Archives for February 2019

A major issue has been brewing for more than a year among data furnishers and credit bureaus regarding a practice that is sometimes known as “pay for deletion.” This is where a debt collector will tell a consumer that, in exchange for payment, they will delete the tradeline from the consumer’s credit report. This practice is expressly against the rules set out by the Consumer Data Industry Association (CDIA) guidelines, and some argue that it undermines the credit system.

insideARM received a copy of a letter sent September 5, 2018 by Kevin Stevenson, the President and CEO of PRA Group, Inc., to the leaders of Transunion, Equifax, Experian, CDIA, and federal regulators including the Board of Governors of the Federal Reserve, CFPB, OCC, and FTC. The letter provides an interesting history of the matter.

Stevenson outlines the problem:

“Our debt buying competitors are deleting tradelines from the Credit Bureaus upon payment or settlement in full. As you are likely aware, this is a clear violation of the Metro 2 standard.

For your reference, Encore Capital announced this policy over a year ago. 

We respect the integrity of the credit bureau data as well as our contractual agreement to abide by the Metro 2 format. 

Please understand that when these tradelines are deleted by debt buyers there is NO record anywhere of that charged off account, as all sellers, except for one, delete the tradeline upon sale.” 

He argues that the lack of response to his considerable outreach on this issue has put his firm at a competitive disadvantage because consumers regularly become frustrated and note that others offer the “delete for payment” benefit. He also suggests that the failure of the Bureaus to enforce the CDIA policy is creating a “data integrity issue that may prove extremely harmful to parties who rely on such information in making lending decisions.”

Stevenson concludes,

“We now are forced to assume that you do not agree with us that the Pay for Deletion practice is a systemic risk to the financial system by corrupting the integrity of your credit reporting data. Therefore, PRA will adopt a Pay for Deletion policy, effective October 1, 2018. Upon adoption, our new policy will result in just under 3 million tradelines being deleted from the Bureau’s systems immediately, and millions more as the years go by.”

Indeed, the company did begin this practice late last year. On January 15, 2019, insideARM noticed a “pop-up” FAQ on the PRA website, highlighting that it will now request the deletion of tradelines for accounts that are resolved. That pop-up no longer appears on the website, but here is a screenshot of what we noticed:

The landing page which provided further details also appears to have been removed from the website (at least I couldn’t find it), but here is a screenshot of what we saw in January:

The FAQ says that PRA will request that credit bureaus delete their tradeline approximately 30 days after a consumer’s final payment. The company also notes, “We do not control the timing within which the credit reporting agencies process our requests. For further assistance pertaining to your credit report, please contact the credit reporting agencies.”

As for the Encore policy, here is a direct link to their January 10, 2017 press release (it was hard~ish to find, as it’s no longer referenced on their Newsroom page), which begins:

Encore Capital Group, Inc. (NASDAQ: ECPG), an international specialty finance company, today announced it has enhanced its credit reporting policy for collections tradelines, dramatically shortening the time certain negative information remains on a consumer’s credit report. Now, after only two years, rather than the current industry-standard seven-year period, all of Encore’s U.S. subsidiaries (Midland Credit Management, Midland Funding, Asset Acceptance, Atlantic Credit & Finance) will remove credit report tradelines (the payment history of a consumer’s credit account provided to the major credit reporting agencies) on accounts where the consumer has paid or otherwise settled their debt. Encore is the first debt recovery solutions company to adopt such a consumer-centric policy. This policy change is important for consumers seeking to re-establish their financial independence after working hard to pay off a debt.

Two consumer groups provided positive comment for the release about the policy and how it helps consumers to earn a second chance:

“Encore’s tradeline policy change is a huge benefit for consumers who have stepped up to pay off their debt obligations,” said Steve Rhode, consumer advocate and author of GetOutofDebt.org. “I know personally how important this can be to those who are trying to earn a second chance.”

“Many times people find themselves in a position to bounce back from financial setbacks, but there remain hurdles like the standard tradeline policy that hinder recovery,” said John Fisher, chief relationship officer of Money Management International, a nonprofit, full-service credit counseling agency. “With this decision, Encore is helping remove a barrier for people working hard to make progress in their financial lives.”

I gathered input for this article from Debb Gordon, Ph.D. She was formally the CFPB Program Manager for Markets for Credit Reporting, Scoring, Big Data and Alternative Data. She also is a statistician, and worked at FICO for 9 years. She offered the following thoughts on the consumer advocates’ perspective:

“It may be true that the deletion enables a consumer to have a second chance, however, because many of the credit issues consumers encounter are derived from job loss or medical issues, they are not in a viable position to graduate from a credit score that reached sub-prime to a score that was artificially generated by the deletion to be Prime or Super Prime. 

This creates significant issues for the credit economy in general. When a financial institution validates their credit scores, this will place two very different credit-worthy individuals in the same score band. The ability to offer prime rates and terms to one client who can well afford the credit will be negatively impacted as the probability of reoccurrence of default or minor and major derogatories will occur for the other consumer due to the deletion.  There would be no way to distinguish one consumer from the other.

The lack of credit score validation will drive approval rates up and the benefitted consumer would soon find they were not credit worthy any longer. This will make the credit market tighter and will have a significant effect on the housing market, auto sales and credit card availability, rates and limits. In the long term, this will create a recession. The short term idea of a win-win will actually turn into a long term lose – lose scenario.”

The iA Perspective

On the promise of anonymity, I spoke with some credit bureau insiders. One individual mentioned that Encore/Midland’s policy is to delete paid tradelines two years after the first date of delinquency. I wonder how that is explained to the consumer. I suspect if we’re talking about purchased debt, it’s possible that two years has typically already elapsed by the time the organization receives a final payment. But still, it could be pretty confusing, and difficult to set expectations about when the deletion will happen.

Another practice I heard about is that some debt buyers’ policy is to not report newly purchased accounts to the credit bureaus for 120 days. This allows them to attempt to collect first, and to tell consumers there is a window during which they can pay, and the account won’t be reported.

Reacting to this, Gordon said, “If the debt buyer does not report to the credit bureaus, then the original tradeline MUST remain on the consumer’s record. The offer to the consumer can also be determined to be extortion and will violate the UDAAP statute. This is a threat to the consumer to pay.” 

A third point worth making highlights a discrepancy between a claim made by PRA’s CEO and what may actually be happening. Stevenson said in his letter that “…all sellers, except for one, delete the tradeline upon sale.” I was told by one of those insiders that a majority of major issuers in fact leave their charge-off trade line on the credit file with a remark code of “SOLD.” While I don’t have data to support this, the latter practice certainly makes more sense to me, as it is an accurate reflection of what happened with the account.

Gordon said that many of the issuers will delete their tradeline once the sale is complete. The debt buyer is required by Metro 2 to list the originator so the consumer can identify the origin of the debt.  

Finally, it was conveyed to me that credit bureaus have a responsibility to review and execute any complete/accurate requests for tradeline updates; their mission is to create an environment where the consumer’s file is as complete and accurate as possible. They could threaten to exclude a furnisher for violations like Pay for Delete, but then they would also likely be excluding millions of tradelines that are not ultimately deleted (evidently, the lion’s share of purchased accounts). This would cause greater credit report inaccuracy than deleting the delinquent but ultimately paid tradelines. So, they claim they don’t really have the teeth required to enforce all of the CDIA’s guidelines.

What does the Fair Credit Reporting Act (FCRA) say about this? The law says creditors who furnish information about consumers to consumer reporting agencies must:

• Provide accurate information, which includes the duties to:
• correct and update information;
• provide notice of dispute or closed accounts;
• provide notice of delinquency of accounts; and
• provide notice of identity theft-related information
• Inform consumers about negative information which will be or already has been furnished to a reporting agency (no later than 30 days after furnishing).
• Investigate certain disputes submitted directly by consumers.

According to Gordon, it is clear that deletion only pertains to disputes or fraud. Deleting the tradeline in full should only occur in a case of identity theft and/or fraud. She referenced Metro 2, page 2-7: (Note: Paid in full collection accounts must not be deleted.) 

Finally, Debb Gordon offered this comment,

“I spoke with PRA Group previously and they delayed ‘pay for deletion’ as long as they could and still stay competitive in their market. If the CFPB, FTC, or the Federal Reserve is not monitoring or issuing consent orders on this topic, they needed to match Encore’s behavior to stay competitive.

This problem has a wholesale effect on the entire credit score-based industry that will result in tightening credit across the board. As financial institutions realize that a score does not mean what they thought (due to poor credit individuals’ tradelines being cleansed from the credit bureaus), they will need to increase reserves, increase CECL calculations and restrict credit to meet their regulatory requirements to lend. This will ultimately show up in the model risk management validations going forward, and will also have a direct effect on Fannie Mae, Freddie Mac, and Sallie Mae credit models. Ultimately, this could result in a widespread recession similar to that of 2008.”

The FCRA does grant the Consumer Financial Protection Bureau (CFPB) both enforcement and rulemaking authority in connection with those it supervises, which would include debt buyers and debt collectors, and many — but not all — data furnishers. So the CFPB could address this policy if it chose to. 

Download the accompanying whitepaper: On the Horizon? Delete-for-Pay Lawsuits

On February 12, Sen. David Perdue (R-GA), a member of the Senate Banking Committee, introduced Senate Bill 453, also known as the CFPB Accountability Act of 2019. According to the text of the bill, it would amend the Consumer Financial Protection Act of 2010 to subject the Consumer Financial Protection Bureau (CFPB) to the regular appropriations process.

A press release issued the same day that the newest bill was introduced, Sen. Perdue stated:

Dodd-Frank gave the CFPB unprecedented power with no Congressional oversight. Despite the new Director’s efforts to bring transparency to the Bureau, its structure is still completely unconstitutional. The American people deserve a closer look at the CFPB to understand how its actions will impact consumers.

The bill is co-sponsored by seventeen republican senators.

Sen. Perdue has introduced a similar bill in the past. In 2015, Sen. Perdue introduced S. 1383 (114^th Congress). In 2016, Sen. Perdue sponsored S. 3318 (114^th Congress). Both bills were likewise titled as the Consumer Financial Protection Bureau Accountability Act, the only difference in the titles was the year. The House of Representatives saw a similar bill in 2015 in H.R. 1261 (114^th Congress), sponsored by Rep. Sean Duffy (R-WI).

[article_ad]

insideARM Perspective

The CFPB not being subject to Congress’ power of the purse is one of the two main arguments over the past year or so in court cases arguing that the structure of the CFPB is unconstitutional. Three main cases come to mind.

1. The argument was first introduced in PHH Corp. v. Consumer Financial Protection Bureau, which founds its way through the D.C. Circuit Court of Appeals. At the en banc review phase, ultimate the D.C. Circuit found the structure of the CPFB is constitutional in January 2018.
2. In September 2018, a petition for writ of certiorari – a request for the U.S. Supreme Court to hear the case – was filed in State National Bank of Big Spring v. Mnuchin. The Supreme Court denied that petition on January 14 of this year.
3. A similar case, CFPB v. RD Legal Funding, has been brewing in New York. The district court found that the Bureau’s structure is unconstitutional. The CFPB appealed to the Second Circuit, where the case is still pending.

While the issue seems stalled in the court system, Sen. Perdue continues his efforts to challenge the CFPB’s structure – at least its appropriations – through the legislative branch. Of note, the prior two iterations of Sen. Perdue’s bill were introduced while Former Director Cordray still ran the Bureau. It seems that the change in Bureau leadership has done little to assuage Sen. Perdue’s efforts on the issue.

As I have written repeatedly, the TCPA is quite unfair to corporate officers who would usually have no liability for the acts of a corporate entity. In most tort situations, a corporate officers knowledge and participation in a company’s illegal conduct would—at most—make the corporation subject to enhanced (punitive) damages, but the corporate officer herself would suffer no personal exposure.

The TCPA is so so very different. TCPAland is full of stories of individuals facing unfair personal liability for the acts of corporate entities—often to the tune of millions in personal exposure. The most common line of cases holds that if a corporate officer “directly participated” in the illegal fax or call campaign that she may be held liable for those calls as if she made the calls herself. At $500.00 (minimum) per call those damages can add up fast—and personal liability for treble damages ($1,500.00 per call) is not unheard of.

Making matters even scarier, a Plaintiff recently sued the CEO of a medical supply company arguing that he was liable for illegal faxes sent by the company merely by virtue of his not implementing TCPA policies! In Arwa v. Med-Care Diabetic & Med. Supplies, 14 C 5602, 2019 U.S. Dist. LEXIS 22087  (N.D. Ill Feb 11, 2019) the court was asked to determine whether faxes sent to complete the process of filling orders previously placed by customers contained advertising materials as defined by the TCPA. The Court held that the faxes were not advertisements to begin with, but also paused to address the allegations against the Defendant’s CEO who was being personally pursued in the action. After determining that the corporate officer has no direct participation in the illegal conduct the Court refused to hold him liable merely because he knew the illegal conduct was ongoing.

Most importantly, however, the Court rejected the Plaintiff’s argument that the officer was liable for the faxes because he failed to implement TCPA compliance policies. The Court rejected this proposition however, noting that the case cited by Plaintiff was off point and the Arwa court would not abide the expansion of direct liability to so great an extent.

It is also notable that Arwa makes mention of City Select Auto Sales Inc. v. David Randall Assocs., Inc., 885 F.3d 154, 159-161 (3d Cir. 2018) wherein the “direct participation or authorization” standard for TCPA liability was “questioned” by the Third Circuit, which suggested that officers should rarely be held liable under the TCPA if acting in their corporate, rather than personal, capacities. As TCPAlanders know, I have been trumpeting City Select for some time and it is nice to see a district court outside of the Third Circuit take notice.

So there you have it. Stay safe TCPAland.

—

Editor’s Note: This article is published on insideARM with permission from the author.

On February 7, Rep. Maxine Waters (D-CA) and Rep. Al Green (D-TX) submitted a request for documents to the Consumer Financial Protection Bureau (CFPB or Bureau) related to recent settlements the Bureau entered with certain financial services companies. This request was included in a three-page long letter to the Bureau’s Director Kathy Kraninger.

The letter opens with:

The Consumer Financial Protection Bureau (“Consumer Bureau”) has recently announced several settlements against entities for engaging in unlawful practices without requiring the payment of redress to consumers harmed by the illegal conduct. This stands in stark contrast to the Consumer Bureau’s practice under the leadership of former Director Cordray. During Director Cordray’s tenure, the Consumer Bureau recovered nearly $12 billion in relief for harmed consumers over its first six years. American consumers deserve a Consumer Bureau that will fight to recover their hard-earned money when they are cheated.

The letter goes on to outline three settlements entered into since the beginning of the year where, according to the letter, redress to consumers was missing. The three settlements include:

1. Sterling Jewelers Inc., where the company was accused of enrolling credit card customers into a payment protection plan without consent. The settlement includes a $10 million penalty payment, but does not include a refund for consumers impacted by the company’s actions.
2. Enova International, Inc., where the company was accused of debiting consumers’ bank accounts without authorization. The settlement included a $3.2 million penalty, but does not include a redress to consumers for “extract[ing] millions of dollars in unauthorized debits from consumers’ accounts.”
3. NDG Financial Corp., where the company is accused of collecting on payday loans made in violation of state law. The settlement did not require the company to provide relief to impacted consumers.

The documents requested include any communications the between the Bureau and others, including the accused companies listed above, related to restitution or redress to impacted consumers.

[article_ad]

insideARM Perspective

Rep. Waters made it clear that she would focus her attention at the CFPB if she were to become the Chair of the House Financial Services Committee. As far back as October – shortly before the midterm election that resulted in Democratic control of the House of Representatives – Rep. Waters took action directed at the CFPB by introducing a bill that would require the CFPB to meet its statutory purpose. A month and a half after being chosen to serve as the Chair of the Committee, it seems Rep. Waters is keeping true to her word.

Editor’s Note: This article was originally published on the Maurice Wutscher blog and is republished here with permission.

Newly introduced legislation in Texas, House Bill 996, addresses when a debt buyer can initiate legal action or arbitration to collect a consumer debt and requires specific notices with respect to out-of-statute debt.

“Debt buyer” is defined as “a person who purchases or otherwise acquires a consumer debt from a creditor or other subsequent owner of the consumer debt, regardless of whether the person collects the consumer debt, hires a third party to collect the consumer debt, or hires an attorney to pursue collection litigation in connection with the consumer debt. The term does not include:

• a person who acquires a charged-off debt incidental to the purchase of a portfolio that predominantly consists of consumer debt that has not been charged off; or
• a check services company that acquires the right to collect on a paper or electronic negotiable instrument, including an Automated Clearing House (ACH) authorization to debit an account that has not been processed.”

The legislation provides that a debt buyer cannot commence legal action or initiate arbitration “later than the earlier of:

• the fourth anniversary of the date of the consumer’s last activity on the consumer debt; or
• the expiration date of any otherwise applicable statute of limitations.”

Unlike several other states that require one of two notices for collecting out-of-statute debt, determined only by age of the debt, the Texas debt buyer legislation provides an additional option to account for debt buyers that do not credit report.

First, if the credit reporting period has not expired and the debt buyer does credit report:

THE LAW LIMITS HOW LONG YOU CAN BE SUED ON A DEBT. BECAUSE OF THE AGE OF YOUR DEBT, WE WILL NOT SUE YOU FOR IT. IF YOU DO NOT PAY THE DEBT, [INSERT NAME OF DEBT BUYER] MAY CONTINUE TO REPORT IT TO CREDIT REPORTING AGENCIES AS UNPAID FOR AS LONG AS THE LAW PERMITS THIS REPORTING. THIS NOTICE IS REQUIRED BY LAW.

Second, if the credit reporting period has not expired but the debt buyer does not credit report:

THE LAW LIMITS HOW LONG YOU CAN BE SUED ON A DEBT. BECAUSE OF THE AGE OF YOUR DEBT, WE WILL NOT SUE YOU FOR IT. THIS NOTICE IS REQUIRED BY LAW.

Third, if the credit reporting period has expired:

THE LAW LIMITS HOW LONG YOU CAN BE SUED ON A DEBT. BECAUSE OF THE AGE OF YOUR DEBT, WE WILL NOT SUE YOU FOR IT, AND WE WILL NOT REPORT IT TO ANY CREDIT REPORTING AGENCY. THIS NOTICE IS REQUIRED BY LAW.

The notice would need to be “in at least 12-point type that is boldfaced, capitalized, or underlined or otherwise conspicuously set out from the surrounding written material.”

[article_ad]

WILMINGTON, Del. — Phillips & Cohen Associates, Ltd., the international deceased account management specialist, servicing creditors in the US, Canada, UK, Ireland, Australia, Spain and New Zealand, reaffirms its commitment to the importance of data and information analysis with the appointment of Dani Shi as Senior Vice President of Global Data Systems & Analytics.    

In this newly created position, Ms. Shi will lead PCA’s growing analytics, MIS and platform management teams in all markets served by the company.

“We are thrilled Dani has joined our executive leadership team as we take another step forward in the use of analytics to drive our global strategies and innovations.  With her considerable experience and education, she is ideally situated to lead our data-driven, strategic vision,” said Howard Enders, President and CLO.

Ms. Shi possesses extensive experience in process, strategic and quantitative analytics in the collections space for multiple large-scale financial institutions, most recently serving as SVP – Risk Analytics for Citi.  She earned a Bachelor (Honours), Economics and International Studies from La Salle University and a Masters, Economics from Temple University.

About Phillips & Cohen Associates, Ltd.

Phillips & Cohen Associates, Ltd. is a specialty receivable management company providing customized services to creditors in a variety of unique market segments.  Phillips & Cohen Associates, Ltd is domestically headquartered in Wilmington, DE, with additional offices in Colorado and Florida as well as international offices in the UK, Canada, Australia and Spain.  For more information about Phillips & Cohen Associates visit www.phillips-cohen.com.

PCA provides Equal Employment Opportunity for all individuals regardless of race, color, religion, gender, age, national origin, disability, marital status, sexual orientation, veteran status, genetic information and any other basis protected by federal, state or local laws.

BOCA RATON, Fla. — RSource Healthcare announces the promotion of Lane Baker to the position of Chief Development Officer. RSource CEO, Larry Reid, made the announcement on Wednesday and said; “We are very pleased to announce the promotion of Lane Baker to the position of Chief Development Officer. Lane has been with RSource almost 7 years, and most recently in the position of Executive Vice President of Client Development. Lane’s efforts as a member of our executive team have greatly contributed to our company’s growth, client satisfaction, and client development. In Lane’s new position, he will play a lead role with client development, corporate strategies, strategic partnerships and integration of RSource’s services within hospital systems nationwide.”

About RSource

RSource Healthcare provides increased revenue along with financial-enhancing improvements in connection with a healthcare system’s revenue cycle. Solutions include denial recovery and prevention for Coordination of Benefits and other issues requiring patient involvement, Clinical Denials, and MVA and Workers Compensation programs.  All RSource programs are designed to maximize netback, enhance patient satisfaction, and provide actionable knowledge feedback to a healthcare system to improve front-end processes.  For more information visit RSource’s website at www.rsource.com.

CHANDLER, Ariz. — LucentPay, a full-service payment processor leading the way with the industry’s most compliant fee-enabled solution, announces its No-Cost-to-Biller™ solution is now integrated with Latitude by Genesys (“Latitude”). The integration enables Latitude customers to automatically direct fees to LucentPay instead of routing them through the collection agency. Genesys® (genesys.com) is the global leader in omnichannel customer experience and contact center solutions that power 25 billion of the world’s best customer experiences each year.

Rob Kennedy, Co-Founder and CEO of LucentPay said, “We are extremely pleased our No-Cost-to-Biller software solution is now fully integrated with Latitude so clients can access to the most compliant fee model available. LucentPay’s No-Cost-to-Biller software solution is compliant with Card Brand rules, FDCPA, CFPB and state laws.”

“Genesys has a rich history of collaborating with industry leaders to extend the value of our solutions” said Ian Winder, Product Line Manager and Business Owner of Latitude by Genesys. “We are pleased to work with LucentPay, an industry leading payment processor, to offer our customers their No-Cost-to-Biller software solution through our Latitude by Genesys accounts receivable suite.”

About LucentPay

LucentPay (lucentpay.com) is a full-service payment processor revolutionizing merchant services by providing best-in-breed payment solutions. The leaders in integrated fee-enabled processing and creators of the No-Cost-to-Biller™ solution which focuses on eliminating processing costs in a compliant manner. We’re excited to simplify payments through our full suite of solutions, PCI Level 1 technology, next day funding, software, education, and community. LucentPay also offers competitive pricing for standard payment processing through a number of great banking relationships to mitigate risk, next-day funding, and comprehensive payment acceptance (Visa, MC, Discover, AMEX, HSA/ Flex Cards, etc.).

Editor’s Note: This article was written by Lauren Valenzuela, Compliance Counsel at Performant Financial Corp., and June Coleman, Of Counsel at Carlson & Messer LLP. It is published on insideARM with permission from the authors. 

On February 5th, the California Attorney General’s (“AG”) Office held its fifth public forum in Sacramento to collect feedback about the California Consumer Privacy Protection Act (“CCPA”). Under the CCPA, the AG is responsible for developing regulations to support the CCPA. The Sacramento forum was well attended and active – people from coast to coast participated.

Even if you are a business outside of California that collects personal information for any California residents, you should pay attention to this law.  In case anyone reading this article needs an orientation to the CCPA, essentially it gives California residents unprecedented rights over their personal information:

1. The right to know what personal information is being collected about them.
2. The right to access the personal information collected about them and request it be deleted, although there are exceptions to the right to delete.
3. The right to know whether their personal information is sold or disclosed and to whom.
4. The right to opt-out of the sale of their personal information.
5. The right to have equal service and pricing even if they exercise their rights under the CCPA.

Although people at the forum expressed support for the CCPA and recognized the value of what it is trying to achieve, many people voiced concerns surrounding its current design and asked the AG to provide guidance on many of its provisions. Here are highlights of some issues raised at the forum.

[article_ad]

Expansive Definition of “Personal Information”

The CCPA’s definition of “personal information” is broad. It includes data which identifies, relates to, describes, or is capable of being associated/linked with not only a consumer, but also a household. Many people expressed concerns over the definition’s inclusion of “household.” For example, in theory a roommate or an estranged spouse could request “personal information” related to the household they are (or were) part of, thereby gaining access to information for everyone in the household for the 12-month period preceding the request. A person requesting personal information related to a household could conceivably result in a breach of the other people’s privacy who are in the household; not to mention, how do you authenticate the identity of a person in a household who is not the primary person on an account? People also highlighted safety concerns about disclosing information about a household.  Many commentators asked the AG to provide clarification, and perhaps rein in, how to approach households within the definition of personal information.

Commentators also asked the AG to rein in the definition’s inclusion of employment-related and education information included in the definition of “personal information.” For example, could an employee request that an employer delete any part of their employment records – can an employee found in violation of a company’s anti-harassment policy request their employer to delete that information about them? Can a student request that a school delete their bad grades? Under the CCPA’s current unregulated design, these things are conceivable. Under the CCPA, it is not hard to imagine a consumer requesting that a debt collection agency delete their personal information. Luckily the CCPA does provide nine exceptions to consumers’ right to request deletion of their personal information, and we believe that debt collection agencies and law firms would most likely fall into one or more of those exceptions.  However, it would be helpful for the AG to tease out those exceptions so that a myriad of industries know how they apply (or don’t apply) and consumers will know when their request falls within an exception.

Safe Harbor if a Company Provides Information to a Fraudster 

If a consumer’s identity is stolen, how does a business protect that consumer from a fraudster who has enough information to “verify” the consumer’s identity, potentially giving a fraudster the ability to gather more information on their victim? Given the expansive definition of “personal information,” a fraudster could in theory gain access to an enormous amount of consumer personal information by using the CCPA. One public commentor asked the AG to provide a safe-harbor to businesses that respond to a verified consumer request when that request was made by a fraudster.

Scope of Exceptions

The CCPA does not apply to certain types of personal information. For example, protected health information collected and governed under the Health Insurance Portability and Accountability Act (“HIPAA”) and personal information collected, processed or sold pursuant to the Gramm-Leach-Bliley Act (“GLBA”) is not subject to the CCPA. At first glance this is a relief to many; however, upon closer examination, there is ambiguity around whether these exceptions would cover, for example, a financial institution selling a debt portfolio.  The personal information contained in that portfolio is subject to GLBA, but the overall transaction may not be. If the GLBA exception does not extend to this kind of transaction, the CCPA requires that the consumers in that portfolio be given notice and the opportunity to opt-out of the sale. Accordingly, it would be beneficial for the AG to provide clarification of the scope of the CCPA’s exceptions.

Timeline for Compliance

The CCPA is regarded as the first law in the U.S. to adopt privacy rights like those provided in the European Union’s General Data Protection Regulation (“GDPR”). The EU had two full years to gear up for compliance with the GDPR, and compliance was arguably a light lift since it was built upon an existing privacy directive in the EU. By comparison, the CCPA was signed into law in June 28, 2018, was amended on September 23, 2018, became effective January 1, 2019, and is operative January 1, 2020. Comments swirled around the short time period that companies have to prepare for compliance and how this creates a heavy lift (and cost) for small and mid-size businesses. Many businesses need to modify how they collect, record, retain, and retrieve consumer data in order to comply with the CCPA. One commentator proposed that each aspect of the rule be given a different implementation date/timeline in order to make integrating compliance with the CCPA manageable for businesses.

CCPA Interfacing with Existing Privacy Laws

Commentators from various industries explained how there are existing laws and regulations governing consumer privacy and the sale of consumer information.  Many commentators want guidance and clarification on how existing privacy laws will interface with the CCPA. For example, education information is included in the definition of personal information under the CCPA. However, many education records and related personal information is already governed by the Family Educational Rights and Privacy Act (FERPA). How will the CCPA and FERPA interface?

Conslusion

In summary, commentators asked the AG to provide clear and practical guidance on how they balance their responsibility to protect consumer information and privacy with consumers’ CCPA rights.

The AG is hosting two more public forums.  The next one is in Fresno on February 13, 2019, and the last one is in Stanford on March 5, 2019. The AG is collecting written comments from the public until March 8, 2019. The AG’s staff encouraged the public to visit its website for news and updates related to CCPA. They also reminded the forum that once the AG publishes proposed rules (which the AG Office anticipates doing in the Fall of 2019), the public will have an opportunity to provide comments on those rules. The AG will then review the comments and revise the rules as necessary to address relevant comments, before issuing the AG’s regulations.

CCPA poses many questions for the ARM industry: will this impact how we collect and store data, especially data found during skip-tracing?  How will the industry be able to comply with the obligation to provide information to wrong-party contacts and third parties? How will the industry be able to honor requests to delete information about wrong party contacts and third parties, especially when the exceptions might not include people who are not debtors.  How does this impact how we furnish data to credit reporting agencies, especially when providing information to credit reporting agencies might be considered the “sale” of information? How will this impact how we exchange data with our vendors? How do the privacy rights given to consumers under the Fair Debt Collection Practices Act (FDCPA) and the Fair Credit Reporting Act (and their state law counterparts) interface with the CCPA?  How will this impact debt buying? Everyone should continue to watch how the CCPA develops (and participate in its development!) The CCPA is ushering in a new privacy regime in California since many federal and state legislators are looking at the CCPA as a model and pioneer in this new regime, to potentially enact identical or similar legislation in other states or even federally.