On January 1, 2020, the California Consumer Protection Act (CCPA) came into effect, following in the footsteps of the European Union's General Data Protection Regulation (GDPR)—and ushering in a new era of data privacy protections in the United States. The CCPA expands the rights of California consumers by requiring companies to be more transparent about how they collect, use and disclose their personal information.
This sweeping legislation presents significant implications for businesses of all kinds, but for financial institutions—who are already bound by strict regulation such as the Gramm-Leach-Bliley Act (GLBA), the California Financial Information Privacy Act (CalFIPA) and the Fair Credit Reporting Act (FCRA)—the ramifications of the CCPA become even more complex. As such, financial institutions need to carefully assess their data use and protection practices, and proactively implement policies and procedures to ensure compliance.
What is the CCPA?
The CCPA applies to any business, anywhere in the world that collects, receives or sells a California consumers’ personal information (PI). It also governs service providers who process PI on behalf of a business, and to other third parties who receive sales of such information from a business. Hence, CCPA laws are deeply intertwined with the financial services sector.
The CCPA regulates the collection, use and disclosure of personal information belonging to a consumer (defined as “a natural person who is a California resident,” including residents who are temporarily out of the state). The act gives California residents several new rights over their personal information, summarized simply as the right to:
- Know how personal information is being used and sold
- Opt out of the sale of personal information
- Non-discrimination based on personal information
- Delete personal information
To comply, businesses and service providers must:
- Disclose the ways they use and sell consumers’ personal data
- Enable California residents to opt-out of their personal data being sold
- Disclose data collected from the consumer
- Delete data associated with an individual when asked to do so
CCPA implications for financial services institutions
As a general rule, the CCPA applies to financial institutions in the same way that it applies to other businesses. However, given the GLBA, CalFIPA and FCRA requirements already in place for these companies, the situation becomes a bit more complicated. Because CCPA provisions include certain limited exemptions for PI that is regulated by the three acts, it affects financial institutions somewhat differently from other businesses.
However, these exemptions are not absolute. Most financial institutions collect and use various types of PI that are not regulated by GLBA, CalFIPA or the FCRA, so it’s critical that they carefully examine the types of data they collect, how they use it and what their obligations are under the CCPA. Let’s take a closer look.
GLBA and CalFIPA exemptions
Both GLBA and CalFIPA regulate the sharing of nonpublic PI—essentially any information received from or about individuals who seek to obtain a financial product or service used primarily for personal, family or household purposes. For PI that is collected, processed, sold or otherwise disclosed under the GLBA, the exemption applies. Hence, the GLBA/CalFIPA exemption generally applies to:
- Data that a consumer provides to obtain a financial product or service
- Data about a consumer resulting from any transaction involving a financial product or service with a consumer
- Data that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer
However, not all GLBA and CalFIPA-protected data are exempt from the CCPA. For example, the following types of personal information are not exempt:
- General advertising and online marketing
- Information procured via non-financial institution partners
- Information shared with, or procured from, an affiliate resource
The FCRA was enacted to protect the accuracy, fairness and privacy of consumer information used for sensitive purposes such as credit granting, insurance underwriting and employment screening. It regulates the collection, dissemination, and use of this information.
As such, the CCPA exempts the collection, maintenance, disclosure, sale, communication or use of any PI already protected under the FCRA. This includes data that applies to a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, by a furnisher of information who provides information for use in a consumer report, and by a user of a consumer report.
The FCRA exemption from CCPA is limited and applies only when the personal information in a consumer report is:
- Sold to or from a consumer reporting agency
- Used to generate consumer reports
- Secured under the FCRA
The bottom line on exemptions
Most financial institutions collect data that is not regulated by the GLBA, CalFIPA or the FCRA. For example, the GLBA and CalFIPA do not protect the data of consumers who obtain financial products or services for business, commercial or agricultural purposes, or to PI collected from consumers who do not have and are not seeking a financial product or service. In these cases, the data is subject to the CCPA.
Also, there are circumstances when financial institutions could gather PI that is subject to GLBA or CalFIPA at the same time as PI that is not. For example, information gathered online via your institution’s web site could commingle the PI of consumers subject to GLBA (such as investors downloading your annual report) with PI gathered through marketing activities (such as lead lists). In this case, it could be impossible to separate the GLBA/CalFIPA data from that which falls outside their scope and could qualify for CCPA exemption. Similarly, compliance issues could arise with PI derived from combined exempt/non-exempt data sets.
For this reason, to fully understand their exposure to the CCPA and comply with its requirements, financial institutions must meticulously assess precisely what data they are collecting, how they are storing and using it, and which specific regulations it is subject to.
Key steps towards CCPA compliance
It’s critical that financial institutions take a proactive approach to CCPA compliance—or face the consequences. Non-compliance penalties start at $2500 for an unintentional violation, and a security incident under the CCPA could cost your business up to $7500 per day.
Other key steps include:
- Evaluate your data. To become CCPA compliant, your financial institution must establish which data sets you collect fall under the GLBA, CapFIPA or FCRA legislation—and which don’t. This will involve assessing your data practices and conducting or updating data inventory and mapping records. If you’ve already mapped the PI that you collect for compliance with other laws, you may be able to leverage those efforts for CCPA compliance. But any data that isn’t already governed by GLBA, CalFIPA or FCRA should be considered potentially subject to the CCPA.
- Conduct a security audit. Review existing security procedures and ensure that “reasonable” security measures are in place to protect all PI, including CCPA-covered PI, from data breaches. Remember: financial institutions are subject to liability under the private right of action under the CCPA for certain types of data breaches, regardless of whether the kinds of PI involved in the data breach are regulated by the GLBA, CalFIPA or FCRA.
- Review record retention policies and practices. Evaluate policies and practices to identify how long you’re required to retain your customers’ personal data—and how long you actually do. Limiting your retention as much as legally possible can ease the burden of compliance with CCPA and also mitigate your company’s risk in the event of a security breach.
- Review contracts with vendors. Identify and review contracts with any vendors that process any data subject to CCPA. While the CCPA doesn’t require adding specific language to these contracts, there are safe harbors for those who do. Also, you’ll need the cooperation of vendors and partners to operationalize CCPA rights (such as deleting data, etc.).
Zennify: Your partner in CCPA compliance
Zennify understands that the CCPA and other emerging data protection legislation present a myriad of challenges for financial services institutions. With our deep industry experience and knowledge of best practices, we can help you navigate the complexities of the CCPA and beyond. Our team of experts will help you assess your systems and data, and successfully implement the changes necessary to ensure CCPA compliance and mitigate risk.
To learn more about Zennify’s approach to CCPA compliance, visit https://www.zennify.com/contact-us