
CCPA Compliance — A Guide for Fintech

The global wave of increased privacy regulations hits California on January 1, 2020 when the California Consumer Privacy Act (CCPA) takes effect.

The CCPA provides broad-reaching data privacy rights to California residents, and any for-profit business serving them must comply if it meets certain thresholds. Many fintech companies are already large enough to qualify (they have $25M in annual gross revenue or 50K California customers) or have plans to grow to that size. Big Tech companies like Facebook and Amazon that are eyeing the financial services sector also fall into this category.

For the hundreds of fintech companies doing business in the Golden State, this may be their first encounter with privacy compliance. If their customer base is confined to the U.S., they aren’t subject to the EU’s General Data Protection Regulation (GDPR), which European and global corporations have been grappling with since May 2018. They may also not be subject to national banking regulations like the Gramm-Leach-Bliley Act (GLBA).

So the moment has arrived for fintech to come to terms with privacy compliance.

Why does CCPA compliance matter to fintech?

The CCPA has a number of implications that should make fintech companies sit up and pay attention.

The consequences of noncompliance can be costly
The CCPA includes provisions for fines of $2,500 per unintentional violation and $7,500 per intentional violation, per customer affected. Consumers affected by data breaches can also sue companies if the stolen data was not encrypted or redacted before the breach, with awards of $750 per customer.

Fines under the GDPR have been relatively modest to date, but indications are that the CCPA will be rigorously enforced. The law firm Cooley speculated that there is a high risk of enforcement by an experienced attorney general and plaintiffs’ bar.

Compliance increases customer trust
Fintech companies are playing catch-up to established financial institutions (FIs) when it comes to earning a trusted reputation with customers. Achieving compliance demonstrates to the public that a fintech takes privacy seriously. And conversely, noncompliance can cause reputational damage at a crucial time in a fintech’s growth.

Data privacy issues related to tech companies
Anupam Sahai, VP of security intelligence firm Cavirin, stated that the CCPA “is looking to stop companies that have been leveraging consumer information (sometimes without the consumer’s knowledge) to obtain financial benefit, which may not be aligned with the consumer’s understanding of the information usage. These types of organizations are: internet providers delivering value added via over-the-top (OTT) services (AT&T DirecTV, Verizon Oath, etc.); social media firms; advertisers; online retailers; and non-banks (fintech firms).”

As noted by John Stephens of the American Bar Association, “The legislation specifically cites the March 2018 disclosure of the misuse of personal data by Cambridge Analytica. The legislation also references recent congressional hearings that followed which highlighted the fact that any personal information shared on the internet can be subject to considerable misuse and theft.”

Since fintech has been identified as an industry of concern for data privacy, it will likely attract even greater scrutiny around compliance.

Fintech needs to plan now for robust scalable solutions
Privacy compliance touches on many aspects of a company’s operations, including data collection, storage and use. In order to achieve and maintain compliance as a company grows, fintech should consider automated, digital solutions. These solutions provide “privacy by design” that can scale up without sacrificing performance, and they offer better security and a lower total cost. Those solutions could include electronic identity verification, customer identity and access management, and platforms for sales, marketing and support.

How the CCPA applies to fintech

We’ve pulled out a few highlights from the CCPA that are particularly relevant to fintech.

The definition of personal information goes beyond that of current state regulations
The CCPA defines “personal information” as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes info such as the following:

  • IP address
  • Browsing history
  • Search history
  • Geolocation data

The Data Protection Report noted that “By removing the name requirement and instead including specific data elements such as IP address, browser history and geolocation data as PI, the CCPA requires companies to reexamine how data is tagged and risks related to data is analyzed and mitigated.”

CCPA does not override KYC and AML requirements
As a state law, the CCPA does not take precedence over national laws like the Bank Secrecy Act (BSA) or the Patriot Act. If a company has obligations around notice and access under KYC/AML regulations, it must continue to meet them, even if they contradict the CCPA requirements.

CCPA and GLBA have some overlap and exemptions
Both acts address the handling of personal information, and the CCPA exempts some personal information that is subject to the GLBA, so they need to be considered together. This is yet another area that demonstrates the necessity of good compliance officers and lawyers.

Importance of identity and age verification
Given the sensitivity of financial accounts and information, fintech companies should make sure that they are verifying the identity of individuals who, for example, request that an account and data be deleted. The CCPA requires that businesses make a good faith effort to verify subject access requests, similar to the GDPR. Companies may also need to verify ages of consumers under 16 in order to make sure they are collecting the appropriate consent from parents.

Given that the CCPA is not as complex or far-reaching as the GDPR, it could be an easier point of entry for U.S. fintech companies that haven’t been subject to stringent privacy regulations previously. Easier doesn’t mean easy, though, and starting now will help make sure that fintech companies properly protect customer data so they can continue to scale with confidence.