Editor's note: This article, except for the insideARM perspective below, was written by Lauren Valenzuela, compliance advisor at Performant Financial Corp., and is published on insideARM with permission from the author.
On March 5th, the California Attorney General (AG) staff held its seventh and final public forum to collect comments on the rules they must develop for the California Consumer Protection Act (CCPA). The event was held in a lecture hall at Stanford Law School and was well attended as people lined up to provide their final personal comments to the AG staff. Although comments varied, one thing was clear: the CCPA is a completely imperfect law.
As has already been written, the CCPA appears to be ushering in a new privacy regime that is sure to impact the ARM industry. Since the CCPA went into effect in June 2018, at least nine additional states have introduced bills that appear to be inspired by the CCPA in some way. Because the CCPA provides unprecedented privacy rights for consumers and unprecedented obligations for businesses, questions and comments continued to circulate about the scope of these rights and obligations. Here are highlights of some of the topics raised in the forum.
Do service providers have to respond to consumer requests?
The CCPA is designed for specific types of companies: companies that sell/buy digital advertising and companies that collect, monitor, and sell information about consumers' online activities, device usage, etc. In many ways, the law is worded in such a way that it assumes that any business that has a consumer's personal information has a direct relationship or connection with the consumer. Businesses that do not have a direct relationship or connection with the consumer have difficulty understanding exactly how the CCPA applies to them. For example, many companies receive consumers' personal information from another company in order to provide a service to that company, such as when a provider receives consumer information when performing data cleansing for a debt collection agency. There are many questions about the extent to which the CCPA applies to a provider that has no direct relationship or connection with the consumer. Will a provider that holds the consumer's personal data be required to respond to a consumer's request to delete their data? Several comments called on the AG to publish rules that would clarify such a situation.
Third Party Information Collected During Skip Tracing
One comment raised the question of how the CCPA should apply to activities such as skip tracing. The commenter explained that often, when a consumer is in debt, the contact information that the creditor or debt collector has for the consumer is out of date. Creditors and debt collectors collect information about the consumer in order to find the consumer's corrected or updated location information. Personal data about third parties associated with or related to the consumer is also collected and used. Accordingly, to what extent will the GLBA exception provided for in the CCPA extend to activities such as skip tracing? Another comment asked for specific guidance on how the CCPA applies to those in the financial services sector and what impact it will have on their service providers. Overall, people in the financial services industry expressed their desire to comply with the CCPA. They just need clear guidance on what compliance looks like when applied to an industry that appears not to have been considered when the law was drafted.
GDPR vs. CCPA
Many comments compared and contrasted the CCPA with the European Union's General Data Protection Regulation (GDPR). For example, in contrast to the design of the CCPA, the GDPR distinguishes between “controllers” (i.e. those who “determine the purposes and means of processing personal data”) and “processors” (i.e. those who process “personal data on behalf of the controller”). Different expectations and obligations apply to controllers and processors because they have different relationships with the data and data subjects. The CCPA makes no such distinction, leading to confusion as to how it applies to businesses that do not have a direct relationship/connection with the consumer (as discussed above).
One commenter called on the AG to take the lessons learned from the GDPR. He quoted information published by authorities with GDPR oversight. Within approximately eight months of its launch (from May 2018 to January 2019), there were over 95,000 complaints to data protection authorities under the GDPR (the most common types of complaints concerned telemarketing, promotional emails and video surveillance), over 40,000 reported GDPR violations, and over 200 investigations by data protection authorities. The commenter said this information shows how necessary laws like the GDPR are, and he called on the AG to adopt rules that closely follow the principles of the GDPR. Considering the size of California's population and economy, using the GDPR as a rough benchmark for what the CCPA might look like suggests that companies should prepare for repercussions when it comes to consumer complaints. Similarly, many commenters said that the AG will need assistance enforcing the CCPA and suggested that the AG contact county or city attorneys for enforcement assistance.
Verifying requests when the request does not come from the consumer
Under the CCPA, a consumer may authorize a third party to request information on their behalf. At least one comment focused specifically on what this means for populations that are frequently exploited, such as the elderly. Commenters asked the AG to provide companies with specific guidance on how to authenticate a request from a third party requesting information on behalf of a consumer. This can prove difficult, particularly if the person assisting an elderly person is not related to the consumer or, for example, does not have a power of attorney.
The advantage of the CCPA for companies
Some commenters noted that one benefit of the CCPA is that it will force companies to create a structure for unstructured data. One commenter said this will in turn give companies more control over their data and make it more useful. We live in a data-driven economy where data is the new currency. Therefore, many people think that big data is good data – and many have the philosophy that the more data collected, the better. The commenter said that companies need to have better control over their data for it to be useful, and one benefit of the CCPA is that it forces companies to focus on the quality of the data collected and not on the amount of data collected. Another commenter specifically noted that the data collected in the ARM space is often unstructured and that the CCPA will help the ARM industry structure unstructured data.
More changes on the horizon
One commenter said that concurrent with the AG's last forum, there was a hearing in Sacramento discussing an amendment to the CCPA, and he expressed difficulty with the evolving nature of the CCPA. The CCPA was passed in the California legislature with the understanding that there would be time for “fix-it” legislation to be passed before its effective date on January 1, 2020. For example, the CCPA was amended by SB 1121 just three months after it went into effect. Therefore, it is no surprise that there are at least two proposed amendments to the CCPA: SB 561 and AB 1130. It appears that the AG will have a difficult task making rules for a law that itself could be changed in the near future.
Conclusion
At this time there is no clear way to comply with this law as it applies to many companies. There are many questions that need to be answered. However, protecting a consumer's privacy is nothing new for the ARM industry – it is one of the core tenets of the Fair Debt Collection Practices Act (FDCPA). The real challenge, therefore, is balancing a consumer's privacy rights with a business's obligation to be transparent about who it is, what its business purpose is, and what information it has about a consumer under the CCPA.
insideARM perspective
The California Attorney General public forums, together with the California Senate Judiciary Committee hearing earlier this week, sparked a public debate about what this new privacy law — as well as proposed privacy laws in other states — has in store for businesses and consumers alike. To review insights from the other public forums, see the links to participant-authored insideARM articles below:
The biggest takeaway from all these meetings is that the debate is ongoing and there is still a lot of work to be done on both the regulatory and business sides.