Many firms think they get a pass on CCPA.
Have you heard the buzz about CCPA?
Sure, most of us have heard about the new “California Consumer Privacy Act,” yet many companies will find themselves in serious trouble because they did not prepare properly. This will be especially true for financial services firms. Two things are important to know: first, which companies are required to comply with CCPA (hint: this includes firms located outside of California), and second, what data falls under the protections of the act.
California’s new privacy law comes into effect on January 1, 2020. The act is designed to give California residents a better way to control and protect their personal information. California consumers will have the right to order companies to delete their personal data, similar to what Europe’s all-encompassing GDPR regulation provides. Many U.S. states are now debating new privacy laws, using CCPA and GDPR as models, to protect the personal rights of individuals and consumers.
As we learned in the Winter 2019 issue of IG World, in an article by Osterman Research, privacy regulations are rapidly spreading worldwide, in countries such as India, Brazil, and Australia.
Even the U.S. Congress has been working on a bill that could soon become federal law.
California consumers will have the legal right to force companies not only to delete their personal information but also to disclose what personal information has been collected about them, to explain the purposes for collecting it, and to refrain from selling any of it. The personal information protected by the act covers a lot more than financial or banking data, and it is broader than the usual notion of Personally Identifiable Information (PII): the statute defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This takes in many different types of information, including IP addresses, biometric data, personal characteristics, browsing history, geolocation data, and much more.
CCPA PASSED IN 2018
On June 28, 2018, the California Legislature passed Assembly Bill 375, the CCPA. The act applies to any for-profit business doing business in California that meets any one of three thresholds: annual gross revenues over $25 million; annually buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving 50 percent or more of its annual revenue from selling consumers’ personal information. Most importantly, CCPA applies to businesses “regardless of location” that meet these criteria. You must comply if you process the personal information of California residents whether your corporation is located in California or not.
What was interesting is how CCPA was rushed into law and signed by Governor Jerry Brown in June of 2018, just days before the deadline to withdraw a privacy ballot initiative from the November election. Tech companies like Google and Facebook were ready to fight that voter initiative because it would have been stricter, holding them more accountable with more far-reaching rules and heavier fines. These same tech giants are currently lobbying Congress in Washington, DC to create new federal privacy laws. Not surprisingly, the big tech companies are looking out for themselves, trying to preserve their “surveillance” business model by watering down impending privacy legislation.
It is important to note that the CCPA has already been amended, and politicians promise more changes before the dust settles and it goes into effect in January 2020.
FINANCIAL SERVICES COMPANIES
Do financial services companies have an exemption? Well, yes… to an extent. In September 2018, the CCPA was amended with carve-out language addressing certain categories of data, including personal information collected, processed, sold, or disclosed under the Gramm-Leach-Bliley Act (GLBA). You can almost visualize compliance officers at banks like Wells Fargo and Bank of America celebrating one less regulation to deal with. However, as I tell our financial clients: “don’t be complacent—you must be prepared.” While the carve-out language is no doubt welcome to GLBA-regulated entities, it should not be read as a full exemption: it exempts data that is subject to GLBA, not the institution as a whole. Financial services firms remain subject to CCPA requirements whenever they engage in activities outside of GLBA, which many most certainly do. GLBA covers the nonpublic personal information a financial institution obtains in connection with providing a financial product or service to a consumer; the CCPA definition of “personal information” is much broader than that.
Because many financial services institutions believe they have a full exemption from CCPA, they could find themselves exposed to risks, fines, and related lawsuits, simply because they did not prepare properly and protect their non-GLBA data. To be clear, under the CCPA as currently drafted, if a GLBA entity “collects information beyond that of providing a financial service or product to a consumer,” then the CCPA regulations apply to that information. Examples of data collected outside of a financial product or service include website visitor data and their locations, analytics used for targeted online advertising, and collected geolocation information. Note also that the GLBA carve-out does not reach the CCPA’s private right of action for data breaches (Section 1798.150), so a breach of unencrypted personal information can still expose a financial institution to consumer lawsuits even where the data itself was GLBA-exempt.
It is vital that financial services firms pay attention and distinguish which data is regulated by GLBA and which by CCPA, because they will inevitably be required to prove which data is exempt. Financial services organizations are more likely than most other industries to struggle with compliance, precisely because many did not prioritize CCPA appropriately.
Just as we learned after the European GDPR came into effect last year, some companies were ready and many were not. We also learned that the companies that committed to enterprise Information Governance (IG) and privacy programs, including software, systems, and organizational changes throughout the business, were much better prepared for CCPA and will be for any new regulations coming soon.