How to Prepare for Consumer Data Privacy Laws

January 14, 2021

Comprehensive data privacy laws have become hot topics in state legislatures across the country, as well as in the halls of Congress. Laws like the California Consumer Privacy Act (CCPA), which establishes consumer rights related to personal information, are expected to be widely enacted across the country over the next few years.

In addition, California passed a ballot initiative in November that adds new wrinkles to privacy law in the state. Proposition 24 expands the CCPA beginning in 2023, giving Californians the ability to restrict how companies may use their "sensitive" personal information while also allowing them to block the sale and sharing of personal data.

Already in 2021, comprehensive data privacy and security bills have been introduced in Minnesota, New York, Virginia and Washington. Meanwhile, several states have already passed the model data security bill developed by the National Association of Insurance Commissioners (NAIC).

With many states now considering laws addressing consumer privacy rights, now is the time for title and settlement companies to develop a plan to comply with these regulations. ALTA recently held a webinar that outlines steps companies should consider to with compliance to the CCPA or similar regulations. The law in California, along with bills in many states, retains the exemption for companies that already must comply with the Gramm-Leach-Bliley Act (GLBA). ALTA has advocated that any comprehensive data privacy legislation should include a full entity exemption for entities subject to the GLBA. Since 1999, this federal law has strictly limited financial institutions’ use and sharing of customers’ personal information. Additionally, financial institutions are required to assure the security of this information and provide comprehensive disclosures to consumers. Last year, In February, ALTA released its data privacy principles. The principles recommend the development of a single, national standard to help protect consumer private information uniformly and consistently.

The first thing to do when preparing for compliance is to determine if the law is applicable to your business. This involves knowing the type of data that’s being collected, where it goes and how it’s being used and if it’s shared.

Going through a data mapping process will help understand the data collection process. Data mapping is discovering what data you collect, where it’s stored, with whom it’s shared, how long it’s retained and for what purposes it’s used. This requires a formal inventory of data ingress—such as customer registration, systems, fields within the systems and connections between systems. This data needs to be actively maintained as an organization grows and evolves.

A data map may contain:

  • Source(s) of data intake (for example, a marketing form)
  • What data you are collecting (name, phone and email)
  • The purpose of the data (send relevant marketing email)
  • The handling of the data
  • The retention period for the data

The CCPA requires covered businesses to provide several disclosures. Specifically, upon receiving a “verifiable consumer request,” a business must disclose the following related to the preceding 12 months:

  • the categories of personal information the business has collected about the consumer
  • the categories of sources from which that information about the consumer was collected
  • the business/commercial purpose for collecting or selling the consumer’s personal information
  • the categories of third parties with whom the business shares personal information; and
  • the specific pieces of personal information the business has collected about that consumer.

Website and application notices are important from an operational standpoint. Additional things to consider include:

  • Enabling “do not sell” capabilities if selling data
  • Developing consumer rights response process
  • Setting up multiple contact points for consumer requests
  • Requiring training for all employees handling consumer requests
  • Benchmarking information security program against industry standards
  • Creating and testing incident response plan

A final recommendation is to review all third-party contracts and to understand how those companies handle consumer data. Things to ask include:

  • Do service provider contracts meet regulatory requirements?
  • Do they restrict information use and prohibit sale of personal information?
  • Do contracts require cooperation with consumer requests and compliance obligations?

For more information, check out ALTA’s data privacy page.

Contact ALTA at 202-296-3671 or [email protected].