Yesterday, the California legislature passed AB-375, the California Consumer Privacy Act of 2018. It now awaits the Governor’s signature. The law chiefly targets Internet advertisers, but it has significant implications for all companies who collect data about their customers. We reviewed the new legislation to understand how it impacts collections law firms and agencies.
What is the purpose of the law?
Consumers have become increasingly concerned about the use of their data by large Internet companies such as Facebook and Google. Consumer data rights took on added significance in the wake of Facebook’s Cambridge Analytica scandal, precipitating support for greater regulation.
The goal of California’s new law is to give consumers the ability to request information about what data companies have collected about them, to know with whom that data was shared, and in some cases, to demand that a company delete the data. It outlaws selling data about consumers younger than 16, and prevents businesses from charging consumers more or denying them service if they attempt to exercise their rights under the Act.
Why is it important?
The law will directly affect California-based businesses, which will have to comply when transacting with California residents once it goes into effect on 1 January 2020. California’s Attorney General will have sole authority to bring cases against businesses. (Note: consumers of a business whose personal information is subject to a security breach will also have standing to bring a suit against the business.)
It also has implications for businesses outside California. Last month, the European Union’s sweeping General Data Protection Regulation (GDPR) went into effect, forcing many companies around the world to change how they do business. It paved the way for similar legislation in the United States. Other states are therefore likely to use California’s new law as a template for their own privacy bills.
What does the law require?
The California Consumer Privacy Act means less for collections firms than for companies that sell data for advertising purposes—consumers likely won’t be able to demand that collectors delete their data, for example—but it will still require firms to disclose what information they collect about the consumer “at the point of collection,” and firms will have to fulfill consumers’ requests for data held about them.
The law covers personal information, such as the consumer’s name, mailing address, Social Security number, driver’s license number, email address, and IP address. It also covers demographic information, like race, gender, and job-related data. Companies will also have to disclose to consumers any information tied to what they do on the site or app, such as search and page visit history. Even “inferred” data, such as any conclusions about individual consumers that firms have derived via analysis of the data collected, are subject to the law. This likely includes “scoring” information firms use to denote the likelihood of a debt to be paid.
Firms will also have to disclose the categories (but not the specific identities) of third parties with which they share a consumer’s data for “business purposes.” The definition of this term is vague, but it includes all information that the company shares with vendors in the normal course of business. These include, but are not limited to, Web-based management and analytics software, cloud computing providers, payment processors, cybersecurity services and advertisers.
Consumers will have the right to request the following information from companies:
- The categories of personal information collected in the past 12 months
- The categories of sources from which personal information is collected in the past 12 months
- The purposes for collecting the information in the past 12 months
- The categories of third parties with whom the business shares information
- The specific pieces of information collected in the past 12 months
- When it has NOT disclosed information in the past 12 months
How do collections firms achieve compliance?
Firms will have to clearly state the kinds of information the company collects “at or before the point of collection.” This likely means adding a disclosure much like the FDCPA “mini-miranda” warning offered both on the telephone and on consumer-facing websites. Privacy policies will also have to be updated to include the consumer’s rights under the Act.
The law specifies that consumers must have at least two ways of requesting their information. These must include a toll-free phone number and, if the company maintains a website, a webpage for submitting a request. Firms must provide the information within 45 days of receiving the request.
Given that many firms pay vendors to provide consumer-facing websites, portals, and apps, it is critical that those vendors are able to quickly respond to requests for consumer information. In some cases, they may also be required to give consumers a way to request data.
Note that the Act specifically exempts data that was bought from or sold to a consumer reporting agency if that information is to be used in a consumer report as defined by subdivision d of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the Fair Credit Reporting Act.
Where does the law stand now?
The Act passed the California legislature yesterday, surprising most observers. It now heads to Governor Jerry Brown’s desk. He has not publicly committed to signing it into law. If he does sign it, it will go into effect 1 January 2020.