Ad Law Access https://www.kelleydrye.com/viewpoints/blogs/ad-law-access Updates on advertising law and privacy law trends, issues, and developments Thu, 23 Jan 2025 02:56:31 -0500 60 hourly 1 States Place New Restrictions on Collection Efforts and Outbound Calls Amidst COVID-19 Pandemic https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/states-place-new-restrictions-on-collection-efforts-and-outbound-calls-amidst-covid-19-pandemic https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/states-place-new-restrictions-on-collection-efforts-and-outbound-calls-amidst-covid-19-pandemic Fri, 03 Apr 2020 14:43:46 -0400 The COVID-19 pandemic continues to have far-reaching effects on businesses and consumers everywhere. While many states are taking broadly consistent approaches on certain issues (e.g., price gouging, non-essential business closures), one area where we’ve seen significant divergence involves regulation of collection efforts – both by first party creditors and debt collectors. In an effort to protect consumers who may themselves be experiencing financial distress, some states have imposed new, stringent restrictions to prevent businesses from engaging in certain collection activities.

For example, Massachusetts issued an emergency regulation that prohibits creditors from making unsolicited debt collection telephone calls to Massachusetts consumers for the next 90 days, unless the state of emergency ends before that time. The regulation also prohibits collectors from

  • filing any new collection lawsuit;
  • garnishing wages, earnings, properties or funds;
  • repossessing vehicles;
  • applying for or serving a capias warrant;
  • visiting or threatening to visit the household of a debtor;
  • visiting or threatening to visit the place of employment of a debtor;
  • confronting or communicating in person with a debtor regarding the collection of a debt in any public place.
Nevada went a step further by requiring all collection efforts with Nevada consumers to cease until April 16, 2020, although its directive only applies to collection agencies holding a license or certificate and located out-of-state. Other states such as California, New York, and Illinois have expressly stated that collection agencies and debt buyers are non-essential businesses, but have not sought to impose additional restrictions on activities that can occur remotely consistent with other federal and state laws.

First-party collectors and debt collectors should consider the Massachusetts and Nevada initiatives before contacting consumers in those states, and continue to monitor whether other states follow suit with similar restrictions.

]]>
Massachusetts Imposes Additional Data Breach Notification Requirements https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/massachusetts-imposes-additional-data-breach-notification-requirements https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/massachusetts-imposes-additional-data-breach-notification-requirements Wed, 23 Jan 2019 20:54:47 -0500 On January 10, 2019, Massachusetts Governor Charlie Baker signed into law the Massachusetts’s Data Breach Notification Act, which amends Massachusetts data breach reporting laws. The new law, available here, amends the timing and content of individual and regulator data breach notifications, and provides for credit monitoring services when social security numbers may have been compromised.

Key updates to the state’s data breach notification laws include the following:

  • Free Credit Monitoring: Following breaches involving Social Security numbers, entities must “contract with a third party to provide” free credit monitoring services to impacted Massachusetts residents at no cost for at least 18 months (42 months, if the company is a consumer reporting agency), and provide consumers with instructions on how to access these services.
  • No Mandatory Arbitration Clauses: Companies are prohibited from asking individuals to waive their right to a private action as a condition for receiving credit monitoring services.
  • Additional Required Information for the Breach Notice: The required notice to consumers, the Massachusetts Attorney General, and the Office of Consumer Affairs and Business Regulation already provided for under current Massachusetts law must now also include additional information such as the name and address of the person that experienced the breach of security, the person responsible for the breach, if known, and the type of personal information compromised. Entities are also required to submit to regulators a sample of the notification letters that they send to consumers, which will be posted online.
  • Notice Timing: An entity may not delay notice to affected individuals on the grounds that it has not determined the total number of individuals affected. Rather, the entity must send out additional notices on a rolling basis, as necessary.
  • Disclosure of Parent/Affiliate Company: If the company experiencing a breach is owned by a separate entity, the individual notice letter must specify “the name of the parent or affiliated corporation.”
Under Massachusetts data security regulations (201 CMR § 17.03), any entity that owns or licenses personal information about a Massachusetts resident is currently obligated to develop, implement, and maintain a comprehensive written information security program that incorporates the prescriptive requirements contained in the regulation.

The Massachusetts’s Data Breach Notification Act will take effect on April 11, 2019. This is a good opportunity for businesses to update their data breach notification related policies and procedures to ensure that they are in compliance with all state requirements. We will continue to track any updates to state breach notification statutes and post on this blog.

]]>