With CCPA in Effect, What Does the Financial Industry Need to Know to Comply?
Happy Data Privacy Day from the Quarles & Brady Data Privacy & Security Industry Team!
We have rung in the New Year and the California Consumer Privacy Act (“CCPA”) has been in effect for twenty-eight days. The CCPA is the most comprehensive consumer-directed data privacy law in the United States to date. For background, please see our previous article for a summary of the CCPA.
The California Attorney General’s office, in its January 6 Advisory and fact sheet, makes clear that it will focus its enforcement efforts on consumer rights. As stated by California Attorney General Xavier Becerra: “knowledge is power, and in today’s world knowledge is derived from data. When it comes to your own data, you should be in control. In California we are rebalancing the power dynamic by putting power back in the hands of consumers.” The fact sheet also quantifies the incredible value of personal information, noting that CCPA will protect over $12 billion worth of personal information used for advertising in California each year.
Now that companies have breathed a collective sigh of relief after updating their website privacy policies, they need to stay alert to more changes coming down the road. Here are a few considerations for your Data Privacy Day, whether you are a CCPA beginner or a CCPA expert:
1. It Is Never Too Late To Work on CCPA Compliance
While the CCPA became effective on January 1, 2020, it is not too late to assess whether it applies to your business and to create a roadmap to compliance. First, determine whether your business is governed by CCPA.
- CCPA applies to you if you are (1) a for-profit business that does business in California that (2) collects California residents’ personal information and (3) meets at least one of the following thresholds: (a) has more than $25 million in revenue; (b) buys, receives, or shares personal information of 50,000 or more consumers, households, or devices; or (c) derives 50% or more of annual revenues from selling California consumers’ personal information.
- Even if your business is not governed by CCPA, your customers may be asking you to amend your services agreement to address CCPA compliance.
In the event you conclude that you are subject to CCPA, you can begin to chart the course for CCPA compliance in light of the unique circumstances of your business. As a reminder, consider including the following steps in your journey:
- Educate. Know your obligations and be alert to changing requirements.
- Project Roadmap. Create a plan to achieve compliance with CCPA.
- Data Map. Identify what personal information you collect, why it is collected, where it is stored, and with whom it is shared. Determine if your data is subject to any exemptions (more on this below).
- Do Not Sell Link. Create a "Do Not Sell My Information" link on your website to allow California residents to opt out of the sale of their personal information.
- Process for Responding to Consumer Requests. Create an efficient system for handling consumer rights requests.
- Train. Train employees on how to handle personal information and consumer requests.
- Data Security. Ensure the security of personal information to avoid breaches and security incidents, which may be actionable under a new private right of action for affected California residents. Make sure you have an incident response plan and follow it.
- Update your Service Provider Contracts. Evaluate your upstream and downstream contracts with third-party service providers and modify the underlying agreements for CCPA compliance.
- Do Not Look at CCPA in a Vacuum. Consider how compliance with CCPA obligations interplays with existing obligations under regulations specific to the financial services industry (e.g., the Bank Secrecy Act, the California Right to Financial Privacy Act, and the Federal Right to Financial Privacy Act).
2. The CCPA Proposed Regulations Will Soon Become Law
Businesses will also need to be agile in responding to additional compliance obligations which arise under the CCPA regulations. The California Attorney General issued a series of proposed regulations on October 11, 2019, which further expand compliance obligations under CCPA. The proposed regulations are in the comment period, and we expect to see final regulations in the next few months.
There are several provisions which are garnering a great deal of attention, including the requirement of a "Do Not Sell" button (being designed by the AG’s office), "just-in-time" notices on the website each time the company places cookies, and whether privacy policies apply to both offline and online activities.
3. Take Advantage of Exceptions For the Financial Services Industry
CCPA offers exemptions for data that is subject to the Gramm-Leach-Bliley Act (“GLBA”), the California Financial Information Privacy Act (“CalFIPA”), and the Fair Credit Reporting Act (“FCRA”).
CCPA exempts personal information subject to the GLBA and CalFIPA to the extent that the personal information is collected, processed, sold, or disclosed pursuant to those laws (because the GLBA and CalFIPA regulate sharing of personal information of individuals seeking to obtain a financial product or service). Similarly, because FCRA was enacted to promote the accuracy, fairness, and privacy of consumer information used for certain sensitive purposes, CCPA exempts the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, by a furnisher of information who provides information for use in a consumer report, and by a user of a consumer report.
These exceptions do not provide a wholesale carve-out for all data collected and used by financial institutions. For example, personal information collected by financial institutions that relates to services other than consumer financial products is not exempt from CCPA compliance, though in some cases there may be a separate temporary exception available (e.g., the B2B moratorium described below).
Data outside the scope of the GLBA, CalFIPA, and FCRA are often collected by financial institutions in conjunction with other non-exempt data, including personal information related to website browsing data, geolocation, data collected as part of marketing activities, or data collected when an investor downloads an annual report.
Financial institutions should assess whether and how to segment data subject to CCPA from data that is exempt from CCPA (e.g., due to regulation under the GLBA, CalFIPA, or FCRA). Most financial institutions will need to comply with certain portions of CCPA, including notice, disclosure, and opt out obligations. Moreover, the financial industry exemptions do not apply to the CCPA’s private right of action for damages arising from data breaches.
4. Look for More Amendments to CCPA
We have every reason to believe that there will be more amendments to CCPA introduced in 2020. One member of the California legislature has already introduced an amendment designated as an "urgency statute," which means it will take effect immediately after it is signed by the California Governor.
5. Expect Constitutional Challenges to CCPA
While it is early in 2020, legal commentators are already expecting that there will be multiple constitutional law challenges to the CCPA. In particular, commentators seem to agree that the statute may be vague and/or that the statute violates the dormant commerce clause.
6. Get Ready to Respond to Consumer Requests under CCPA
Yes, Virginia, you will quickly move past the legal theory into the reality of having to respond to real, live requests from real-life consumers. The California legislature gave California consumers a number of rights with regard to their personal information under CCPA, including: the right to request deletion, the right to access, the right to know, and the right to opt out of the sale of personal information. The right to opt out of the sale of personal information does not just cover sale in the traditional sense, but also sharing such personal information with another party for monetary or other valuable consideration.
These early requests present a great opportunity for companies to test their internal processes to ensure that they are responding in an accurate and timely manner. Make sure your company:
- Meets the time frames for response.
- Confirms the identity of a requestor before making a substantive response.
- Has a process for recording requests and responses.
- Is familiar with the exemptions under which deletion is not required despite a consumer request.
7. Employee Data Is Exempt, But Maybe Not For Long
CCPA currently provides a temporary exemption – until January 2021 – with regard to the collection of employee data, including personal information derived from job applicants, employees, and contractors. However, despite the moratorium, businesses must still comply with certain CCPA obligations, including:
- Informing job applicants and employees about the categories of personal information to be collected (again, at or before the point of collection); and
- Implementing reasonable security procedures and practices with regard to employee data (note that businesses may still be subject to a private right of action from employees for unauthorized access and exfiltration, theft, or disclosure of their unsecured data).
We are confident this topic is going to be the subject of much debate over the course of 2020, so businesses should be giving further consideration to how to be ready to respond if this exemption expires.
8. Business-to-Business Data Is Also Exempt For Now
Like employee data, personal information collected from employees and contractors of business customers, suppliers, and vendors acting in their business capacity, i.e., business-to-business (“B2B”) data, is also subject to a temporary moratorium on most CCPA requirements. This moratorium is also giving businesses a temporary reprieve for B2B data until January 1, 2021. Those of you doing business in the EU already know how complicated life becomes when B2B personal information is subject to privacy law restrictions, so we expect this will also be the subject of much debate in 2020.
Stay tuned as we address what’s next for other states in our next article. Remain nimble and ready to adapt to an evolving law in California and similar but different consumer privacy laws in other states (e.g., Maine, Nevada, New York, Washington, and Wisconsin) with more on the horizon in 2020.
For questions about CCPA compliance or your data privacy and security program generally, please contact your Quarles & Brady attorney or