With less than two months
before the effective date of the California Consumer Privacy Act (CCPA), banks
should ensure their operational and reporting processes will be in compliance.

CCPA is a wide-scope law written for modern durability and goes beyond traditional definitions of personal information. The act goes into effect on Jan. 1, 2020, and applies to institutions if they do business in California or collect the personal information of California residents for activities outside of Gramm-Leach-Bliley Act.

Your bank may need to
follow CCPA rules if it collects the personal information of California
residents unrelated to providing financial products or services and satisfies
other applicable provisions of CCPA regarding annual gross revenue, the aggregate
possession of personal information, or revenue derived from the sale of
personal information. (The exemption for institutions collecting information
within the Gramm-Leach-Bliley Act remains in place.)

It defines personal
information as information that identifies, relates to, describes, is capable
of being associated with, or could reasonably be linked, directly or
indirectly, with a particular consumer or household.

This goes beyond traditional definitions of personal information, which in the past has referred to data like account balances or credit scores. CCPA’s personal information includes a range of technology markers that can identify a consumer, like internet protocol addresses, biometric information, geolocation data, and electronic activity, like browsing and search history.

This definition of
personal information doesn’t end with your consumers’ digital fingerprints. It
also includes data profiles created using this collected personal information. Its
definition of “collects” includes buying, renting, gathering, obtaining,
receiving, or assessing any personal information pertaining to a consumer by
any means. This includes receiving information from the consumer, either actively
or passively, or by observing the consumer’s behavior.

This means that any inferences
that your bank draws from any of the information identified in CCPA that distinguishes
consumers based on their preferences, predispositions, behavior, attitudes,
aptitudes, and so on should be considered “collected personal information.”

Compliance begins with knowledge. Banks will need to coordinate with their IT department to determine what types of personal information they collect that are not exempted by the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act. They will also need to ensure that they can track when the data was collected or created to comply with the CCPA 12-month information lookback requirement.

Once they’ve determined their
bank’s collection practices, banks will need to ensure they have processes in
place to demonstrate compliance with CCPA’s rules for notification, access,
opt-out, and deletion of applicable data upon consumer request.

Notification: Consumers need to know what personal
information banks collect on them, if that information is sold or disclosed,
and to whom it is sold or disclosed. Banks should review their Privacy Policy
disclosures and other documents that contain California-specific descriptions
of consumers’ privacy rights and make modifications as necessary. Banks are
required to inform new and existing consumers of the categories of personal
information collected, and the purposes for which this information is to be
used, before or at the time it is collected.

Access and Deletion: Bank may need a toll-free phone
number and website, if applicable, to facilitate consumers’ information requests.
They may also need appropriate operations to verify and process consumer requests,
as well as how the personal information from only the preceding 12 months will
be provided to the consumer or deleted, depending on the consumer request. This
should be managed in a way that provides the bank with the appropriate
framework for demonstrating compliance.

Opt-Out: Bank websites must maintain a link
titled “Do Not Sell My Personal Information” that allows consumers to opt out
of the sale of their information. Banks must have processes in place to support
this opt-out, including mechanisms for notifying service providers to delete
the consumer’s personal information from their records when requested. Additionally,
they need to make sure that they can not only fulfill opt-out requests, but also
demonstrate compliance with this opt-out provision of CCPA.

Digital data management should
already be part of a bank’s business strategy. CCPA compliance could be an opportunity
to more fully examine your bank’s operations in consumer data tracking and


Kevin Polinsky