Financial institutions that are grappling with how the European Union’s General Data Protection Regulation (“GDPR”) may impact their U.S. operations should also be keeping a close eye on the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA, or Assembly Bill (“AB”) No. 375, which was passed on June 28, 2018 and is set to take effect in 2020, mirrors some GDPR protections by providing California residents greater control over the dissemination of their personal data, including the option of barring companies from selling their data.
Financial institutions in the United States are well versed in dealing with privacy regulations, particularly given the obligations imposed by the federal Gramm-Leach-Bliley Act (“GLBA”) and the California Financial Information Privacy Act (“SB1”). Notably the CCPA does not include a blanket exception for financial institutions generally or for entities that comply with the GLBA or SB1. Moreover, with California being ahead of the pack in the area of consumer privacy, the national implications posed by the passage of the CCPA are abundant.
The current proposal includes an exemption for banking institutions and other small businesses that collect less than $25 million in annual gross revenue, which would likely exempt smaller banks and credit unions with less than $1 billion of assets; financial institutions that buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of less than 50,000 consumers, households, or devices; and financial institutions that derive less than 50% of its annual revenue from selling consumers’ personal information. As it stands, banking institutions operating in California that do not qualify for the exemptions would either have to create a separate process for handling the personal data of the state’s residents or apply the restrictive California standards nationwide. It is estimated that the CCPA will apply to more than 500,000 U.S. companies and has the potential to affect hundreds of thousands more companies worldwide.
The CCPA establishes several privacy rights for consumers, including the right to know what personal information is being collected; the right to know whether personal information is sold or disclosed and to whom; the right to say “no” to the sale of personal information; the right to access personal information; and, the right not to be charged extra for the exercise of any privacy rights created by the CCPA unless the entity can establish how the exercise of that right increases the cost of providing a good or service. Further, the CCPA would, in some circumstances, enable residents to bring a private right of action and sue businesses and to collect statutory damages of between $100 and $750 per consumer per incident, or actual damages if greater. For actions commenced by the Attorney General, the CCPA allows penalties to be imposed for intentional violations of any provision up to $7,500 per violation, or $2,500 for unintentional violations if the violation is not cured within 30 days of notice.
An industry coalition, led by the California Chamber of Commerce, sent the authors of AB No. 375 a 20-page letter in August 2018 expressing concerns regarding the quickly-passed legislation. The coalition, which includes the California Bankers Association, California Community Banking Network, and California Credit Union League, requested the removal of the privacy initiative from the November 2018 ballot and proposed amendments intended to address drafting errors and to fix aspects of the Bill that would be unworkable and result in unintended negative consequences. The proposed amendments were addressed to Assemblyman Ed Chau and Sen. Robert Hertzberg, who introduced the AB No. 375 and have committed to “technical fixes,” but the full scope the fixes are yet unclear. Reportedly, modifications will include a clean-up of the GLBA exemption. Broader amendments are expected to be proposed by industry groups in 2019. While the statute set a regulation implementation deadline of June 2019, and the current effective date for compliance with the CCPA is January 1, 2020, the California Attorney General, which has to promulgate significant regulations under the bill, has proposed pushing the regulation deadline back to July 2020, with a corresponding delay in effective date for compliance. Regardless of the ultimate implementation timetable, financial institutions wishing to be heard should act now.
An effective date of sometime in 2020 may seem sufficiently well in the future to delay serious consideration of the law’s requirements, but based on the last-minute flurry that accompanied the effective date of GDPR, financial institutions which will be potentially affected will have to evaluate promptly how the CCPA might impact their operations in order to be in a position to comply. This will include:
understanding what personal data is currently being collected;
mapping the flow of that data within the organization;
preparing an inventory of such data, including any information shared with third parties or vendors;
developing processes and procedures for responding to a consumer’s exercise of rights under the new law, including how to store, access and maintain records on consumers who may request information on how their data is being collected, used and shared, as well as demand to opt out of certain uses or sharing.
Understanding one’s own current practices in more granular detail, while daunting, will be essential for financial institutions to determine exactly how the CCPA will apply, and which policies and procedures or business practices will need to be updated.
For now, one thing is certain: financial institutions must to pay close attention to the CCPA, especially as it evolves. Most financial institutions almost certainly will need to put in place new privacy processes to provide California consumers with accurate disclosures regarding how their personal information is used or shared with others. Most critically, financial institutions will need to consider carefully whether they might wish to adopt across-the-board national processes to comply with California’s high bar.