The next step in protecting consumer privacy has been taken through the new California Consumer Privacy Act (CCPA). The law, which becomes operative January 1 of 2020, is the first of its kind in the U.S. 

In a recent webinar hosted by the California Association of Collectors, Lauren Valenzuela, Compliance Counsel at Performant Recovery, Inc. gave an overview of the CCPA. Co-panelist June Coleman, Business Litigator at Carlson & Messer LLP, then took a closer look at the consumer rights outlined within the CCPA, and how these rights will impact debt collectors. 

The first thing to understand is that the CCPA establishes rights for “consumers,” defined as natural persons who are California residents. Meaning, it does not matter that your collection agency is headquartered elsewhere. If you collect debts from California residents, your agency has to adhere to the rights outlined below. 

There are six basic rights listed in the CCPA. Coleman believes two of these rights may not always apply to collection businesses. These are:

• The Right to Opt-Out of the Sale of Personal Information

• The Right to Have Equal Service and Pricing Even if Rights Under the CCPA Are Exercised

Although these rights may not directly apply to your industry, it is still important that you speak to your agency’s counsel about all aspects of the CCPA, including these rights. You should be prepared to communicate to consumers who may inquire about these rights even if your counsel agrees they don’t apply.

Aside from the two rights listed above, collectors should pay close attention to the other four rights created by the CCPA.

Consumers are entitled to request information about the following five areas:

• The categories of personal information a business has collected about that consumer. This could mean financial data like account numbers, personal identifying information like social security number and date of birth, contact information like address and phone number, information from credit report, IP addresses when consumers view your website or payment portal, or employment information.

• The categories of sources from which the personal information is collected. You should explain in correspondence with the consumer how the information is obtained. For debt collection, this will likely be from creditors, skip tracing organizations or credit reports, and the consumer herself, among other sources. 

• The business or commercial purpose for collecting or selling personal information. You should also be prepared to explain your company’s purpose for collecting the information. For collection professionals, this data is used to facilitate your collection efforts.

• The categories of third parties with whom the business shares personal information. Among these may be the consumer’s creditor and credit reporting agencies.

• The specific pieces of personal information it has collected about that consumer.   This could include not only the initial information you received from your client, but also credit reports or verification of debt documents or recordings.

The CCPA allows a consumer to request information about what has happened in the past year.  Collection agencies should begin drafting letters to respond to requests and provide information (and potentially documents and recordings) that was obtained during the last 12 months. Even though the law is not effective until January 1, 2020, some agencies are already receiving requests.

The CCPA creates a right to be forgotten, to have their information deleted. But there are nine important exceptions that allow businesses to retain information despite a consumer’s request for deletion. Of these exceptions, the most applicable for collection professionals is that the information collected is necessary to complete performance of a transaction or contract between the business and the consumer. “In order to obtain payment from the consumer, we have to collect this data,” says Coleman.  

She notes that this may not be universally true for every piece of information you collect, however. For example, those in close proximity to a consumer with a debt (neighbors, family members, etc.) may find their personal data being collected during skip tracing efforts. If one of these consumers reaches out to your agency, this may be a case where the exemptions for deleting data no longer apply.

A few of the other exceptions that would probably allow a collection agency to maintain the information after the debt is paid, at least from some period of time are:

• To address fraudulent activity/identity theft, which probably allows you to refrain from deletion for at least four years.

• To comply with a legal obligation, which probably allows you to refrain from deletion for at least the statute of limitations period for a debt (in case the debtor wants to dispute the debt after payment). 

• For lawful, internal uses compatible with why the consumer provided the information, which may provide a basis to never delete the information. 

To prepare for implementation of the law, work with your attorneys. Start creating letters that respond to requests and letters that explain these exceptions in the event that you receive requests to delete information. 

“How you explain it will be the difference between people understanding and people being upset and potentially turning to litigation,” says Coleman. She suggests you take care with creating these responses. Be sure consumers understand the legal grounds behind declining their requests in each specific case. 

In debt collection, there are not many examples where information is disclosed to third parties, but there are a few. Process servers, a sheriff’s office and credit reporting agencies are just a few third parties to whom you may need to disclose information. Be ready to respond to a consumer’s request, and when asked, disclose to them:

• The categories of personal information that the business collected about the consumer.

• The categories of personal information that the business disclosed about the consumer for a business purpose. 

• The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.  This last item might not be relevant to collection professionals, although the industry is paying close attention to how the “sale of information” is defined to ensure that furnishing credit reports is not somehow considered a sale of information.

Be aware, the definition of “sold” under the CCPA is broad: 

The CCPA also covers data breaches.  “I never thought this would be something the industry would have an issue with,” says Coleman. “But, over the last four or six months there have been some breaches involving collection agencies who collect medical debt. So this is something that you need to be aware of.”

The process for suing under the CCPA due to a data breach is complicated. Before a consumer can sue, they must give the business 30 days written notice, bringing the violation to the attention of the business. The business then has 30 days to “cure” the violation, and respond to the consumer in writing that they have done so. After this, if violations continue to occur, a consumer can sue.  

Consumers may sue for a data breach only, and can obtain the following relief:

• Damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater. 

• Injunctive or declaratory relief. 

• Any other relief the court deems proper.

The CCPA dictates that businesses must provide methods through which consumers may submit information requests. At minimum, these must include a toll-free telephone number and a web address if the business has a corporate website.

To prepare, agencies must:

• Create a process for incoming verbal requests and train staff to report those requests to a central place for processing. Update policy and procedure manuals and training materials to reflect these changes.

• Create an online form for receiving these requests. Take into account your current website design. Where can you place the online form to make it easy to identify and access?  Create a link on your home webpage.

• Add to any consumer self-service online portals an option for making such requests and supplying the information via that portal. For example, if you collect online payments, consider how consumers access this portal and where it might make most sense to provide the necessary information or link to the online request form.

• Provide a clear and conspicuous link on your agency’s homepage titled “Do Not Sell My Personal Information.” This link will direct consumers to a page that allows for opt-out of the sale of personal information. While collectors may not sell personal information, Coleman says it’s safer to comply with this requirement than to fight against why it’s not needed later during litigation. 

In a future article, we will cover required disclosures, consumer requests and verifying the requests before responding, and how debt collectors can prepare to comply with the CCPA. Don’t miss out on this valuable information! Subscribe to the PDCflow blog:

Subscribe:

Disclaimer Information