Financial institutions prepare for the impact of the California Consumer Privacy Act (CCPA)
At the beginning of 2020, the California Consumer Privacy Act (CCPA) goes into effect. Heralded as one of the most comprehensive U.S. privacy laws to date, the CCPA is expected to inspire similar legislation beyond California's borders as the nation turns its attention to better handling of consumers' private data.
What Does the CCPA Cover and Who Must Comply?
The CCPA enacts several mandates that govern the personal information a business may collect about a consumer and how that information is used.
Designed to give consumers greater control over their own personal information, the CCPA can be broken down into three themes:
- Ownership: Under the CCPA, a business must inform California consumers of their privacy rights at or before the point of collecting their personal information, and must update its privacy policy at least annually to disclose the categories of personal information it collects and the purposes for which that information is used.
- Control: The CCPA gives consumers control over how a company uses the personal information it collects. Businesses must provide a simple way to opt out of the sale of personal information (for consumers under 16, sale requires opt-in consent). Businesses may not discriminate against consumers who exercise these rights, whether through price increases, reduced service, or other means. Consumers may also request the specific personal information a business holds about them, delivered in a portable format so they can take it and reuse it elsewhere, and may request that it be deleted.
- Security: Beyond control and ownership of data, consumers value the security of their personal information, and 92 percent expect companies to be proactive in protecting it.[i] The CCPA goes a step further by giving consumers a private right of action for data breaches when the business is found not to have implemented and maintained "reasonable security procedures and practices" appropriate to the nature of the information. The law does not define "reasonable", but the California Attorney General's 2016 Data Breach Report pointed to the CIS Critical Security Controls as the minimum level of security an organization is expected to meet, so that is the practical baseline to measure against.
For businesses, violations of the law carry hefty consequences: a civil penalty of up to $2,500 per unintentional violation, and up to $7,500 per violation for businesses found to be violating the law intentionally. Because penalties are assessed per violation, a single systemic failure affecting many consumers can multiply quickly. But not all businesses will need to comply with the new regulations.
The CCPA applies to for-profit businesses that do business in California, collect the personal information of California residents, and meet at least one of three thresholds: annual gross revenues of $25 million or more; annually buying, receiving, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices; or deriving 50 percent or more of annual revenue from selling consumers' personal information. Note that the law does not require a physical presence in the state. A bank in Oregon, Nevada, or even Portland, Maine could be subject to the CCPA if it collects the personal information of California residents and, for example, meets the revenue threshold.
In a recent survey, 67 percent of consumer respondents said they think the government should do more to protect data privacy.[ii] Given consumer sentiment, the California law is likely to be the crest of a long wave of data privacy regulation set to sweep the country in the near future. As such, it is something that all banks and credit unions should have on their radar.
Complying with the CCPA in Banking
Although the deadline for CCPA compliance is mere months away, only 8 percent of businesses say they are prepared, and only a third expect to meet the January 2020 timeline.[iii] For the 11 percent of businesses that say they will miss the compliance date, cost is the major factor.[iv]
The CCPA will require financial institutions to revisit several established processes, such as data inventory and mapping, and to determine which full or partial exemptions apply. The most important of these for banks and credit unions is the exemption for personal information already collected and processed under the Gramm-Leach-Bliley Act (GLBA). That exemption is data-based, not entity-based: information a financial institution collects outside the GLBA context, such as website analytics, marketing lists, or data on prospects who never became customers, remains fully subject to the CCPA, and the private right of action for data breaches applies regardless of the exemption. Financial institutions will also need a process for verifying the identity of consumers who submit requests about the use of their personal information, responding to those requests within the statutory window, and honoring opt-out requests.
The quickest and most cost-effective road to compliance will be through technology designed to document, track, assess, and monitor these consumer requests from receipt through verification to fulfillment. Technology can also help financial institutions by simplifying annual CCPA risk assessments and the documentation of controls.
While the CCPA represents a major change in how financial institutions approach a number of established processes, it also offers an opportunity. Through fair and transparent data handling, financial institutions can give their customers and members confidence in how their data is secured and used.
As more states take up the issue of data privacy, it is important for financial institutions to anticipate new and emerging regulations. Working with a technology partner now can prepare your institution for CCPA compliance and position it to adapt as similar laws are adopted across the nation.
[i] "Consumer Intelligence Series: Protect.me." PwC, pwc.com/CIScyber, 2017. Web.
[ii] "SAS Survey: 67 Percent of US Consumers Think Government Should Do More to Protect Data Privacy." SAS, Dec. 10, 2018. Web.
[iii] Amy He. "Very Few US Businesses Are CCPA-Ready." eMarketer, Sep. 10, 2019. Web.
[iv] Amy He. "Very Few US Businesses Are CCPA-Ready." eMarketer, Sep. 10, 2019. Web.