Compliance with the CCPA will be challenging because it represents major changes in how financial institutions conduct their business.
Consumer personal data is often scattered across multiple internal platforms and shared with many third parties. Firms may not have a full picture of where this information is stored and how it is controlled.
Firms use consumer personal data to identify and qualify prospects, cross-sell and up-sell to existing customers, and create targeted outreach messages. Many of these processes will have to be reviewed to ensure their compliance with the CCPA.
Financial institutions are liable for penalties up to $750 per consumer, per incident of noncompliance. This can add up to a massive fine for institutions with hundreds of thousands of consumer records. In addition, institutions are subject to lawsuits by consumers.
Firms will be liable if their third parties do not comply or are subject to data breaches. A comprehensive customer personal data program will therefore have to cover both the firm’s internal processes and third-party relationships.
Some sections of the CCPA may be modified prior to implementation. For example, there are ambiguities in certain areas, such as what constitutes personal information and what the legitimate uses of that information are.
We recently published a guide examining the California Consumer Privacy Act of 2018, and the steps any financial institution must take in its response to the new law to evaluate its exposure and current state of readiness. You can download the guide below.