it unlawful for a covered entity to collect, use, or transfer covered data for a covered purpose unless three requirements are met:

  1. Individuals receive notice prior to collection, use, or transfer of the data;
  2. Individuals give affirmative express consent; and
  3. The covered entity publicly commits to not collect, use, or transfer the data for any purpose.

The CCDPA also requires covered entities to update their privacy policies, to use reasonable security to protect the covered data, to use principles of data minimization, to provide an opt-out mechanism for individuals who previously consented, and to delete the data when it is no longer needed for the covered purposes.

Who Enforces The CCDPA:

The CCDPA does not include a private right of action and would be enforced by either the Federal Trade Commission or state attorneys general.

The Public Health Emergency Privacy Act

On May 14, 2020, members of the House and Senate introduced the Public Health Emergency Privacy Act (“PHEPA”).  PHEPA has been referred to the House Energy and Commerce Committee as well as the Senate Health, Education, Labor and Pensions Committee.

What The PHEPA Covers:

Generally speaking, PHEPA would apply to certain entities that collect “emergency health data” (“EHD”).  Importantly, “EHD” means (in brief) data that concerns the public COVID-19 public health emergency, which means the “outbreak and public health response pertaining to [COVID-19], associated with the emergency declared” by HHS in January of 2020, and “any renewals” or “subsequent declarations…related to the coronavirus.”

What The PHEPA Requires:

The PHEPA imposes restrictions and compliance obligations similar to those set forth in CCDPA.  It limits the permissible purposes for collecting, using, and disclosing EHD, including reasonable safeguards to prevent unlawful discrimination based on EHD; requires reasonable security to protect EHD; requires reasonable measures to ensure EHD accuracy and a mechanism to correct inaccuracies; requires certain privacy policy disclosures and, if an organization has collected data of at least 100,000 individuals, certain additional disclosures every 90 days; and requires deletion of EHD upon the occurrence of specified events.  The PHEPA generally also requires affirmative express consent prior to the collection, use, or disclosure of EHD (subject to limited exceptions) and requires a mechanism for individuals to revoke consent.

Who Enforces the PHEPA:

PHEPA would not preempt or supersede any requirements or authorizations under applicable federal or state laws and contemplates rule making by the FTC regarding EHD collected prior to the law’s enactment.  PHEPA expressly does not apply to a covered entity or business associate under HIPAA, though PHEPA directs HHS to promulgate guidance on the applicability of similar requirements.

In addition to rule making authority, the FTC would have the authority to enforce the law along with state attorneys general.

Unlike the CCDPA, the PHEPA provides a private right of action for violations that constitute a concrete and particularized injury in fact to the individual.

The PHEPA Applies To The Government, Not Just Private Entities

Unlike the CCDPA, the PHEPA is not limited to private entities and would also regulate some governmental use, collection, and disclosure of EHD.

PHEPA also includes provisions focused on protecting voters’ rights.  It prohibits government entities from denying, restricting, or interfering with (or attempting to do so), or retaliating against someone for, voting in an election, on the basis of EHD, an individual’s medical condition, or participation or non-participation in a program to collect EHD.  PHEPA also prohibits covered organizations from knowingly facilitating such activities.