Editor's Note: This article was initially published on TrueAccord's blog and is republished here with the author's permission.
A couple weeks ago, I posted about the three main themes I heard in the public comment forum from consumer advocates, businesses, and trade groups on the new California Consumer Privacy Act (CCPA). I heard from a number of ARM compliance professionals that the themes highlighted provoked discussion on how this law might impact our industry in particular. Today I want to take the discussion further and talk a bit about some of my concerns for how this law will likely add significant complications to your compliance platform.
The California Attorney General’s Office has been hosting a number of public comment forums around the state to hear from consumer advocates, business, and trade groups about the new California Consumer Privacy Act. The Act will require that businesses inventory and map personal data, provide consumers rights to see what data a business has collected, and allow consumers to opt out of data selling or transmission. If you have a website and interact with any consumers in California, you need to be concerned about the potential impacts of the CCPA to your business.
This law conflicts with state licensing requirements or industry best practices.
Section 1798.105 requires companies to delete a consumer’s information upon request. In the ARM space, collections agencies have both data provided by their clients on consumer accounts placed for collection and data they collect throughout the collections process. Businesses in the consumer finance space, for example, need to keep this information to demonstrate how they handled the consumer’s account, to prove they followed the various laws regulating the industry, maintain accurate records for their finance departments, and to improve the collections process for consumers and clients.
There is a list of exceptions to the requirement to delete a consumer’s information upon request, in section 1798.105(d). Subsection (d)(7) says you may keep information “To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business” and Subsection (d)(8) says you may keep information to “Comply with a legal obligation.” These provisions are extremely broad and ambiguous. What might be “reasonably aligned” with how a collection agency would use consumer information will result in differences of opinion. Would a consumer expect an agency to keep a record for state or federal regulators? What about being able to provide a receipt for the consumer months or years later to prove payment on an account? Would a consumer, or even California regulators, agree that another state’s licensing rules that require an agency to keep that consumer’s records for a period of time trump the consumer’s request to delete that information? Without reliable guidance, definitions, or safe harbors this provision will result in disharmony, divergent expectations and likely legal battles.
A new opportunity for bad actors and for corporate espionage.
Section 1798.140(c) states that the law applies to any business that:
- Has annual gross revenues in excess of $25,000,000; or
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
This provision alarms information security officers in large and small businesses alike. On nearly every website, each time you visit a site and browse around, your IP address is logged by the administrative system for the web page. As written, merely collecting an IP address could count towards the 50,000 threshold to trigger compliance with this law.
A Distributed Denial of Service attack (“DDOS”) is an increasingly common method for bad actors to try and hack into a business database by bombarding the company’s website with hundreds of thousands of web site visits, overwhelming the system and causing it to crash and distracting the company’s administrators and allowing the hacker to get easy access. This creates a scenario where any hacker going after valuable consumer records can add the headache of complying with CCPA.
Another unpleasant possibility would be for an unhappy consumer or a competing business to launch a DDOS attack and then sending dozens or hundreds of information requests under the CCPA. Simply search online for “how to do a DDOS attack” and you will find dozens of articles and videos that explain just how easy it is for the average person with minimal technical knowledge to start their own DDOS attack. If your company does any business in California and any IP addresses used in this attack are from a California resident, your company will have to comply with the CCPA for all of your California consumers. These albeit too common scenarios are yet unaddressed in the law.
Client information? Agency information? Who is responsible for what?
Collection agencies must keep detailed records of how and when we communicate with consumers. Whether agents are calling, responding to letters, emailing, or texting, we must know the details of what we discuss to meet our federal and state compliance regulations, improve our chances of collecting on outstanding balances and to inform our clients on the status of their accounts. It is unclear in the CCPA whether an agency would be required to delete this valuable information at the request of a consumer. As written, the results of skip tracing could be considered personal information and if an agency is required to delete current addresses or respect an opt-out for using this information it is impossible to provide legally required disclosures to consumers. A likely unintended consequence may be more creditors choosing to sue clients than facing the legal uncertainty posed by the CCPA.
An issue raised by the CCPA particular to collections is there is no clear delineation between whether the client or the collection agency bears the responsibility for honoring a consumer request to opt out or to delete information. It is common for a consumer to communicate with both the creditor and the agency where the account is placed while the account is in collections. If a consumer tells the creditor that they are opting out and want their information deleted, does the creditor have to respect that request even if it makes the account unworkable? Will the creditor need to relay this request to the agency working the account and require them to delete consumer information? The law is unclear as to how the creditor or the collection agency can reasonably comply with consumer wishes without making the account potentially uncollectable.
These issues can be resolved before the law goes into effect.
The CA DOJ must build in a safe harbor provision to addresses these concerns that go beyond the consumer finance space into all forms of businesses interacting with consumers (think hospitals). We need to raise these issues with the regulators and ensure that there is no ambiguity around what information must be deleted or provided to a consumer upon request, the specific exceptions to this provision, how to transmit that information to consumers securely, and to protect businesses and consumers from bad actors. If you are a business who interacts with consumers, you need to either attend the next public comment forum nearest to you or provide critical feedback to the regulators and to follow up with a formal written response. You can find information on the public forum schedule, along with an email address and postal address to send your feedback below.
Upcoming events: https://oag.ca.gov/privacy/ccpa
Email to provide feedback directly to regulators: email@example.com
Postal mail address to provide feedback:
CA-DOJ, ATTN: Privacy Regulations Coordinator
300 S. Spring St.
Los Angeles, CA 90013
Editor's Note: Multiple industry groups are reportedly planning to submit comments. insideARM encourages as many voices to be heard as possible.