CCPA: A Mortgage Manual

How the California Consumer Privacy Act (CCPA) impacts the mortgage industry and what lenders are doing to ensure compliance.


On New Year’s Day—January 1, 2020—we saw the California Consumer Privacy Act (CCPA) law go into effect. What’s next for the mortgage industry?

Now that we’ve familiarized ourselves with the new landscape of the CCPA requirements for service providers, we can get into some of the mortgage-related specifics. In this article, we’ll cover the direct impact of the CCPA on the mortgage industry and share how lenders are updating their processes, policies and procedures with the required elements.

How Does the CCPA Impact Mortgage Lending?

To briefly recap, the CCPA “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.”

The regulation becomes convoluted with the Gramm-Leach-Bliley Act (GLBA) and Fair Credit Reporting Act (FCRA) requirements already in place. Hence, mortgage lenders will experience the CCPA differently in that not all personal information collected is subject to the California privacy law.

Let’s examine the GLBA and FCRA, and whether or not CCPA exemptions apply.

Does the GLBA Exemption Apply?

The GLBA, a law that requires financial institutions to share their data-protection practices, is not exempt from the CCPA. However, for personal information that is “collected, processed, sold, or otherwise disclosed pursuant to the GLBA,” the exemption does apply.

Paula Tuffin, General Counsel and Chief Compliance Officer at Better, told National Mortgage News that the “CCPA refers to ‘personal information’ while GLBA refers to the more narrowly defined nonpublic information and personally identifiable financial information.”

According to Davis Wright Tremaine LLP, the following types of personal information are not exempt under the GLBA:

  • General advertising and online marketing
  • Information procured via non-financial institution partners
  • Information shared with, or procured from, an affiliate resource

Understanding the FCRA Exemptions

The FCRA exemption is limited and applies only when personal information in a consumer report is:

  • Sold to or from a consumer reporting agency
  • Used to generate consumer reports
  • Secured under the FCRA

Credit reporting agencies, and businesses that qualify as a ‘furnisher’ (one who provides consumer report information to a consumer reporting agency) or a ‘user’ (a third-party recipient of the consumer report information), are exempt.

How to Implement CCPA

The BeSmartee team is actively working with clients to go live with CCPA compliant elements.

For California lenders who have shown readiness to address the regulations, “we will be adding language and disclosures, but we have not done it across the board, as the law only applies to those in California who meet the threshold,” said Corey Johnson, Chief Compliance Officer at BeSmartee.

The screenshot below is an example of a client who added a disclosure button that lets consumers decide whether or not they want their personal information sold, satisfying best practices for usage and management of consumer personal information.

[Screenshot: client usage of CCPA required elements]

Already in the process of implementing the privacy law? We’ve provided a CCPA compliance checklist that includes six critical measures:

[Image: CCPA compliance checklist]

An accountability approach is crucial here, as the CCPA allows up to 45 days to act after a data breach or be faced with a fine for failure to comply with requirements. Don’t forget, a security incident under the CCPA can cost your business up to $7,500 per day.

Get started by asking yourself whether you offer an online application. If your answer is ‘yes,’ consider building a disclosure/opt-out link into the footer of your homepage, and/or updating your privacy policy to include detailed information describing where you are collecting data from and how you are managing it.

To learn more about how BeSmartee can help you implement CCPA changes, email