Commercial Litigation Series 2023 - Teal SG (002)

In the third annual installment of Seyfarth Shaw’s Commercial Litigation Outlook, our nationally-recognized team provides insights about litigation issues and trends to expect in 2023.

Join us for the first session of our three-part webinar series, where members of our Commercial Litigation practice group will discuss key trends in the commercial litigation space.

Part 1: Commercial Litigation Outlook: Insights and Predictions for Litigation Trends in 2023

Tuesday, February 7, 2023
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

In the first session of the series, we will provide insight on the tidal wave of ESG demands, reports, and conflicts (legal and otherwise), as well as significant trends, predictions and recommendations in the following areas:

  • Trial Outlook
  • Consumer Class Actions
  • Trade Secrets, Computer Fraud & Non-Competes
  • eDiscovery & Innovation

Speakers

Kristine Argentine, Partner, Seyfarth Shaw
Jay Carle, Partner, Seyfarth Shaw
Rebecca Davis, Partner, Seyfarth Shaw
Dawn Mertineit, Partner, Seyfarth Shaw
Christopher Robertson, Partner, Seyfarth Shaw

Click here to register for the webinar series.

immo-wegmann-2TL6RxRTwnk-unsplash

Today, the Illinois Supreme Court issued its much-anticipated decision in Tims v. Black Horse Carriers, which determined whether the one-year or five-year statute of limitation applies to claims filed under the Illinois Biometric Privacy Act. In the landmark decision (found here), the Court veered from the Illinois Appellate Court’s splicing of limitations and claims and decided that the “catch-all” five-year statute of limitation applies to all BIPA claims.

Background

The Tims lawsuit has been pending since March 2019. It is premised on the defendant’s failure to institute a retention schedule available to the public, in violation of Section 15(a) of BIPA, and for obtaining their employees’ biometric data and disclosing it to third parties without first obtaining their written, informed consent, in violation of Sections 15(d) and (b), respectively.

Following the denial of the defendant’s motion to dismiss as untimely, the trial court allowed the defendant to take an interlocutory appeal to settle the issue of which statute of limitation applies to BIPA since the law is silent on the subject. Before the Illinois Appellate Court, the defendant argued that the one-year limitations period for privacy actions outlined in 735 ILCS 5/13-201 should apply. On the other hand, plaintiffs argued that the five-year “catch-all” limitations period contained in 735 ILCS 5/13-205 is more appropriate for actions under BIPA because the legislature did not intend to create a specific or shorter limitation for claims under the statute.

In September 2021, the Illinois Appellate Court complicated matters, agreeing with both parties in part, and decided that the one-year and five-year limitations periods applied to different sections of the Act. See, generally, 2021 IL App (1st) 200563. Specifically, the Appellate Court held that the one-year period under § 13-201 applies to Section 15(c) and 15(d) BIPA claims because those sections involve the “publication” of biometric data, which is a term explicitly used in § 13-201. Conversely, since the Appellate Court found that Sections 15(a), (b), and (e) of BIPA does not involve the publication of an individual’s biometric data, it applied the five-year limitations period from § 13-205 to those sections.

Illinois Supreme Court’s Decision

Having stated at oral argument by Justice Michael Burke that the Illinois Appellate Court’s holding seemed “unworkable,” the Court’s decision to have all BIPA claims fall under a single statute of limitation is no surprise.

For its analysis, the Court started by highlighting that the purpose of a limitations period is “to reduce uncertainty and create finality in the administration of justice” and that “[t]he appellate court’s decision to invoke two different statutes of limitations to different [sections of BIPA] does not align with this purpose.” See, 2023 IL 127801, ¶ 20. In as much, the Court recognized that “[t]wo limitations periods could confuse future litigants about when claims are time-barred, particularly when the same facts could support causes of action under more than one subsection of [BIPA].” Id. Therefore, “applying two different limitations periods or time-bar standards to different subsections of [BIPA] would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.” Id., ¶ 21.

In arriving at its decision to apply the five-year statute of limitation to all claims under BIPA, the Court first pointed to the statutory construction of the law. There, the Court recognized that the plain language of BIPA is designed to regulate the collection, retention, disclosure, and destruction of biometric identifiers and biometric information. Id., ¶ 29. Therefore, since Sections 15(a), (b), and (e) contain no words that are construed as meaning publication, there was no support that such claims could fall under the limited one-year statute of limitations under § 13-201, thereby agreeing with the Appellate Court’s decision for those claims. Id., ¶ 30. And while the Court recognized that the one-year statute of limitation could be applied to Sections 15(c) and (d), given its publication-esque buzzwords, it referred back to legislative intent and purpose and its unwillingness to split claims like the Appellate Court, holding that “it would be best to apply the five-year catchall limitations period” for BIPA. Id., ¶ 32.

To close out its decision, the Court further pointed to the plain language of § 13-205, which states that “all civil actions not otherwise provided for, shall be commenced within 5 years after the cause of action accrued.” Id., ¶ 34, citing 735 ILCS 5/13-205 (West 2018). The Court further noted, “Illinois courts have routinely applied this five-year catchall limitations period to other statutes lacking a specific limitations period.” Id., ¶ 34. Therefore, the Court reasoned that “because the Act does not have its own limitations period; because subsections are causes of action ‘not otherwise provided for’ [citing the language of § 13-205]; and because we must ensure certainty, predictability, and uniformity as to when the limitations period expires in each subsection,” the five-year statute of limitation under § 13-205 is the appropriate limitation. Id., ¶ 37 (citations omitted).

Today’s decision paints a bleak picture for businesses defending against BIPA lawsuits. In the days and weeks to come, it is expected that many plaintiffs will seek to lift stays and push businesses to litigate or settle their cases. And while today’s decision brings finality to the statute of limitation issue, BIPA largely remains undeveloped. For example, the issue of claim accrual is still pending before the Illinois Supreme Court in Cothron v. White Castle, and a decision is expected later this quarter. Moreover, given the undeveloped nature of the statute, there is no doubt that another issue will arise that needs resolving by the Illinois Supreme Court, which could lead to another round of stays as cases progress.

Picture1

Seyfarth Synopsis: In 2022, the Third Circuit Court of Appeals revived a class action lawsuit asserting violations of the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”). The lawsuit alleged that an online retailer and its marketing agency violated WESCA by tracking visitors’ activity on the website through the use of session replay code. Following the Third Circuit’s ruling that WESCA does not contain an exception for direct parties to a communication, plaintiffs across the country have begun filing similar lawsuits against companies whose websites use this type of tracking software. As businesses examine the privacy landscape in 2023, it is important to recognize and monitor this novel legal theory.

What is Session Replay Code?

At the center of this recent privacy trend is a software commonly known as “session replay.” From a high level, session replay is a type of technology that allows companies to track every action that a user undertakes on a website or mobile application. More importantly, though, what sets session replay code apart in the internet marketing space is its ability to recreate a user’s path through the website. As its name suggests, session reply code creates for businesses a visual record of any activity by a user, including their clicks, mouse movements, scrolls, and time spent on the website or application. While session replay does not literally record user’s screen, it reconstructs every user move in a visual manner that many companies find useful for internet marketing and user behavior research.

3rd Circuit Decision Leads to Flood of Wiretapping Lawsuits

One of the early lawsuits related to session replay code is entitled Popa v. Harriet Carter Gifts & Navistone, Inc., No. 2:19-cv-00450 (W.D. Pa.). In this case, the plaintiff alleged that, while she shopped for pet stairs on Harriet Carter Gifts’ website, the company’s marketing agency Navistone secretly “intercepted” her online activity without her consent. The lawsuit, filed on behalf of all Pennsylvania residents who used Harriet Carter’s website and had their data intercepted by Navistone, alleged violations of Pennsylvania’s WESCA (as well as a common law cause of action for invasion of privacy that was later dismissed).

The Pennsylvania District Court initially granted the defendants’ motion for summary judgment, holding the defendants not liable under WESCA because the plaintiff and defendants were direct parties to the communications, and thus could not have “intercepted” the communication. On appeal, a Third Circuit panel reversed that decision, reasoning that WESCA contains no exception from liability for direct parties.

In its motion for summary judgment, the defendants relied on two cases where Pennsylvania courts held that law enforcement officers did not “intercept” communications because they were direct recipients of the communications at issue. According to the Third Circuit, however, these decisions lost their precedential value in 2012 when the Pennsylvania legislature amended WESCA to clarify that the “direct recipient” exception only applies to law enforcement officers with prior approval from a supervisor. The defendants also sought summary judgment on two separate grounds–on jurisdictional grounds because Navistone did not intercept the data in Pennsylvania (but outside of the state), and on the basis that plaintiff consented to any interception by accepting the website’s privacy policy–but the Third Circuit found these issues more appropriate for the District Court on remand.

After the Third Circuit’s decision in Popa, a flood of wiretapping class actions were filed in Pennsylvania. Moreover, because the Third Circuit opted not to opine on the jurisdictional component of Popa, these subsequent complaints have also alleged wiretapping violations against businesses throughout the country (i.e., against businesses in every state).

This decision also fueled the expansion of wiretapping lawsuits under similar state and federal statutes that have spread to numerous states across the country. Plaintiffs also have raised these claims under broader state tort laws and statutes, including the California Invasion of Privacy Act, which allows consumers to recover damages of up to $5,000 per violation.

Implications for Businesses

Session replay lawsuits are flooding courts across the country, and these claims are evolving. Despite the marketing and customer research benefits associated with session replay, businesses using this software should keep a close eye on the privacy space as this trend continues to develop. Businesses everywhere also should pay close attention to their user tracking methods utilized on websites and mobile applications as well as their policies and procedures for consent.

For more information about these wiretapping lawsuits and how this recent privacy trend may affect your business, contact the authors Danielle Kays and James Nasiri, your Seyfarth attorney, or Seyfarth’s Workplace Privacy & Biometrics Practice Group.

george-prentzas-SRFG7iwktDk-unsplash

Despite its enactment in 2008, the Illinois Biometric Information Privacy Act’s (BIPA) legal standards were largely undeveloped until its emergence to the main stage circa 2017. But with the decisions in Rosenbach v. Six Flags in 2019 (standing) and McDonald v. Symphony in 2022 (workers’ compensation), and the recent $228 million jury verdict against BNSF Railway in the first-ever BIPA trial, we continue to see the BIPA landscape take shape. With more than 250 lawsuits filed in 2022 alone, BIPA litigation shows no signs of slowing down. As we look forward to another busy year of BIPA litigation in 2023, attorneys on both sides of the ‘v.’ eagerly await two critical decisions from the Illinois Supreme Court that could significantly impact pending and future litigation.

Statute of Limitations – decision to be issued on February 2, 2023

Tims v. Black Horse Carriers, Inc. (No. 127801) seeks to resolve the longstanding debate about the appropriate statute of limitations for BIPA actions. Because the law is silent on the issue, the defense bar (including in Tims) argues that the one-year limitations period for privacy actions outlined in 735 ILCS 5/13-201 should apply. On the other hand, plaintiffs argue (like in Tims) that the five-year “catch-all” limitations period contained in 735 ILCS 5/13-205 is more appropriate for actions under BIPA. However, in 2021, the Illinois Appellate Court complicated matters when it decided that the one-year and five-year limitations periods applied to different sections of the Act. See, generally, 2021 IL App (1st) 200563. Specifically, the Appellate Court held that the one-year period under § 201 applies to Section 15(c) and 15(d) BIPA claims because those sections involve the “publication” of biometric data, which is a term explicitly used in § 201. Conversely, since the Appellate Court found that Sections 15(a), (b), and (e) of the BIPA do not involve the publication of an individual’s biometric data, it applied the five-year limitations period from § 205 to those sections.

Given the split among limitations and claims by the Appellate Court, a reversal by the Illinois Supreme Court on any claim could be significant for both plaintiffs and defendants. For example, suppose the Supreme Court decides that a blanketed one-year limitation applies to BIPA claims. In that case, it could significantly reduce the class size of current class actions and certainly result in some time-barred lawsuits. However, the opposite would hold if the Supreme Court decides that a blanketed five-year limitation applies. Indeed, hundreds of BIPA lawsuits have been stayed for more than a year as this issue gets resolved, many with a pending motion to dismiss, raising the statute of limitations issue. Tims was argued before the court in September 2022, and today, the Illinois Supreme Court announced that a decision will come down on February 2, 2023.

Claim Accrual

Cothron v. White Castle (No. 128004) will determine whether claims asserted under 15(b) and 15(d) of BIPA accrue only once upon the initial collection or disclosure of biometric information, or each time a private entity collects or discloses biometric information. While currently before the Illinois Supreme Court, the case is pending in the U.S. District Court for the Northern District of Illinois. Following the district court’s rejection of White Castle’s “one time only” accrual theory at summary judgment, the court found the question close enough to warrant an interlocutory appeal under 28 U.S.C. § 1292(b). During the appeal, the plaintiff asked the Seventh Circuit to certify the question to the Illinois Supreme Court. See 20 F.4th 1156, 1159 (7th Cir. 2021). The Seventh Circuit obliged and directed the Illinois Supreme Court to answer the following question: “Do Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” Id. at 1167.

Oral argument before the Illinois Supreme Court in Cothron occurred in May 2022. White Castle argued that a first-scan theory is appropriate because that is when the privacy right is first invaded, and the loss of control occurs. White Castle also stressed that the issue of damages is necessarily intertwined with the issue of accrual and encouraged the court to weigh the consequences of holding that accrual occurs at each collection. Citing proximity to the issue before the court, White Castle suggested that the damages component be analyzed because the only safeguard against future plaintiffs seeking damages on a “per-scan” model are Due Process concerns and the possibility that lower courts may not find such significant awards appropriate. While conceding that Due Process concerns would likely safeguard against a per-scan damages model, the plaintiff argued that White Castle’s view would obviate the need for defendants to course correct and would avoid consequences for existing issues.

Resolution of the claim accrual issue is crucial for BIPA litigation. If the court decides that a claim accrues upon each scan without addressing the damages component, penalties for even the smallest of companies could be astronomical with only a Due Process argument to rely upon. Indeed, if the court does not address the damages component of accrual at this juncture, it will likely result in another round of stays until the issue is decided on a later appeal. A decision on this matter is expected in the first quarter of 2023.

For up to date information on these cases, the Seyfarth Shaw Commercial Consumer Class Action Defense practice group will provide detailed summaries of the decisions as they are released by the Illinois Supreme Court.

Compliance Recommendations

Despite these BIPA issues still up in the air, there are a few basic practices that can already be followed to avoid, or mitigate exposure under the statute:

  1. Maintain a public privacy policy;
  2. Permanently destroy biometric information in a timely manner;
  3. Provide pre-collection notice;
  4. Obtain pre-collection consent;
  5. Maintain security measures to safeguard biometric information;
  6. Strictly prohibit sales and any other form of profiting from biometric information, including for any vendors; and
  7. Obtain vendor compliance with BIPA.

Seyfarth Shaw LLP is an Amlaw 100 firm with a nationally recognized class action defense practice group. For information regarding Seyfarth’s Commercial Consumer Class Action Defense practice group, contact the National Chair, Kristine Argentine, at kargentine@seyfarth.com. Seyfarth is also a leader in BIPA class action litigation and routinely counsels clients on compliance and defense strategies to mitigate exposure from the statute. For more information regarding BIPA compliance or litigation, contact Paul Yovanic, at pyovanic@seyfarth.com.

2023 Commercial Litigation Outlook RPT M4

Seyfarth’s Commercial Litigation practice group is pleased to provide the third annual installment the Commercial Litigation Outlook, where our nationally-recognized team provides insights about litigation issues and trends to expect in 2023.

The continuing global tumult and increasing chances for a recession will weigh heavily on the litigation outlook for 2023. We expect an uneven year where some litigation booms, some busts. As was true last year, the trick to navigating the upcoming challenges will require clients and their counsel to be adaptive, creative, and proactive.

Trends covered in this edition include: Antitrust, Bankruptcy, Consumer Class Actions, Consumer Financial Services Litigation, eDiscovery & Innovation, ESG, Franchise & Distribution, Health Care Litigation, Insurance, International Dispute Resolution, Privacy, Real Estate Litigation, Securities Litigation, Trade Secrets, Computer Fraud & Non-Competes and the Trial Outlook.

Click here to download the 2023 Commercial Litigation Outlook.

73313

Over the term of this Administration, the DOJ and FTC have taken aggressive and novel antitrust positions as it relates to the labor market, launching broad investigations and criminal and civil prosecutions against companies and their employees for alleged labor market allocations, misuse of non-compete and non-solicitation provisions, and wage fixing. The State Attorney General Antitrust Divisions have followed suit investigating and pursuing these claims at the state level. As so often happens, these government investigations and public inquiries then serve as the basis for expansive class actions.

On Episode 33 of Seyfarth’s Health Care Beat Podcast, host Chris DeMeo is joined by Kristine Argentine, partner in Seyfarth’s Chicago office and chair of the firm’s Commercial Consumer Class Action Defense group. Their discussion focusses on a string of recent cases involving the pursuit of employers across the health care industry (and others) for labor-related antitrust violations. Kristine also provides insight on how businesses can protect their investments in personnel, while successfully mitigating the threat of criminal prosecution.

Click here to listen to the podcast.

enrique-alarcon-s8bX9IgG9rA-unsplash

Over the past year, a barrage of class action lawsuits asserting violations of the Video Privacy Protection Act (“VPPA”)—a vintage Reagan-era federal consumer privacy law—has shed light on potential liability facing companies that embed video content onto company websites and simultaneously collect and share consumer viewing data in the course of marketing analytics.

The VPPA is, until recently, a rarely invoked federal statute that was enacted to protect the privacy of information about people’s video tape rentals after the press leaked a list of a Supreme Court nominee’s movie watching habits in 1987. However, the VPPA is now providing the foundation for a new class of consumer privacy lawsuits based upon the way companies may be tracking and sharing data collected when consumers view video content posted on company websites, apps, and/or shared via email marketing.

A. What is the VPPA?

The VPPA prohibits a person or business that rents, sells, or delivers prerecorded “video cassette tapes or similar audio visual materials” from “knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider. . . .,” absent informed, written consent as defined by the VPPA. 18 U.S.C. § 2710(a)-(b). Under the Act, “personally identifiable information” or “PII” is “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3).

If liability is found, the VPPA allows consumers to seek the trifecta of remedies—(1) statutory damages in the amount $2,500 per violation, (2) punitive damages, and (3) recovery of attorneys’ fees. 18 U.S.C. § 2710(c).

B. VPPA Claims in 2023

A slew of nationwide lawsuits are asserting violations of the VPPA. These lawsuits have nothing to do with video rental stores, instead alleging that businesses are illegally sharing consumers’ viewing history and PII with Facebook and other social media companies through a tracking pixel placed on company websites that can collect, among other things, a consumer’s navigation to a page containing an embedded video or audio visual file.

These universally utilized “tracking pixels” are pieces of code for Google Analytics and/or Meta Platforms Inc. that are incorporated into a company website that collect information about how users interact with the site, such as whether users initiate purchases, what content users view, and other details, and then shares information about the individual including the title and URL of the video.

C. Current Litigation

It has been reported that over 70 lawsuits asserting claims under the VPPA have been filed in the past year, and due to the willingness of some courts to entertain these claims at least past a motion to dismiss stage, it is very likely that more lawsuits will continue to be filed.

Companies faced with VPPA claims have argued that the information collected by the tracking pixels does not rise to the level of PII. There is a split of authority dictating what qualifies as PII. For example, the United States District Court for the District of Massachusetts in the First Circuit has adopted a broad approach, holding that the transmission of viewing records along with GPS coordinates and a device’s unique identification number constituted PII despite requiring additional information in order to link the plaintiff to their video history. In contrast, other courts including the United States District Court for the Southern District of New York in the Second Circuit have adopted a narrower view, requiring that for information to qualify as PII the disclosure itself, without any additional information, must identify a particular person.

Other arguments advanced in motions to dismiss VPPA claims include the following:

  1. The plaintiff is not a consumer under the VPPA. The VPPA defines “consumer” to mean any renter, purchaser, or subscriber of goods or services from a video tape service provider;
  2. The plaintiff cannot show that defendant is a “video tape service provider” under the VPPA;
  3. The plaintiff failed to plausibly allege that the defendant “disclosed” personally identifiable information because it is the consumer’s web browser, as opposed to the company website, that transmits the purportedly identifying consumer data;
  4. The plaintiff failed to plausibly allege that the defendant “knowingly” disclosed PII since the defendants have no access to or knowledge of the existence of the cookie on the web browser that may transmit the additional information; and
  5. The VPPA is unconstitutional because it restricts commercial speech in violation of the First Amendment.

Faced with these arguments, at least three courts—the United States District Court for the Districts of Massachusetts, Southern District of New York, and Northern District of Georgia— have denied motions to dismiss, finding that the plaintiffs plausibly asserted a claim under the VPPA, and allowing the VPPA claim to proceed to discovery.

Some defendants, however, have found success. As noted above, the Southern District of New York takes a narrow view on what qualifies as PII, and as a result dismissed a VPPA claim on the basis that the plaintiff failed to plausibly allege that the information the defendant company disclosed to third parties was PII. Federal district courts for Rhode Island and the Northern District of California have also dismissed VPPA claims where the viewed content at issue was live-streamed content, as opposed to prerecorded, on the basis that this fell outside the definition of “video tape service provider” in § 2710(a)(4).

The orders issued from these cases thus far demonstrate that there is no imminent consensus among federal courts. Until there is a clear consensus among federal courts on the viability of VPPA claims, we can expect to see a continued stream of VPPA litigation.

The slew of lawsuits alleging VPPA claims seek to impose enormous liability on what has become routine and universal data analytics. As a result, companies that utilize video content in brand marketing and advertising analytics could potentially be opening themselves up to a new class of consumer privacy litigation seeking $2,500 in statutory fees per violation, as well as potential punitive damages and attorneys’ fees.

ennio-dybeli-KDdNjUQwzSw-unsplash

Time of the event:
3:00 p.m. to 3:30 p.m. Eastern
2:00 p.m. to 2:30 p.m. Central
1:00 p.m. to 1:30 p.m. Mountain
12:00 p.m. to 12:30 p.m. Pacific

About the Program

On Tuesday, February 7th, Seyfarth attorneys Ada Dolph and Danielle Kays will present a webinar entitled The Here and Now of BIPA: Updates and Developments in Biometric Privacy.

As we move into 2023, Biometric Information Privacy remains a constantly evolving field, with states enacting new statutes, technology evolving, plaintiffs raising new theories, and cases being filed daily. Keeping up with biometric laws can be a daunting task for these reasons. Join our experts as we take a look at some of the recent developments in this ever-changing area of law, and break down how companies can adapt.

Topics include:

  • Questions that have finally been answered, and which areas remain unresolved
  • How to remain in compliance and avoid violations
  • What’s next for information privacy and protection

To register, click here.

If you have any questions, please contact Kate Stacey at kstacey@seyfarth.com and reference this event.

This webinar is accredited for CLE in CA, IL, NJ, and NY. Credit will be applied for as requested for TX, GA, WA, NC and VA. The following jurisdictions may accept reciprocal credit with these accredited states, and individuals can use the certificate they receive to gain CLE credit therein: AZ, CT, NH. The following jurisdictions do not require CLE, but attendees will receive general certificates of attendance: DC, MA, MD, MI, SD. For all other jurisdictions, a general certificate of attendance and the necessary materials will be issued that can be used in other jurisdictions for self-application. Please note that attendance must be submitted within 10 business days of the program taking place. If you have questions about jurisdictions, please email CLE@seyfarth.com. CLE credit for this recording expires on February 6, 2024.

Following its recent “initiative” and request for information to reduce “exploitative junk fees,” the Consumer Financial Protection Bureau (“CFPB”) has on June 29, 2022 released an advisory opinion. The opinion concludes that “pay-to-pay fees,” which the debt collection industry refers to as “convenience fees” violate the Fair Debt Collection Practices Act (“FDCPA”) “unless the fee amount is in the consumer’s contract or affirmatively permitted by law.”

Section 808(1) of the FDCPA, 15 U.S.C. § 1692f(1), states: “A debt collector may not use unfair or unconscionable means to collect or attempt to collect any debt. Without limiting the general application of the foregoing, the following conduct is a violation of this section: (1) The collection of any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law.” Despite acknowledging that some courts have ruled otherwise, the advisory opinion concludes that “[t]he collection of any fee is prohibited unless the fee amount is in the consumer’s contract or affirmatively permitted by law.” CFPB Press release; see advisory opinion at 5. The opinion also construes the term “permitted by law” narrowly so that “[w]here no law expressly authorizes a fee, it is not ‘permitted by law,’ even if no law expressly prohibits it.” Id. “The CFPB therefore interprets FDCPA section 808(1) to prohibit a debt collector from collecting any amount unless such amount either is expressly authorized by the agreement creating the debt (and is not prohibited by law) or is expressly permitted by law. That is, the CFPB interprets FDCPA section 808(1) to permit collection of an amount only if: (1) the agreement creating the debt expressly permits the charge and some law does not prohibit it; or (2) some law expressly permits the charge, even if the agreement creating the debt is silent.” Advisory opinion at 6. The opinion also clarifies that “[d]ebt collectors violate the FDCPA when using payment processors who charge unauthorized fees at a minimum if the debt collector receives a kickback from the payment processor.” CFPB Press release.

The CFPB’s jurisdiction and advisory opinion is limited to construing federal law, in this instance the FDCPA, which governs consumer debt collection by (mostly) third-party debt collectors. But it’s advisory opinion has state law implications as well. The Pennsylvania state law version of the FDCPA, for example, not only declares that “[i]t shall constitute an unfair or deceptive collection act or practice under this act if a debt collector violates any of the provisions of the [FDCPA],” it further prohibits first-party creditors from “us[ing] unconscionable means to collect or attempt to collect any debt” by “collect[ing] … any amount, including any interest, fee, charge or expense incidental to the principal obligation, unless such amount is expressly authorized by the agreement creating the debt or permitted by law.” PA ST § 2270.4(a) & (b)(6)(i). The Rhode Island version also prohibits “[a] debt collector,” defined to (mostly) include third-party collectors, from “[c]ollecting any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law[.]” RI ST § 19-14.9-8(a). Collectors of consumer debt should check the laws of their applicable jurisdictions.

On June 15, 2022, in Viking River Cruises v. Moriana, the United States Supreme Court ruled that individual claims under the California Private Attorneys General Act (“PAGA”) can be compelled to arbitration under the Federal Arbitration Act, partially preempting the California Supreme Court’s longstanding and contrary Iskanian decision.

To read the full Legal Update, click here.