California Legislative Update: New Consumer Finance Laws for 2020
California's 2019 legislative session ended on October 15th. On the last day before the signing deadline, California Governor Gavin Newsom announced that he had signed 870 bills into law. Several of these laws involve consumer financial services or residential real estate. This report summarizes the following new laws with potential application to consumer financial services providers:
- California Consumer Privacy Act
- Fair Access to Credit Act
- California Public Banking Act
- Enforcement of Money Judgments
- Keep Californians Housed Act
- The Tenant Protection Act of 2019
- Rosenthal Act Amendments
Note, this report does not intend to cover all the California laws to which a financial services provider doing business in California may be subject, such as employment and labor laws.
The California Consumer Privacy Act ("CCPA" or "Act") creates new consumer rights relating to the collection, use, access, and deletion of Personal Information collected by businesses from consumers in California. The bill was passed in 2018 and amended in October 2019, before going into effect on January 1, 2020. Although companies were required to comply with the law by January 1, 2020, the Office of the Attorney General ("OAG") may not enforce the CCPA until July 1, 2020, or six months after issuance of the final regulations, whichever comes first.
The OAG issued his Proposed Text of Regulations, along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons on October 10, 2019. Members of the public could submit comments to the proposed regulations before December 6, 2019. Leading up to that date, the OAG held seven public forums around the state and received hundreds of written comments. The public will have a second chance to comment after the OAG issues revised regulations. The OAG must issue final regulations and a final Statement of Reasons before July 1, 2020, the first day that the Attorney General can enforce the law.
On January 6, 2020, the Attorney General issued an Advisory that describes consumers' rights under the CCPA and the private right of action for data breaches.
Covered Entities and GLBA Carve-Out
The CCPA applies to for-profit businesses that do business in California (no matter where they may be located), collect California residents' Personal Information, and satisfy one or more of these criteria:
- have annual gross revenues above $25 million
- receive or disclose the Personal Information of 50,000 or more California residents, households, or devices annually; or
- derive 50 percent or more of their annual revenues from selling California residents' Personal Information
Not-for-profits, small companies, and companies that do not collect large amounts of Personal Information are not subject to the Act. Because the CCPA only covers California residents, businesses need not comply with the Act for those consumers for whom:
- any information collected occurred while they were outside California
- no part of any sale of the consumer's Personal Information occurred in California, and
- no personal data was collected while the consumer was in California is sold. Given how broadly the CCPA defines "doing business" in California, companies located outside California should not assume these exceptions cover them.
The CCPA exempts Personal Information collected, processed, sold, or disclosed under the federal Gramm-Leach-Bliley Act ("GLBA"), 15 U.S.C. 6801 et seq. and its implementing regulations. Because most commercial banks, savings banks, mortgage companies, loan servicers, data aggregators, and other financial institutions are subject to the GLBA, they qualify for this exemption. But the GLBA exemption merely carves out from the scope of the CCPA categories of Personal Information subject to the GLBA―it does not provide GLBA-covered entities with a wholesale exemption.
The CCPA covers a broader range of information than does the GLBA. The CCPA applies to "Personal Information," defined broadly to include all "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Cal. Civ. Code § 1798.140(o)(1). The GLBA applies to "personally identifiable information" that a financial institution collects for specific or reasons, such as:
- information generated from consumer accounts and transactions
- information collected by a financial services business and transferred to a second financial services business while providing joint financial products or services
- account website information, such as IP addresses and information collected through cookies as part of providing a financial product or service
Some information, likes names, Social Security numbers, and account information, is covered by both the GLBA and CCPA and thus exempt from the CCPA for entities subject to the GLBA. The CCPA also covers information unlikely to be covered by the GLBA, such as data concerning:
- general advertising and website marketing, including IP addresses, browsing history, and records of products reviewed on a website
- third-party advertising cookies
- commercial and business-purpose loans
Note that the GLBA does not apply to commercial and business-purpose loans, but the CCPA applies to Personal Information of California residents collected in both their individual and business capacities.
Consumer Rights Created
The CCPA gives consumers certain basic rights relating to their Personal Information, including:
- the right to be informed of the information a business collects from consumers, how the company uses the information, whether it is being sold or disclosed to a third party, and if so, to whom
- the right to request and receive (for free) specific information about the Personal Information a business has collected in an electronic format
- the right to "opt-out" of allowing a company to sell Personal Information to third parties (or, for consumers under 16 years old, the right to opt-out of having their Personal Information sold absent their consent
- the right to have their Personal Information deleted by a business, with some exceptions
- the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act
Under the Act, "Personal Information" is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household," including:
- personal identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers
- characteristics of protected classifications under California or federal law
- commercial information, including records of personal property; products or services bought, obtained, or considered; or other buying or consuming histories or tendencies
- biometric information
- internet or other electronic network activity information, such as browsing history, search history, and information on a consumer's interaction with an internet website, application, or advertisement
- geolocation data
- audio, electronic, visual, thermal, olfactory, or similar information
- professional or employment-related information
- educational history
"Personal Information" does not encompass "de-identified" or "aggregated information." "Deidentified information" is information that a company has protected from being linked to a consumer by taking certain enumerated safeguards. Information is not "de-identified" unless these safeguards exist. See 2019 Assembly Bill 1355 and Assembly Bill 874.
A 2019 Amendment to the CCPA (AB 25) largely exempts information collected from employees from the CCPA. But employers must notify employees of the data collected from them and the purposes for which the data is or may be used. Cal. Civ. Code § 1798.100(b). Another amendment (AB 1355) exempts business-to-business communications and Personal Information transfers to clients or vendors if the individuals involved in the information processing are employees, contractors, or owners of the business.
CCPA Enforcement and Private Right of Action
The primary responsibility for enforcing the CCPA rests with the OAG. The CCPA authorizes the Attorney General to sue a business for any violation of the CCPA, whether intentional or unintentional, after giving the company a 30-day cure period. The CCPA authorizes the OAG to recover penalties of up to $2,500 for each violation, and up to $7,500 for each intentional violation. Civ. Code § 1798.155(b).
The CCPA does not create a private right of action for violating the new privacy requirements. But it expands the existing private right of action for data breaches codified in the state's data breach notification statutes, Cal. Civ. Code §§ 1798.29 and 1798.82, and information security statute, Cal. Civ. Code § 1798.81.5. The CCPA adds to those provisions a new private right of action for any consumer whose "nonencrypted or nonredacted Personal Information" has been subjected to "unauthorized access and exfiltration, theft, or disclosure" because of a "business's violation of the duty to implement and maintain reasonable security procedures and practices." Cal. Civ. Code § 1798.150(a)(1). The new provision allows consumers to recover statutory damages, while previously, consumers could recover only actual damages caused by a data breach. Consumers can recover statutory damages in an amount between $100 and $750 per consumer per incident or actual damages, whichever is greater. See Cal. Civ. Code § 1798.150(a)(1)(A). Consumers may also seek injunctive or declaratory relief. § 1798.150(a)(1)(B), (C).
For purposes of the CCPA's private right of action for data breaches, "Personal Information" is defined differently than the definition discussed above or in the previous version of California's data breach law. Before the CCPA, California's breach notification law defined "Personal Information" to include a covered person's first name and last name coupled with sensitive Personal Information such as Social Security numbers, driver's license numbers, financial account numbers, and medical and health information. See Cal. Civil Code § 1798.81.5(d)(1)(A). The CCPA expands the definition of "Personal Information" as applied to data breaches to include: (1) government identifiers, such as tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; and (2) biometric data generated from measurements or technical analysis of human body characteristics (e.g., fingerprint, retina, or iris image) used to authenticate a specific individual. Biometric data does not include a physical or digital photograph unless used or stored for facial recognition purposes. This expanded definition of "Personal Information" applies only to private claims relating to data breaches authorized under the CCPA, not to the CCPA generally.
A consumer considering filing a lawsuit for statutory damages must give the putative defendant 30 days written notice of the claim, identifying the precise CCPA provision(s) the company has violated. The company then has 30 days to cure the alleged breach. If the company implements an effective cure within the 30 days, the consumer may not pursue an action for statutory damages on either an individual or a class-wide basis. But a consumer may sue for actual damages without providing a 30-day notice, even if the company "cures" the violation.
Although the CCPA does not define the term "cure," plaintiffs are likely to argue that merely stopping the breach or blocking future "exfiltration" of Personal Information does not cure the violation because it does not compensate the consumer for damages they suffered. Companies wishing to avoid a lawsuit may want to consider tendering a cash payment to the consumer. Even if the consumer sues, the defendant can argue that the consumer lacks standing to sue because they have been compensated for any injury caused by the alleged breach.
Interest Rate Cap
The Fair Access to Credit Act ("FACA") amends California's Financing law ("CFL"), which requires finance lenders to obtain licenses to do business in California. Until this recent amendment, licensed lenders were exempt from state usury laws for "consumer loans" greater than $2500. A "consumer loan" is any loan: (1) with a principal amount of less than $5,000, absent a contrary, signed statement from the borrower, and (2) for which the proceeds are used mainly for personal, family, or household purposes, regardless of amount.
In 2018, the California Supreme Court answered a question certified to it by the Ninth Circuit and held that a loan with a high-interest rate could be unconscionable and therefore void, even if the lender were exempt from state usury laws. See De La Torre v. Cashcall, Inc., No. S241434 (Cal. Aug. 13, 2018). The De La Torre decision exposed lenders to significant uncertainty and risk. To address this issue and to address findings that more than half of consumer loans larger than $ 2500 made by licensed lenders carried effective annual percentage rates of 100% or more, California enacted FACA. FACA amends the CFL to subject licensed lenders to an interest rate cap on loans of $2500–$10,000. This cap is equal to the federal funds rate plus 36% per annum.
Lenders may also charge an "administrative fee" not to exceed $75 per year for loans larger than $2500. For loans less than $2500, the administrative fee may not exceed the lesser of 5% of the principal amount or $50. FACA prohibits lenders from charging or collecting any prepayment penalty for consumer loans, regardless of the loan amount.
Entities exempt from the CFL, e.g., banks and insurance companies, are not affected by this change. However, nonbank lenders should incorporate these new requirements into their compliance programs, and nonbank purchasers of bank-originated loans should either comply with these provisions or confirm that the transaction is structured to benefit from the originating entity's exemption.
Minimum Loan Term
FACA also imposes a minimum loan term of 12 months for consumer loans between $2500-$10,000, except for certain open-ended and student loans. It imposes a maximum loan term of 60 months and 15 days for non-real estate secured consumer loans of at least $3,000 but less than $10,000. This bill would increase the maximum principal loan amount under the above schedule to $10,000.
Credit Reporting and Credit Counseling Requirements
Lenders must now report borrowers' payment performance to at least one national consumer reporting agency. Newly licensed lenders not yet approved data furnishers have one calendar year to obtain that approval. Also, before distributing funds for a loan covered by FACA, a lender must offer the borrower free access to an approved credit education program, although consumers need not take the program to qualify for a loan.
Impact on Loan Buyers and Debt Collectors
Although the CFL and FACA ostensibly apply only to non-exempt lenders and brokers, FACA states that the rate cap provisions apply to entities that "collect or receive" payments on consumer loans made under the CFL, raising concerns that (i) assignees, debt buyers, and debt collectors are also subject to the law and (ii) these entities could be liable for collecting on high-interest rate loans originated before the new law went into effect. Traditionally, a loan was lawful if it was valid and non-usurious when originated. In Madden v. Madden v. Midland Funding, LLC, however, the Second Circuit abandoned the "valid-when-made" doctrine. It held that the collection of a bank-originated credit card debt, purchased by a non-bank, was subject to New York State's usury laws, even though a national bank originated the loan.
As for prospective securitizations that include California small-dollar loans made by nonbank lenders, the new rate limitations and prepayment penalty restrictions may reduce the profitability of newly securitized pools (all other factors equal) as compared to similar prior securitized pools. Due diligence in connection with securitizing pools must ensure that non-exempt loans will be enforceable.
Penalties for Violating the CFL
The CFL imposes both civil and criminal penalties for violations. For consumer loans, if a lender willfully violates the CFL when making or collecting a loan, the loan contract is "void" and "no person has any right to collect or receive any principal, charges, or recompense in connection with the transaction." For both consumer and commercial loans, a "willful" violation may result in a penalty of up to $10,000 and up to a year's imprisonment by the party making or enforcing the law.
California's new Public Banking Act, AB 857, authorizes cities and counties in the state to sponsor or create nonprofit public banks. Before this law, California prohibited cities and counties from extending credit to any person or corporation and required local agencies to deposit all funds they receive in state or national banks. This new law allows local governments to create "public banks" and use them for their banking needs. The law defines "public bank" as "a corporation, organized as either a nonprofit mutual benefit corporation or a nonprofit public benefit corporation for the purpose of engaging in the commercial banking business or industrial banking business, that is wholly owned by a local agency, as specified, local agencies, or a joint powers authority."
Cities or counties wishing to sponsor or open a public bank must obtain a certificate of authorization from the Department of Business Oversight ("DBO"), conduct a viability study, comply with the legal requirements applicable to nonprofit corporations, and obtain deposit insurance through the Federal Deposit Insurance Corporation. Each proposed public bank must include a specific purpose statement in its articles of incorporation.
The Public Banking Act will be implemented initially for a seven-year pilot period. The DBO can approve two public bank licenses per calendar year, up to a maximum of ten licenses. During the pilot period, the DBO will study the efficacy of the program and determine whether to recommend that the law be made permanent and available to a larger number of local authorities.
Nearly two dozen other states have tried to enact laws allowing creating public banks. Before California's adoption of AB 857, North Dakota was the only state with a public bank. The Bank of North Dakota is a state-owned, statewide bank founded in 1911 to provide retail banking services to underbanked state residents. Unlike the Bank of North Dakota, California, public banks are prohibited from competing with local financial institutions and may only engage in retail banking activities in partnership with private financial institutions.
Judgment creditors can enforce judgments through various mechanisms, such as garnishing the debtor's wages or seizing funds in a bank account. State law establishes the processes for enforcing judgments, while both federal and state law limits how a creditor may garnish or seize from a debtor to enforce a judgment. Senate Bill 616 creates a new exemption limiting the amount a judgment creditor can seize from a debtor's bank account and changes the process for asserting exemptions.
New Automatic Exemption for Bank Account Seizures
Both federal and state law govern the amount of funds that a creditor can garnish or seize from a debtor to enforce a judgment. For example, the federal Consumer Credit Protection Act limits the wages that a judgment creditor can garnish from an employee's wages to the lesser of (i) 25% of the employee's disposable earnings, or (ii) the amount by which an employee's disposable earnings are greater than 30 times the federal minimum wage. Federal law also protects Social Security, VA benefits, and certain other federal benefits against garnishment for ordinary non-federal debt.
California provides debtors with even greater protection against wage garnishment. The maximum amount of a judgment debtor's disposable earnings subject to garnishment is equal to the lesser of either 25% of a debtor's weekly earnings or 50% of the amount by which the debtor's earnings exceed 40 times the minimum hourly wage. See Cal. Code of Civil Procedure § 704.070. California law also exempts distributions from private retirement plans and retirement-focused profit-sharing plans (CCP § 704.115) and public retirement benefits (CCP § 704.110).
In California, wage garnishment exemptions continue to apply even after wages are deposited into a bank account. This protection is not self-executing, however. A bank that receives a garnishment order from a judgment creditor may freeze all funds in the account. A debtor must affirmatively raise any exemptions. A debtor waives any exemptions that it fails to raise.
SB 616 creates a new, self-executing exemption for funds in a debtor's bank account. Under the new law, funds in a debtor's deposit account that are "equal to or less than the minimum basic standard of adequate care for a family of four" are exempt from garnishment automatically. See CCP § 704.220(a). Currently, the minimum basic standard of care amount is $1,724.00. A bank may not allow a debtor to seize funds that leave the account balance at less than the basic minimum amount. If a creditor does seize a portion of this exempted amount, the debtor may go to court to get back the unlawfully seized funds.
The automatic exemption comes into play after all other applicable exemptions are applied. For example, if the funds in a bank account consist of wages, the creditor may not seize over 25% of a debtor's weekly earnings. If the funds exempted under this wage exemption exceed the standard of living exemption, the standard of living exemption is not triggered.
The automatic exemption is limited to one bank account per debtor. If the debtor has multiple accounts at the same financial institution, the financial institution may select the account to which the exemption will apply (unless the court orders otherwise). If the debtor has accounts at more than one financial institution, the judgment creditor must seek a court order specifying to which account the exemption will apply (or the judgment debtor may do so).
New Procedures for Asserting Exemptions
Except for this new exemption, exemptions are not automatic. Debtors must affirmatively raise them. SB 616 amends the deadlines and procedures for claiming exemptions in response to a notice of a levy against a bank account. See CCP § 703.520. Beginning on September 1, 2020:
- A judgment debtor may file a claim of exemption with the levying officer either in person or by mail within 15 days of receiving notice of the levy if the debtor was personally served with a notice of levy on the property claimed to be exempt, or 20 days if the judgment debtor was served with notice by mail. A claim of exemption is considered filed on the date mailed if it is assigned a tracking number; and otherwise, on the date received by the levying officer.
- The judgment creditor may file an objection within 15 days of being served with the claim of exemption.
- If the debtor files an objection, a hearing will be scheduled within 30 days.
SB 616 also amends CCP §§ 699.520 and 699.540, which govern the contents of a writ of execution and notice of levy, respectively.
California law requires a foreclosing institution to provide a tenant or subtenant in possession of a rental housing unit with 90 days' written notice to quit before removing them from a property. Current law also provides tenants or subtenants renting a housing unit under a fixed-term residential lease the right to continued possession until the end of the lease term, except in specified circumstances. The provisions were set to expire on December 31, 2019. SB 18 deletes this repeal date, extending these provisions indefinitely. SB 18 also sets aside state funds to provide both direct assistance for households that have fallen behind on their rent and legal support for tenants whose landlords may be trying to evict them illegally.
The Tenant Protection Act of 2019 ("TPA"), which went into effect on January 1, 2020, imposes rent and eviction controls across the entire state, where these protections do not already exist. The TPA contains three main sections:
- Civil Code § 1946.2 implements "just cause" limitations, which prohibit eviction without just cause of a tenant who has lived in a unit for at least 12 months. "Just cause" includes both tenant at-fault behavior (such as repeated late payment of rent) and no-fault reasons (g., owner move-ins).
- Civil Code § 1947.12 prohibits increasing the annual rent more than the cost of living for that locality plus five percent, up to a maximum increase of ten percent of the prior rent amount.
- Civil Code § 1947.13 governs a unit's transition from a form of publicly assisted housing (but not rentals subsidized by a Section 8 voucher) to market-rate housing. This section does not affect private, for-profit landlords.
"Just Cause" Eviction Restrictions
Under existing law, landlords can evict tenants at the end of their lease without specifying any reason, if they give advance notice of 60 days or, for tenants renting for less than a year, 30-days' notice. Newly enacted Civil Code § 1946.2 prohibits a landlord from terminating tenancies without "just cause" and requires eviction notices to state the reason for an eviction. The new law applies only to tenancies in which all tenants have occupied the unit continually for 12 months. When the tenants have changed over time, just cause protections attach when at least one tenant has occupied for 24 months or more.
The new law does not replace existing eviction protection laws. Thus, if a local ordinance provides greater tenant protection than this law, the local law's protection controls instead of this law.
"For Cause" Evictions Unaffected
The law does not prevent a landlord from terminating a lease "for cause," i.e., breach of the lease agreement. But it requires a landlord to provide a preliminary warning notice and a three-day cure period for violations that can be remedied, including nonpayment of rent. The three-day period does not include the day on which the notice was served. If the tenant does not correct the problem identified in that warning notice, the landlord must serve a second notice before filing an eviction action. An eviction based on just the first notice, which had been the practice until now, is not valid.
Grounds of "for cause" eviction include:
- Non-payment of rent
- An uncured or incurable material breach of the lease after a written notice to correct the breach
- maintaining or committing a nuisance or waste
- criminal activity on the property or threats of harm to the landlord or agents
- assigning or subletting in violation of the lease
- refusing to allow a lawful entry under Civil Code § 1954
- failing to move out after giving the landlord a notice to terminate under Code of Civil Procedure § 1161
- using the unit for an unlawful purpose (illegal activity like drug dealing, or zoning code violations like operating a business)
- for resident managers and maintenance or cleaning staff, failing to move out after the landlord has terminated the tenant's employment, agency, or license
- refusing to sign a new lease like the old lease
In certain circumstances, landlords can terminate a lease on "no-fault" grounds in exchange for compensation equal to one month's rent. These grounds include:
- an owner's or relative's intent to occupy the unit
- the landlord's planned withdrawal of the unit from the rental market
- notice to vacate based on a health or safety issue or any court or administrative order that requires vacating the unit
- the planned demolition or substantial remodeling of the unit (substantial remodeling does not include cosmetic upgrades). The landlord need not pay relocation compensation if the tenant's behavior caused the government to issue the abatement order
From January 1, 2020, onward, all termination notices for no-fault terminations must include a statement of the cause that supports termination and the tenant's rights to relocation assistance. If the tenant fails to vacate, the landlord can recover the relocation assistance if the landlord sues and lists that assistance as damages in an unlawful detainer action. We have updated the forms on our webpage to reflect these new notice requirements.
Rent Control Rules
Besides establishing new eviction controls, the Tenant Protection Act caps rent increases during five percent plus the increase in the consumer price index ("CPI plus 5") up to a maximum of 10% of the monthly rent. Thus, owners of residential rental property will be prohibited from, during any 12-month period, increasing existing gross rental rate by more than (i) 5 percent plus the percentage change in the cost of living or (ii) 10 percent, whichever is less. In determining the gross rental rate, any discounts, incentives, concessions, or credits will be excluded.
A landlord can impose only two increases per year to reach the maximum increase. Local cities and counties may impose or enforce existing rent control laws that are stricter than the new law. The law does not regulate the rent the landlord may charge for new tenancies.
The new law applies to all rental units, subject to these exceptions:
- owner-occupied single-family dwellings (single houses and condominiums), provided that (i) the owner is not a real estate investment trust, corporation, or LLC in which at least one member is a corporation and (ii) the tenants have been provided a specific written notice regarding the exemption.
- duplexes where the owner-occupied one unit at the beginning of the tenancy and continues to live there (must be owner's principal residence).
- multi-family residences whose certificates of occupancy were issued 15 years or less before a date
- specialty housing such as nonprofit hospitals, religious facilities, licensed care, and health facilities, school, or college dormitories operated by the school or college, government-sponsored public and affordable housing, hotels, and other transient housing properties
- properties already subject to local rent control and just cause ordinance as of September 2019 or properties subject to a law passed after September 2019 are exempt if that law provides greater tenant protections than the new state law
- tenancies where none of the tenants have resided in the unit for twelve months or more. The law offers no tenant protection for short term occupancies of less than one year
- housing issued a certificate of occupancy in the past 15 years (this is a rolling 15-year window that will continue to shift)
- Section 8 or other deed-restricted housing
The TPA became operative on January 1, 2020 and applies retroactively to rent increases on or after March 15, 2019, if a landlord has raised the rent beyond the permissible amount between March 15, 2019, and January 1, 2020.
The Rosenthal Act, California's corollary to the Federal Debt Collection Practices Act, 15 U.S.C. §§ 1692, et seq., ("FDCPA") regulates debt collection activities in the state. Debt collection activity is subject to the Rosenthal Act if those activities are performed by a "debt collector" for "consumer debt" or "consumer credit." The Rosenthal Act broadly defines the term "debt collector" to mean "any person who, in the ordinary course of business, regularly, on behalf of himself or herself or others, engages in debt collection[.]" Cal. Civ. Code § 1788.2(c). The Rosenthal Act defines "debt collection" as "any act or practice in connection with the collection of consumer debts." Id. § 1788.2(b). "Consumer debt" means "money, property or their equivalent, due or owing or alleged to be due or owing from a natural person because of a consumer-credit transaction." Cal. Civ. Code § 1788.2(f).
Mortgage lenders and servicers have long argued that they are not subject to the Rosenthal Act because they are not "debt collectors" and because enforcing mortgages is not "debt collection." In 2018, a California appellate court held that mortgage servicers were subject to the Rosenthal Act.² The state Legislature ended any remaining debate on this issue by amending the Rosenthal Act to expressly include "mortgage debt" within the statute's definition of "consumer credit." See Senate Bill 187.
The amendment went into effect on January 1, 2020. However, courts are likely to apply this amendment retroactively because the Legislature described the amendment as a declaration of existing law rather than a change in the law. The Legislature appears to have premised its position that adding "mortgage debt" to the definition of "consumer debt" is merely a clarification of existing law on the Rosenthal Act's broad definition of "consumer credit transaction" as "a transaction between a natural person and another person in which property, services, or money is acquired on credit by that natural person from such other person primarily for personal, family, or household purposes."
SB 187 also amends the Rosenthal Act, so it now includes attorneys in the definition of "debt collector." The version of the Rosenthal Act, in effect before SB 187's effective date, defines a "debt collector" to mean "any person who, in the ordinary course of business, regularly, on behalf of himself or herself or others, engages in debt collection. The term includes any person who composes and sells, or offers to compose and sell, forms, letters, and other collection media used or intended to be used for debt collection but does not include an attorney or counselor at law." SB 187 eliminates the exclusion of "an attorney or counselor at law." Cal. Civ. Code § 1788.2(c).
 The obligation to implement reasonable data security measures derives from Cal. Civ. Code § 1798.81.5, which requires any "business that owns, licenses, or maintains Personal Information about a California resident [to] implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure. Although CCP § 1798.81.5 does not define "reasonable security," a February 2016 "California Data Breach Report," issued by the OAG's office endorses the Center for Internet Security's "Critical Security Controls" as a minimum threshold for achieving "reasonable security."
 A "finance lender" is "any person who is engaged in the business of making consumer loans or commercial loans." Cal. Fin. Code § 22100(a). Finance lending includes "lending money" and "taking... as security for a loan... … the forfeiture of rights in or to personal property." Certain entities, such as federally chartered banks and trusts, are exempt from the CFL.
 Disposable earnings are the employee's earnings after deduction of amounts required by law to be withheld, including federal, state, and local taxes, Social Security, and contributions to other governmental retirement programs that are required by law.