If you’re unfamiliar with the California Consumer Privacy Act (CCPA), you might want to stop catching up on email you missed over the holiday and focus on this new regulation. Here are a few highlights of California’s new law, which went into effect yesterday.
CCPA grants California residents new rights when it comes to their data and privacy. Essentially, this group of consumers is now entitled to know what data businesses collect about them, where that data was obtained, how the business plans to use it, who it has been shared with, and whether it will be sold.
Here are some takeaways of what fintechs need to know now that the new rule has taken hold:
What’s required of you
Essentially, California consumers have the right to receive a report of their personal information that a business has collected on them for the past year, the right to have that data deleted, and the right to limit the sale of their data to third parties.
All of this means that in addition to tracking consumer data, businesses are also responsible for reporting where the data came from and where it’s going.
CCPA may not apply to you
The state of California has almost 40 million residents, and if you’re conducting business in the U.S., you likely have clients there. And even if you don’t, CCPA grants the new privacy rights to all California residents as defined by income tax, even if they are not currently living in the Sunshine State. In contrast, those living in California but paying income tax in another state are not covered by CCPA.
That said, there’s still a chance CCPA won’t apply to you. Businesses with gross annual revenues less than $25 million, or those that deal with personal information of fewer than 50,000 consumers, or businesses that generate less than 50% of their annual revenue from selling consumers’ personal information are exempt.
Heads up: you could be sued
Data breaches are almost always costly, and CCPA will add to the expense. If a consumer notifies a business that it has improperly handled their data and the business doesn’t rectify the issue within 30 days, the consumer has a right to sue for damages in the amount of $100 to $750 per incident, injunctive or declaratory relief, or another remedy deemed suitable by the court.
On top of that, if a business experiences a data breach, sells consumer data without permission, or retains data after the consumer requested it to be deleted, the Attorney General has a right to charge violators $2,500 to $7,500 for each consumer data file involved.
CCPA may go federal
As you plan out methodologies to document data collection, usage, and distribution, don’t limit your systems to Californians. The privacy act may eventually be escalated to the federal level, so plan your data protocols around all of your U.S. clients.
Just because you’re GDPR compliant doesn’t mean you comply with CCPA
The U.K.’s General Data Protection Regulations (GDPR) went into effect in May of 2018. But just because you’ve mastered your compliance strategy for GDPR doesn’t mean you can rest easy when it comes to CCPA.
On the contrary, there are a handful of differences between the two, as outlined by Pillsbury Law:
- The coverage group
- The privacy policy disclosures
- The breadth of disclosure rights
- The data disclosures and deadlines
- The right to opt-out
- The explicit protection against discrimination
For a more in-depth look into the differences, I highly recommend taking a look at Pillsbury Law’s piece.
Identity verification may be an issue
A user may request access to all of his data, but how do you ensure he is indeed who he says he is and not a criminal? Furthermore, how do you ensure he is a California resident?
According to IDology COO Christina Luttrell, “If GDPR is an indicator of how CCPA will unfold, then businesses need to consider how criminals can and will exploit subject access requests.”
Luttrell went on to explain, “The organizations that will be well positioned to complete CCPA-related requests are the ones that understand the facets of CCPA identity verification (IDV) and adopt IDV systems that scale and automate, are secure and easily integrated, and have multiple IDV methods that will satisfy consumer needs.”
You may be late but you’re not too late
In the event a business violates the CCPA, it has additional time before fines and enforcement take hold due to the 30-day period to cure noncompliance.
If a business can fix a problem with its privacy compliance and follow the procedures set forth in the law to do so, then it hasn’t violated the law and will not be subject to a lawsuit for the failure to comply.