New branch licensing requirements take effect in Maryland July 1, plus several more states enact data privacy laws, bringing the total to 10.
06/13/2023 11:45 A.M.
5 minute read
Legislative sessions have wrapped in most states and outside of main actions on credit repair, fees and wage garnishment tracked by ACA International, measures on data privacy and licensing also came across the finish line.
Let’s check in on the status of these new laws and state requirements.
Maryland Licensing Change
Effective July 1, 2023, Maryland will cease licensing branch locations as outlined in House Bill 686 approved by Gov. Wes Moore.
The bill eliminates requirements for collection agencies and certain non-depository financial institutions to maintain separate licenses for branch locations and authorizes them to conduct business at multiple licensed locations under a single license.
It also changes other requirements and provisions governing the licensing and regulation of collection agencies and certain non-depository financial institutions, including applications, assessments and bond requirements.
Branch locations that are properly disclosed to the Office of the Commissioner of Financial Regulation will be covered, along with the entity’s principal executive office, by a single license, known as the “company license” in the Nationwide Multistate Licensing System (NMLS).
Licenses for branch locations are still required until July 1, 2023.
Beginning July 1, licensees will be required to disclose branch locations by uploading to NMLS, in the “Additional Requirements” area, a list showing the address of each location and any trade name used at that location.
Licensees may also begin uploading their lists before July 1. A licensee must upload a revised list whenever a branch is opened, closed or moved, or a trade name is changed.
For more information on how the ACA licensing staff can assist with your licensing application completion needs, please contact us at [email protected] or call (952) 926-6547.
Texas Data Privacy
Texas Gov. Greg Abbott has signed a bill on data breach notifications and comprehensive privacy proposal approved by the state Senate, and the House awaits his signature.
The data breach bill amends the state’s statutes on notifications.
Under the amended law, a security breach must be disclosed to the attorney general “as soon as practicable and not later than the 30th day after the date on which the person determines that the breach occurred,” according to a summary from ACA member firm Troutman Pepper. The amendment reduces the disclosure period for data breach notifications from 60 to 30 days and requires electronic form notices.
It states, “A person who is required to disclose or provide notification of a breach of system security under this section shall notify the attorney general of that breach as soon as practicable and not later than the 30th day after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of this state.”
It will take effect on Sept. 1, 2023. Find more information on the law here.
On the health care front, Abbott signed a bill requiring hospitals and health care providers to send patients a written, itemized invoice before their account is placed with a debt collector. The invoice is required to include information such as a plain language description of each health care service provided to the patient and the amount the provider says is due for each service.
The law is also scheduled to take effect on Sept. 1. Learn more here.
According to a report from the International Association of Privacy Professionals, comprehensive data privacy legislation is pending Abbott’s approval, which would make Texas the 10th state to have a law in this area.
The Texas Data Privacy and Security Act follows the law passed in Virginia as a framework but carves out different coverage thresholds and contains mandates for “opt-in consent for sensitive data collection and use, opt-outs for targeted advertising and data sales, data protection assessments, language concerning ‘dark patterns,’ and a 30-day cure provision,” according to the IAPP.
If signed by the governor, the law would take effect earlier than other laws passed this year—July 1, 2024. Some components, such as universal opt-out mechanisms, wouldn’t take effect until January 2025, according to the IAPP.
Montana Data Privacy
On May 19, Montana Gov. Greg Gianforte signed the Consumer Data Privacy Act. Montana is the ninth state to pass a comprehensive consumer data privacy law, before Texas.
Montana’s law also follows Connecticut and Virginia’s framework, according to the National Law Review.
It “applies to persons that conduct business in Montana or that produce products or services that are targeted to Montana residents and (i) control or process personal data of at least 50,000 consumers; or (ii) control or process personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data,” according to the report.
With the state’s small population, the thresholds are lower than in other states.
The law will take effect Oct. 1, 2024. For more information, click here (PDF).
Tennessee Information Protection Act
And at number eight for the U.S., Tennessee Gov. Bill Lee signed the state’s data privacy law, which will take effect July 1, 2024, according to an article from ACA member firm Maurice Wutscher.
The law requires data processors to follow and comply with the National Institute of Standards and Technology (NIST) Privacy Framework and update the program as the framework changes.
According to the article, it applies to businesses that:
- “During a calendar year, control, or process personal information of at least 100,000 consumers; or
- Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.”
Learn more on the law here.
For more updates on state laws, a quarterly series from ACA, “State Specifics for Collectors,” will eliminate confusion and help trainers, compliance officers and collectors in the accounts receivable management industry gain a better understanding of the most important state “can and cannots” to remain compliant on every call, no matter the consumer location. Stefanie Jackman, partner at Troutman Pepper, Abigail Pressler, general counsel at NCB Management Services Inc., and Nicholas Prola, general counsel at Professional Finance Company Inc., lead this session.
The next webinar is from 2 to 3 p.m. CDT, Aug. 18. Visit the registration page here.
For more state updates, members are invited to register and join the weekly ACA Huddle at 11 a.m. CDT on Wednesdays.