As if the financial sector wasn't already dealing with sufficient compliance regulations, it is now subject to a patchwork of privacy regulations in all 50 states and, of course, the rest of the world if you are part of a multinational corporation. The highly anticipated California Consumer Protection Act (CCPA) goes into effect July 1, 2020, and a few dozen other states have their own privacy regulations, each with its own leanings.
This article provides an overview of the most important and effective CCPA requirements and some of the special features they contain.
Before we go into the specifics of the CCPA, let us summarize again why the CCPA is so important.
As this author wrote in an article for Business Law Today, co-written with Professor John Rothchild of Wayne State University Law School:
When it comes to privacy laws in the United States, there isn't a single law that you can consult for the advice you need. In the United States, data protection law is commonly referred to as "sectoral," meaning that there is no overarching legal system for data protection in general, but rather a set of federal laws (and often accompanying regulations), each governing a specific matter. Privacy protection in the United States is also not exclusively federal: federal law does not generally exclude state data protection laws, and state lawmakers have not shied away from making their own privacy regulations.
This is where California comes in.
The CCPA is to date the most comprehensive and far-reaching omnibus data protection law passed by a state. This is made more significant by the fact that California is the fifth largest economy in the world.
The CCPA gives consumers more control and understanding of their personal information. It defines personal information broadly as "information that identifies, relates to, describes, or can reasonably be directly or indirectly associated with a particular consumer or household".
Simply put, any data that is or could be linked to an individual in California must be given special treatment to ensure compliance with the CCPA.
Seemingly innocuous data, such as cookies accessed from a user's computer or random demographic data collected when someone visits a company website, falls under this definition.
A provision that is possibly most unique to the CCPA is that a company cannot discriminate against a consumer who opts out of the sale of their personal information.
If this opt-out is selected, companies are prohibited from discriminating against consumers for exercising this right. Prohibited discrimination could include charging consumers who opt out a different price or providing them with a different or lower quality of goods or services. However, companies can offer financial incentives for the collection of consumers' personal information.
In addition, companies are prohibited from selling the personal information of consumers under the age of 16 unless those consumers expressly and affirmatively choose to allow it. Consumers aged 13-16 can opt in without parental consent, but parents must give consent for consumers under the age of 13. While the California Attorney General will enforce the CCPA, consumers also have a private right to sue for unauthorized access and exfiltration, theft, or disclosure of their unencrypted or unredacted personal information.
California has planned a ballot initiative (the California Privacy Rights Act, or CPRA), which will be put to the vote on November 3, 2020, and which will look more closely at consumer rights. If the CPRA is successful, a new and possibly deeper analysis of the problem will be required.
This entry was taken from our whitepaper "A plethora of data protection laws: IG challenges for the financial sector".