The California Consumer Privacy Act
Implementation & Beyond

As our nation’s consumers crusade for their right to privacy and more control of their personal data, California has become one of the first states to enact legislation attempting to usurp authority over privacy rights from existing federal law.  The California Consumer Privacy Act (“CCPA” or the “Act”), effective January 1, 2020, grants California residents vastly expanded privacy rights and control over how their personal information is handled by covered entities. Even those businesses that do not collect, share, or sell California consumers’ information should pay attention – this has become a national battleground, as several states are now considering similar legislation.

The Act and the pending regulations

The CCPA potentially applies to any for-profit entity that is doing business in California, or that collects the personal information of California residents and meets certain revenue or consumer-volume thresholds.[1]  As of January 1, 2020, the Act requires these covered businesses to comply with certain notice and disclosure requirements and to honor California residents’ additional rights regarding their personal information, including responding to their verified requests.  The data that some covered businesses collect and share, like much of the data handled by mortgage lenders, might be exempt from these requirements if the data is otherwise regulated by the Gramm-Leach-Bliley Act (GLBA) and/or the Fair Credit Reporting Act (FCRA).[2]

Despite these now-existing requirements, the Act required California’s Attorney General (AG) to issue implementing regulations so that the AG could start enforcing the CCPA on July 1, 2020.  The proposed regulations were first issued in October 2019, and after a comment period, amended proposed regulations were issued February 10, 2020, with comments due February 25, 2020.[3]  The amended proposed regulations are expected to be finalized by “spring,” such that they are still anticipated to be made effective by the original July 2020 enforcement date.  The AG has already indicated that this six-month period before the Act and implementing regulations will be enforced does not give covered businesses a pass—we are expected to make good faith efforts to comply with the Act.

AmeriHome is currently taking the position that the existing CCPA exemptions, as amended,[4] are still not quite clear enough to provide an all-encompassing, blanket exemption at an institution level, even for those of us lenders who are regulated by the GLBA and/or the FCRA.  We know that some/many lenders believe they are fully exempt.  However, you may wish to consult counsel as to whether there is other data you collect and share for reasons other than what section 145(d) and (e) contemplates (“collected, processed, sold, or disclosed” pursuant to GLBA, or “collected, maintained, disclosed, sold, communicated, or used” by a credit furnisher or user and “subject to regulation by FCRA”), and that thus might still be subject to the CCPA.

New consumer rights granted

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
  • The right to delete personal information held by businesses and by extension, a business’s service provider;
  • The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.[5]

New liability provisions

In addition to granting these new consumer rights, the CCPA also supports the existing requirement for covered businesses to maintain reasonable security practices to guard against privacy breaches. Many of us are aware of the variety of state laws that already exist requiring action in the event of a breach of personal information.  But statutory damages are generally not available—actual damages must be alleged, which is often more difficult to assert in these privacy liability cases, which already can be very expensive depending on the volume of the breach.  Here, the CCPA provides for civil penalties for violations of these new CCPA requirements, as asserted by the AG,[6] as well as for civil liability to harmed consumers in the event of a breach where there is a failure to maintain reasonable security practices.[7]  Although both liability provisions allow for a 30-day cure, the fact that breach liability now provides statutory damages could make the possibility of waging class actions in these breach cases much more enticing to plaintiffs’ attorneys.

Conclusion

This is only the start of the consumers’ march towards a more secure right to privacy. Once the proposed regulations are finalized and implemented, this is not the end: at least a dozen other states are working on their own legislation, a CCPA 2.0 is readying for California’s November ballot, and even federal legislation is in the works.  You can be assured that this legislative activity will keep us focused on privacy rights for years to come.

Some critical steps to take on your privacy crusade:

  • Your online Notice at Collection and Privacy Policy (and, if applicable, your Notice of Right to Opt Out of Sale and/or Notice of Financial Incentive) must be available in the languages in which you conduct your business in California and reasonably accessible to consumers with disabilities.  This reasonable accessibility has been clarified in the amended proposed regulations to mean “following generally recognized industry standards such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium”[8];
  • The CCPA Policy must include notice of the various rights the California consumer has (as already was required in the CCPA). With the amended regulations, it no longer needs to include the sources of each Category of PI collected, but it must still include the Categories of third parties with whom each Category of PI was shared, whether disclosed for a business Purpose or sold to a third party, in the preceding twelve months. Additionally, if the business, alone or in combination, annually buys, receives, sells, or shares the PI of 10 million or more consumers, then certain metrics must be reported for the previous calendar year, which requires tracking that information now in order to be able to report it next year[9];
  • Responding to requests to know or to delete will require confirmation of receipt within 10 business days, which now can be provided in the same manner in which the request was received, and which must include information about how the request will be processed, what the general verification requirements are, and when the consumer should expect a response; the request shall be fulfilled within 45 calendar days, with an additional 45-day extension if necessary[10];
  • However, in no circumstances should a business disclose at any time a consumer’s Social Security Number, driver’s license number or other government-issued ID number, financial account number, health or medical information number, account password, or security questions or answers, or biometric information when responding to consumer CCPA requests[11];
  • If a business denies a verified request to know, in whole or in part, because of a conflict with federal or state law or an exception to the CCPA, the business shall inform the requestor and explain the basis for the denial.  This appears to mean that even those lenders who believe they are fully exempt must still have a process to explain to the consumer why the request is being denied[12];
  • In cases where a business denies a consumer’s request to delete, the business shall so inform the consumer, describing the basis for the denial, including any exception, and shall not use that information for any Purpose other than the Purpose provided for in the exception. Again, this would apply even to those lenders who believe they are fully exempt; AmeriHome is treating these accounts that are exempt from deletion as also subject to marketing opt-outs.[13]
  • Though employee-related personal information has been exempted from the remainder of the CCPA requirements and rights, at least until Jan. 1, 2021, employees and contractors still have the right to receive a notice at collection about the categories of PI collected and the purposes for collecting that information.[14]
  • Additionally, PI collected about business-to-business contacts has similarly been exempted from the remainder of the CCPA rights until at least Jan. 1, 2021; however, these business contacts still have the right to request to opt out of the sale of their personal information.[15]
  • Lastly, in order for a business to be able to assert that PI they may share with a third party is not “sold” under the CCPA definition of “sell”[16], contracts with those third parties must be reviewed and/or amended to ensure the contract specifically restricts the third party’s use of that PI to only those services that are provided for in the contract.[17]


Thanks for your time,

Sabrina Noyola
Chief Compliance Officer

[1] CA Civil Code section 1798.140(c) (annual revenues over $25 million, collect data on 50,000 consumers, or receive 50 percent of their revenue from selling data.)
[2] CA Civil Code section 1798.145(d) and (e)
[3] See Proposed regulations at: https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-mod-redline-020720.pdf (“Proposed regulations”)
[4] CA Civil Code section 1798.145(d) and (e).
[5] CA Civil Code section 1798.100 et seq.; see also, https://oag.ca.gov/privacy/ccpa
[6] CA Civil Code section 1798.155 ($2,500 for each violation; $7,500 for each intentional violation)
[7] CA Civil Code section 1798.150 (from $100 to $750 per consumer per incident)
[8] Proposed regulation sections 999.305(a)(2); 999.306(a)(2); 999.307(a)(2); 999.308(a)(2); see also, https://www.w3.org/TR/2018/REC-WCAG21-20180605/#requirements-for-wcag-2-1
[9] Proposed regulation sections 999.308(c) and 999.317(g)
[10] Proposed regulation section 999.313
[11] Proposed regulation section 999.313(c)(4)
[12] Proposed regulation section 999.313(c)(5)
[13] Proposed regulation section 999.313(d)(6)
[14] CA Civil Code section 1798.145(h)
[15] CA Civil Code section 1798.145(n)
[16] CA Civil Code section 1798.140(t)
[17] CA Civil Code section 1798.140(v); however, see also, Proposed regulation section 999.314(c).