Taking effect in just two months, on January 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) empowers consumers with various rights when their personal information is collected by most businesses. Many of the legislation’s critics believe the CCPA will likely place a substantial burden on the financial services industry, since the law regulates the collection, analysis, aggregation, and transfer of consumer data, a central component of financial services.
The CCPA establishes specific notice, opt-out/opt-in, access, and erasure rights for consumers, as well as a private right of action for data breaches.
The CCPA applies to legal, for-profit entities that operate in California and collect consumers’ personal information if they meet any of the following requirements:
- Have an annual gross revenue that totals $25 million or higher;
- Buy, receive, sell, or share consumer data from 50,000 or more consumers, households, or devices; or
- Earn most of their annual revenue from selling personal data.
While the CCPA provides exemptions for some data that is subject to the GLBA Rule and the Fair Credit Reporting Act, much of the personal information collected regularly by financial services providers is still subject to the CCPA’s requirements.
Based on its definition of “personal information,” the CCPA is the broadest protection of information in any jurisdiction in the United States. This definition applies to all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including name, email address, biometric information, IP address, device identifiers, and browser-derived information (such as information stored in cookies, web beacons, and web pixels). CCPA § 1798.140(o)(1).
The GLBA applies only to “personally identifiable financial information” — information that a consumer provides to obtain a financial product or service, that results from a consumer transaction, or that is otherwise obtained in connection with providing a financial product or service.
The CCPA does “not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report,” and the information is regulated by the FCRA. CCPA § 1798.145(d).
Financial services providers face a higher risk of liability for data breaches since the CCPA creates a private right of action for the unauthorized access and exfiltration, theft, or disclosure of information covered by Cal. Civ. Code §§ 1798.80–.84, California’s data breach law, which includes financial data. This private right of action also allows the recovery of statutory damages. Thus, plaintiffs do not have to establish that the data breach caused actual harm to recover damages.
Companies doing business in California need to start preparing now for the CCPA going into effect on January 1, 2020, especially since the CCPA applies to all personal information, regardless of the means of collection, and across businesses, regardless of industry.
Companies that plan on starting to do business in California in 2020 will need to devote a significant part of their budget to prepare for compliance with the CCPA. Businesses that do not comply by the effective date could incur $7,500 fines for each violation that isn’t addressed after 30 days.
The attorneys at Glass & Goldberg in California provide high-quality, cost-effective legal services and advice for clients in all aspects of commercial compliance, business litigation, and transactional law. Call us at (818) 888-2220, send an email inquiry to [email protected] or visit us online at glassgoldberg.com to learn more about the firm and to sign up for future newsletters.