Collecting in the Wild West: Impacts and Updates for Collection Operations in the Face of Emerging Privacy Regulation in California and Washington State

By: Aki Estrella

IN BRIEF

  • Most, if not all, states will likely implement new data privacy laws in the years to come.
  • Despite the exceptions provided by the laws of two such states for financial institutions that follow the GLBA, there will be gaps that will require adjustments to compliance practices.
  • Any entity that is involved in debt collection should consider taking additional steps with the information it collects.

After the enactment of the General Data Protection Regulation (GDPR) in Europe, privacy experts foresaw that it would be only a matter of time until similar privacy laws—ones that gave consumers more control over their personal data and the way it was used—were enacted in the United States. Several states have already either implemented new laws or are amending existing laws that surround consumer protection and the privacy of consumers’ information. Of note is the California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020.[1] Washington State, home of Amazon and Microsoft, recently introduced Senate Bill 5376, the Washington Protection Act (WPA), which will offer consumers a way to oversee and manage their personal data.

The Laws

As with the GDPR, there are business-use exceptions that make it possible for most financial institutions, debt collectors included, to continue using personal data in their businesses without disruption. Both the CCPA and WPA provide exceptions for financial institutions that collect consumer information while complying with the Gramm-Leach-Bliley Act (GLBA); however, within the framework of these new privacy regulations, ensuring compliance may not be as straightforward as it seems at first glance.

The GLBA governs the privacy of consumer and customer information for financial institutions of all types. It is based on the customer’s/consumer’s relationship with a financial institution or service provider and requires the financial institution to protect information a customer or consumer has given to the financial institution. The institution also must disclose its privacy policy and practices as well as the types of information it may share with others.[2] Put simply, when it comes to information about consumers and customers, financial institutions must disclose how they will use the information, and the GLBA gives consumers the right to opt out of certain types of that use if it means information will be shared with a third party. These conditions apply to certain information given by the consumer in the pursuit of its relationship with the financial services provider or financial institution. In the GLBA, the protected information is called “nonpublic personal information,” which is defined as any information provided by a consumer in order to obtain a financial service or product.[3] This is important when discussing the WPA and CCPA because, as noted above, both acts have an exception for personal information obtained pursuant to the GLBA, although the designation and type of information protected under these acts are very different.

The CCPA and WPA

The CCPA and the WPA protect a broad range of personal information. Although the GLBA is focused on protecting information that is given to an institution in the conduct of business for personal, household, or family purposes,[4] the state acts create rights for consumers to access, delete, and better control the use of nearly any information that can identify them. The CCPA, for example, defines the information that it protects as “any information that identifies, relates to, describes or is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household,”[5] and the WPA defines its protected information as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”[6] Both the California act and the pending Washington act offer consumers the right to access and to delete their personal information with some exceptions. There are several types of information that are excepted from both acts, such as the information that is already regulated and protected by certain privacy or information statutes like the Fair Credit Reporting Act, the Federal Driver’s Privacy Protection Act, and, of course, the GLBA; however, unlike the other acts, the exception for information gathered pursuant to the GLBA is not comprehensive.

When the CCPA was originally passed, it excluded “personal information collected, processed, sold or disclosed pursuant” to the GLBA if it was in conflict with that law.[7] The language was changed, removing the caveat that required the CCPA to be in conflict, which effectively excluded all information collected under the GLBA; however, with this change, new language made it clear that consumers would have a private right of action around any GLBA-collected information in case of a breach.[8] Additional language was recently presented with the backing of California’s attorney general that, if passed, would subject information that financial institutions collect pursuant to the GLBA to a private right of action for any consumer whose rights under [the] title are violated.[9] Again, the CCPA creates rights to access, delete, and be notified about personal information for all California residents. As it stands currently, this opens the door for private rights of action against any information about a financial consumer that is not gathered pursuant to GLBA, and will allow consumers to assert their rights for personal information that is collected and processed pursuant to the GLBA. Similarly, the Washington Protection Act excepts information collected under the GLBA, but only if it complies with that law.[10]

Thinking about Compliance, Debt Collection, and Privacy

When collecting a debt, in addition to customer information collected pursuant to the GLBA, an entity may have additional personal data that is part of a loan or collection file. For example, a customer may provide a reference for a loan, or a co-signor’s personal information may be included in the loan file, but not subject to the obligations that financial institutions owe to consumers and customers. The GLBA does not require disclosures for parties affiliated with the customer that may be a part of the financial information that they provide. This information is still personal data as defined in the WPA and CCPA, and because it is not governed by the financial institution’s ongoing GLBA obligations to consumers, it may fall squarely into the states’ acts. Even if such information were considered as “complying with the GLBA” under the WPA, it still may be subject to the private right of action pursuant to the CCPA. Additionally, compliance with the GLBA is not so clear cut. Information that can be considered “publicly available” is not subject to the privacy and protection rules of the GLBA and is often subject to an institution’s reasonable belief about the information.[11]

Ultimately, despite the exemptions provided by the WPA and CCPA for institutions that follow the GLBA, there are likely to be gaps that require thinking about ways to adjust practices to comply with the state laws and to allow Washington and California consumers to exercise their full rights. Debt collectors, both creditors and others who engage in debt collection, must evaluate the nature of the data that they hold and prepare to respond to the exercise of consumer rights implemented by these acts. To prepare, any entity that is involved in debt collection should consider taking additional steps with the information that it receives. Overall, a more holistic approach to consumer data will ease compliance as the privacy landscape continues to change:

  • Consider data holistically. Consider implementing practices that look at the best way to protect all of the data your entity receives, not just customer or consumer data. Information that comes through marketing, employment, and even that which is offered incidentally to a credit transaction or financial service can change your compliance obligations.
  • Identify noncustomer personal information. During an application process or the acquisition of a new file for collection, consider noting when a person other than the customer has personal information in the file and denote that it exists.
  • Segregate noncustomer personal information. Segregating personal information will help avoid risk and assist you or your client in responding to valid consumer requests under the WPA and the CCPA.
  • Prepare to respond. The rights instituted under the WPA and the CCPA are likely to impact your organization even if it is complying with the GLBA. Mitigate risk by preparing to respond to customer requests for information. Consider the form of the requests that your organization will accept, what your responses will look like, how to minimize the time spent responding, and how to ensure that California and Washington consumers get the best customer service possible. Keep in mind that other states are likely to follow.
  • Train staff. Training staff to focus on what constitutes personal data will improve their ability to track and preserve it across the organization, reducing the costs of compliance and lowering the likelihood of a lawsuit.

[1] There are multiple proposed amendments that have been presented to change the CCPA, and the amendments cover a variety of subjects. No one is exactly sure what will happen come January 1, 2020.

[2] The FCRA, like the GLBA, provides certain exceptions and restrictions related to affiliate disclosures. These can be found at 15 U.S.C. § 1681s; however, this article is not intended to address those restrictions.

[3] 16 C.F.R. § 313.3.

[4] 15 U.S.C. § 6807.

[5] CCPA § 1798.140(o).

[6] WPA § 3(16).

[7] CCPA § 1798.145(e) (2018 version).

[8] CCPA § 1798.145(e) (second version).

[9] CCPA § 1798.150 (as proposed by SB 561, Feb. 22, 2019).

[10] WPA § 4(f).

[11] 16 C.F.R. § 1016.3(r).
