What You Need to Know About Address Confidentiality Programs

The High-Stakes Compliance Risk You Probably Haven’t Heard Of

This is the first installment in Bradley’s series on Address Confidentiality Programs.

While many businesses have been focused on CCPA compliance, there is another set of state privacy laws that may be flying under your organization’s radar. These lesser-known statutes are often referred to as “Safe at Home” or address confidentiality programs (ACPs). ACPs are state-sponsored programs designed to protect victims of crimes such as domestic abuse, sexual assault, stalking, or human trafficking from further harm. By keeping victims’ home, work, and/or school address confidential, ACPs act as a shield to prevent perpetrators from finding – and continuing to harm – their victims. ACPs operate by providing a “designated address” for victims to use instead of their physical (or actual) address. When used properly, the designated address diverts a victim’s mail to a confidential third-party location (often a P.O. Box and/or a “lot number”), after which a state agency forwards the mail to the victim’s actual address. Additionally – and perhaps most importantly – ACPs prohibit those with knowledge of a victim’s location information from disclosing it to other parties.

In 1991, Washington state was the first to adopt an ACP law and, since then, dozens of states have followed suit. Right now, 38 states have ACP statutes on the books, with a handful more states considering similar bills. And while in most states ACP obligations apply only to government agencies, some of those state statutes apply to the private sector. Among a growing (non-exhaustive) list of those states are Indiana, Iowa, Minnesota, Maryland, and Wisconsin.

This is where your work comes in. Do you know whether your company is complying with requests from ACP participants? Do you know how many of your customers or clients are ACP participants? Had you even heard of ACPs before this blog post? If you aren’t sure how to answer those questions, don’t panic — there is a clear path forward.

State ACPs are administered by either the state’s attorney general or the secretary of state, depending on the jurisdiction. The administrator promulgates rules for ACPs, accepts applications for inclusion in ACPs, assigns designated addresses, and forwards correspondence (including service of process) to participants. The administrator also serves as a resource for private companies and others seeking guidance on how to comply with the local ACP.

While the rules vary from state to state, there are a few baseline commonalities to build from. For starters, your company needs a clear way to flag clients who have either (a) given you a designated address; or (b) given notice of their participation in an ACP. Many states provide participants with ACP membership cards that, when provided during a transaction (for example, when opening a bank account), put the company on notice that it must use the designated address. Once a customer is flagged as an ACP participant, it is important to ensure there are processes in place to only communicate with that customer using the designated address. Depending on the state, other obligations are also invoked, such as the requirement not to disclose the customer’s personal information to third parties, or the requirement to obtain consent before using the customer’s actual address (and then, the requirement to only obtain consent for a necessary business purpose).

If this sounds complicated, that’s because it is. But that is no reason to ignore ACPs. Not only are these programs growing exponentially in the states where these laws are on the books, but more states are also primed to pass similar laws and apply these laws to private businesses. ACPs are not going away and your planning now could save you from liability in the future and – quite frankly – could even save lives.

Stay tuned for our next few installments about ACPs – we will discuss more about the details of assessing applicability and risk, getting your program started and practical suggestions for compliance.

Erin Jane Illman

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly advises clients on CCPA, GLBA, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws. In addition to providing proactive privacy and information security compliance and legal advice, Erin manages privacy-related enforcement actions and litigation. Her practice includes representing companies in reactive incident response situations, including insider cybersecurity threats, electronic and physical theft of trade secrets, and investigation, analysis, and notification efforts with respect to security incidents and breaches.

Leah M. Campbell

Leah Campbell is a senior attorney in the Banking and Financial Services Practice Group. Leah has significant experience representing financial services and insurance company clients in both federal and state courts, as well as before state regulators. She has advised national mortgage servicers on FDCPA claims, loan finance companies on UDAAP claims, and banks on OFAC-related issues.

In addition, Leah has provided intellectual property guidance in M&A and corporate structuring matters and advised on GDPR implementation and cross-border encryption issues.