Is Your Bank Ready for the California Consumer Privacy Act?

Jameson Miller, CPA | Mauldin & Jenkins, LLC

If you spend time online, as most of us do these days, you have probably noticed an uptick lately in the number of websites informing you that they are updating their privacy policy. The recent spate of changes is a response to the soon-to-be-implemented California Consumer Privacy Act (CCPA). Passed in 2018, the law goes into effect as of January 1, 2020 and applies to many businesses that collect or maintain data on any California consumers, including data gathered through websites. This means that even if your bank does not have a presence in California, you need to understand how to comply with CCPA.

Do you recall the near-frantic preparations that website owners went through getting ready for the General Data Privacy Regulation that governs data collection relating to web users in the European Union? Well, CCPA could create even more legal obligations and limitations than its European cousin. There is no need to panic, but there is an urgent need to ensure your bank knows what CCPA covers and how to comply with it.

The new law grants four rights to all California consumers regarding the Personally Identifiable Information (PII) that businesses collect, retain, use, share or sell about individuals (including employees):

  1. The right to know (what types as well as the specific data points)
  2. The right to delete the information companies and their business service providers possess about them
  3. The right to opt-out of having that information sold
  4. The right to non-discrimination based on their choice to exercise privacy rights (meaning a business may not charge different prices or deliver different levels of service to these customers than to others)

In addition, the law requires businesses that collect such information to implement and maintain reasonable security procedures and practices. That is a vague standard to go on, leaving plenty of room for attorneys to quibble about just what does and does not constitute ‘reasonable’ under the law. But, while the lawyers are having a field day arguing it out, banks and other business organizations must prepare for CCPA’s imminent enactment despite the lack of clarity.

Preparations should include at a minimum the following steps:

  • Identifying relevant data – Whose data does the company currently possess? Is there any chance that California consumers are represented in one or more databases? CCPA utilizes a very broad definition of PII in establishing the scope of what is covered under the act.
  • Performing risk analysis and preliminary research – Does the bank have operations in California? Does it qualify for an exemption? State legislators have added a number of exemptions and qualifying conditions, some specifically applicable to financial institutions. Even where an exemption exists, however, it does not provide banks with free rein to use consumers’ personal data as they wish. Typically, only certain data and activities covered by other laws such as the Gramm-Leach-Bliley Act, California Financial Information Privacy Act and Fair Credit Reporting Act are affected by the exemption.
  • Assessing existing security procedures – Are current security measures sufficient to qualify as reasonable for the purposes of CCPA?
  • Developing appropriate systems and protocols – How will the bank store consent records and process and retain opt-out requests? What will it do to ensure that data is deleted properly upon request?
  • Updating websites and privacy policies – Do the bank’s data collection tools need to be altered to meet the law’s requirements? Does its consumer-facing privacy policy accurately describe updated policies and procedures, including those regarding opt-out choices?

Bank leaders will likely want to seek expert advice as part of their preparation for CCPA. In addition, they should be aware of other privacy laws governing collection, retention and use of consumers’ personal data. These include the Children’s Online Privacy Protection Act (COPPA), Driver’s Privacy Protection Act (DPPA), Video Privacy Protection Act (VPPA), Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), Telephone Consumer Protection Act (TCPA) and others.

Another complicating factor may soon arise due to the absence of a federal law similar to CCPA. While no such law is on the horizon at this point, a handful of other states are beginning to develop their own versions of California’s consumer privacy legislation. A patchwork of state laws could seriously hamper banks’ efforts to comply with differing requirements and severely limit the practical possibility of collecting the types of data covered under them at all.

Consumer privacy concerns in the digital age are certain to increase, and businesses must remain alert to a changing landscape of legal obligations. For help keeping your bank in compliance with CCPA and related data privacy regulations, contact the experienced business consultants at Mauldin & Jenkins.