As if the financial sector did not already have to deal with enough compliance regulations, it has now been subject to a patchwork of privacy regulations across all 50 U.S. states and, of course, the rest of the globe if you are part of a multi-national company. The much-anticipated California Consumer Privacy Act (CCPA) is now in force as of July 1 of 2020, and a couple of dozen other states are entertaining their own privacy regulations, each with their own bent.
This post provides an overview of the most salient and impactful CCPA requirements and some of the peculiarities contained within.
Before jumping into the specifics of the CCPA, let’s recap why CCPA is so significant.
As noted in an article this author co-wrote with Professor John Rothchild of Wayne State University Law School for a Business Law Today article:
When it comes to privacy legislation in the United States, there is no single statute you can consult to provide the needed advice. In the United States, the law of privacy is commonly referred to as “sectoral,” meaning that there is no overarching legal regime covering privacy generally, but rather a series of federal laws (and, often, accompanying regulations) each governing a particular subject matter. Nor is privacy protection in the United States exclusively at the federal level: federal law does not generally preempt state privacy laws, and state legislatures have not been shy about enacting their own regulations of privacy.
This is where California comes in.
CCPA is, to date, the most expansive and far-reaching omnibus privacy law enacted by any state, made more significant by the fact that it represents the 5th largest economy in the world.
The CCPA grants consumers more control over and understanding of their personal information. It defines personal information broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household.”
To put it simply: any piece of data that could be linked or associated with a person in California must be given special treatment to ensure CCPA compliance.
Seemingly innocuous data such as cookies accessed from a user’s computer, or incidental demographic data collected when a visitor goes to a business website, would fall under this definition.
Perhaps most unique to CCPA, a business cannot discriminate against a consumer who opts out of the sale of their personal information.
If this opt-out is selected, businesses are prohibited from discriminating against consumers for exercising this right. Prohibited discrimination could include charging a different price for consumers who opt out, or for attempting to provide a different or lower quality of goods or services for doing so. That said, businesses may offer financial incentives to collect the consumers’ personal information.
Additionally, unless consumers under the age of 16 specifically and affirmatively opt in, businesses are prohibited from selling their personal information. Consumers between the ages of 13 and 16 years may opt in without parental authorization, but parents must provide authorization for consumers under the age of 13. While the California Attorney General will enforce the CCPA, consumers also have a private right of action to sue for the unauthorized access and exfiltration, theft, or disclosure of their nonencrypted or nonredacted personal information.
California has a ballot initiative (the California Privacy Rights Act) scheduled for a vote on November 3, 2020 which delves deeper into the rights of consumers. Should CPRA pass, a new and perhaps deeper analysis of the issue will be warranted.
This post was excerpted from our whitepaper, A Plethora of Privacy Laws: IG Challenges for Financial Sector. Click here to download.