Financial services firms must prepare for the California Consumer Privacy Act, says Alex Scheinman.
Data privacy has become an overarching issue, top of mind for organizations across industries and geographies over the past several years. It affects every business function in an organization, from the IT department to compliance to marketing to HR, and has increasingly been occupying the minds of the C-suite. With the European Union’s sweeping GDPR regulation having gone into effect last year, additional countries and jurisdictions have taken it upon themselves to create similar legislation that enhances individual privacy rights and holds companies accountable for ensuring that appropriate safeguards are in place to protect data.
Even in the U.S., where data privacy has historically been viewed as an afterthought rather than a business priority for the nation’s data-rich companies, the never-ending wave of high-profile data breaches and corporate and political misuses of data has brought data privacy to the forefront of the corporate agenda. Further, technological innovations in areas such as artificial intelligence and cloud computing mean that wherever an individual goes, regardless of their place of residence or work, their data moves with them – adding a further layer of privacy risk. To address some of these concerns, on June 28, 2018, California passed the California Consumer Privacy Act (CCPA), which grants California residents increased control over their personal data and is set to go into effect in just under a year, on Jan. 1, 2020.
The CCPA applies to any for-profit business, regardless of location, that grosses at least $25 million annually, interacts with 50,000 or more customers, or derives at least half of its annual revenue from the sale of personal data. In short, any for-profit company (even if headquartered outside the US) that collects data on California residents and meets one of the above threshold criteria will likely be facing CCPA compliance obligations.
Under the act:
• Customers can demand that companies delete their personal data and/or refrain from selling it.
• Customers can demand that companies reveal what personal data they have collected, the reason it was collected, and which types of third parties have received it.
• Companies must follow enhanced disclosure requirements.
• Companies must comply with the above or be penalized.
• Companies cannot charge customers higher prices or withdraw services as a result of privacy requests.
The GDPR of the U.S.?
Much of the discussion around the CCPA has centered on whether the law is set to become the “GDPR of the United States.” While GDPR is a more robust, complex data privacy regulation and framework, the CCPA is nevertheless sweeping in scope and impact, and the two acts are underpinned by many of the same data privacy principles. And while comparisons between the two acts have been frequent, not enough has been said about the concrete steps that organizations, specifically those in the financial services space, should be taking to get their processes, people and technology ready for CCPA compliance. These heavily regulated organizations should be wary of viewing the CCPA as simply another law to comply with. In order to avoid scrutiny by the regulators and heavy fines, along with potential reputational harm, they will need to shift their approach to data privacy.
Is financial services data in scope for compliance?
In September 2018, the original CCPA bill was amended to address several concerns, including whether certain B2B data, such as financial services data, would fall in scope for the law. A substantive change that came from that amendment was the clarification that GLBA-regulated data, which most core financial services data falls under, is indeed exempt. Though the date is not yet finalized, in late summer or fall 2019 the business community and the California Chamber of Commerce are expected to push for another round of amendments to narrow the present scope of the CCPA. It is expected that the business community will seek to exempt all B2B data and perhaps limit or eliminate the inclusion of personal data related to employees (e.g., dependents and beneficiaries). While these proposed amendments might tempt financial services organizations to put CCPA compliance on the back burner, that instinct might prove to be flawed for quite a few reasons.
Despite GLBA-regulated data falling out of scope for CCPA compliance, the majority of financial services firms, especially alternative asset managers, hold a trove of data that may not be considered “core” by regulators, including many types of alternative data, promotional data, vendor data and more. Further, if a data breach occurs, financial services organizations would still be exposed to lawsuits under the CCPA. At the very minimum end of CCPA compliance, both alternative and traditional asset managers should start with a data mapping exercise to determine which of the data they hold might fall outside of GLBA.
From paper compliance to operational compliance
Once a firm has determined that some of its non-core financial services data might fall in scope for CCPA, a data mapping exercise is essential. Firms must be prepared to know exactly what California resident data they hold, who they are sharing it with (vendors, partners, etc.) and where it is located. They must then develop and implement a compliance roadmap that fills the gaps identified in the data discovery findings, obtaining buy-in from leadership along the way.
Unlike large technology and retail firms, many financial services firms, especially alternative asset managers such as private equity firms and hedge funds, which are less directly consumer-facing than retail banks, do not necessarily have robust data privacy programs in place, let alone a dedicated privacy executive. The advent of the CCPA could be a call to action for these firms to put a chief privacy officer (CPO) in place: a compliance professional whose role would encompass a more holistic take on data privacy than just SEC compliance. The CCPA should be a wake-up call to the alternative asset management industry that it must place data privacy near the top of the compliance checklist.
A move towards a federal data privacy law?
The past few months have seen a flurry of activity as several US states, including New York, Washington and Hawaii, follow in the footsteps of California and begin the process of drafting their own data privacy laws aimed at companies that collect personal data. Though drafted with the best intentions, on a practical level it is ultimately unlikely that a fragmented state-by-state data privacy approach would work effectively for national and international companies operating across the entire U.S., not to mention the considerable compliance burden that it would create. But the movement to prioritize data privacy is almost certain to create enough momentum in the U.S. to reach consensus on the adoption of federal data privacy regulation, just as the GDPR united more than 20 disparate data privacy regimes that had been implemented throughout the EU. And just as California launched the ballot initiative for clean emissions that turned into federal policy, it is more than possible that the CCPA might be a bellwether of things to come on a federal level.
GDPR and CCPA are just two clear indications that the move towards the global regulation of data privacy is inevitable, and one that organizations across verticals must take seriously. With countries such as Switzerland and India in the process of enacting their own versions of GDPR, and the inherently global nature of today’s business landscape, the momentum will only continue to increase. Forward-looking financial services organizations must change their mindsets, recognizing that they are not immune to this global trend, and must place data privacy compliance at the top of their to-do lists in 2019.
Alex Scheinman is the director of ACA Compliance Group.