Countdown to CCPA: Are You Ready to Comply with New Data Privacy Requirements?
With less than one month before the California Consumer Privacy Act (CCPA) is effective, companies are preparing to update their cybersecurity programs. Many must address the regulation’s new data privacy requirements, which have caught some financial institutions off guard. Modeled to some extent after the European Union’s General Data Protection Regulation (GDPR), the CCPA provides new privacy rights to California consumers, including:
- The right to know what categories and specific pieces of their personal information are collected, used, shared, or sold;
- The right to delete that personal information;
- The right to opt out of the sale of their personal information; and
- The right not to be discriminated against in price or service for exercising those rights.
The CCPA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:
- Have gross annual revenues in excess of $25 million (in total, not limited to California);
- Buy, receive, or sell the personal information of at least 50,000 consumers, households, or devices annually; or
- Derive at least 50% of annual revenue from the sale of personal information of California consumers.
As such, a number of financial institutions are finding themselves subject to the CCPA's requirements. These include providing California consumers with a specific privacy notice that expands on typical privacy notice provisions (including disclosure of the additional rights California consumers have under the CCPA). They also include developing policies and procedures for handling consumer requests to exercise CCPA data privacy rights, and mapping an inventory of where consumers' personal information is stored so that deletion requests can actually be fulfilled.
The CCPA does include a number of exemptions, such as for data subject to HIPAA and the Gramm-Leach-Bliley Act (GLBA), as implemented under Regulation S-P for SEC registrants. A consumer's request to delete personal information can be denied if the SEC registrant is required by law to retain that information. However, many investment advisers collect and store personal information that falls outside the scope of the GLBA, for example data about their own employees and data about individual contacts at their third-party service providers. The CCPA provides a one-year extension, until January 1, 2021, for some of the requirements applicable to employee data and to business-to-business data collected as part of due diligence. Advisers to private funds that have not had Regulation S-P on their radar may find themselves with additional requirements for the personal data they collect about individual investors in the funds they advise. Firms that set cookies via their websites may quickly find that they, too, are within the scope of the CCPA, since cookies and similar unique identifiers fall within the CCPA's definition of "personal information."
The CCPA is effective January 1, 2020, and enforcement by the California Attorney General begins on the earlier of July 1, 2020 or six months after the Attorney General publishes the law's implementing regulations. Penalties for noncompliance can be steep. The Attorney General may seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Separately, the CCPA gives consumers a private right of action when a breach of their nonencrypted, nonredacted personal information results from a business's failure to implement reasonable security procedures: each affected consumer can recover statutory damages of $100 to $750 per incident (or actual damages, if greater) if the business does not cure the violation within 30 days of written notice. Because that private right of action turns on "reasonable security," the statute raises the stakes for the security program itself, not just for the privacy notices.
And California's first-in-the-nation comprehensive data privacy law is likely only the first of many, as other states are expected to follow suit.
For assistance in conducting a cybersecurity risk assessment, data mapping, and updating your cybersecurity procedures to align with the California Consumer Privacy Act, please contact us to find out how our Shield cybersecurity services can help.