The state of California has passed a digital privacy law that requires businesses to make disclosures about their collection, use, and dissemination of consumer personal information.
The California Consumer Privacy Act (CCPA) will have far-reaching effects on how financial institutions manage their customer data. Compliance will be difficult for firms with disparate silos of customer data, nascent data governance and retention policies, multiple third-party relationships, and marketing programs based on personal information.
It is critical to get started with a compliance program, both because of the effort involved and the fact that other states are expected to follow California’s lead with their own versions of the CCPA.
CCPA Objectives and Expectations
The CCPA seeks to provide consumers with the right to:
- Know what personal information is being collected and with whom it is being shared
- Decline the sale of their personal information
- Gain access to their personal information and request its deletion
- Receive equal service and price even if they exercise their privacy rights
As a result, a financial institution will need to keep track of:
- Categories of consumer personal information that it collects
- Specific personal information data elements
- Sources of the personal information
- Where this information is stored
- Third parties with whom it provides personal information
- The business purpose for collecting and sharing this information
Some risks to be aware of:
- Violations of the CCPA can lead to large fines and lawsuits
- Data breaches can be prohibitively expensive for companies with large amounts of consumer data
- Compliance requirements extend to third-party providers
Deadlines are not far away
The CCPA will take effect on January 1, 2020. It affects all for-profit companies doing business in California that generate revenues over $25 million, or receive more than 50,000 unique personal records per year.
As such, all medium-to-large financial institutions are within its scope. Data aggregators that collect more than 50% of their revenue from selling personal information are also required to comply with the CCPA.
Although the CCPA only applies to California, financial institutions that operate across multiple states must come up with a consistent set of privacy protections to avoid having to maintain separate business processes for California and everyone else. In addition, other states are expected to introduce their own consumer data privacy acts that will be similar to the CCPA.
We recently published a guide examining the California Consumer Privacy Act of 2018, and the steps any financial institution must take in its response to the new law to evaluate its exposure and current state of readiness. You can download the guide below.