
Guide: Complying with the California Consumer Privacy Act of 2018

The state of California has passed a digital privacy law that requires businesses to make disclosures about their collection, use, and dissemination of consumer personal information.

The California Consumer Privacy Act (CCPA) will have far-reaching effects on how financial institutions manage their customer data. Compliance will be difficult for firms with disparate silos of customer data, nascent data governance and retention policies, multiple third-party relationships, and marketing programs based on personal information.

It is critical to get started with a compliance program, both because of the effort involved and the fact that other states are expected to follow California’s lead with their own versions of the CCPA.

CCPA Objectives and Expectations

The CCPA seeks to provide consumers with the right to:

  • Know what personal information is being collected and with whom it is being shared
  • Decline the sale of their personal information
  • Gain access to their personal information and request its deletion
  • Receive equal service and price even if they exercise their privacy rights

As a result, a financial institution will need to keep track of:

  • Categories of consumer personal information that it collects
  • Specific personal information data elements
  • Sources of the personal information
  • Where this information is stored
  • Third parties with which it shares personal information
  • The business purpose for collecting and sharing this information

Some risks to be aware of:

  • Violations of the CCPA can lead to large fines and lawsuits
  • Data breaches can be prohibitively expensive for companies with large amounts of consumer data
  • Compliance requirements extend to third-party providers

Deadlines are not far away

The CCPA will take effect on January 1, 2020. It affects all for-profit companies doing business in California that generate revenues over $25 million, or receive more than 50,000 unique personal records per year.

As such, all medium-to-large financial institutions are within its scope. Data aggregators that derive more than 50% of their revenue from selling personal information are also required to comply with the CCPA.

Although the CCPA only applies to California, financial institutions that operate across multiple states must come up with a consistent set of privacy protections to avoid having to maintain separate business processes for California and everyone else. In addition, other states are expected to introduce their own consumer data privacy acts that will be similar to the CCPA.


We recently published a guide examining the California Consumer Privacy Act of 2018 and the steps any financial institution must take in response to the new law to evaluate its exposure and current state of readiness.


Nilanjan Sen, Director, Financial Services, Perficient

Nilanjan Sen, asset management lead in Perficient’s financial services practice, joined the company in 2013 via the acquisition of ForwardThink Group. His areas of focus include data management, business intelligence, operational systems, and investment research and analytics. Nilanjan has over 20 years of experience in corporate and consulting roles. Prior to Perficient, he was VP of IT services at asset management firm AllianceBernstein.
