Editor's Note: This article, except for the insideARM Perspective at the bottom, was written by Lauren Valenzuela, Compliance Counsel at Performant Financial Corp., and is published on insideARM with permission from the author.
On March 5th, the California Attorney General’s (AG) staff held its seventh and last public forum collecting comments for the rules it must develop for the California Consumer Protection Act (CCPA). It was held in a lecture hall at Stanford law school and was well attended as people lined up to get their last in-person comments heard by the AG staff. Although comments were diverse, one thing was clear: the CCPA is a perfectly imperfect law.
As previously written about, the CCPA is arguably ushering in a new privacy regime that is sure to impact the ARM industry. Since the CCPA was enacted in June of 2018, at least nine other states have introduced bills that appear to be CCPA inspired in some shape or form. Since the CCPA provides unprecedented privacy rights to consumers and imposes unprecedented obligations on businesses, questions and comments continued to swirl around the scope of those rights and obligations. Here are highlights of some issues raised at the forum.
Do Service Providers/Vendors Have to Respond to Consumer Requests?
The CCPA was designed with specific kinds of businesses in mind: those that sell/buy digital advertising, and those that collect, monitor, and sell information about consumers’ online activity, device usage, and the like. In many respects, the law is written in a way that presupposes that every business that has a consumer’s personal information has a direct relationship or nexus with the consumer. Companies that do not have a direct relationship or nexus with the consumer are struggling to understand exactly how the CCPA applies to them. For example, many companies receive consumers’ personal information from another company for a service to be provided to another business, as is the case when a vendor receives consumer information while providing a data scrub for a collection agency. Questions abound about the extent to which the CCPA applies to a vendor that does not have a direct relationship or nexus with the consumer. Will that vendor, who possesses personal information about the consumer, be obligated to respond to a consumer’s request to delete their information? Multiple comments asked the AG to publish rules which provide clarity for this kind of situation.
Third Party Information Collected During Skip Tracing
One comment raised the question of how the CCPA will apply to activities such as skip tracing. The commentor explained that often, when a consumer is in debt, the contact information the creditor or debt collector has for the consumer is out of date. Creditors and collectors collect information about the consumer in order to track down the consumer’s corrected or updated location information. In this process, personal information about third parties connected or associated with the consumer is also collected and used. Accordingly, to what extent will the GLBA exception provided for in the CCPA extend to activities such as skip tracing? Another comment asked for specific guidance on how the CCPA applies to those in the financial services space, and how it will impact their service providers. Overall, people in the financial services industry expressed their desire to comply with the CCPA. They just need clear guidance on what compliance looks like when applied to an industry that was seemingly not contemplated when the Act was designed.
GDPR v. CCPA
Many comments compared and contrasted the CCPA to the European Union’s General Data Protection Regulation (GDPR). For example, in contrast to how the CCPA is designed, the GDPR makes a distinction between data “controllers” (i.e. those that “determine the purposes and means of processing personal data”) and “processors” (i.e. those who “process personal data on behalf of the controller”). There are different expectations and obligations for controllers and processors since they have different relationships with the data and data subjects. The CCPA makes no such distinction, thereby creating some confusion about how it applies to businesses that do not have a direct relationship or nexus with the consumer (as further explained above).
One commentor urged the AG to look to the GDPR for lessons learned. He quoted information published by authorities with oversight of GDPR. In about an eight-month span since its inception (from May 2018 to January 2019), there have been over 95,000 complaints to Data Protection Authorities under the GDPR; the most common types of complaints involve telemarketing, promotional emails, and video surveillance; there have been over 40,000 breach notifications made under GDPR; and over 200 investigations by Data Protection Authorities. The commentor said this information shows just how necessary laws like the GDPR are, and he urged the AG to adopt rules which closely follow GDPR principles. Given how large California’s population and economy are, looking to the GDPR as a rough gauge for how the CCPA may go suggests that businesses should brace for impact when it comes to consumer complaints. In a similar vein, many commenters said the AG will need assistance with enforcing the CCPA and suggested that the AG turn to county or city attorneys for enforcement help.
Verifying Requests When the Request is Not from the Consumer
Under the CCPA, a consumer may authorize a third party to request information on their behalf. At least one comment focused specifically on what this means for populations which are often taken advantage of, such as the elderly. Commentors asked the AG to provide businesses with specific guidance on how to authenticate a request from a third party who is requesting information on behalf of a consumer. This can prove challenging, especially if, for example, the person helping an elderly person is not related to the consumer or doesn’t have a power of attorney.
The Upside to the CCPA for Business
Some commentors noted that one upside to the CCPA is that it will force businesses to create structure for unstructured data. One commentor said this will in turn give businesses more control over the data they have and make it more useful. We live in a data-driven economy, where data is the new currency. As such, many think big data is good data – and many have the philosophy that the more data collected, the better. The commentor said that businesses need to have better control over their data for it to be useful and one benefit of the CCPA is that it will force businesses to focus on the quality of data collected rather than on the quantity of data collected. Another commentor specifically noted that data collected in the ARM space is often unstructured, and that the CCPA will help the ARM industry structure unstructured data.
More Change on the Horizon
One commentor said there was a hearing in Sacramento considering an amendment to the CCPA at the same time as the AG’s last forum, and he expressed his struggle with the evolving nature of the CCPA. The CCPA was rushed through the California legislature with the understanding that there would be time to pass “fix-it” bills before its effective date of January 1, 2020. Case in point, the CCPA was amended by SB 1121 only three months after its passage. Therefore, it is no surprise that there are at least two proposed amendments to the CCPA: SB 561 and AB 1130. It seems the AG will have the difficult task of promulgating rules for a law that itself may be amended in the near future.
At this point in time there is no clear path for how to comply with this law as it applies to many businesses. There are many questions to be answered. However, protecting a consumer’s privacy is nothing new for the ARM industry – it is one of the central tenets of the Fair Debt Collection Practices Act (FDCPA). The true challenge, therefore, is how to balance a consumer’s privacy rights with a business’ obligation to be transparent about who they are, what their business purpose is, and what information they have about a consumer under the CCPA.
The California Attorney General's public forums, in tandem with the California Senate Judiciary Committee hearing earlier this week, brought forth a public debate about what this new privacy law -- as well as the proposed privacy laws in other states -- has in store for businesses and consumers alike. To review the take-aways from the other public forums, below are links to insideARM articles written by attendees:
- Summary of Calif. AG Public Forum on Consumer Privacy Act in San Francisco and CCPA Part II: What The CCPA Will Mean For Your Compliance Platform, both by Adam Gotlieb of TrueAccord
- Calif.'s Second Public Privacy Forum on CCPA in Review, by Leslie Bender of BCA Financial Services, Inc.
- California’s Fifth Consumer Privacy Act Public Forum in Review, by Lauren Valenzuela of Performant Financial Corp.
The biggest take-away from all of these meetings is that the debate is not done and much work remains to be done on both the regulator's and business's end.