How Should a BPO Handle a CCPA Request from a Client’s Customer?

The California Consumer Privacy Act (CCPA) is a hot topic right now for my clients. Many are receiving requests from consumers exercising rights under the CCPA, and are testing the processes they’ve implemented to comply. Many states will follow California’s lead, as well, so you can expect more and varying state privacy rules in the coming years.

One question has been how an agent company should handle a request received from a client’s customer, for example, a consumer makes a CCPA request during a telephone conversation with an agent employed by a business process outsource company (“BPO”) on behalf of a client company like a credit card issuer.

A BPO is the legal agent for its client with regard to consumer contact contemplated in the contract between them. The CCPA contemplates businesses having this type of relationship with “service providers” with whom they share customer data for legitimate business purposes.

So if the BPO gets a request on the telephone from a consumer requesting deletion of personal data, how should the BPO treat this request? Is it applicable to the BPO or solely the client on whose behalf the contact is made?

As an agent, the BPO stands in the shoes, legally, for the client, and the CCPA request is therefore to the client, not the BPO. This is the rule so long as the BPO is acting within the scope of agency for that client (not acting on its own behalf or for a different client, for example).

The BPO should address how it will handle privacy requests in its contract or statement of work with the client. It could either process the request (if the BPO is the only place the consumer’s data is stored for the client), or forward to the client to process. The contract should also require the BPO to delete consumer data received by the business or other service providers and prohibit the BPO from collecting, selling, or using the business’ consumers’ personal information except as necessary to perform its contractual duties.

Let me know if you would like to discuss CCPA compliance, responses to consumers or contract issues.