When I started working for Chrysler Credit thirty-four years ago today, there were no rules centered around the acquisition of public record data or how it was used. The FDCPA was released in 1977, but I don’t recall hearing that term until at least the mid-80s. The word compliance was not a part of my training, and frankly, we pretty much did what we wanted to find people and get our cars back.
SB34 was passed by the California Legislature and signed into law by Governor Jerry Brown in October 2015, and it went into effect Jan 1, 2016.
This law specifically requires everyone who looks at License Plate Recognition Data (LPR or ALPR) to keep detailed logs of all access and usage for each piece of data, piece by piece. If you don’t, the fine is a minimum of $2500 plus punitive and other damages, per occurrence.
The personal injury lawyers fresh off the TCPA bandwagon are once again licking their lips.
This is the first time a legislative body has stepped up to mandate that end users of “public record data” take accountability and responsibility during the process of gathering data they use for skip, collection and repossession purposes. By writing this new law (with teeth), they are mandating that you use a system that efficiently gathers, organizes and tracks all LPR data, and that you track:
- Exactly who is requesting what specific piece of data and what is their permissible purpose
- What is their name and job title
- Yes, SB34, section 1798.90.52 requires the job title or job description of the person accessing the data, each time they access the data, be kept in a log
- Most non-LPR public record data providers, i.e. LexisNexis, Experian, etc., have you check permissible purpose when you log into their site, or when you sign their contract, but with SB34 setting the tone of where the FDCPA rewrite may be going, the California Legislature just ramped the stakes up quite a bit for end users of data by also requiring…
- Details of every piece of data accessed and/or used must now be tracked and stored in easily accessible logs
- SB34 requires logs be kept that show:
- When the data was requested, accessed and/or used, with the exact date and time documented. This pretty much means you can’t get by with a blanket one-time DPPA permissible purpose agreement at the beginning of an online session or in a contract and then view hundreds or thousands of records in a session or a day without specific tracking tools built in to record, piece by piece, the information you now have to document in these logs.
- You also now have to capture, track and log the permissible purpose and a bunch of other info at the moment you access and/or use the LPR data, or be ready to answer to a class action attorney smart and shrewd enough to understand no one is doing this now. Those not scrambling to make this happen have a lot of exposure themselves, or else they have just opened a can of worms for the clients to whom they expose the data in software, a raw data feed, or, worst of all, via email.
- Who accessed or used the data, including their exact name and job title or job description
- What was the exact permissible purpose for accessing and/or using the data
- Again, we’re not talking about a blanket, one-and-done permissible purpose checkbox you mark in a contract or have to check when you log into the data provider’s website. At least that was the interpretation of a few of our conservative clients’ legal teams: they wanted specific permissible purpose documentation to take place for each piece of data accessed at the moment it was accessed, and it then needed to be tracked and acknowledged before the end user could access the account that contained any LPR data
- Ever since they formed the CFPB I saw this type of regulatory scrutiny coming, and it seems we’re finally getting to where I envisioned
- What California has started is what I’m sorry to tell you, in my opinion, is likely to eventually occur whenever you go to access a person’s PII, as I believe it should be.
- Personally, I don’t want people calling me without a permissible purpose, or even accessing my data unless they have a permissible purpose. Don’t you agree?
- To be “compliant” in using LPR data in California you need to pay attention to this law, and frankly, if you still allow your staff to just arbitrarily look at, gather and use any data, LPR or any form of public record, without some level of systematic tracking, I believe you have increased risk until you find a way to move in the direction this law is forcing those of us looking at LPR data to move.
- As an example, when a phone call is made from data gathered, you need to know who made the call, when, why, and what the permissible purpose for that call was. You’ll also want to know it was done with strict TCPA compliance and that it was recorded and stored inside the account notes in your system of record and not in a standalone system, and the record of this activity needs to be tracked and available in real-time dashboard reporting and ad-hoc instant reports. You have that in place now, right?
The eventual ramifications of this level of scrutiny create significant exposure for those companies with their heads in the sand, or for those unwilling to look for opportunities to embrace these laws and seek out solutions to protect themselves from the attorneys and regulators coming their way.
One blatant example of a law that’s abused on nearly every account that goes seriously delinquent happens when you call a person under FDCPA section 804 to gain location information on a customer you’ve lost touch with. The law clearly states you are not allowed to call the person back “unless requested to do so by such person or unless the debt collector reasonably believes that the earlier response of such person is erroneous or incomplete and that such person now has correct or complete location information.”
The problem here is the documentation from when a collector called the brother, cousin, ex-wife etc. Unfortunately, it’s buried somewhere in the collection notes, and when the customer goes delinquent again, no one is going back and researching the notes history to make sure they don’t call the brother again. Additionally, because the gathering of the public record that provided the brother’s phone number is not being tracked in a system, there is no system to stop them from gathering the number again, and again, and again. Worse, when the account gets outsourced to a repo company, then a skip company and then a collection agency, and another and another, that brother may get 10-15 calls during the life of the loan, when legally, you’re only supposed to call him once.
In the past, those calls were on the shoulders of the outsourced vendor if a lawsuit was filed, but with the CFPB now stating the lender is responsible for their vendors’ actions, and with hundreds of millions in fines already having been issued to prove they weren’t joking, the stakes for lenders using outsourced vendors are higher than ever. Richard Cordray, Head Honcho at the CFPB, was quoted in an April 2012 press release saying:
“Consumers are at a real disadvantage because they do not get to choose the service providers they deal with—the financial institution does,” said CFPB Director Richard Cordray. “Consumers must not be hurt by unfair, deceptive, or abusive practices of service providers. Banks and nonbanks must manage these relationships carefully and can be held accountable if they break the law.”
The challenge is that service providers usually work in different software platforms than the lender works in, so there is not the level of transparency you have when both the lender and service provider work in the same system. That’s not a foolproof solution, but it gives the lender a huge head start when they mandate their vendors perform high-risk work in a system they also use, and one they mandate the vendor uses. The other advantage is the system will have been checked for security by the lender’s skilled team of security and compliance staff, who likely have more resources than the service provider has, so the customers’ PII is at less risk than if it’s in a foreign system.
SB34 1798.90.53 also requires the end user to go through documented training to properly use LPR data. The company using the LPR data must have a written policy for how the LPR data and system will be monitored to ensure the security of the information accessed or used, a compliance policy to ensure all applicable privacy laws are being followed, a documented process for periodic system audits, and policies and procedures for how and when the data will be retained and destroyed.
If your head isn’t spinning already, they also want a policy to show how and why you share, transfer or sell this data, and what the restrictions around this are. Additionally, they want a policy describing the process the end user will use to validate and authenticate that the data gathered is the correct data, and if not, how the errors will be corrected.
Then section 1798.90.54 states the minimum fine is $2500 with additional punitive and other damages for willful or reckless disregard of these laws. Consider yourself warned as “ignorance is not a defense”, right?!
Additionally, it wants the specific name of the custodian responsible for implementing this section and it says anyone harmed by a violation of this title “may bring a civil action in any court of competent jurisdiction against a person who knowingly caused the harm”.
I’m sure you’re protected by the company you work for, but the way it’s written is kind of scary, as it says they can bring civil action “against a person” and then it says they want your name!
When I decided to get back in the industry in 2007, I chose to move away from starting a forwarding, skip or repo company, which was where the bulk of my experience came from. I wanted to build a cool skip tracing software that could integrate all the data into one web site and then incorporate algorithms and predictive analytics and automation and workflow to use BigData to make the skip and repossession process more efficient.
We launched masterQueue in the spring of 2011 at Finovate in San Francisco, and when they launched the CFPB two months later, we didn’t blink. Within a year, not only did we blink, but we had to completely shift our direction to become a compliance software first, and a skip tracing software second, because without compliance, everything else is a non-starter.
We’ve been waiting for laws like this to come into play for a couple years, and as a result, we’ve built our mission statement around these three core competencies:
- Gather – why leave the data gathering up to manual processes where errors or compliance or permissible purpose issues can arise?
- In mQ, the system automatically gathers the data you need through multiple direct interfaces with every major data provider, and it can be set up to only gather data based on permissible purpose and efficiency trends in using data that our algorithms model for you.
- Organize – With all these regulatory requirements on top of your own internal efficiency needs, you need to use predictive analytics and workflow automation to gather and organize all your data so you can…
- Track – every piece of data, so you know when, why and by whom it was accessed, and how it was used, with automated rules built in to prevent regulatory landmines that can cost you millions in fines and reputational damage.
We’re still a skip software, and this 2 min news video will demonstrate we’re still pretty good at finding people who don’t want to be found…
…but if laws like this will keep you up at night, you may be interested in seeing a demo of masterQueue, and if so, please click here to fill out a demo request form and we will contact you to set up a meeting, or call us at 1-866-563-7547 if you have any questions or to schedule a demo today.