Many financial organizations are under the impression that they are not required to comply with the California Consumer Privacy Act (CCPA) because their data privacy practices are already regulated by several federal and state laws, including the California Financial Information Privacy Act (CalFIPA), the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA) of 1999. This is an incorrect assumption.
The confusion stems from a clause of CCPA that exempts personal information (PI) already regulated by certain federal and state laws, including CalFIPA, FCRA, and GLBA. While FCRA is generally aligned with the scope of data covered by CCPA, GLBA and CalFIPA are narrower in scope and apply only to the following types of data when they are collected, processed, sold, or disclosed:
- PI that a consumer provides to obtain a financial product or service
- Data resulting from transactions involving a financial product or service with a consumer
- Data that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer
Many banks, insurance companies, and investment funds have interpreted the clause to mean that they are completely exempt from CCPA, but the exemption applies only to those types of data within their care. It is not a wholesale exemption for the entire company. CCPA covers a much wider range of information than just financial information, and it focuses on the ability of PI to identify its owner rather than on how that data was gathered.
This means that PI collected for non-financial reasons, such as IP addresses collected for marketing purposes, is subject to regulation by CCPA. In practice it may not be feasible to separate exempt and non-exempt sets of data, so financial organizations should create data privacy policies and protocols aligned with the more comprehensive standards set forth by CCPA (and, where applicable, the European General Data Protection Regulation) while still adhering to the standards of CalFIPA and GLBA.
Given that financial institutions are not exempt from the private right of action granted to consumers by CCPA, erring on the side of broader compliance seems to be the most prudent course of action.
Governance professionals looking for a guide to CCPA compliance should start here. In general, however, there are four distinct rights that individuals can exercise under CCPA, and financial institutions need to be prepared to provide them. These rights are:
1.) The right to know what personal data is being collected, stored, and sold
2.) The right to delete personal data
3.) The right to opt-out of data collection or sale
4.) The right against discrimination for choosing to exercise the first three rights
In addition to being prepared to comply with these consumer rights, companies should review existing security protocols and take action to provide reasonable measures against breaches. Contracts with vendors should be reviewed and audited for compliance, and record retention policies and protocols should be reviewed through the lens of CCPA compliance. With more data privacy laws on the way, financial organizations should be prepared to adapt quickly and constantly.