
Financial Outsourcing Solutions


FOS Blog

20 Dec 2019

WHAT DOES CALIFORNIA LAW HAVE TO DO WITH THE EAST COAST?


The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and becomes effective on January 1, 2020. This law creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It was developed because, in this age of technological advances, “privacy” has not kept pace with technology. Consumers are largely unable to control the collection and use of their personal information that’s stored with businesses. Cybersecurity breaches have shone a bright light on this need.

It’s a California regulation, so what does it have to do with Pennsylvania, New York, New Jersey, Maryland, and Delaware? It has far-reaching applicability and affects financial institutions in any state. It gives consumers the right to take control of their information; to know how it’s collected, used, and shared; and to have businesses delete it and stop selling it. If an institution is affected by the regulation, it must also provide disclosures and notices and meet requirements for responding to consumer requests.

So, how do I know if my bank is subject? California has provided a quick Fact Sheet at https://oag.ca.gov/system/files/attachments/press_releases/CCPA%20Fact%20Sheet%20%2800000002%29.pdf but the one criterion that banks should be concerned about is that “Business” is defined as one that has annual gross revenues in excess of twenty-five million dollars ($25,000,000). It is not based on asset size but rather on income. A small bank of less than $1 billion in assets could have sufficient revenue to make it subject to this new law. A “Consumer” means a natural person who is a California resident. And the definition for “Personal Information” (different from the GLBA definition for personally identifiable information) is very broad – it identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. So, to tie these definitions together – CCPA grants “consumers” new rights relating to the access to, deletion of, and sharing of “personal information” collected by “businesses.”

California is not the only state designing privacy controls.  Several other states are in various stages of writing their own similar laws.  This is a topic worth keeping an eye on!

So, it’s time to take stock.  Do you do business with California residents?  Does your institution meet the coverage thresholds?  Review what information you collect and how you use it.  Perform data mapping – how does customer information enter your business?  How do you use it?  How does it leave your business?  Even if you’re not subject to the California rules, you may become subject to other states’ rules as they continue to develop.  Be prepared to respond.

For additional information, contact the author at edehmey@fosaudit.com.
