Jenner & Block

Consumer Law Round-Up

April 7, 2021 Supreme Court Answers the Call: Clarifies Meaning of “Automatic Telephone Dialing System” under the TCPA


By: Madeleine V. Findley and Emma J. O’Connor

Mobile in carOn April 1, 2021, the Supreme Court of the United States unanimously reversed the Ninth Circuit Court of Appeals decision[1] in Facebook Inc. v. Duguid et al., No. 19-511, and held that in order for a device to be an “automatic telephone dialing system” (ATDS), a key term in the Telephone Consumer Protection Act of 1991 (TCPA), 47 U.S.C. § 227, it must have the capacity to use a random or sequential number generator to either store or produce phone numbers to be called.[2] This decision represents a significant victory for entities defending against TCPA claims.

The TCPA prohibits making calls or sending text messages to mobile telephones using an ATDS (often simply referred to as an “autodialer”) without the prior express consent of the recipient. What precisely that means has become a heated dispute in TCPA litigation because using an ATDS to place a call is an essential component of many TCPA claims. The statute defines an ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called using a random or sequential number generator; and (B) to dial such numbers.”[3] Lower courts had split on the provision’s meaning. The Third, Seventh, and Eleventh Circuits interpreted the provision narrowly, holding that an ATDS must have the capacity to generate random or sequential phone numbers, not merely to store and dial the numbers automatically.[4] The Second, Sixth, and Ninth Circuits had taken a broad approach, holding that an ATDS need only have the capacity to store numbers to be called and to dial those numbers automatically.[5]

The Supreme Court Duguid answered the question of whether a device constitutes an ATDS if it can “store” and dial telephone numbers, even if it does not “us[e] a random or sequential number generator.”[6] It took the narrow view.

The Duguid plaintiff claimed Facebook, Inc. (Facebook) violated TCPA when it allegedly sent him text messages to alert him to login activity on a Facebook account linked to his telephone number,[7] even though he never created that account (or any account on Facebook) and had not provided his phone number to Facebook.[8] The text messages at issue were sent to the plaintiff using Facebook’s login notification system, which automatically sends users text notifications when someone attempts to log in to the user’s account from an unknown device or browser, but which does not use a random or sequential number generator.[9]

In Duguid, the parties’ respective positions hinged on the syntax of the statutory definition of an ATDS. Facebook argued that to constitute an ATDS, the equipment must use a random or sequential number generator, because the clause “using a random or sequential number generator” modifies both verbs, “store” and “produce.”[10] The plaintiff, however, argued that a number generator was not required for a device to be an ATDS, because “using a … number generator” applies only to “produce,” and therefore the statute prohibits the use of equipment with the capacity “to store … numbers to be called” and to dial them.[11]

The Court sided with Facebook, reasoning that “[u]nder conventional rules of grammar, ‘[w]hen there is a straightforward, parallel construction that involves all nouns or verbs in a series,’ a modifier at the end of the list ‘normally applies to the entire series.’”[12] The Court also concluded that the statutory context confirmed this reading, because the plaintiff’s proposed interpretation “would capture virtually all modern cell phones,” which can store and dial numbers.[13] Therefore, in the Court’s view, the more expansive reading would mean that “ordinary cell phone owners” could face TCPA liability “in the course of commonplace usage, such as speed dialing or sending automated text message responses.”[14]

Justice Sotomayor, joined by seven justices, wrote the Court’s opinion. Justice Samuel Alito concurred in the judgment, but wrote separately to opine on the limitations of the Court’s “heavy reliance” on the “series-qualifier canon,” noting that interpretive canons “are not ‘rules’ of interpretation in any strict sense but presumptions about what an intelligently produced text conveys.”[15]

The Supreme Court’s decision will likely have a profound impact on TCPA litigation, as the use of an ATDS is a necessary element of many TCPA claims. But the decision is unlikely to “unleash” a “torrent of robocalls,” as Duguid had argued, because the TCPA’s other restrictions still stand, such as prohibiting artificial or prerecorded voice calls to residential and wireless numbers.[16]

And backlash to the decision was swift. In an April 1 joint statement, Senator Edward J. Markey (D-Mass.) and Representative Anna G. Eshoo (CA-18) criticized Duguid as “toss[ing] aside” an “essential consumer protection,” and described it as “disastrous for everyone who has a mobile phone in the United States.”[17] Further, the legislators—who had led 19 members of Congress in submitting an amicus brief supporting the Ninth Circuit’s broader reading of ATDS—stated that “

y narrowing the scope of the TCPA, the Court is allowing companies the ability to assault the public with a non-stop wave of unwanted calls and texts, around the clock.”[18]

Senator Markey and Representative Eshoo declared an intent to introduce legislation to “fix the Court’s error” and amend the TCPA.

The Court’s ruling provides welcome clarity and uniformity on a contested issue. It notably also eliminates the need for the FCC to provide an interpretation of ATDS, as the 2018 remand of ACA Int’l v. FCC[19] otherwise would have required. But it does not eliminate TCPA risks for callers. Companies must still be prudent about which technologies they use to contact consumers. Companies should also ensure they still comply with the other requirements of the TCPA, such as the ban on placing pre-recorded telemarketing calls to residential telephone numbers without the prior express written consent of the recipient or placing calls to numbers on the Do Not Call registry; and should still maintain proper records to demonstrate that they only market to consumers who have provided consent. Additionally, businesses should train employees on TCPA compliance, and must ensure that all of their third-party vendors comply with the TCPA, including by not using a proscribed ATDS to contact customers. Because Duguid applies only to the TCPA, companies must also confirm that they comply with other state and federal robocall laws.


[1] Duguid v. Facebook, Inc., 926 F.3d 1146 (9th Cir. 2019), cert. granted in part, 141 S. Ct. 193 (2020), and rev'd and remanded, No. 19-511, 2021 WL 1215717 (U.S. Apr. 1, 2021).

[2] Facebook, Inc. v. Duguid, No. 19-511, 2021 WL 1215717, at *2 (U.S. Apr. 1, 2021). 

[3] 47 U.S.C. § 227(a)(1). The TCPA is a strict liability statute that provides a private right of action for individuals to sue for and obtain $500 for each violation of the act, trebled to $1,500 for a willful violation. Id. at § 227(b)(3).

[4] Gadelhak v. AT&T Servs., Inc., 950 F.3d 458, 468 (7th Cir. 2020) (Barrett, J., for the court); Glasser v. Hilton Grand Vacations Co., 948 F.3d 1301, 1306–07 (11th Cir. 2020); Dominguez v. Yahoo, Inc., 894 F.3d 116, 119 (3d Cir. 2018).

[5] Duguid, 926 F.3d at 1151–52; Duran v. La Boom Disco, Inc., 955 F.3d 279, 290 (2d Cir. 2020); Allan v. Pennsylvania Higher Educ. Assistance Agency, 968 F. 3d 567, 579–80 (6th Cir. 2020).

[6] Facebook, Inc., 2021 WL 1215717, at *2.

[7] First Am. Compl. ¶¶ 21-37, Duguid v. Facebook, Inc., No. 3:15-cv-00985, 2016 WL 10518965 (N.D. Cal. Apr. 22, 2016).

[8] Facebook, Inc., 2021 WL 1215717, at *3.

[9] Id. at *3, *5.

[10] Id. at *4.

[11] Id.

[12] Id.

[13]  Id. at *6.

[14] Id.

[15] Id. at *8 (Alito, J., concurring). 

[16] Id. at *7.

[17] Senator Markey and Rep. Eshoo Blast Supreme Court Decision on Robocalls as “Disastrous,” SENATOR EDWARD MARKEY OF MASSACHUSETTS (Apr. 1, 2021),

[18] Id.

[19] ACA Int’l v. Fed. Commc’ns Comm’n, 885 F.3d 687 (D.C. Cir. 2018).

April 6, 2021 Does Novel “Greenwashing” Enforcement Action Portend a New Trend?

By: Todd C. Toral and PJ M. Novack

GreenLawsuits over alleged misleading environmental marketing claims, or “greenwashing,” are nothing new. It has been nearly 30 years since the Federal Trade Commission (FTC) released its first version of the “Green Guides,” which are intended to help marketers avoid the practice. Since then, there have been many greenwashing actions before the FTC. More broadly, the FTC has pursued a number of suits in federal court, such as false advertising claims over the terms “clean diesel” and “100% organic.” But last month, in a first, several environmental groups petitioned the FTC to use its Green Guides offensively against a fossil fuel company for “misleading consumers on the climate and environmental impact of its operations.”

On March 16, 2021, Earthworks, Global Witness, and Greenpeace USA filed a complaint against Chevron for misleading consumers through advertisements that exaggerate the company’s investment in renewable energy and its commitment to reducing fossil fuel pollution. The action comes on the heels of Chevron’s new “Climate Change Resilience” report, where Chevron outlined its contributions against climate change. The environmental groups argue that Chevron misrepresents its image to appear climate-friendly and racial-justice oriented, while actually doing more harm than good. In support of their claims, the environmental groups point out that Chevron is the second most polluting company in the world and had spent only 0.2% of its capital expenditures on low-carbon energy sources between 2010-2018.

Considering the recent change in administrations, this action may represent a new trend where consumer and environmental groups are willing to take on major oil companies by petitioning a potentially more consumer-friendly FTC. President Biden currently has an opportunity to fill the vacant FTC seat and tip the balance of power toward Democrats. Moreover, President Biden has signaled his personal support for environmental causes by halting oil and gas sales and canceling the Keystone XL crude pipeline. Given the shifting sands, companies should be prepared for new and perhaps more creative enforcement actions.


PEOPLE: Todd C. Toral, Pj M. Novack

February 11, 2021 Kang v. PF Chang’s, Inc.: Reasonable Consumer Deception, or Just a “Crabby” Plaintiff?

By: Alexander M. Smith

SushiOn February 9, 2021, the Ninth Circuit—in a split decision with a spirited dissent—reversed the dismissal of a consumer class action challenging P.F. Chang’s’s use of the phrase “krab mix” to describe sushi rolls that contain no real crab. Although Kang is an unpublished case and breaks little new legal ground, the two opinions offer a useful glimpse into how both defendants and plaintiffs frame their positions in false advertising lawsuits, and they highlight how easily judges can come to radically different conclusions in consumer class actions, even when faced with the same facts and law.

In Kang, the plaintiff alleged that P.F. Chang’s’s sushi rolls were deceptively labeled because they purported to contain “krab mix,” but did not include any crab at all. Judge Anderson of the Central District of California dismissed the plaintiff’s lawsuit, holding that no reasonable consumer would be deceived into believing that “krab mix” contained crab. The Ninth Circuit reversed. Judge Friedland and Judge Watford—writing for the panel majority—emphasized that “determining whether reasonable consumers are likely to be deceived will usually be a question of fact not appropriate on a motion to dismiss.” Applying this standard, the panel majority concluded that the plaintiff had plausibly alleged that the “inclusion of the term ‘krab mix’ in the ingredient list for certain of its sushi rolls is likely to deceive reasonable consumers into thinking that the sushi rolls contain at least some real crab meat when in fact they contain none.” Although P.F. Chang’s offered several reasons that this interpretation was implausible, the panel majority rejected them all:

  • The panel majority rejected P.F. Chang’s’s argument that the “fanciful” term “krab mix” suggested the absence of real crab. Although the panel majority agreed that “reasonable consumers confronted with the fanciful spelling of ‘krab’ on the menu would not assume they were purchasing a sushi roll with 100% real crab meat,” it nonetheless concluded that the plaintiff had plausibly alleged that the term “krab mix” suggests that the product contains “a mixture of imitation and real crab.” In contrast to cases where the challenged term has a specific, widely-understood meaning (such as “diet” soft drinks), the panel majority held that “there is no prevailing understanding that listing ‘krab mix’ as an ingredient in a sushi roll signifies that the item contains no real crab meat.” And in contrast to a case where the “fanciful” term appears in the name of the product (such as “Froot Loops”), the panel majority concluded that the term was at least plausibly misleading because it appeared in the ingredient list.
  • The panel majority rejected P.F. Chang’s’s argument that the relatively low price of the sushi rolls suggested that they contained no real crab, and it found that this issue was not susceptible to resolution on a motion to dismiss.
  • The panel majority rejected P.F. Chang’s’s argument that a reasonable consumer would not be misled by the use of the term “krab mix” because other menu items included “crab” in the ingredients list. Much as a reasonable consumer should not be expected to look at the ingredient list on the packaging of a food to correct a misrepresentation elsewhere on the packaging, the panel majority concluded that “we cannot assume that reasonable consumers would necessarily look past the term ‘krab mix’ in the item they were ordering to notice that ‘crab’ appeared as an ingredient in other items on the same menu.” For similar reasons, the panel majority rejected P.F. Chang’s’s argument that the use of the term “crab” elsewhere on the menu served as “qualifying language” that corrected the alleged misimpression arising from the term “krab mix”—particularly since “that language does not appear immediately next to the representation that it purportedly qualifies.”

Judge Bennett vigorously dissented. The first paragraph of his opinion struck a dramatically different tone than the panel majority:

Class representative Chansue Kang bought sushi rolls on April 12, 2019, according to his opening brief. His complaint contends he bought the appetizer because he read and relied on the “false and misleading” menu description “krab mix.” Kang claims that he believed he was getting crab. He further claims that he wouldn’t have bought the “krab” had he known “krab” wasn’t crab. Thus, he tells us he was “deceived.” His complaint states that on April 29, 2019, he gave pre-suit notice by certified mail. So, in a seventeen-day period: (1) Plaintiff was unfairly bamboozled by P.F. Chang’s into thinking “krab” was crab; (2) Plaintiff discovered the horrible truth that “krab” wasn’t crab; (3) Plaintiff found a crusading attorney; (4) that attorney somehow confirmed the horrible truth; and (5) that attorney drafted and mailed a pre-suit letter. Remarkable diligence!

After setting this stage, Judge Bennett then noted that the standard for consumer deception “is not whether the ‘least sophisticated’ or ‘most gullible’ consumer would be misled by the term ‘krab mix,’ but whether a significant portion of ordinary consumers, acting reasonably, would think ‘krab mix’ contains real crab meat.” From his perspective, he noted, the panel majority “fails to give the ordinary California consumer enough (or any) credit.” For example, he noted that “‘Krab’ with a ‘k’ should be a dead giveaway,” as consumers “understand that fanciful spellings materially change the meaning of a word.” Much as a reasonable consumer would not conclude that Froot Loops contain real fruit, that “cavi-art” contains real caviar, or that “tofurky” contains real turkey, an “ordinary consumer” acting with “ordinary common sense” would not conclude that “krab mix” contained real crab meat. Moreover, because “krab” is indisputably different from “crab,” Judge Bennett reasoned, no reasonable consumer could conclude that “krab mix” contains real crab, as opposed to “a mixture of ‘krab’ and other ingredients.” While “[c]onsumers may be unsure about what exactly those ingredients are,” Judge Bennett explained, “that doesn’t make it reasonable to assume one of those ingredients will be crab.”

“Context matters too,” Judge Bennett then explained, “and it does not support the majority’s conclusion.” In contrast to the panel majority, which placed little stock on the fact that other products featured “crab” in the ingredients list, Judge Bennett found that this fact defeated the plaintiff’s theory of deception: “[W]hen confronted with both ‘krab mix’ and ‘crab’ on the same menu,” Judge Bennett noted, “such a consumer knows that one is not another.” Although Judge Bennett acknowledged that a manufacturer ordinarily cannot use an ingredients list on a box to correct an affirmative misrepresentation on the front of the package, he emphasized that “the ingredient list on product packaging . . . is nothing like a restaurant menu.” While the ingredient list “exists to satisfy regulatory requirements,” “is almost always tucked away on the back or side of the product label,” and “is usually expressed in very small print,” Judge Bennett explained, “[t]he same cannot be said for items or ingredients on a menu that are placed on equal footing with, and on the same page as, the alleged misrepresentation.” Even if a “hasty diner . . . might fixate on sushi rolls with ‘krab mix’ to the exclusion of all other items on the menu,” Judge Bennett concluded that this “approach to ordering food doesn’t bear any resemblance to the real dining experience of consumers.”

Ultimately, the panel majority and Judge Bennett came to diametrically opposed—and incompatible—conclusions. The panel majority, like many plaintiffs in false advertising class actions, focused on the purported difficulty of resolving factual questions about the deceptive effect of the labeling at the pleading stage, and it relied on many of the most common cases cited by plaintiffs in false advertising class actions. Judge Bennett, in turn, relied more on many of the common themes raised by defendants in these cases—including, most importantly, that “context matters” and that reasonable consumers must be expected to apply “common sense.” And while the panel majority did not frame its result in policy terms, Judge Bennett did not hesitate to point out that the decision did not help protect consumers; to the contrary, he explained, “[t]he real harm here comes from allowing such implausible claims as Plaintiffs’ to proceed, which will increase costs to all consumers.”

While Kang is hardly groundbreaking, it undoubtedly serves as a microcosm for the issues that recur at the pleading stage in virtually every food labeling case. And just as importantly, it underscores that the decision may depend as much on the judge’s orientation to consumer fraud cases as any other factor.

CATEGORIES: Class Action Trends

PEOPLE: Alexander M. Smith

February 1, 2021 What to Expect from Director Rohit Chopra’s CFPB

By: Kali Bracey and Erica S. Turret

New-Update-IconPresident Biden has nominated Federal Trade Commission (FTC) Commissioner Rohit Chopra to serve as Director of the Consumer Financial Protection Bureau (CFPB). Commissioner Chopra served as the agency’s Assistant Director and first Student Loan Ombudsman prior to his appointment to the FTC in 2018. The CFPB under his leadership will shift to the more aggressive posture of the Obama administration and return the agency to its consumer watchdog mission.[1] His vision is aligned with that of Senator Elizabeth Warren whom he helped to set up the agency after the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010.[2]

Because of the Supreme Court’s decision in Seila Law holding that the President has the power to fire the CFPB Director, the CFPB more closely carries out the current administration’s agenda than was intended in the Dodd-Frank Act which had sought to structure the bureau as an independent agency.[3] Thus, Commissioner Chopra, once in office, will be able to quickly chart the agency on a new, more muscular course.

Regulated entities can expect enforcement to ramp up as the agency reverses efforts by the Trump administration to reduce the agency’s impact. CFPB enforcement activity decreased by 54 percent under the leadership of Trump appointees.[4] Focus areas for a reinvigorated CFPB are likely to include:

  • Student Loans: Given his experience, a Director Chopra will make student debt a top priority with the goal of continuing the work he started as Ombudsman. The bureau will likely crack down on student loan servicers and lenders to ensure they follow the law and adequately serve student borrowers.[5] The CFPB will also likely resume Obama-era efforts to increase transparency in the student loan process and create additional resources for borrowers. In addition to increased enforcement actions, the CFPB will likely also create new regulations (including possible federal student-loan servicing guidelines) for the industry and step up its oversight and monitoring functions, closely collaborating with the Department of Education and state regulators. The CFPB is also likely to step up enforcement actions against for-profit colleges.[6]
  • COVID-19 Relief: The CFPB may take a more forceful approach in enforcing the consumer protection provisions of the CARES Act and other federal relief legislation, such as the requirement to offer borrowers extended periods of mortgage and student loan repayment forbearance.[7] A more active CFPB will aggressively pursue violations and go after allegedly unfair debt collection practices.[8] Commissioner Chopra has pointed to inequities in the distribution of relief funds, highlighting the underrepresentation of small businesses among recipients. [9] This suggests that he will prioritize the CFPB’s role in monitoring the implementation of federal stimulus legislation.
  • Fair Lending: Regulation and enforcement that prioritizes equity issues is likely. In addition to being a focus area for the Biden administration, Commissioner Chopra has advocated for the use of disparate impact analysis to detect and work to eliminate discriminatory lending practices.[10] The CFPB’s enforcement of the Equal Credit Opportunity Act to challenge discriminatory practices will likely increase.[11] Commissioner Chopra has highlighted the way in which mass data surveillance can be discriminatory and harm consumers, suggesting increased data collection efforts and agency action in this space.[12]
  • Credit Reporting and Data Protection: While at the FTC, Commissioner Chopra has discussed the importance of credit reporting protections and has emphasized the role of the CFPB in supervising credit bureaus.[13] He has focused on the technology industry and frequently discusses online predatory practices that harm consumers[14], suggesting that these will be likely areas of focus for him at the CFPB.
  • Payday Lending: The CFPB is likely to bring back former CFPB Director Richard Cordray’s Small Dollar Rule which would have required lenders to determine whether borrowers would be able to repay their loans prior to granting them. There is current litigation regarding the 2020 rescission of the Rule, which the new CFPB could rely on to reconsider the rescission. The bureau is sure to increase enforcement actions in this area as well, against allegedly predatory or unfair lending in violation of the Dodd-Frank Act.
  • Large Financial Institutions: A more muscular CFPB is more likely to bring actions against larger, more powerful institutions including the country’s largest banks and lenders.[15] The bureau will also pursue larger penalties for violations. At the FTC, Commissioner Chopra has consistently advocated for stronger enforcement actions against large companies. During his tenure, he has voted against several FTC settlements with companies that he views as insufficient and too lax (particularly no dollar settlements) and has advocated for larger penalties for repeat violators.[16] He emphasizes the dangers of monopolization and the power of large companies compared to small business and consumers.

Thus, regulated entities can expect increased activity from a CFPB led by Rohit Chopra. In addition to a return to the more aggressive enforcement posture of former Director Richard Cordray, who was appointed by President Obama, a Director Chopra will bring his own set of priorities to the bureau. The issue areas outlined here are likely to take center stage in this new era for the Consumer Financial Protection Bureau.


[1] Statement of Commissioner Rohit Chopra Regarding the 10th Anniversary of the Enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act, (July 21, 2010),

[2] Senator Elizabeth Warren, (Jan. 18, 2020),

[3] Seila Law LLC v. Consumer Fin. Prot. Bureau, 140 S. Ct. 2183, 207 L. Ed. 2d 494 (2020).

[4] Consumer Carnage: How Federal Enforcement of Consumer-Protection Laws Has Declined Under Trump, Public Citizen, (Mar. 13, 2019),

[5] Written Testimony before the Committee on Budget, (June 4, 2014),; Written Testimony of

FTC Commissioner Rohit Chopra Before the US House of Representatives Committee on Financial Services

“Examining Legislation to Protect Consumers and Small Business Owners from Abusive Debt Collection Practices,” (Sept. 26, 2019),

[6] Written Testimony of FTC Commissioner Rohit Chopra Before the US House of Representatives Committee on Financial Services “Examining Legislation to Protect Consumers and Small Business Owners from Abusive Debt Collection Practices,” (Sept. 26, 2019),

[7] Richard Cordray, White Paper: Immediate Actions for CFPB to Address Covid-19 Crisis, (Apr. 6, 2020),

[8] Senators Elizabeth Warren and Sherrod Brown, Congress Must Provide Immediate Relief for Consumers. Here’s How, (Apr. 21, 2020),

[9] Rohit Chopra, (Apr. 21, 2020),

[10] Comment Submitted by Rohit Chopra, Federal Trade Commission to the Department of Housing and Urban Development on the Disparate Impact Proposed Rulemaking, (posted on Oct. 17, 2019),; Statement of Commissioner Rohit Chopra

In the Matter of Liberty Chevrolet, Inc. d/b/a Bronx Honda Commission File No. 1623238, (May 27, 2020),

[11] Introductory Remarks of Commissioner Rohit Chopra, National Fair Housing Alliance 2020 National Conference, (Oct. 6, 2020),

[12] Rohit Chopra: Consumer Protection in an Age of Uncertainty Keynote Conversation (Day 2), (Mar. 22, 2019),

[13] Id.

[14] Written Testimony of FTC Commissioner Rohit Chopra before the US House of Representatives Committee on the Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law Hearing on Online Platforms and Market Power, Part 3: The Role of Data and Privacy in Competition, (Oct. 18, 2019),

[15] Statement of Commissioner Rohit Chopra Regarding the 10th Anniversary of the Enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act, (July 21, 2010),; Rohit Chopra, (Mar. 6, 2020),

[16] Rohit Chopra: Consumer Protection in an Age of Uncertainty Keynote Conversation (Day 2), (Mar. 22, 2019),; Rohit Chopra and Samuel A.A. Levine, The Case for Resurrecting the FTC’s Penalty Offense Authority,(Nov. 3, 2020),

January 15, 2021 Consumer Finance Observer – Winter 2021 Edition

CFO WinterJenner & Block has published its sixth issue of The Consumer Finance Observer or CFO, a newsletter providing analysis of key consumer finance issues and updates on important developments to watch. As thought leaders, our lawyers write about the consumer finance sector on topics ranging from biometric data, compliance, data security, FinTech, lending, and securities litigation.

In the Winter 2021 issue of the CFO, our consumer finance lawyers discuss: California's passing of Proposition 24; CCPA's Private Right of Action; California's new Consumer Financial Protection Law; betting on an athlete's biometric data; Colorado's right to enforce its consumer loan interest rates; LendIt 2020, the largest FinTech conference of the year; a recent enforcement action by the SEC and the CFTC in the FinTech space; and European Data Protection Board's guidance on personal data transfers following Schrems II. Contributors are Partners Kelly HagedornCharles D. RielyMichael W. RossDavid P. SaundersKate T. Spelman, and Wade A. Thomson; Special Counsel David W. Sussman; Associates Vivian L. BickfordEffiong K. DamphaMichael F. LindenE.K. McWilliamsMadeline Skitzki, and Matthew Worby; and Staff Attorney Alexander N. Ghantous.

To read the full newsletter, please click here

November 13, 2020 EDPB Provides Guidance on Personal Data Transfers Following Schrems II

By: Kelly HagedornDavid P. Saunders, and Matthew Worby

New-Development-IconEarlier this year, in Schrems II, the Court of Justice of the EU (CJEU) invalidated the EU-US Privacy Shield.[1] That judgment also cast doubt over the validity of standard contractual clauses (SCCs) as a means by which to transfer personal data outside of the EU, in particular to the United States. Unsurprisingly, this has caused concern within organisations who rely on such transfers as part of their business model.

Data protection requirements, imposed by the GDPR, travel with any personal data whenever it is transmitted outside of the EU. Problems arise when an organisation needs to transfer personal data to a jurisdiction where local laws might undermine these protections. Without some way to manage this potential conflict, it was unclear if organisations’ personal data transfers outside of the EU would be able to continue.

Unfortunately, the CJEU provided no practical guidance for organisations as to how to make international personal data transfers compliant with its ruling and did not provide any safe harbour period before its ruling took effect. In recent days, however, two key efforts have been made to assist organisations meet their post-Schrems II GDPR requirements:

  1. recommendations have been issued by the European Data Protection Board (EDPB);[2] and
  2. a revised set of SCCs has been published by the European Commission for consultation.

Recommendations Issued by the EDPB

The EDPB has published a practical roadmap for organisations seeking to transfer personal data internationally in a compliant manner in the wake of Schrems II. This roadmap sets out six recommended steps:

  1. Map all transfers of personal data

As a first step, organisations should identify and catalogue all of their international personal data transfers. The EDPB used this opportunity to remind organisations that remote access to personal data, or the cloud storage of personal data, may constitute transfers to be included in this exercise.

  1. Verify that this personal data is being transferred in a compliant manner

Once the data flows have been catalogued, the tool (for example, SCCs) that each transfer relies upon must be identified. 

An international transfer of personal data should not proceed without an appropriate transfer tool in place. The transfer tools available are (i) an adequacy decision in respect of the recipient country made under Article 45 of the GDPR, (ii) one of the mechanisms provided for under Article 46 of the GDPR, including SCCs and Binding Corporate Rules, or (iii) one of the derogations provided for in Article 49 of the GDPR (such as public interest).

  1. Assess if there is any law or practice in the receiving country that would limit the effectiveness of the safeguards created by the transfer mechanism in use

The third step requires organisations to assess each transfer tool, and identify – on a practical level – if each tool being relied upon protects personal data to the level required by the GDPR.[3]

Of principal concern, per the EDPB, is the existence of “anything in the law or practice of the [receiving country] that may impinge on the effectiveness of the appropriate safeguards” being relied upon. Schrems II highlighted the difficulties posed by the US’ mass surveillance programmes in this regard. If a transfer tool is unable to provide an adequate level of protection, despite otherwise being valid, it should not be used alone as a means of transferring personal data outside of the EU.

Where an assessment is required, the EDPB recommends that this should be based on an objective review of the receiving country’s legislation or, if this is not possible, “other relevant and objective factors”. This assessment should not take into account any subjective factors, such as the type of data being transferred. If the receiving country’s laws do not allow for personal data to be protected, then further action, as detailed in step 4 below, will be required.

It is possible that a country’s legislation empowers national security agencies to access personal data. If this is the case, the assessment should consider (i) the extent to which these powers are limited to what is necessary or proportionate in a democratic society, or (ii) if they breach EU standards.[4]

Any such assessment will be a complex undertaking. Helpfully, however, the EDPB does provide practical and positive recommendations in this regard. In particular, the EDPB notes that:

  1. it is possible to conclude following an assessment that any potential interference permitted by a country’s laws will be limited to a similar degree to that to level of potential interference allowed under the GDPR; and
  2. the existence of a comprehensive data protection law, or an independent data protection authority, can indicate that a country’s potential interference with personal data protections can be considered proportionate.

This is a pragmatic approach from the EDPB and seems to be designed to empower organisations to make positive decisions as to the ability to transfer personal data internationally, where appropriate.

In any event, the assessment should be clearly documented and undertaken carefully. The EDPB notes that organisations will be held accountable for the decisions made based on the assessment.

  1. Identify and adopt any additional measures as necessary to bring the level of protection for this data to the level required by the GDPR

It is possible that a company concludes that the transfer tool they intend to rely on, by itself, will not provide the required level of protection for personal data. This may be the case with transfers to the US in light of Schrems II. The EDPB has however provided companies with suggestions as to how supplementary measures can be used to continue data transfers even if the tool for transfer alone is insufficient.

These supplementary measures are categorised as being of a technical, contractual, or organisational nature. All three, when used in combination, are likely to be most effective in ensuring compliance with the GDPR.

The technical measures suggested by the EDPB include:

  • “State-of-the-art” encryption;
  • Pseudonymisation, where the personal data being transferred is altered such that an individual can no longer be identified without further information; and
  • Split processing, where the personal data is segmented and provided to separate parties, such that no one party can identify an individual from the data it receives.

The contractual measures listed by the EDPB include imposing obligations on recipients of the personal data to implement appropriate technical measures, or a requirement for relevant legislative developments within the recipient country to be brought to the attention of the data exporter by the recipient.

Organisational measures relate to internal policies or methods, intended to improve a company’s awareness of the risks present in transferring personal data outside of the EU.

It is important to note that these supplementary measures must be capable of ensuring, in conjunction with a transfer tool, that the level of data protection provided will meet the level required by the GDPR. If this is not the case then the transfer should not proceed.

  1. Take formal procedural steps if required

Where supplementary measures are identified and implemented, certain formalities may need to be completed. These should be completed prior to any international transfer of personal data.[5]

  1. Periodically re-evaluate the level of protection these transfers enjoy

Finally, once this process has been concluded, organisations should ensure that they monitor any developments in countries where personal data has been transferred. In the event there are any developments, these six steps should then be re-visited to ensure continued compliance with the GDPR.

Draft SCCs Published by the European Commission

Seemingly drafted with the EDPB guidance in mind, the European Commission has proposed a new set of SCCs. This document, currently published in draft form, is open for consultation until 10 December 2020. It is currently unclear when the final version of the revised SCCs will be published.

Importantly, and not entirely in response to Schrems II or the EDPB guidance, these draft SCCs represent a clear attempt by the European Commission to provide as practical a set of SCCs as possible. For example, the draft SCCs:

  1. Cater for international data transfers from a data processor to another data processor, a long overdue development;
  2. Set out a new modular approach, allowing for parties to use one single template document to govern transfers from (i) controller-to-controller, (ii) controller-to-processor, (iii) processor-to-processor and (iv) processor-to-controller; and
  • Reference the need for parties, using whichever module, to assess what constitutes an “appropriate level of security” for a transfer, account for the risks involved in a transfer, and then undertake due consideration of the technical measures that would be appropriate to safeguard a transfer.

In perhaps one of the more significant concessions to businesses put into some difficulty by Schrems II, the European Commission’s draft measures currently provide for a year’s grace period to implement these new clauses. This would give organisations time to transition from the previous form of SCCs (subject to implementing any required supplementary measures in the meantime) to the new version, whenever these are finalised.


In the face of the uncertainty that Schrems II created, it is to be welcomed that the EDPB and European Commission have sought to provide practical guidance to organisations. This uncertainty has been compounded by the impending end of the Brexit transition period on 31 December 2020, following which personal data transfers from the EU to the UK will need to rely on an effective and reliable transfer tool. The finalisation of the new SCCs will allow for greater stability in that regard. It is a fact that many businesses rely on international personal data transfers for various reasons, and a recognition that these should be facilitated as far as possible is a positive step.

Organisations now face the task on implementing the EDPB’s recommendations, which is where their utility and practicality will really be tested.


[1] Case C-311/18, available here.

[2] The EDPB is the body within the EU tasked with ensuring that data protection rules are applied consistently within the bloc.

[3] It should be noted that, where the transfer of personal data relies on an adequacy decision, no further steps need to be taken in this regard, apart from ensuring on a periodic basis that this decision is still in force. This is because, unlike other transfer mechanisms, an EU adequacy decision in effect states that there are no laws or practices that would undermine data protection rights in that jurisdiction.

[4] Greater guidance is available from the EDPB, available here. Broadly, EU standards are as follows:

  • Processing should be based on clear, precise and accessible rules.
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
  • An independent oversight mechanism should exist.
  • Effective remedies need to be available to the individual.

[5] Such formalities include, for example, where parties seek to deviate from the SCCs, or the technical measures that are required in some way contradict the SCCs. In such an instance prior approval from the appropriate Data Protection Authority would be required before any international transfer of personal data occurs.

November 4, 2020 California Passes Proposition 24: California Privacy Rights Act to Become Law

By: David P. Saunders, Kate T. Spelman, and Effiong K. Dampha

New-Update-IconPrivacy was on the ballot this November, at least in California. And it appears that enough people voted in favor of Proposition 24, the California Privacy Rights Act (CPRA), for it to become law. Although the CPRA technically becomes effective five days after the California Secretary of State certifies the voting results, the bulk of the law – which is an overhaul of the California Consumer Privacy Act (CCPA) – will not come into force until January 1, 2023. Businesses have some time to prepare for the most significant changes, which we have written about previously. Those changes include handling a new category of “sensitive personal information,” the expansion of the existing CCPA private right of action, and mandatory changes to company privacy policies. So what happens to the CCPA, and what do businesses have to prepare for? The answer is not much in the short term.

Until the CPRA becomes fully effective in 2023, the CCPA remains in full effect. That means businesses should keep up with their CCPA compliance, including being attentive to new California Attorney General regulations. The following CPRA provisions – which largely do not impact businesses directly – will become effective once the California Secretary of State certifies the voting results:

  • An extension of the carve out for business contact and employee personal information that is collected by businesses covered by the CCPA. In the existing CCPA, these carve outs were set to expire on January 1, 2021. The carve outs will now be extended to January 1, 2023.
  • A Consumer Privacy Fund will be created – with appropriations to be made by the legislature – with the purpose of “offsetting the costs” of state courts and the California Attorney General enforcing the CCPA (and later the CPRA). The fund will also be used “to promote and protect consumer privacy, educate children in the area of online privacy, and fund cooperative programs with international law enforcement organizations” in connection with addressing consumer data breaches.
  • The California Attorney General will be charged with developing a laundry list of new regulations, which will put meat on the bones of many of the new CPRA rules.
  • A new state agency, the California Privacy Protection Agency, will be created, funded, and begin operations.

Because of the phased effective dates for CPRA’s provisions, businesses have time to revise their policies and prepare for the full weight of the CPRA. Of course, that does not account for whatever CPRA regulations the California Attorney General publishes, which we expect to be previewed perhaps as early as late 2021.

Jenner & Block has developed a checklist for clients to compare their existing CCPA privacy notices against the new requirements of the CPRA. If you need assistance preparing for the CPRA, please contact the authors.

October 28, 2020 Authors Explore Cases that Test Limits of the California Consumer Privacy Act

CaliforniaIn a recent article published by The Recorder, Jenner & Block Partner Kate T. Spelman and Associates Vivian L. Bickford and Effiong G. Dampha examine class action cases that test the limits of the California Consumer Privacy Act, which took effect January 1. “These suits shed light on the various ways plaintiffs are testing the boundaries of the CCPA and its private right of action,” the authors observe. They then highlight several categories of these boundary-testing lawsuits.

To read the full article, titled "Class Actions Seek to Test the Limits of the CCPA's Private Right of Action," please click here

October 21, 2020 Three Takeaways from Lendit 2020

By: Michael W. Ross 

FintechI recently attended LendIt’s 2020 conference, the largest Fintech conference of the year.  Kudos to everyone at LendIt for successfully transitioning the conference to a remote platform – it was a great few days of speakers and topics including really slick tools for engagement and networking. In this post, I’m sharing rough notes on my top three takeaways from the sessions I attended. This is by no means a comprehensive recap, and, if you attended, I’d love to hear from you about what you thought.

Artificial Intelligence. First, artificial intelligence and machine learning are on everyone’s mind these days. From regulators to service providers to financial institutions, speakers honed in on the use of AI for everything from underwriting, to risk analysis, to loan servicing, to many other things. Everyone is talking about the risks and rewards of using these new tools, including how to hone their models and how much to involve a human touch. As I listened, the relevance of our prior writing and talks on the potential for enforcement activity in the area of AI was top of mind – it has stayed quite relevant.  Check it out!

Serving the Underserved.  Relatedly, almost everyone seems to be talking about how technology is helping improve access to credit and banking services to those previously cut out – not only the use of AI, but also the overall digitization of banking, payments, and credit. Thought leaders are focused on looking beyond the ordinary credit file; on the use of mobile services to reach new consumers; and on the growth of non-traditional payment platforms. Stay tuned for developments in this area, including the broadening of the “payments” world to include non-financial institutions.

Partnerships.  Last, partnerships are all the rage. Financial institutions are buying startups, in addition to investing in technology themselves; smaller banks, community banks, and others are partnering to keep up with the latest tech trends; and regulators are focused on the third-party risk issues that partnerships raise, and also on allowing third parties to keep smaller banks competitive through partnerships. This area is not limited to true lender issues – especially keep an eye on the FDIC’s recent request for information on standard-setting for third-party service providers.

Again, these are just some blog thoughts from one attendee – please get in touch with your reactions and thoughts!

PEOPLE: Michael W. Ross

October 6, 2020 Colorado Consumers Receive Additional Protections after Attorney General Settles Lawsuits

By: Alexander N. Ghantous


In August of 2020, the Colorado Attorney General’s Office settled two lawsuits concerning Colorado’s right to enforce its consumer loan interest rate limits.[1] The lawsuits involved Avant of Colorado, LLC (“Avant”) and Marlette Funding, LLC (“Marlette”), both of which are not banks.[2] However, partnerships with banks located outside of Colorado were established by the companies: Avant with WebBank, and Marlette with Cross River Bank.[3]

According to the Colorado Attorney General’s website, federal law permits “certain out-of-state banks” to offer loans at higher interest rates in Colorado than what is generally permitted in the state.[4] The Colorado Attorney General alleged that the partnerships in these matters were established to illegally offer loans at higher interest rates than what was allowed in Colorado.[5] While the lawsuits did result in a settlement, there was no admission of fault, liability, or wrongdoing.[6]  

The settlement provides Colorado consumers with an extra layer of protection against predatory lending practices.[7] It ensures that “true bank loans” are being made by Cross River Bank, WebBank, and their non-bank company partners that include, but are not limited to, Marlette and Avant.[8] Included in those protections is a “Safe Harbor” provision, which was implemented to ensure compliance with the Colorado Uniform Consumer Credit Code.[9] The following criteria must be met to comply with the settlement’s “Safe Harbor” provision:

  • Oversight Criteria: To satisfy the “Safe Harbor” provision’s “Oversight Criteria,” 14 terms must be met.[10] For example, the first term mandates that any loan that is “offered and originated” online by either WebBank or Cross River Bank in conjunction with Avant, Marlette, or any other Fintech company partner is “subject to oversight by the respective [b]ank’s prudential regulators, including the FDIC and the [b]ank’s state banking regulators.”[11]
  • Disclosure and Funding Criteria: Three terms must be met to satisfy the “Safe Harbor” provision’s “Disclosure and Funding Criteria.”[12] For example, the first term requires that WebBank or Cross River Bank be identified as the lender on loan agreements.[13]
  • Licensing Criteria: Five terms must be met to satisfy the “Safe Harbor” provision’s “Licensing Criteria,” including, but not limited to, licensing requirements when “supervised loans” are offered.[14]
  • Consumer Terms Criteria: Two terms must be met to satisfy the “Safe Harbor” provision’s “Consumer Terms Criteria.”[15] For example, loans cannot have an interest rate that is higher than 36 percent.[16]
  • Structural Criteria: To satisfy the “Safe Harbor” provision’s “Structural Criteria,” there must be compliance with a minimum of one of the options that follow: “the Uncommitted Forward Flow Option, the Maximum Committed Forward Flow Option, the Maximum Overall Transfer Option, or an Alternative Structure Option,” all of which are described within the settlement.[17]

Under the settlement agreement, Web Bank, Cross River Bank, Avant, and Marlette are also joint and severally liable for: (1) a payment of $1,050,000 to the State of Colorado; and (2) a $500,000 contribution to the Colorado MoneyWi$er program.[18]  

The final, executed version of the settlement agreement is located here


[1] Colorado Attorney General’s Office, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020),; Assurance of Discontinuance,

[2] Colorado Attorney General’s Office, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020),; Assurance of Discontinuance, pg. 1,

[3] Colorado Attorney General’s Office, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020),

[4] Id

[5] Id

[6] Assurance of Discontinuance, pg. 6,

[7] Colorado Attorney General’s Office, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020),

[8] Id. 

[9] Assurance of Discontinuance, pgs. 6-14,

[10] Id. at 6-8

[11] Id at 6, 2-3

[12] Id. at 8

[13] Id. at 8, 2-3

[14] Id. at 8-9

[15] Id. at 9

[16] Colorado Attorney General’s Office, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020),; Assurance of Discontinuance, pg. 9,

[17] Assurance of Discontinuance, pgs. 9-14,

[18] Colorado Attorney General’s Office, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020),; Assurance of Discontinuance, pgs. 14-15, 2,

PEOPLE: Alexander N. Ghantous

September 14, 2020 California Legislature Passes New Consumer Financial Protection Law

By: Madeline Skitzki

New-Update-IconOn August 31, 2020, the California Legislature passed Assembly Bill 1864. In general, this bill (1) renamed the Department of Business Oversight as the Department of Financial Protection and Innovation and renamed the commissioner of the Department as the Commissioner of Financial Protection and Innovation, and (2) enacted the California Consumer Financial Protection Law (CCFPL) to, among other purposes, strengthen consumer protections by expanding the ability of the Department of Financial Protection and Innovation to improve accountability and transparency in the California financial system and promote nondiscriminatory access to responsible, affordable credit.

Under the bill, the Department of Financial Protection and Innovation is required to regulate the provision of various consumer financial products and services and exercise nonexclusive oversight and enforcement authority under California and federal (to the extent permissible) consumer financial laws. The Department is granted the power to bring administrative and civil actions, issue subpoenas, promulgate regulations, hold hearings, issue publications, conduct investigations, and implement outreach and education programs, and is required to promulgate certain rules and regulations regarding registration requirements. The bill also makes it unlawful for covered persons or service providers to engage in unlawful, unfair, deceptive, or abusive acts or practices with respect to consumer financial products or services or to provide consumers financial products or services that are not in conformity with any consumer financial law.  It further requires covered persons and service providers to file certain documents under oath and imposes specific civil and monetary penalties, as well as injunctive relief, for violations of the CCFPL.  With respect to funding, the bill requires the Commissioner to deposit all money collected or received under the CCFPL with the State Treasurer for the Financial Protection Fund, which is created under the bill for the administration of the CCFPL.

PEOPLE: Madeline Skitzki

September 3, 2020 Consumer Finance Observer – Summer 2020 Edition

Summer 2020Jenner & Block has published its fifth issue of Consumer Finance Observer or CFO, a newsletter providing analysis of key consumer finance issues and updates on important developments to watch. As thought leaders, our lawyers write about the consumer finance sector on topics ranging from artificial intelligence, compliance, data security, FinTech, lending, and securities litigation.

In the Summer 2020 issue of the CFO, our consumer finance lawyers discuss: litigation and enforcement consideration for FinTech PPP Lenders; an update on New York State’s Department of Financial Services; the US Supreme Court’s decision in Selia Law LLC v. CFPB; Office of the Comptroller of the Currency's adoption of the rule in Madden v. Midland Funding; COVID-19's disparate impact; and proposed amendments to California's Proposition 65. Contributors are Partners Kali N. BraceyJeremy M. CreelanMichael W. Ross, and Kate T. Spelman; Associates Jacob D. Alderdice and Julian J. Ginos.

To read the full newsletter, please click here

July 31, 2020 RIP “White” Chocolate Litigation (2012-2020)

By: Alexander M. Smith 

White chocolateWhile some varieties of food labeling lawsuits (such as lawsuits challenging the labeling of “natural” products) show no sign of dying off, other trends in food labeling litigation have come and gone. Last year, for example, appeared to mark the end of lawsuits challenging the labeling of zero-calorie beverages as “diet” sodas. And this year may witness the end — or, at least, the beginning of the end — of lawsuits challenging the labeling of “white” candy that is not technically “white chocolate,” at least as the FDA defines that term.

Although it is difficult to pinpoint the beginning of “white” chocolate litigation, the leading case for many years was Miller v. Ghirardelli Chocolate Co., 912 F. Supp. 2d 861, 864 (N.D. Cal. 2012). There, the court declined to dismiss a lawsuit challenging the labeling of Ghirardelli’s “Classic White” baking chips. The court concluded that the plaintiff had plausibly alleged that a variety of statements on the packaging — including “Classic White,” “Premium,” “Luxuriously Smooth and Creamy,” “Melt-in-Your-Mouth-Bliss,” and “Finest Grind for Smoothest Texture and Easiest Melting” — collectively misled the plaintiff into believing that the product was made with “real” white chocolate, even though it was not. Id. at 873-74. Emboldened by this decision, plaintiffs in California, New York, and elsewhere began filing a wave of similar class actions challenging the labeling of “white” chocolate, baking chips, and other candy. Since the beginning of this year, however, courts have begun dismissing “white” chocolate lawsuits with increasing frequency.

In Cheslow v. Ghirardelli Chocolate Co., for example, the plaintiffs — like the plaintiffs in Miller — challenged the labeling of Ghirardelli Classic White Premium Baking Chips as misleading. --- F. Supp. 3d ---, 19-7467, 2020 WL 1701840, at *1 (N.D. Cal. Apr. 8, 2020). Although the plaintiffs alleged that the product’s labeling misled them into believing that the product contained white chocolate, the court found this theory of deception implausible and dismissed the complaint. In reaching that conclusion, the court noted that the labeling did not include the terms “chocolate” or “cocoa” and that the term “white” referred to the color of the chips, rather than the presence of white chocolate or the quality of the chips. Id. at *4-5. Much as the term “white wine . . . does not inform the consumer whether the wine is a zinfandel or gewürztraminer,” the court reasoned that the adjective “white” was not probative of whether the chips contained white chocolate. Id. at *5. Likewise, even if some consumers might misunderstand the term “white” to refer to white chocolate, the court concluded that this would not salvage the plaintiffs’ claims; according to the court, the fact that “some consumers unreasonably assumed that ‘white’ in the term ‘white chips’ meant white chocolate chips does not make it so.”  The court also rejected the plaintiffs’ remaining theories of deception: it concluded that the term “premium” was non-actionable puffery (id. at *5-6); it held that the image of white chocolate chip macadamia cookies on the package did not “convey a specific message about the quality of those chips” (id. at *7); and it held that consumers could not ignore the ingredients list, which made clear that the product did not include white chocolate and resolved any ambiguity about its ingredients (id. at *7-8). And while the plaintiffs attempted to amend their complaint to bolster their theory of deception, the court concluded that their new allegations — including a summary of a survey regarding consumer perceptions of the labeling — did not render their theory any more plausible and dismissed their lawsuit with prejudice. See Cheslow v. Ghirardelli Chocolate Co., --- F. Supp. 3d ----, 2020 WL 4039365, at *5-7 (N.D. Cal. July 17, 2020).

Likewise, in Prescott v. Nestle USA, Inc., the court concluded that the labeling of Nestle Toll House Premier White Morsels would not “deceive a reasonable consumer into believing that the Product contains white chocolate,” particularly given that “the Product’s label does not state that it contains white chocolate or even use the word ‘chocolate.’” No. 19-7471, 2020 WL 3035798, at *3 (N.D. Cal. June 4, 2020). As in Cheslow, the court concluded that “[n]o reasonable consumer could believe that a package of baking chips contains white chocolate simply because the product includes the word ‘white’ in its name or label,” and it held that some “consumers’ subjective opinions that Nestle’s labeling is misleading” did not render their allegations plausible. Id. at *4.  And the court likewise concluded that “Nestle’s use of the word ‘premier’ on the label of its ‘Toll House Premier White Morsels’ is mere puffery that cannot form the basis of a claim under the reasonable consumer standard . . . .” Id.

And most recently, in Rivas v. Hershey Co., the court concluded that the plaintiff could not plausibly allege that the labeling of “Kit Kat White” candy bars misled consumers into believing that they contained white chocolate. No. 19-3379, 2020 WL 4287272, at *4-6 (E.D.N.Y. July 27, 2020). Although the court dismissed the lawsuit on jurisdictional grounds, it reached the merits of the plaintiff’s claims in determining that amendment would be futile because the phrase “Kit Kat White” was not even conceivably misleading. In so holding, the Court emphasized that, “[c]rucially, there is no statement anywhere on Kit Kat White’s packaging . . . that describes the product as containing white chocolate.” Id. at *5. Instead, the court reasoned, the term “white” was simply a “modifying adjective” that described the bars as “white in color.” Id. And even if Kit Kat White bars are displayed next to Kit Kat bars that contain real chocolate, the court concluded that a reasonable consumer would not therefore conclude that they also contained white chocolate—particularly given that the labeling describes the product as “crisp wafers in crème.” Id.

It is possible, of course, that the Second or Ninth Circuits may weigh in and conclude — like the court in Miller — that the labeling of these “white” candy products plausibly suggests that they contain white chocolate. But the recent flurry of opinions dismissing these lawsuits may nonetheless suggest that the trend of “white chocolate” litigation is coming to an end.

PEOPLE: Alexander M. Smith

July 24, 2020 SEC and CFTC Actions Against Cryptocurrency App Developer for Unregistered Security-Based Swaps Highlight Risks for Fintech Companies

By: Charles D. Riely and Michael F. Linden

FintechA recent enforcement action by the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) in the Fintech space serves as a cautionary tale for innovators who fail to heed traditional regulations. On July 13, 2020, the SEC and CFTC each filed settled enforcement actions against California-based cryptocurrency app developer Abra and its related company, Plutus Technologies Philippines Corporation. Abra’s bold idea was to provide its global users with a way to invest in blue-chip American securities, all funded via Bitcoin. In executing this idea, Abra took pains to focus its products outside of the United States and hoped to avoid the ambit of US securities laws. As further detailed below, however, the SEC and CFTC both found that Abra’s new product violated US laws. This post details Abra’s product, why the regulators came to the view that the new idea ran afoul of long-established provisions under federal securities and commodities laws, and the key takeaways from the regulators’ actions.

  1. Abra’s Product

In 2018, Abra began offering users synthetic exposure, via Bitcoin, to dozens of different fiat currencies and a variety of digital currencies, like Ethereum and Litecoin. Users could fund their accounts with a credit card or bank account, and Abra would convert those funds into Bitcoin. When a user wanted exposure to a new currency, the user would choose the amount of Bitcoin he or she wanted to invest, Abra would create a “smart contract” on the blockchain memorializing the terms of the contract, and the value of the contract would move up or down in direct relation to the price of the reference currency.

In February 2019, Abra announced that it planned to expand its business to provide synthetic exposure to US stocks and ETF shares, rather than just currencies. Abra advertised that users could enter into smart contracts to invest in their chosen stocks and ETFs. For example, Abra said in a blog post that:

[I]f you want to invest $1,000 in Apple shares you will place $1,000 worth of bitcoin into a contract. As the price of Apple goes up or down versus the dollar, bitcoin will be added to or subtracted from your contract. When you settle the contract – or sell the Apple investment – the value of the Apple shares will be reflected in bitcoin in your wallet which can easily be converted back to dollars, or any other asset for that matter.

Abra said it planned to hedge the smart contracts by purchasing—in the US securities markets—the actual securities referenced in a given contract.

  1. The Securities and Commodities Law Violations

The SEC’s cease-and-desist order found that the contracts Abra offered were swaps because they tracked the value of the underlying securities without also conveying any ownership in those securities. Abra did not set any asset requirements to enter into these swaps, nor did it make any effort to confirm the identity or financial resources of its customers, including whether those customers were “eligible contract participants,” as defined by the securities laws. More than 20,000 people joined the waitlist to buy swaps from Abra. After being contacted by the SEC and CFTC in February 2019, Abra shut down the swaps project before it went live and removed mention of it from its website.

In May 2019, however, Abra rebooted the project, this time limiting offers to non-U.S. persons and making Plutus, Abra’s related Filipino company, the counterparty to the swaps, apparently under the belief that doing so would avoid exposure to U.S. securities laws. While the app was run via Asian servers and Abra’s website was coded to show the swap opportunity only to users outside the United States, California continued to be Abra’s brain center. Employees in California designed the details of the contracts—including prices—sought out investors, marketed the swaps, and hedged the contracts by actually purchasing the underlying securities. Though Plutus was the legal party to the swaps, Abra lent it the hedging money.

Abra and Plutus ultimately sold more than 10,000 swaps, including a small number to customers in the United States, despite efforts to avoid doing so. The SEC’s order found that Abra and Plutus violated Section 5(e) of the Securities Act of 1933 —which prohibits offers to sell security-based swaps to any person who is not an eligible contract participant without an effective registration statement—when they marketed and sold swaps to thousands of unidentified customers without a registration statement in place. For similar reasons, the order found that Abra and Plutus also violated Section 6(1) of the Securities Exchange Act of 1934, which prohibits effecting security-based swaps with a person who is not an eligible contract participant, unless the transaction is effected on a national securities exchange.

The CFTC order similarly found that from December 2017 to October 2019, Abra entered into thousands of digital-asset and foreign currency-based smart contracts via its app. Those contracts, according to the CFTC, constituted swaps under the Commodity Exchange Act (CEA). Because Abra offered these swaps to persons who were not eligible contract participants, and did so outside of a board-of-trade-designated contract market, the swaps violated Section 2(e) of the CEA. Further, in soliciting and processing the swaps, Abra violated Section 4(d)(a)(1) of the CEA by operating as a futures commission merchant without registering with the CFTC.

Key Takeaways

In bringing the action, the SEC and CFTC also emphasized the messages they hoped the filing of the action would send: namely that it was important that Fintechs comply with the relevant laws as they seek to bring innovative products to the market. In filing the action, the SEC emphasized that parties could not avoid the reach of the securities laws easily when key parts of their operations occurred in the US. In the press release announcing the action, Dan Michael, the head of the Complex Financial Instrument, said, “businesses that structure and effect security-based swaps may not evade the federal securities laws merely by transacting primarily with non-U.S. retail investors and setting up a foreign entity to act as a counterparty, while conducting crucial parts of their business in the United States.” For its part, in its press release, the CFTC emphasized that it would continue to focus on ensuring responsible development of digital products. As stated by the CFTC’s Enforcement Director, “Rooting out misconduct is essential to furthering the responsible development of these innovative financial products.”


PEOPLE: Charles D. Riely, Michael F. Linden

July 13, 2020 OCC Adopts Final Rule Rejecting Madden

By: Michael W. Ross, Williams S.C. Goldstein, Amy Egerton-Wiley and Maria E. LaBella

LoanLast month, the Office of the Comptroller of the Currency’s (OCC) adopted a final rule clarifying that the terms of a national bank’s loans remain valid even after such loans are sold or transferred.  The rule was intended to reject the Second Circuit’s decision in Madden v. Midland Funding 786 F.3d 246 (2015).  The Federal Deposit Insurance Corporation (“FDIC”) followed suit later in the month, adopting a rule to clarify that interest rates on state bank-originated loans are not affected when the bank assigns the loan to a nonbank.  These steps do not resolve all of the uncertainty surrounding the decision, as discussed further below.

  1. The Madden v. Midland Funding

In Madden v. Midland Funding, Saliha Madden, a New York resident, contracted with Bank of America for a credit card with a 27% interest rate.  That rate exceeded the 25% usury cap under New York law.  But, as a national bank, Bank of America believed that it was entitled to “export” the interest rate of Delaware, its place of incorporation, under the National Bank Act and attendant principles of federal preemption.  By the time Madden defaulted, the balance had been acquired by Midland Funding, a debt collector headquartered in California.  When Midland Funding tried to collect the debt at the 27% interest rate, Madden sued under New York usury laws.  She argued that Midland could not take advantage of Bank of America’s interest-rate exportation.

The Second Circuit ruled in favor of Madden, holding that the National Bank Act’s preemption of state usury law did not apply to Midland because it is not a national bank.  The decision generated considerable uncertainty in the lending market, which had operated under the assumption that the applicability of the National Bank Act’s preemption of state usury law turned on the identity of the loan originator.  This assumption was rooted in the century-old common law doctrine that a loan which is “valid when made” cannot become usurious by virtue of a subsequent transaction.

  1. The OCC Rule Rejecting Madden.

On June 2, the OCC adopted a final rule rejecting the Madden decision.  See Permissible Interest on Loans That Are Sold, Assigned, or Otherwise Transferred, 85 Fed. Reg. 33,530 (June 2, 2020) (to be codified at 12 C.F.R. pts. 7 & 160).  The rule, which fully adopted the OCC’s November 2019 proposed rule, states that interest rates on a loan issued by a national bank are not affected when the bank assigns the loan to a third party.  In its analysis, the OCC cites “valid when made” principles but notes that it does not do so “as independent authority for this rulemaking but rather as tenets of common law that inform its reasonable interpretation of section 85 [of the National Bank Act.]”  

The OCC rule unmistakably rejects Madden’s holding that a bank’s transfer of a loan can affect the validity of the loan’s interest rate, and reaffirms the “valid when made” doctrine that the Madden court failed to address.

  1. Opposition to the OCC’s Rule.

Commentators raised three main objections to the OCC’s rule.  First, some commentators questioned the OCC’s authority to issue the rule.  The OCC took the position that the Chevron doctrine allows it to interpret the National Bank Act’s silence on the effect of a national bank assigning loans to a third party.  Second, others argued that the rule could promote predatory lending. The OCC rejected this argument as well, affirming its “strong” opposition to predatory lending practices, and pointing to earlier OCC guidance on managing third-party relationships. Third, some argued that the rulemaking did not comply with Administrative Procedure Act requirements.  The OCC disagreed.

Notable among the rule’s opponents were 22 State Attorneys General, who lamented that the rule would “expand the availability of exploitative loans that trap borrowers in a never-ending cycle of debt.” Others voiced support for the rule, applauding the certainty it provides for banks and other loan market participants.

  1. Ambiguities Moving Forward.

The rule does not resolve all of the confusion surrounding Madden. Most notably, it expressly does not address the separate issue of how to determine when a bank is the “true lender” of a loan.  Specifically, in determining whether state usury or consumer protection laws apply to lending decisions involving nonbank entities, some courts have asked whether a bank or a nonbank lender has the “predominant economic interest” in a loan.  If the nonbank has the predominant economic interest in the loan, courts applying this doctrine will treat the nonbank as the “true lender,” even if the loan technically originated on the bank’s balance sheet.  In its notice of proposed rulemaking back in November 2019, the OCC noted simply that “[t]he true lender issue . . . is outside the scope of this rulemaking.”

Additionally, the scope and effect of the OCC’s rule remain uncertain.  As noted, some objectors stated that it did not comply with the Administrative Procedure Act, which could be the subject of future challenges.  And future litigation may be required to resolve the inconsistency between the rule and Madden.[1]  Specifically, courts may be asked to decide whether the OCC is entitled to deference in its interpretation of the National Bank Act, particularly given the Second Circuit’s Madden decision.

  1. An Analogous Move by the FDIC

On June 25, the FDIC took a similar step to clarify that interest rates on state bank-originated loans are not affected when the bank assigns the loan to a nonbank.  It finalized a rule identical to the OCC’s for loans originated and sold by state banks (rather than national ones).  As a result, the “valid when made” doctrine is now codified—at least as an administrative matter—for all state and federally chartered depository institutions.  Whether there will be challenges to these rules remains to be seen.


[1] A Colorado court, for example, recently discounted the OCC’s proposed rule, instead expressly adopting Madden’s analysis. See Fulford v. Marlette Funding, LLC, No. 2017-cv-0376 (Colo. Dist. Ct. June 9, 2020).  However, it is unclear whether the court realized the OCC rule had become final, as it wrote that “the rule proposals are not yet law and the Court is not obligated to follow those proposals.” Id.

PEOPLE: Michael W. Ross