The High-Stakes Compliance Risk You Probably Haven’t Heard Of
This is the first installment in Bradley’s series on Address Confidentiality Programs.
While many businesses have been focused on CCPA compliance, there is another set of state privacy laws that may be flying under your organization’s radar. These lesser known statutes are often referred to as “Safe at Home” or address confidentiality programs (ACPs). ACPs are state-sponsored programs designed to protect victims of crimes such as domestic abuse, sexual assault, stalking, or human trafficking from further harm. By keeping victims’ home, work, and/or school address confidential, ACPs act as a shield to prevent perpetrators from finding – and continuing to harm – their victims. ACPs operate by providing a “designated address” for victims to use instead of their physical (or actual) address. When used properly, the designated address diverts a victim’s mail to a confidential third-party location (often a P.O. Box and/or a “lot number”), after which a state agency forwards the mail to the victim’s actual address. Additionally – and perhaps most importantly – ACPs prohibit those with knowledge of a victim’s location information from disclosing it to other parties.
In 1991, Washington state was the first to adopt an ACP law and, since then, dozens of states have followed suit. Right now, 38 states have ACP statutes on the books, with a handful more states considering similar bills. And while in most states ACP obligations apply only to government agencies, some of those state statutes apply to the private sector. Among a growing (non-exhaustive) list of those states is Indiana, Iowa, Minnesota, Maryland, and Wisconsin.
This is where your work comes in. Do you know whether your company is complying with requests from ACP participants? Do you know how many of your customers or clients are ACP participants? Had you even heard of ACPs before this blog post? If you aren’t sure how to answer those questions, don’t panic — there is a clear path forward.
State ACPs are administered by either the state’s attorney general or the secretary of state, depending on the jurisdiction. The administrator promulgates rules for ACPs, accepts applications for inclusion in ACPs, assigns designated addresses, and forwards correspondence (including service of process) to participants. The administrator also serves as a resource for private companies and others seeking guidance on how to comply with the local ACP.
While the rules vary from state to state, there are a few baseline commonalities to build from. For starters, your company needs a clear way to flag clients who have either (a) given you a designated address; or (b) given notice of their participation in an ACP program. Many states provide participants with ACP membership cards that, when provided during a transaction (for example when opening a bank account), put the company on notice that it must use the designated address. Once a customer is flagged as an ACP participant, it is important to ensure there are processes in place to only communicate with that customer using the designated address. Depending on the state, other obligations are also invoked, such as the requirement not to disclose the customer’s personal information to third parties, or the requirement to obtain consent before using the customer’s actual address (and then, the requirement to only obtain consent for a necessary business purpose.)
If this sounds complicated, that’s because it is. But that is no reason to ignore ACPs. Not only are these programs growing exponentially in the states where these laws are on the books, but more states are also primed to pass similar laws and apply these laws to private businesses. ACPs are not going away and your planning now could save you from liability in the future and – quite frankly – could even save lives.
Stay tuned for our next few installments about ACPs – we will discuss more about the details of assessing applicability and risk, getting your program started and practical suggestions for compliance.