CCPA, Hearsay and You
November 21, 2019
California’s new state law, the California Consumer Privacy Act (CCPA), enhances privacy rights and consumer protection for California residents. It’s set to take effect on January 1, 2020 and, like the EU’s GDPR before it, will have an impact on how you handle your customers’ data. Here’s what you need to know to be prepared.
What is CCPA?
The California Consumer Privacy Act (CCPA) enhances privacy rights and consumer protection for California residents. It’s a law that empowers a consumer to determine how a business can store, retain and use their personal information. For the scope of this law, personal information is no longer limited to obvious identifiers such as a name or email address; location data, IP address, biometric data and genetic identity are also relevant.
The CCPA gives Californians the right to access all information gathered and shared about them through increased transparency, mostly through company Privacy Policies. Consumers will be able to request information on how their personal data is being used and to whom it is being disclosed. Additionally, California residents can opt out of having their data shared with third parties.
And regardless of whether your firm has a physical presence in California or not, starting January 1, 2020, you will be subject to the CCPA if you market and/or sell goods or services to California residents.
Who has to comply with CCPA?
For-profit businesses that (a) have an annual gross revenue of at least $25 million, (b) buy, receive, sell, or share consumer data from 50,000 or more consumers, households, or devices, OR (c) gain a majority of their annual revenue from the selling of personal data.
What’s all the commotion?
As with every regulation passed and every consumer right granted, there are processes that need to be put in place to become compliant. The CCPA grants a lot of consumer rights, so the primary concern is that the processes needed will take a lot of resources.
First, the definition of ‘personal information’ is broad. Section 1798.140(o)(1) of the CCPA outlines the following things:
At any time, a consumer may request any personal information and may request that a firm delete said personal information. In addition, if personal information is disclosed at any time due to a firm’s noncompliance, each consumer may institute a civil action for violation of privacy rights. There are some parameters around this which limit company liability, but the potential risk of monetary penalty is great.
What specific challenges does CCPA create with respect to electronic communications?
For companies already addressing data subject rights and regulations in response to the GDPR or similar global privacy regulations, the most notable change introduced by the CCPA may be the provision addressing the “sale” of personal information, where “sell” is defined as any exchange that benefits the parties directly or indirectly.
Under the “request to know”, the rights to both disclose as well as discontinue (“opt out” from) the sale of personal data mean that a business collecting data from consumers will also have to be able to disclose the third parties to which Personal Information was “sold” within the previous twelve months. This is in addition to existing data subject rights covered by the GDPR for the disclosure of data and categories collected from individuals.
Additionally, in the recently published proposed regulations (up for approval in December), the California AG office has further defined the response to consumer requests, which is due within forty-five days unless an extension is requested. The aforementioned proposed regulations provide clarification around the need to delete consumer data within the response period, as well as addressing backups and archives: while these are not included in the formal response timeline, deletions would have to occur when they are next accessed or used.
In summary, while upon careful legal review one could cite many differences between the two regulations, it appears that most differences will have little effect on the relationship between Hearsay and our customers which have addressed GDPR. As a Service Provider under CCPA and as a business partner, Hearsay will continue to meet your regulatory needs.
What should you demand from your vendors to help you prepare for CCPA?
While there is no explicit formula for complying with the CCPA, it is critically important that vendors explain what type of information they can accept from customers, what the appropriate methods and formats to provide this data are, and how it is handled throughout its lifetime on their systems. While vendors may not directly interact with consumers, vendors need to provide companies with transparency around their data handling practices, specifically how they protect consumer data and secure the systems used to provide their services or platform. Additionally, Service Providers under the CCPA must assure their customers that they can adequately support them in responding to consumer requests, and must consistently improve and automate processes and tighten the controls available to customers to reduce the compliance burden. Furthermore, vendors need to retain subject matter expertise in data security and compliance to actively collaborate with customers to ensure that practices are consistent with customer messaging.
How Hearsay is built to help you address your CCPA requirements
To ensure that we address emerging global privacy regulations and manage the risk associated with processing personal data on behalf of our customers, Hearsay performs an annual privacy impact assessment of all of its software services. This assessment provides a summary of the digital footprint of its software, documenting the type of personal information collected as well as the rationale for collecting and processing this data. Review of this documentation occurs at regular intervals, including an annual comprehensive review and feature reviews for every product release. From these reviews, Hearsay has made a deeper commitment to improved data security functionality, including the biometric and PIN locking capabilities for Hearsay Relate.
Because Hearsay works exclusively and closely with financial services firms that have specific regulatory retention requirements, complying with consumer data deletion requests incurs an added layer of complexity. While the CCPA did recently pass an amendment exempting information collected pursuant to GLBA, not all PII collected in electronic communications records squarely fits within this exemption. Given this level of uncertainty in the records area, Hearsay has pledged to make deeper commitments at the platform level as part of its product roadmap to provide more flexibility and control to its customers on how to manage data within Hearsay. Our Customer Success team is also ready to respond to any consumer request regarding data transparency, disclosure and deletion. Finally, the newly created Compliance Advisory Services practice can help you navigate a complicated fintech regulatory landscape by providing both technical and subject matter expertise to tailor data-driven digital solutions to your ever-changing risk profile.