On the heels of the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) is the latest regulation to address the perceived imbalance in power that exists between companies and consumers when it comes to data management.
CCPA is considered to be the most comprehensive data protection law in U.S. history. The act applies to any business that collects data from residents of California, not just those companies headquartered there. CCPA goes into effect Jan. 1, 2020, but there is still time to be better prepared for its enforcement, which will begin around July 2020.
While California’s Attorney General Xavier Becerra’s proposed regulations give businesses some additional guidance, many impacted companies — including financial institutions — lack a sense of the full requirements for compliance. Nevertheless, experts predict the act could serve as a “quantum leap” with respect to privacy, data management, and consumer empowerment, and may ultimately roll outward into federal or other states’ laws, as covered in the box below.
At a high level, CCPA will give California residents the right to:
- Know what personal information is being collected about them
- Know whether and how their personal data is sold or disclosed and to whom
- Prohibit the sale of their personal data
- Request access to their personal data online or by phone and, in some circumstances, in person, by email, or by postal mail
Beyond those main points, there are numerous other requirements, such as the consumers’ right to know the collecting organization’s purpose and use for their data. Additionally, the statute mandates that residents not be discriminated against for exercising their privacy rights. Organizations are also required to implement and maintain reasonable security procedures and practices in order to protect consumer data.
New Law Targets Use of Data for Marketing
CCPA will have a significant impact on the way banks, credit unions, and other financial services businesses handle Californian consumer information. This especially pertains to marketing and advertising activities within these industry segments, since CCPA was originally drafted to help address targeted and behavioral advertising. While it’s still unclear exactly how data collection for these types of online activities will shake out, at the least, the do-not-sell and opt-out portions of the law will dramatically change how the pool of information that advertisers rely on can be used.
In an IDology survey conducted in October of 2019, more than a third of responding companies reported they were non-compliant with CCPA and still in the assessment phase, yet 85% expected their company would be compliant by the July implementation deadline. In addition, 28% believe CCPA compliance will be more burdensome than GDPR, while 30% believe it will be equally burdensome.
Here are three things your retail bank or credit union can do now to be better prepared for CCPA:
1. Understand Your Institution’s Data Collection Activities
With so much data being generated (over 2.5 quintillion bytes of data every single day, according to Social Media Today), getting your arms around just the data your banking organization collects and maintains can seem like an insurmountable task. Still, to better assure compliance with CCPA, businesses need to know the many different types of data they collect on individuals and where each type falls in regard to the act. While some data collected may be exempt under the Gramm-Leach-Bliley Act (GLBA), other data types won’t be.
Also, know that the CCPA definition of personally identifiable information (PII) is broad. It goes beyond the traditional PII of Social Security number, driver’s license number, bank account number, passport number, and email address to also include any information that can be identified with an individual, a household, or a device. This includes a home computer’s or mobile device’s IP address, for instance. So, even if you’re simply collecting a device ID when someone logs onto your website, that data is considered “personally identifying” even if there is no actual name associated with it, making it likely to fall within CCPA’s scope.
CCPA-specific data mapping can be beneficial to your organization in helping it to know exactly what records and data it has on any and all individuals.
2. Assess Your Security and Fraud Prevention Processes
CCPA has security as well as compliance implications, which is of particular importance to financial institutions. In addition to penalties for non-compliance, consumers will have the right to bring lawsuits with respect to security breaches affecting their personal data. Under CCPA, consumers can collect from $100 to $750 for each event, or more if the damage is considered to be greater. This means that a breach impacting thousands of consumers or more can carry catastrophic penalties.
Ensure that your bank or credit union’s security processes and fraud prevention measures are up to date, well ahead of CCPA implementation. It’s also a good idea to evaluate privacy policies and notices that are part of other federal and state regulatory requirements specific to financial services. With the ever-increasing focus on privacy, it’s almost a certainty that regulators will start paying closer attention to adherence with other acts, such as GLBA and the California Financial Information Privacy Act (CalFIPA), in addition to CCPA.
In regard to fraud prevention, one of the most challenging and complex issues associated with CCPA relates to identity verification. At the heart of CCPA is a requirement to provide consumers with access to the personal information held on them by a company. To do so, organizations must engage in identity verification. The law states specifically:
“A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section.”
To complete such requests, financial institutions will need systems that can handle multiple identity verification (IDV) methods. They will also need to be able to detect and deter fraudulent requests, and to match the IDV method to the sensitivity of the data the consumer has requested.
Depending on how a given organization is structured, CCPA compliance may mean authenticating identities online, over the phone, in person, and even by postal mail, along with a combination of methods for two-factor authentication. Keep in mind that, in an era where organizations experience breaches routinely, fraudsters may use breached data already in their possession to initiate a verifiable consumer request and round out the data they hold on an individual.
The bottom line: Don’t let CCPA identity verification become a new point of entry for fraudsters.
3. Know That Compliance Impacts Valuable Brand Trust
There is an increasing correlation between data privacy and the ethical obligations of companies, and that correlation is one that financial marketers in particular should care about. When a bank or credit union experiences a data breach, it isn’t just a potential violation of CCPA and other statutes. Such incidents do great damage to both consumer trust and brand reputation. It can take marketers years to reestablish that trust and repair a brand’s image once tarnished.
There is a rising belief that organizations have a duty to protect sensitive personal data. This is especially true for banks and credit unions since consumers are not only trusting them with their data but with their finances as well. Failure to protect consumer data, or giving it away to the highest bidder, reflects poorly on any organization.
Where else privacy heat is rising
Other states are following California’s lead in drafting their own privacy regulations to give their citizens more control over personal data. Several bills are pending, including in New York (S5642), Massachusetts (S-120), Maryland (SB613), Hawaii (SB418), and South Dakota (HB1485).
Some of these regulations are more stringent than CCPA. For example, the Massachusetts Data Privacy Law states that its residents do not need to suffer a loss to bring a civil action (up to $750 per violation per customer). The New York Privacy Act applies to all businesses, with no revenue threshold such as CCPA’s ($25M).
At the federal level, some bipartisan headway was made earlier this year toward enacting a new federal law to protect online privacy. But as other contentious partisan issues confronted lawmakers, the momentum fizzled.