Editor's Note: This article was written by Lauren Valenzuela, Compliance Counsel at Performant Financial Corp., and June Coleman, Of Counsel at Carlson & Messer LLP. It is published on insideARM with permission from the authors.
On February 5th, the California Attorney General’s (“AG”) Office held its fifth public forum in Sacramento to collect feedback about the California Consumer Privacy Protection Act (“CCPA”). Under the CCPA, the AG is responsible for developing regulations to support the CCPA. The Sacramento forum was well attended and active – people from coast to coast participated.
Even if you are a business outside of California that collects personal information for any California residents, you should pay attention to this law. In case anyone reading this article needs an orientation to the CCPA, essentially it gives California residents unprecedented rights over their personal information:
- The right to know what personal information is being collected about them.
- The right to access the personal information collected about them and request it be deleted, although there are exceptions to the right to delete.
- The right to know whether their personal information is sold or disclosed and to whom.
- The right to opt-out of the sale of their personal information.
- The right to have equal service and pricing even if they exercise their rights under the CCPA.
Although people at the forum expressed support for the CCPA and recognized the value of what it is trying to achieve, many people voiced concerns surrounding its current design and asked the AG to provide guidance on many of its provisions. Here are highlights of some issues raised at the forum.
Expansive Definition of “Personal Information”
The CCPA’s definition of “personal information” is broad. It includes data which identifies, relates to, describes, or is capable of being associated/linked with not only a consumer, but also a household. Many people expressed concerns over the definition’s inclusion of “household.” For example, in theory a roommate or an estranged spouse could request “personal information” related to the household they are (or were) part of, thereby gaining access to information for everyone in the household for the 12-month period preceding the request. A request for personal information related to a household could conceivably breach the privacy of the other people in that household; not to mention, how do you authenticate the identity of a person in a household who is not the primary person on an account? People also highlighted safety concerns about disclosing information about a household. Many commentators asked the AG to clarify, and perhaps rein in, how households should be approached within the definition of personal information.
Commentators also asked the AG to rein in the inclusion of employment-related and education information in the definition of “personal information.” For example, could an employee request that an employer delete any part of their employment records – can an employee found in violation of a company’s anti-harassment policy request that their employer delete that information about them? Can a student request that a school delete their bad grades? Under the CCPA’s current unregulated design, these things are conceivable. Under the CCPA, it is not hard to imagine a consumer requesting that a debt collection agency delete their personal information. Luckily the CCPA does provide nine exceptions to consumers’ right to request deletion of their personal information, and we believe that debt collection agencies and law firms would most likely fall into one or more of those exceptions. However, it would be helpful for the AG to tease out those exceptions so that a myriad of industries know how they apply (or don’t apply) and consumers will know when their request falls within an exception.
Safe Harbor if a Company Provides Information to a Fraudster
If a consumer’s identity is stolen, how does a business protect that consumer from a fraudster who has enough information to “verify” the consumer’s identity, potentially giving the fraudster the ability to gather more information on their victim? Given the expansive definition of “personal information,” a fraudster could in theory gain access to an enormous amount of consumer personal information by using the CCPA. One public commentator asked the AG to provide a safe harbor to businesses that respond to a verified consumer request when that request was made by a fraudster.
Scope of Exceptions
The CCPA does not apply to certain types of personal information. For example, protected health information collected and governed under the Health Insurance Portability and Accountability Act (“HIPAA”) and personal information collected, processed or sold pursuant to the Gramm-Leach-Bliley Act (“GLBA”) are not subject to the CCPA. At first glance this is a relief to many; however, upon closer examination, there is ambiguity around whether these exceptions would cover, for example, a financial institution selling a debt portfolio. The personal information contained in that portfolio is subject to GLBA, but the overall transaction may not be. If the GLBA exception does not extend to this kind of transaction, the CCPA requires that the consumers in that portfolio be given notice and the opportunity to opt-out of the sale. Accordingly, it would be beneficial for the AG to provide clarification of the scope of the CCPA’s exceptions.
Timeline for Compliance
The CCPA is regarded as the first law in the U.S. to adopt privacy rights like those provided in the European Union’s General Data Protection Regulation (“GDPR”). The EU had two full years to gear up for compliance with the GDPR, and compliance was arguably a light lift since it was built upon an existing privacy directive in the EU. By comparison, the CCPA was signed into law on June 28, 2018, was amended on September 23, 2018, became effective January 1, 2019, and is operative January 1, 2020. Comments swirled around the short time period that companies have to prepare for compliance and how this creates a heavy lift (and cost) for small and mid-size businesses. Many businesses need to modify how they collect, record, retain, and retrieve consumer data in order to comply with the CCPA. One commentator proposed that each aspect of the rule be given a different implementation date/timeline in order to make integrating compliance with the CCPA manageable for businesses.
CCPA Interfacing with Existing Privacy Laws
Commentators from various industries explained how there are existing laws and regulations governing consumer privacy and the sale of consumer information. Many commentators want guidance and clarification on how existing privacy laws will interface with the CCPA. For example, education information is included in the definition of personal information under the CCPA. However, many education records and related personal information are already governed by the Family Educational Rights and Privacy Act (FERPA). How will the CCPA and FERPA interface?
In summary, commentators asked the AG to provide clear and practical guidance on how businesses should balance their existing responsibility to protect consumer information and privacy with consumers’ CCPA rights.
The AG is hosting two more public forums. The next one is in Fresno on February 13, 2019, and the last one is in Stanford on March 5, 2019. The AG is collecting written comments from the public until March 8, 2019. The AG’s staff encouraged the public to visit its website for news and updates related to CCPA. They also reminded the forum that once the AG publishes proposed rules (which the AG Office anticipates doing in the Fall of 2019), the public will have an opportunity to provide comments on those rules. The AG will then review the comments and revise the rules as necessary to address relevant comments, before issuing the AG’s regulations.
The CCPA poses many questions for the ARM industry: will this impact how we collect and store data, especially data found during skip-tracing? How will the industry be able to comply with the obligation to provide information to wrong-party contacts and third parties? How will the industry be able to honor requests to delete information about wrong-party contacts and third parties, especially when the exceptions might not include people who are not debtors? How does this impact how we furnish data to credit reporting agencies, especially when providing information to credit reporting agencies might be considered the “sale” of information? How will this impact how we exchange data with our vendors? How do the privacy rights given to consumers under the Fair Debt Collection Practices Act (FDCPA) and the Fair Credit Reporting Act (and their state law counterparts) interface with the CCPA? How will this impact debt buying? Everyone should continue to watch how the CCPA develops (and participate in its development!). The CCPA is ushering in a new privacy regime, and not only in California: many federal and state legislators are looking at the CCPA as a model and pioneer in this new regime, with a view to potentially enacting identical or similar legislation in other states or even federally.