Three Steps Every Company Must Take Today to Avoid CCPA Class Action Liability

ACA International member attorney provides best practices for compliance with the new California data privacy law.

1/7/2020 10:30 AM


By Michael T. Etmund

The effective date of the California Consumer Privacy Act (CCPA) was Jan. 1, 2020. Unfortunately, the California legislature rushed the CCPA into law with broad language and limited guidance. Further, it is presumed that consumer attorneys will target financial services companies—including banks, fintechs, automobile lenders, debt collectors and debt buyers—for alleged violations of the CCPA with individual and class action lawsuits brought under the Rosenthal Act or other provisions of state or federal law. Thus, it is crucial that all financial services companies understand how to comply with the CCPA. 

Your company is most likely not exempt from the CCPA.

The CCPA applies to for-profit entities that:

  1. Generate annual gross revenue of $25 million; or
  2. Alone, or in combination, annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
  3. Derive 50% or more of annual revenue from selling consumers’ personal information.

There is a common misperception that if a company complies with federal privacy laws—such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA)—the company is exempt from complying with the CCPA. This is not entirely accurate. Many categories of consumer information typically collected by financial services companies (such as biometric data and internet activity information) are arguably not subject to the GLBA or HIPAA. The handling of these categories of data for accounts otherwise covered by the GLBA or HIPAA would likely fall within the purview of the CCPA. Accordingly, the most efficient way to service all data on such accounts is to comply with the CCPA.

Your company website should be updated immediately to reflect a CCPA-compliant privacy policy.

While posting a privacy policy on a company’s website is a best practice for any business, the CCPA requires disclosures to consumers regarding at least 11 categories of personal consumer information. In addition, the CCPA requires that a company disclose its policies on gathering, sharing, retaining and deleting information, and the rights of California consumers regarding that data.

The first step in drafting a CCPA-compliant privacy policy is to map the categories of data maintained by your company and the sources of that data. The completed data mapping will provide the information necessary to begin crafting a CCPA-compliant privacy policy and will provide an opportunity for your company to evaluate the data it collects and the utility of that data. 

Devise a strategy to respond to “verifiable consumer requests” to identify and delete data.

Two of the key consumer protection features of the CCPA include the right of the consumer to request disclosure of what data is collected about a consumer and the right to request deletion of a consumer’s information. Companies should be ready to respond to such requests immediately. The law requires that a company respond to requests for categories of information or requests for deletion within 45 days, with one 45-day extension. 

Please note that a company is required to respond only to a “verifiable consumer request.” Thus, it is crucial that a company be able to verify the consumer’s request before responding. There are exemptions to the consumer’s right to require a company to delete information, including:

  • Data needed to complete a transaction;
  • Data necessary to comply with legal obligations; and
  • Data used in a lawful manner that is compatible with the context in which the consumer provided the information.

Every company should immediately have a strategy in place for responding to such consumer requests for disclosure and/or deletion in a manner that conforms to the law. Even though an individual review of each consumer request is required, if your company anticipates that its responses to consumer requests will be identical, templates for responding to consumer requests in writing and scripts for responding to consumer requests by phone are highly recommended to ensure consistency.

Michael T. Etmund is an ACA International member and attorney with Moss & Barnett in Minneapolis.

Author's Note: This article is provided only as a general discussion of legal principles and ideas. Every situation is unique and must be reviewed by a licensed attorney to determine the appropriate application of the law to any particular fact scenario. If you have a legal question, consult with an attorney. The reader of this publication will not rely upon anything herein as legal advice and will not substitute anything contained herein for obtaining legal advice from an attorney. No attorney-client relationship is formed by the publication or reading of this document. Moss & Barnett assumes no liability for typographical or other errors contained herein or for changes in the law affecting anything discussed herein. 
