How to Prepare for California’s New Privacy Rules

With less than two months before the effective date of the California Consumer Privacy Act (CCPA), banks should ensure their operational and reporting processes will be in compliance.

CCPA is a wide-scope law written for modern durability and goes beyond traditional definitions of personal information. The act goes into effect on Jan. 1, 2020, and applies to institutions if they do business in California or collect the personal information of California residents for activities outside of the Gramm-Leach-Bliley Act.

Your bank may need to follow CCPA rules if it collects the personal information of California residents unrelated to providing financial products or services and satisfies other applicable provisions of CCPA regarding annual gross revenue, the aggregate possession of personal information, or revenue derived from the sale of personal information. (The exemption for institutions collecting information within the Gramm-Leach-Bliley Act remains in place.)

The act defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

This goes beyond traditional definitions of personal information, which in the past has referred to data like account balances or credit scores. CCPA’s personal information includes a range of technology markers that can identify a consumer, like internet protocol addresses, biometric information, geolocation data, and electronic activity, like browsing and search history.

This definition of personal information doesn’t end with your consumers’ digital fingerprints. It also includes data profiles created using this collected personal information. Its definition of “collects” includes buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

This means that any inferences that your bank draws from any of the information identified in CCPA that distinguishes consumers based on their preferences, predispositions, behavior, attitudes, aptitudes, and so on should be considered “collected personal information.”

Compliance begins with knowledge. Banks will need to coordinate with their IT department to determine what types of personal information they collect that are not exempted by the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act. They will also need to ensure that they can track when the data was collected or created to comply with the CCPA 12-month information lookback requirement.

Once a bank has determined its collection practices, it will need to ensure it has processes in place to demonstrate compliance with CCPA’s rules for notification, access, opt-out, and deletion of applicable data upon consumer request.

Notification: Consumers need to know what personal information banks collect on them, if that information is sold or disclosed, and to whom it is sold or disclosed. Banks should review their Privacy Policy disclosures and other documents that contain California-specific descriptions of consumers’ privacy rights and make modifications as necessary. Banks are required to inform new and existing consumers of the categories of personal information collected, and the purposes for which this information is to be used, before or at the time it is collected.

Access and Deletion: Banks may need a toll-free phone number and, if applicable, a website to facilitate consumers’ information requests. They will also need appropriate operations to verify and process consumer requests, and to either provide to the consumer or delete the personal information from only the preceding 12 months, depending on the request. This should be managed in a way that gives the bank an appropriate framework for demonstrating compliance.

Opt-Out: Bank websites must maintain a link titled “Do Not Sell My Personal Information” that allows consumers to opt out of the sale of their information. Banks must have processes in place to support this opt-out, including mechanisms for notifying service providers to delete the consumer’s personal information from their records when requested. Additionally, they need to make sure that they can not only fulfill opt-out requests, but also demonstrate compliance with this opt-out provision of CCPA.

Digital data management should already be part of a bank’s business strategy. CCPA compliance could be an opportunity to more fully examine your bank’s operations in consumer data tracking and usage.