With all the talk surrounding the California Consumer Privacy Act (CCPA), we wanted to offer a synopsis of how the data privacy bill stacks up—who it applies to and who is required to comply, what exactly it entails, and where to go from here.
What is the CCPA?
Enacted in June 2018, the CCPA is enforced by the California attorney general (AG), Xavier Becerra, and is intended to give consumers stronger data privacy rights.
As a California consumer, think more ownership, control and security of your personal information (PI).
As a for-profit business that falls under a certain criteria, think extensive training on strict policies and procedures, outlining exactly how you’re collecting consumer PI and what you’re doing with it.
Slated to go into effect January 1, 2020—yes, that’s in two weeks—the privacy law “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.”
A grace period is anticipated, with enforcement expected to begin in July 2020.
Who Does the CCPA Apply to and Who is Obligated to Comply?
The CCPA applies to California consumers.
For-profit businesses who do business in California or with California residents are obligated to comply.
More specifically, the word ‘business’ is defined as one that “does business in California, controls the collection or processing of the PI of California residents” and meets one or more of the following criteria:
- Has annual gross revenues of more than $25 million;
- Buys, receives, sells or shares the PI of 50,000 or more consumers, households or devices annually;
- Generates 50% or more of its annual revenue from selling the PI of California consumers.
Keep in mind that even if your business isn’t physically located in California, you are required to comply if you do business with California residents, directly or indirectly. According to Fox Rothschild LLP, a business can be indirectly required to comply if it “controls or is controlled by an entity that meets the above criteria and shares common branding with that entity.”
So, what is ‘personal information’ (PI)? PI is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
According to Dickinson Wright LLP, PI includes:
- Personal identifiers, such as a real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a California resident’s interaction with an internet web site, application, or advertisement;
- Geolocation data;
- Biometric information;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information; and
- Education information.
What Does the CCPA Law Entail?
Essentially, consumers will be afforded new privacy rights to their data, including the right to:
- Know who is collecting their PI, how it’s being used and who it’s shared with;
- Control how their PI is collected, used and shared;
- Access their PI to correct or delete it;
- Utilize self-serve tools to make PI requests;
- Not be penalized for making requests for their PI;
- Hold businesses accountable for failing to protect their PI; and
- Benefit from businesses’ use of their PI.
How Does the CCPA Compare with the General Data Protection Regulation (GDPR)?
Often referred to as “GDPR Lite,” the CCPA gives consumers the right to opt out of the sale of their data, whereas the GDPR requires opt-in consent before data is collected.
If you’re already equipped to comply with the GDPR, you can leverage that work when preparing for the CCPA.
Businesses will now be responsible for following the chain of custody of their data, so auditing your website to determine where PI originates and how you manage it is a good way to align with best practices.
Below are some considerations:
- What kind of PI are you collecting?
- What is the source of the PI and is it coming through third-party providers?
- How is the PI collected?
- Where is the PI being stored?
- How is the PI deleted?
- How is the PI being used?
- Was the PI sold?
Additionally, creating new processes for documenting and handling consumer requests will be a critical component in operationalizing CCPA compliance.
For example, offer two methods by which a consumer can contact your business to request information about their data, and ensure that every request is handled within the mandated 45-day window:
- Provide a 1-800 phone number or email address
- Have a dedicated privacy, administrative or customer service employee managing communication and requests
The CCPA is still open to interpretation, and the law is likely to be refined further until the AG issues enforcement rules; however, it should be noted that the CCPA is enforceable both by the AG for the State of California and by private litigants. Unintentional violations are subject to $2,500 fines, while intentional violations are subject to $7,500 penalties.
We’ve only scratched the surface of how the CCPA will impact the mortgage industry. For instance, how it relates to the Gramm-Leach-Bliley Act (GLBA) and to the new ballot measure—or ‘CCPA 2.0’—the California Privacy Rights and Enforcement Act (CPREA), which we will cover in Part II of this series.