CARY, N.C. -

“What have you got on me, and why? And what are you doing with it? Who did you share it with?”

That’s the succinct way that John Lewis sums up what consumers have the right to know under the California Consumer Privacy Act.

The CCPA gives Californians the right to find out what personal information a business is collecting on them and gives them rights such as the ability to opt out of the sale of their personal information.

Lewis is founder and chief executive officer of Intellaegis/masterQueue, which offers skip tracing and collections software. He thinks CCPA is a great law.

“We all should know where our data is. And we should be careful with who has our data, because if they’re not protecting it in a secure manner, then we’re exposed. And nobody wants … to have their data exposed to bad actors.”

Lewis will be a panelist during a discussion titled, “Data Privacy Meets Regulatory Oversight in Debt Collection” on July 24 at the Automotive Intelligence Summit in Raleigh, N.C. Rebecca Kuehn — partner and chair of the credit, reporting, privacy and data security practice group at Hudson Cook — will also participate on the panel, as will David Lincicum, who is the general attorney for the Federal Trade Commission. 

Another panelist, Mary Ross, is actually co-author of the initiative that would become the CCPA. Ross is a former CIA counterintelligence analyst and former counsel on the U.S. House Intelligence Committee.

It will be moderated by Rod Arends, who is vice president for Southeast Toyota Finance Service Center Operations.

About the CCPA:  Focus on enforcement

San Francisco real estate developer Alastair Mactaggart wanted to create a consumer privacy law using the initiative process. But he did not have a policy background, so about three years ago he hired Ross to, as she put it, “figure out what a good consumer privacy law should look like.”

Ross explained that an existing California law known as “Shine the Light” gave Californians some transparency into how their information was being collected. But the law was very limited, only covering information collected for direct marketing purposes, she said.

“And there is no enforcement of the law,” she said. “That was why one of the things we focused on in drafting the CCPA was to make sure it had truly meaningful enforcement.”

CCPA was signed into law on June 28 of last year and is set to go into effect Jan. 1, 2020.

Ross said the law gives all Californians the right to find out what information is being collected about them and their households. She added that under the law, Californians have the right to opt out of the sale of their personal information. Ross explained that the CCPA also gives them the right to delete their personal information and provides them with the private right of action for a data breach of certain categories of personal information.

Her career path gave her plenty of experience to write the initiative. Her positions have covered various aspects of privacy, including her time working on counterintelligence for the CIA.

“I was in charge of figuring out what other countries’ spy agencies were doing to spy on us,” she said. She later served as counsel for the U.S. House Intelligence Committee, and the committee had oversight of the NSA wiretapping program that CIA employee Edward Snowden later disclosed.

Now, she runs MSR Strategies, a consulting company that she said helps businesses navigate the CCPA and helps them think strategically about how privacy “can in fact be good for their business,” she said.

How? They can use it as a marketing tool.

“You can say, ‘Look, we’re only collecting the information we need to provide the service that we are holding ourselves out to provide to you, and you can trust us.’ Also, just working with businesses to think about how much information do they in fact need and not to collect extra information,” Ross said. 

Privacy trends: Other states and … a national law?

Ross sees another trend in the area of consumer privacy laws: Other states are following California’s lead. A Vermont law established a data broker registry. Nevada passed a consumer privacy law in late May providing a mechanism for consumers to opt out of the sale of their personal information.

“New York has introduced one that I would argue goes much further than the CCPA,” she said.

“The biggest question is: Will Washington be able to pass anything? Because really, there should be some sort of federal consumer privacy law.”

No such law currently exists at the federal level, and that is one reason why the California law was necessary, Ross said.

“But I think as more states end up passing their own version of the CCPA, there will be more political will on Capitol Hill to do something at the federal level,” Ross said.

She said that some work is being done in that area, noting that “there are a bunch of bills that have been circulating.” U.S. Sen. Josh Hawley of Missouri, who describes himself as “a top critic of big tech’s data collection practices,” introduced the Do Not Track Act, which gives people control over their personal data.

But Ross is also tracking 23 different bills that she says could end up weakening the CCPA.

“We don’t know what the ultimate outcome of those will be,” Ross said. “They’re progressing through the state legislature now.”

New rules in privacy and debt collection

Lewis of Intellaegis has worked in debt collections for 40 years, starting before the era of cell phones and computers. The Fair Debt Collection Practices Act was written two years before he started out.

“It hasn’t been changed since,” Lewis said.

He said that in May of this year, however, the Consumer Financial Protection Bureau issued a Notice of Proposed Rulemaking to implement the FDCPA. The regulations would protect consumers against harassment by debt collectors. One of those rules would clarify how collectors are allowed to communicate using technologies that have developed since the 1977 passage of FDCPA, such as voicemails, e-mails and text messages.

“Now you’ve got a lot of rules that have to be followed in regards to specifically how you contact people, whether it’s the consumer or someone you’re contacting to locate the consumer in regard to debt collection,” Lewis said.

Debt collectors: Take a data inventory

“There’s not much you do in this world without data,” said Kuehn, the Hudson Cook partner. “The CCPA all relates to the consumer relationship and rights with respect to data about them.”

Debt collectors gathering data from various sources should determine whether the data they are obtaining is exempt from coverage under the CCPA, Kuehn said. “The first step is, you’ve got to figure out what kind of data you have.”

To do that, debt collectors should take a data inventory. For the purposes of this discussion, Kuehn defined a debt collector as anyone who is using information about consumers and who has “the nexus” to California.

“So, if you’re not in California and don’t have data on California consumers at all, you’re fine,” she said.

To take a data inventory, debt collectors should look at different types of data they are collecting, Kuehn said, such as whether they are getting a skip trace product from vendor A, updated phone listings from vendor B and asset searches from vendor C. Also, the collector might have looked at social media and other sources.

Then the debt collector should look at each of those sources and determine how each of them is regulated. For example, many skip tracing reports are covered under the Gramm-Leach-Bliley Act, which requires financial institutions to explain how they share and protect their customers’ private information. Credit reports are another example. Those are covered under a different law, the Fair Credit Reporting Act, and collectors can only use them in connection with collection of a debt.

Kuehn said taking a data inventory will help debt collectors “know what those buckets are,” and know how each of them are regulated.

“It also reminds me that because it’s Gramm-Leach-Bliley data for example, I cannot just give it to somebody else because I feel like it,” Kuehn said. “I can’t sell it to someone else because I feel like it. I have limitations on my ability to use or reuse that information and to give it to someone else.”

Speaking about the CCPA, Lewis said Ross and Kuehn will help those in attendance at the Automotive Intelligence Summit panel discussion learn about the law. Kuehn’s company, Hudson Cook, “is probably the top firm in the country when it comes to debt collection issues,” Lewis said.

He said people watching the panel discussion will see “the top people in the country to really get their understanding of what is a complex version of Europe’s Consumer Data Protection Regulation] coming to the United States.”

“The Europeans, they’re probably a little ahead of the U.S. in terms or recognizing that your data is your data, you should have control over your data, and you should have control or at least some input into the companies that collect your data and use it,” Lewis said. “And when you think about that and debt collection, it opens up an entire series of questions, and [Kuehn], we thought, was a great person to help navigate those questions.”