When the first customer calls from California on Jan. 1, 2020, to inquire about personal data, will your bank know what to do? For most, the answer is no.
Banks and financial services firms around the world are grappling with compliance challenges as the effective date of the California Consumer Privacy Act (CCPA) draws closer. Companies that do business in California and meet the law's applicability thresholds must comply, regardless of where they're based. The real key isn't just preparation, however; it's execution.
The scope of CCPA's groundbreaking provisions is broad. It gives every Golden State resident the right to know what personal information a business collects about them, and the right to opt out of the sale of that information. Personal information is defined expansively and includes household details, browsing and purchase histories, and geolocation data. Consumers can also request that the personal information a business has collected from them be deleted, and are entitled, upon request, to a record of the personal information collected about them and of the categories sold or disclosed to third parties. Consumers who exercise their rights under the CCPA can't be charged more or given lower levels of service for doing so.
Given the sweeping provisions, there’s significant confusion. It’s easy to misunderstand CCPA in light of the European Union’s General Data Protection Regulation (GDPR), the comprehensive law that took effect in May 2018. We’ve heard companies mistakenly say they prefer to focus on GDPR, or that they’ll simply apply the preparation they undertook for GDPR to CCPA.
Yet the two laws differ. For one, GDPR stipulates that companies have a "legal basis" for collecting and using personal data; CCPA imposes no such requirement and instead centers on disclosure, consumer requests and the right to opt out of sale. Additionally, a privacy notice that meets GDPR criteria likely won't satisfy CCPA's specific disclosure requirements.
Noncompliance with CCPA is potentially costly. Civil penalties run up to $2,500 per violation, or $7,500 per intentional violation. Because each affected consumer can count as a separate violation, a penalty involving the data of, say, 100,000 customers risks putting a company out of business.
Moving Toward Compliance
While your organization can't just dust off the work it did for the GDPR and emblazon CCPA across the front, it can leverage the teams, action plans and structures it has already put in place.
Building a compliance roadmap starts with the following assessments:
- The customer journey. Examine data across all touchpoints where personal information is collected and utilized. Who has access to it? What personal data elements are gathered? What type and format of data is stored?
- Impact on business applications. Because data access and deletion requests are a new consumer right, you'll need a plan to receive, verify, document and fulfill them within the statutory response window (45 days, extendable once). Identify every data collection point and every channel through which personal information is shared, including application programming interface (API) integrations with vendors and partners, so that consumer opt-outs and consents can be captured at the source and propagated downstream.
- Data entitlement and processing transformation. With legislation pending in multiple jurisdictions, it's critical to develop a strategy for consumer data rights and entitlements that covers all consumers, not just California residents. Global and national banks will also need to consider the patchwork of existing and contemplated privacy laws in states such as Arizona, Washington and New Jersey, as well as the interaction with other regulations such as the Gramm-Leach-Bliley Act, whose covered financial information is partly exempt from CCPA.
- Governance and change management. Establish a data protection office (DPO) to secure sponsorship from senior leaders and facilitate funding. The DPO should coordinate all supporting programs and projects so that compliance is achieved in a coordinated way across business lines rather than one application at a time.
- Be ready to execute. Preparation for CCPA is just the first step. The real key to compliance is execution. Will your teams know where to route calls? Which manual procedures and which automated systems will verify a requester's identity and fulfill the request? What tools will you implement to locate and extract a consumer's data across your systems of record?
A Clarion Call
Consumer interest in personal data protection is rippling through every industry. While interest in trust and transparency is especially keen in the information-intensive banking industry, it's also affecting insurers, healthcare providers, and communications and media companies. Only 48% of people in the U.S. say they trust businesses, down from 58% the year before. With its emphasis on transparency and responsiveness, CCPA has the potential to make or break companies' reserves of consumer trust.
CCPA should be a wake-up call – make that a trumpet blast – for banks. The bar is set for banks to demonstrate that they value consumers’ privacy not just because it’s law but also because consumers want it.
Be ready when that first call comes in 2020.
To learn more, please visit our CCPA for Banking website.