Three Steps Every Company Must Take Today to Avoid CCPA Class Action Liability


ACA International member attorney provides best practices for compliance with the new California data privacy law.

1/7/2020 11:30

By Michael T. Etmund

The effective date of the California Consumer Privacy Act (CCPA) was Jan. 1, 2020. Unfortunately, the California legislature rushed the CCPA into law with broad language and limited guidance. Further, it is presumed that consumer attorneys will target financial services companies—including banks, fintechs, automobile lenders, debt collectors and debt buyers—for alleged violations of the CCPA with individual and class action lawsuits brought under the Rosenthal Act or other provisions of state or federal law. Thus, it is crucial that all financial services companies understand how to comply with the CCPA. 

Your company is most likely not exempt from the CCPA.

The CCPA applies to for-profit entities that:

  1. Generate annual gross revenue of $25 million; or, 
  2. Alone, or in combination, annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or,
  3. Derive 50% or more of annual revenue from selling consumers’ personal information.

There is a common misperception that if a company complies with federal privacy laws—such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA)—the company is exempt from complying with the CCPA. This is not entirely accurate. There are many categories of consumer information typically collected by financial services companies (such as biometric data and internet activity information) that are arguably not subject to the GLBA and HIPAA. The handling of these categories of data for accounts otherwise covered by the GLBA or HIPAA would likely fall within the purview of the CCPA. Accordingly, the most efficient manner to service all data on such accounts would be to comply with the CCPA.

Your company website should be updated immediately to reflect a CCPA-compliant privacy policy.

While the inclusion of a privacy policy on a company’s website is a best practice for businesses, the CCPA requires disclosures to consumers regarding at least 11 categories of personal consumer information. In addition, the CCPA requires a company to disclose its policies regarding gathering, sharing, retaining and deleting information, as well as California consumers’ rights regarding the data.

The first step in drafting a CCPA-compliant privacy policy is to map the categories of data maintained by your company and the sources of that data. The completed data mapping will provide the information necessary to begin crafting a CCPA-compliant privacy policy and will provide an opportunity for your company to evaluate the data it collects and the utility of that data. 

Devise a strategy to respond to “verifiable consumer requests” to identify and delete data.

Two of the key consumer protection features of the CCPA are the right of the consumer to request disclosure of what data is collected about that consumer and the right to request deletion of the consumer’s information. Companies should be ready to respond to such requests immediately. The law requires that a company respond to requests for categories of information or requests for deletion within 45 days, with one 45-day extension.

Please note that a company must only respond to a “verifiable consumer request.” Thus, it is crucial that a company be able to verify the consumer request before responding. There are exemptions to the consumer’s right to require a company to delete information, including:

  • Data needed to complete a transaction; 
  • Data necessary to comply with legal obligations; and,
  • Data used in a lawful manner that is compatible with the context in which the consumer provided the information.

Every company should immediately have a strategy in place for responding to such consumer requests for disclosure and/or deletion in a manner that conforms to the law. Even though an individual review of each consumer request is required, if your company anticipates that its responses to consumer requests will be identical, templates for responding to consumer requests in writing and scripts for responding to consumer requests by phone are highly recommended to ensure consistency.

Michael T. Etmund is an ACA International member and attorney with Moss & Barnett in Minneapolis.

Author's Note: This article is provided only as a general discussion of legal principles and ideas. Every situation is unique and must be reviewed by a licensed attorney to determine the appropriate application of the law to any particular fact scenario. If you have a legal question, consult with an attorney. The reader of this publication will not rely upon anything herein as legal advice and will not substitute anything contained herein for obtaining legal advice from an attorney. No attorney-client relationship is formed by the publication or reading of this document. Moss & Barnett assumes no liability for typographical or other errors contained herein or for changes in the law affecting anything discussed herein. 
