Author: Subhasis Bandyopadhyay |10/01/19

California Consumer Privacy Act (CCPA)

An overview and reference article on preparing for the California Consumer Privacy Act (CCPA)

Understanding the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a California state law that enhances privacy rights and consumer protections for California residents. The CCPA, which goes into effect on January 1, 2020, regulates what businesses can do with the personal information they collect. The Act confers new rights on consumers, giving them more control over their Personally Identifiable Information (PII), how it is used, and whether it can be sold or shared by organizations. The Act requires financial institutions and other organizations to demonstrate their ability to monitor and defend personal data against the growing threat of cyber intrusion, which forces banking organizations to have the right systems and processes in place to adhere to the regulation. Personal information under the Act is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act gives the following examples of personal information:

  1. Identifiers (e.g., real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email, account name, Social Security number, driver’s license number)
  2. Commercial information (e.g., records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies)
  3. Biometric information
  4. Internet or other electronic network activity information (e.g., browsing history, search history, information regarding a consumer’s interaction with a web site)
  5. Geolocation data
  6. Audio, electronic, visual, thermal, olfactory or similar information
  7. Professional or employment-related information
  8. Education information (not publicly available)
  9. Inferences drawn from the information above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
  10. Probabilistic identifier

Who needs to comply with this act, and what are the consequences of non-compliance?

Starting January 1, 2020, financial institutions that have gross revenue of more than $25 million, process the personal information of more than 50,000 consumers, and make 50% of their annual revenue from selling California residents’ data must comply with the regulation. Selling data is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Under the new Act, consumers have the right to request information about the personal information the bank has collected, how that personal information will be used, and with whom it is shared. In addition, banks must delete all personal information stored about a consumer at the consumer’s request, and they are required to ensure that the third-party vendors they work with also adhere to CCPA rules and implement measures to prevent data breaches.

Non-compliance with this regulation will result in banks paying penalties of $7,500 per intentional violation and $2,500 per unintentional violation that is not rectified within 30 days of notice. Where personal data is exposed in a breach, consumers can sue for $100 to $750 per consumer per incident.

CCPA and GDPR comparison

CCPA builds on the General Data Protection Regulation (GDPR) that recently went live in Europe, but there are differences between the two regulations, which we highlight below.

| Feature | CCPA | GDPR |
|---|---|---|
| Affected entity | Revenue >= $25 million, or data on 50k residents/households/devices, or 50% of revenues from selling PI | Established in the Union, or not established in the Union and (offering goods or services to EU residents, or monitoring data subjects’ behaviour in the EU) |
| Enforcement power | California Attorney General | Supervisory authority within each member state |
| Penalties | Up to $7,500 per violation | Penalties as a percentage of gross revenues |
| Cure period | Within 30 days of being notified | No cure period provided in the regulation |
| Breach notification timeline | In the most expedient time possible, without unreasonable delay | Controller has 72 hours after becoming aware of the breach |
| Private right of action | A consumer may bring an action to recover damages up to $750 per incident or actual damages, whichever is greater | EU citizens have the right to pursue compensation claims against controllers and processors for damages |
| Consumer access request | Requires two methods for requesting access to information: telephone and website | At least one method to service access requests (self-service website, email or telephone) |
| Consumer access request timeline | 45+ days | 30+ days |
| “Do Not Sell My Personal Information” web page | Required | Not required |
| Offering incentives in exchange for data | Permissible | Permissible, but must be adopted cautiously |
| Right to opt out of third-party sale | Yes | Yes |
| Opt-in consent for minors | Yes | Yes |
| Right to access | Yes | Yes |
| Right to delete | Yes | Yes |
| Right to data portability | Yes | Yes |
| Right to rectification | No | Yes |
| Data minimization | No | Yes |
| Legal basis of processing | No | Yes |
| Requires a data protection officer | No | Yes |

How is the banking industry impacted by the California Consumer Privacy Act (CCPA)?

According to Mindtree, developing CCPA-compliant security and privacy capabilities is an enterprise-wide initiative. We identified four areas of impact on the banking side.

1. Customer Journey

Conduct an internal review across business processes to determine where personal information is stored and used. This allows for personal data discovery and establishes links to the primary workflows.

2. Evaluating the Application

Evaluating the data stored in existing business applications helps banks come up with a process change plan. Data change requests are new under CCPA, and banks need to plan for documenting and managing these requests.

  • Addressing data collection points and information sharing policies
  • Maintaining strong data linkage and integrity with upstream and downstream systems
  • Deleting PI data from archives and legacy systems will result in operational changes
  • Finally, delivering PI data will require robust testing, including a thorough review of standardized logic, business rules and automated workflows.

3. Data entitlement and processing transformation

It is critical for banks to develop a strategy for data security entitlements for the personal information of all customers, not just for California residents.

4. Governance and change management

The governance team can coordinate all supporting programs and projects and ensure compliance is strategic and comprehensive. Putting effective controls in place will require new or refined operating and governance models.

Mindtree can collaborate in designing the CCPA data assessment approach and planning the MVP implementation

1. Analyze the CCPA regulation

2. Impact assessment on touchpoints across business processes where personal information is being collected, addressing the points below

  • Type and format of data computed and stored in all platforms/applications.
  • Data usage, whether within the US (California or other states) or across geographies
  • Third-party agreements, if any, for sharing/processing customer data

3. Perform data discovery

  • Start with data classification: understand which data in the organization is relevant to the categories of personal information outlined in the law

4. MVP design and implementation

  • Define and design the integrated process based on the bank’s requirements, considering consumer communication portals, case management and workflows

Mindtree as a partner

CCPA is all about data, an area where Mindtree has significant expertise in data analytics. Mindtree offers an insights-driven CCPA solution powered by AI and advanced analytics to automate CCPA efforts, and will leverage the regulatory compliance expertise gained over the years in implementing Dodd-Frank, FATCA, EMIR, CCAR, SEC filing and MiFID to ensure that your CCPA program runs successfully. Our operations team is ready to provide post-implementation/go-live services, including process automation, advanced data discovery methods, modelling implementation, capacity planning and continuous maintenance support.

Mindtree has developed a robust framework to help banks comply with CCPA. Talk to our experts to check your CCPA readiness.
