Editor's Note: This article is authored by John Rossman and Michael Etmund from the law firm Moss & Barnett, and is published here with permission from the authors.
The effective date of the California Consumer Privacy Act (CCPA) was January 1, 2020. Unfortunately, the California legislature rushed the CCPA into law with broad language and scant guidance. Further, it is presumed that consumer attorneys will target financial services companies – including banks, fintechs, automobile lenders, debt collectors and debt buyers – for alleged violations of the CCPA with individual and class action lawsuits brought under the Rosenthal Act or other provisions of State or Federal law. Thus, it is crucial that all financial services companies understand how to comply with the CCPA.
Your company is most likely not exempt from the CCPA
The CCPA applies to for-profit entities that:
- Generate annual gross revenue of $25,000,000; or,
- Alone, or in combination, annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or,
- Derive 50% or more of annual revenue from selling consumers’ personal information.
There is a common misperception that if a company complies with Federal privacy laws – such as GLBA or HIPAA – the company is exempt from complying with the CCPA. This is not entirely true. There are many categories of consumer information typically collected by financial services companies (such as biometric data and internet activity information) that are arguably not subject to GLBA and HIPAA. Thus, the handling of these categories of data for accounts otherwise covered by the GLBA or HIPAA would likely fall within the purview of the CCPA. Accordingly, the most efficient manner to service all data on such accounts would be to comply with the CCPA.
Devise Strategy to Respond to “Verifiable Consumer Requests” to Identify and Delete Data
Two of the key consumer protection features of the CCPA are the right of the consumer to request disclosure of what data is collected about the consumer and the right to request deletion of a consumer’s information. Companies should be ready to respond to such requests immediately. The law requires that a company respond to requests for categories of information or requests for deletion within 45 days, with one 45-day extension.
Please note that a company must only respond to a “verifiable consumer request.” Thus, it is crucial that a company be able to verify the consumer request before responding. Further, there are exemptions to the consumer’s right to require a company to delete information including:
- Data needed to complete a transaction;
- Data necessary to comply with legal obligations; and,
- Data to use in a lawful manner that is compatible with the context in which the consumer provided the information.
Every company should immediately have in place a strategy for responding to such consumer requests for disclosure and/or deletion in a manner that conforms to the law. If your company’s responses to consumer requests will be identical, templates for responding to consumer requests in writing and scripts for responding to consumer requests by phone are highly recommended to ensure consistency.
Author's Note: This article is provided only as a general discussion of legal principles and ideas. Every situation is unique and must be reviewed by a licensed attorney to determine the appropriate application of the law to any particular fact scenario. If you have a legal question, consult with an attorney. The reader of this publication will not rely upon anything herein as legal advice and will not substitute anything contained herein for obtaining legal advice from an attorney. No attorney-client relationship is formed by the publication or reading of this document. Moss & Barnett assumes no liability for typographical or other errors contained herein or for changes in the law affecting anything discussed herein.