ACA International member attorney provides best practices for compliance with the new California data privacy law.
By Michael T. Etmund
The effective date of the California Consumer Privacy Act (CCPA) was Jan. 1, 2020. Unfortunately, the California legislature rushed the CCPA into law with broad language and limited guidance. Further, it is presumed that consumer attorneys will target financial services companies—including banks, fintechs, automobile lenders, debt collectors and debt buyers—for alleged violations of the CCPA with individual and class action lawsuits brought under the Rosenthal Act or other provisions of state or federal law. Thus, it is crucial that all financial services companies understand how to comply with the CCPA.
Your company is most likely not exempt from the CCPA.
The CCPA applies to for-profit entities that:
- Generate annual gross revenue of $25 million; or,
- Alone, or in combination, annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or,
- Derive 50% or more of annual revenue from selling consumers’ personal information.
There is a common misperception that if a company complies with federal privacy laws—such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA)—the company is exempt from complying with the CCPA. This is not entirely accurate. There are many categories of consumer information typically collected by financial services companies (such as biometric data and internet activity information) that are arguably not subject to the GLBA and HIPAA. The handling of these categories of data for accounts otherwise covered by the GLBA or HIPAA would likely fall within the purview of the CCPA. Accordingly, the most efficient manner to service all data on such accounts would be to comply with the CCPA.
Devise a strategy to respond to “verifiable consumer requests” to identify and delete data.
Two of the key consumer protection features of the CCPA are the right of a consumer to request disclosure of what data is collected about that consumer and the right to request deletion of the consumer’s information. Companies should be ready to respond to such requests immediately. The law requires that a company respond to requests for categories of information or requests for deletion within 45 days, with one 45-day extension.
Please note that a company must only respond to a “verifiable consumer request.” Thus, it is crucial that a company be able to verify the consumer request before responding. There are exemptions to the consumer’s right to require a company to delete information, including:
- Data needed to complete a transaction;
- Data necessary to comply with legal obligations; and,
- Data to use in a lawful manner that is compatible with the context in which the consumer provided the information.
Every company should immediately have a strategy in place for responding to such consumer requests for disclosure and/or deletion in a manner that conforms to the law. Even though an individual review of each consumer request is required, if your company anticipates that its responses to consumer requests will be identical, templates for responding to consumer requests in writing and scripts for responding to consumer requests by phone are highly recommended to ensure consistency.
Michael T. Etmund is an ACA International member and attorney with Moss & Barnett in Minneapolis.
Author's Note: This article is provided only as a general discussion of legal principles and ideas. Every situation is unique and must be reviewed by a licensed attorney to determine the appropriate application of the law to any particular fact scenario. If you have a legal question, consult with an attorney. The reader of this publication will not rely upon anything herein as legal advice and will not substitute anything contained herein for obtaining legal advice from an attorney. No attorney-client relationship is formed by the publication or reading of this document. Moss & Barnett assumes no liability for typographical or other errors contained herein or for changes in the law affecting anything discussed herein.