CCPA Update: Calif. Atty General Hearing and how Data Privacy laws intersect with Debt Collection Part 2
John Lewis
Husband, Father, Grandfather, Volunteer, Board Member, Writer and Retired Entrepreneur
CCPA Part I - Data Privacy Law versus Debt Collection Reality
Our Director of Operations Lance Suder and I took a road trip to attend the California Consumer Privacy Act (CCPA) Public Hearing at the Stanford University Law School yesterday. Like me, Lance is an entrepreneur, and unlike me, Lance graduated from Stanford.
I'm a skip tracer, and I've been gathering data on people for debt collections, legally and with permissible purpose, since the early 80's. My career in debt collection started well before you could push a button and gather thousands of pieces of consumer data on your customer and practically everyone they've ever come into contact with.
As we crossed the Dumbarton bridge, the irony of driving past the massive Facebook campus en route to a meeting with the Atty General's office about data privacy was interesting. This was a meeting that may not have happened had Facebook not sold their data to Cambridge Analytica, and now these new data privacy laws have found their way into the manner in which every business GATHERS, ORGANIZES, USES, SHARES and (hopefully) TRACKS each specific piece of data we described in Part 1 of this series on the effect of data privacy laws in comparison to data gathered for debt collections:
https://www.dhirubhai.net/pulse/ccpa-summary-debt-collections-masterqueue-part-1-john-lewis/?published=t
As we drove across the bay, hearing Lance's stories of Crew races reminded me of my son as he raced Crew for years. The discipline and teamwork of a Crew boat and its members are unlike that of any sport I've ever seen. Hearing his stories of Tiger Woods as a pledge in the fraternity he was a member of was also interesting, and it reminded me of the times I spent in a Fraternity at Eastern Illinois University. Then I thought of the things we did in college and many things that used to happen are no longer acceptable. As I walked into the Stanford Law building's assembly hall, I realized the journey we are going through in debt collections in a way is similar, as many things have changed and continue to change, and some of the tactics used in debt collection in the past were wrong. Many of these regulatory, compliance and security laws are good for our industry, but many people don't like change, and for many, change is difficult, even when laws around protecting people's personal data and how it's accessed and used are such an important part of how we grow as a society that's now dominated by technology that exposes our personal data in a much easier way when it is so easily accessed. We believe there always has to be a reminder that there are bad people out there who want to do bad things, so laws around protecting our data we believe are good, but it's important the lawmakers provide clarity so the change is not confusing and too difficult.
Our goal in attending this hearing was to try and gain a better understanding of the GLB exemption written into the CCPA and how the rule affects our clients who are First Party Lenders and 3rd Party Vendors. We also wanted to learn how it affects their customers, and how this law affects the debt collection industry as a whole. We also were there to meet the authors of the law, and we’ll share more on that in a subsequent blog. Like most who attended, we came away with some additional clarity, but bottom line is there is still a lot of uncertainty.
As this law potentially affects every business in every industry that gathers data on Calif. consumers, the focus today was not on Debt Collection, but Debt Collection was discussed. EVERY SPEAKER applauded the intent of this law, but most also stated additional language is needed to better understand the implications, and to clarify the ambiguity before this goes live on January 1, 2020.
One speaker, from a prominent credit union in Northern California, asked several questions and made several statements regarding the GLB exemption, stating:
· They have to use data to locate people, as do their vendors, but they are unclear on how the GLB exemption applies to debt collection, and their 3rd party vendors in debt collection in comparison to the GLB law they currently follow – they need specifics or they feel they have risk
· They want to ensure the information security of their 3rd party service vendors related to the consumer data they gather will remain in place with the same standards, or will this law change this in any way?
o They already answer to several regulatory oversight entities and they would like to know if the Atty General will be working with the other entities so there is clarity in regard to what they need to do when conflict between rules or law exists
· They need additional language and definitions around the Opt-Out and deletion of consumer data language, specifically when it applies to consumers not their customers whose data is gathered in a report on their customer and they ask to see what data the credit union or their vendor gathered on them?
· They need clearer definitions and language around PII and what becomes PII by how their credit union employees and their 3rd party vendors may use and add to one piece of data by attaching it to another piece of data, so that the data can now become PII or sensitive data. Can everyone regulating them get together and decide what data needs to be regulated and what doesn’t, as the definition in CCPA of private info, or public info, is much more broad than in GLB?
· Will the Atty General provide scenario specific solutions?
When it was my turn to speak, I also spoke about debt collection, and it was ironic as for many years I was the vendor that the Compliance Officer before me spoke about, so in one sense I represented the 3rd party vendor who collects data on bank or credit union customers. As a software company whose clients use the data detailed in the CCPA in masterQueue, I also was speaking for the challenges our clients face in understanding this and how they want to address these laws, or not, within our masterQueue platform. My points were:
· This is an opportunity to improve an unstructured, manual data gathering process that is mostly determined by individual collectors, with very little oversight other than their experience and intuition in regard to what data they look at, gather and use.
o By adding technology and structure to the process, we believe our industry can do its part to document and validate what data is being gathered, exactly, and why was it gathered, exactly, and how was it stored and used, exactly. This is the foundation masterQueue was created on, well before these laws were written, BTW, as we believe strongly in data accountability and data privacy.
· This is an opportunity to put more secure guidelines in place on systems where data is stored after it’s sold or shared to ensure it’s in a secure platform that meets industry standards for holding this type of data. This is not the case today.
· We need clarification on the ambiguity around the GLB exemption.
Some clarity we learned from the speakers today:
· The “Uniform Opt-Out Logo Button” piece of the law was written to have an “Opt-Out” button placed on any page, on any site, that gathers consumer data.
· In June 2018, a poll was conducted amongst Calif Consumers and 81% approved of this law, and some said the approval rating is now much higher.
o As Accenture states in the article linked below, we see CCPA as an opportunity for Lenders to show their clients they are taking the gathering, organizing and tracking of consumer data seriously by being proactive
o https://financeandriskblog.accenture.com/regulatory-insights/regulatory-alert/the-challenge-and-the-opportunity-of-the-california-consumer-privacy-act
· Standards and specifications for a minimum viable product as a technology solution to be used to Gather, Organize and Track data being collected on consumers should be specified, and in reverse, consumers should be held accountable for their requests, so the data request process can be managed in a simple and user friendly way
· Eleven other states are writing similar laws right now; six are almost identical to the CCPA
· Since the similar General Data Protection Regulation (GDPR) law went into effect in the European Union in April 2018, the enforcement guidelines for GDPR may be a guide for what to expect from the Calif Atty General’s office in regard to how they will accept complaints and conduct enforcement. It was also noted the number of complaints in Europe has exceeded 100K in less than a year and this will be a huge enforcement task for the AG
· While the enforcement from the AG is not scheduled to start until mid 2020 to allow for the AG to set rule making for enforcement, recent proposed legislation makes these laws more lawsuit friendly once they go into effect in Jan 2020.
o What they have not done is extend the period where private lawsuits may commence, so effective Jan 1, one speaker noted it will be wide open for attorneys to start filing lawsuits for non-compliance.
https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en
The GDPR link to enforcement above says you can file a complaint if you believe your data protection rights have been infringed by the EU institution, for instance:
- Excessive amounts of your personal data is being collected;
  - mQ Comment - One stated intent of CCPA is to mandate that companies only gather data they have a permissible purpose and a business case to gather, and they only gather the minimal amount of information necessary for the business purpose for which the data is being gathered.
  - In many cases in debt collection, the same data is gathered over and over again, sometimes only days or weeks apart; everyone recognizes this issue but few seem willing to change to prevent this from continuing to occur, based on our experience
  - Change management is challenging and debt collectors and skip tracers for the most part perform a job function that many lenders feel can’t be automated, or task driven. We disagree, and have proven with many of our mQ clients that it is a process that can be built and managed with great success.
  - When it comes time for management to adopt changes in how debt collectors gather data and track data usage process, many companies turn their head and keep doing it the way they have since Hank Asher built websites to sell mass amounts of data to collectors who used to have limited data available to them.
  - Does a debt collector really need a comprehensive report on a consumer that may contain hundreds and hundreds of pieces of data on consumers other than the customer, i.e.:
    - Neighbors
      - NOTE - does anyone call neighbors anymore? Seems a bit overreaching and maybe only as a last resort after every other attempt was made.
    - People who lived with the customer at every address they’ve ever lived at
      - NOTE - we understand the need to contact people who live at the most recent address(es) but why not gather that one address at a time so you limit the amount of exposure to so many people’s data?
    - Every relative of the consumer
      - NOTE - if you need to contact a relative under FDCPA 804 for “Location Purposes”, no problem, but shouldn’t you gather a few names and contact info of a few relatives first, call them, and if no luck, pull some more data…versus pulling the data of a hundred relatives at a time, and shouldn’t you pull a person’s data once when they’re not your customer, but you need to contact them in regard to FDCPA 804?
      - What about the rule that says you can only call a person that’s not your customer one time during the life of the loan? No one follows that unless you’re using a system that is the same system your vendor uses and all internal collectors use, so you KNOW when you can’t call that person back during the life of the loan as they’ve already been called and you DO NOT have reason to believe they have new location information
- You have been refused access to your personal data;
  - Companies manually gathering data will be challenged to locate all the data manually gathered that’s stored in PDFs or in notes in loan servicing systems if they’re not using a system like masterQueue to gather, organize and track data
  - Data should be tracked and easily identified and shared, where applicable, with transparency available to the consumer, as every person reading this would want for themselves and for their data that someone is looking at.
- You have been refused the right to rectify inaccurate or incomplete personal data;
  - Aggregating data is challenging and difficult, and many times your data contains false positives as the companies aggregating the data have matching errors. There is a John Lewis in Utah that I don’t know that shows in almost every data provider’s record on me and I have no idea who he is, nor can I tell why we’re linked.
  - Data coming from the smaller data providers, or “free data”, is where most of the data errors occur – how many phone calls will we have to receive for wrong parties before a regulatory body holds the data providers more accountable for data accuracy on data they sell?
- Your personal data has been shared with third parties without your consent;
  - CCPA requires every piece of data sold or shared be tracked, which we do through integration or by direct use of our system between 1st party lenders and 3rd party vendors
- You are refused the right to block or erase inaccurate or irrelevant personal data about you;
  - masterQueue is built to identify data gathered and be able to block, do not call, or delete it on demand
- Your personal data is being processed illegally.
There are two situations in which you can submit complaints:
- Anyone whose personal data are processed by an EU institution can complain about that processing;
- Anyone who is employed by an EU institution can complain about breaches of the data protection rules by an EU institution, even if they are not personally affected. (Whistleblowers)
As we consider how 1st party Lenders and their 3rd party Vendors currently gather data on consumers for debt collection, skip tracing and repossession, a couple of the points above may be relevant, as noted in italic using examples of how we at masterQueue address these enforcement items the GDPR follows in the points above.
Another point worth noting is the period for submitting written questions and comments is Friday 3/8, and I believe that’s “received by”, but they didn’t clarify. The address to send your comments and questions to is:
Calif Dept of Justice
Attn: Privacy Regulations Coordinator
300 S. Spring St. Los Angeles, CA 90013
In speaking to Kevin Armstrong, a former manager at one of the largest repo companies in NorCal, former Director of Consumer Lending at KeyPoint Credit Union and current Credit Union Market Director at one of our clients, ALSResolvion, he identifies the risk facing any company with CCPA exposure by stating:
“Sometimes you have to understand and play by the rules of the playground you’re in, and not necessarily by the “rules” of a larger playground. One thing we’ve learned in State vs Federal case history is that Federal rules don’t always trump a State Judges’ interpretation of a State vs Federal law when they’re ruling from the bench”.
If we are all dedicated to protecting people's data and we all work together as a team, the tools are in place in masterQueue, and I'm sure will also soon be in place in many software platforms now that laws like these are coming to pass. It takes teamwork, but there is no reason why we, as an industry, can't effectively Gather, Organize and Track the data used in debt collection in a more efficient manner than the current manual processes that still dominate today's debt collections world.
Husband, Father, Grandfather, Volunteer, Board Member, Writer and Retired Entrepreneur
6 years ago: Looks like you can also send comments and questions by 3/8 to this Email: [email protected]
Finance Analyst at AT&T - Retired
6 years ago: Thank you for sharing this.