The Consumer Financial Protection Bureau (CFPB) is an agency of the United States government responsible for consumer protection in the financial sector. CFPB’s jurisdiction includes banks, credit unions, securities firms, payday lenders, mortgage-servicing operations, foreclosure relief services, debt collectors, and other financial companies operating in the United States. Since its founding, the CFPB has used technology tools to monitor how financial entities used social media and algorithms to target consumers.


The California Consumer Privacy Act of 2018 (CCPA) gives California residents more control over the personal information that businesses collect about them. The CCPA took effect on January 1, 2020, and final regulations for the statute were approved on August 14, 2020. Enforcement of the CCPA by the California Office of the Attorney General has begun, and affected businesses not in compliance can be fined up to $2,500 per violation or $7,500 for each “intentional” violation.

Who has to Comply with the CCPA?

For-profit businesses doing business in California that collect and control California residents’ personal information must comply with the CCPA if they meet one of three requirements: (1) have annual gross revenues of more than $25 million; (2) possess the personal information of 50,000 or more consumers; or (3) earn more than half of their annual revenue from selling consumers’ personal information. For further information about affected employers, see our previous article on the CCPA.

Compliance Strategies to Minimize Enforcement Risk

Businesses required to comply with the CCPA should consider several actions to avoid the risk of enforcement by the attorney general’s office:

  • Update existing privacy policy with information on how, why, and what personal information is collected and processed
  • Update existing privacy policy with information on how users can request to access, change, or erase their personal data
  • Introduce a method to verify the identity of the person making requests to access or change their data
  • Introduce a “Do Not Sell My Personal Information” link on their home page to allow users to prohibit the sale of their personal data
  • Obtain consent from minors 13-16 years old before selling their personal data and obtain consent from parents for minors younger than 13

Responding to Consumer Requests and Protecting Personal Data

As more and more companies shift to remote work and digital systems, compliance with the CCPA has become more critical, and for some, burdensome. Companies with limited resources that are struggling to create remote work policies and procedures inside the office are now faced with the challenge of managing data beyond the office. It is important to note that under the CCPA, the California attorney general can also take enforcement action against a business for failing to respond to consumer requests to view or delete personal information, as well as for an unauthorized sale of a consumer’s personal information (or sharing of that data).

Avoiding these compliance pitfalls may require using artificial intelligence and implementing digital tools. Here’s how companies can adapt to CCPA requirements.

Look to analytics and automation technologies to meet consumer and auditor requests efficiently and affordably. Under the CCPA, consumers may request a copy of the data categories being gathered or ask for their data to be deleted. This is where digital solutions can come in handy. Virtual assistants can help employees ensure that requests are addressed by identifying which consumers have a higher compliance risk and placing them into an automated workflow. Furthermore, analytic tools can make it possible to identify all requests mentioning certain keywords, such as “CCPA,” “personal information,” “remove,” or “disclose.” Such tools can ensure efficient and reliable compliance with consumer or auditor requests.

Ensure that third-party partners who collect consumer data are compliant with CCPA requirements. Companies that fail to store consumer data in one central location may find it harder to comply with CCPA regulations. Such companies often give third-party providers access to consumer data. In these scenarios, companies should make sure that the third-party providers themselves are compliant with the CCPA.

During these times especially, the CCPA has taken on a new urgency, and this is probably just the beginning of the era of consumer data protection.

Unless a California employer has been hiding under a rock, chances are that the company is aware of the impending California Consumer Privacy Act (CCPA).

Signed into law in June 2018 as a quickly enacted compromise to prevent an even stricter initiative from appearing on the ballot, the CCPA is the most far-reaching consumer privacy and data protection measure in the United States.

The new law applies to any for-profit company doing business in the state that (1) collects consumers’ personal information (PI) solely or jointly with others and (2) either (i) exceeds $25 million in annual gross revenues; (ii) annually transacts in the PI of 50,000 or more consumers, households or devices; or (iii) derives half or more of its annual revenues from PI sales.

“Personal information” includes an IP address, Internet activity, geolocation, education information and biometrics, among other data. A “consumer” is defined as “a natural person who is a California resident,” easily encompassing both employees and job applicants.

Covered entities are required to provide consumers with access to the data collected about them as well as the ability to opt out of the sale of their information to third parties and request that their PI be deleted. Businesses must disclose and deliver the information to consumers free of charge within 45 days of receiving a verifiable request.

Violations of the CCPA are actionable by the California Attorney General’s Office and a limited private right of action also exists for data breaches, with civil penalties of up to $7,500 per violation.

The expansive definitions and broad reach of the law have many employers concerned about the application of the CCPA to their business when the statute takes effect on January 1, 2020.

But – for those employers that do fall under the statute’s coverage – a last-minute amendment to the CCPA will provide a one-year reprieve.

In an effort to alleviate the burden on employers, state lawmakers enacted Assembly Bill 25 in September. The measure amended the CCPA to provide a one-year exemption for the personal information “collected from a natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.”

This tweak grants employers 12 months of breathing room as long as they are collecting the data of employees and job applicants solely for purposes relating to employment. Governor Gavin Newsom signed the bill into law on October 11, 2019.

Despite the reprieve, covered employers would be well-served to continue preparing themselves to comply with the law. The requirements of the CCPA will still apply with regard to PI about non-employees and/or non-exempt uses of employee and applicant data. And the statute will take full effect for employee and applicant data as of January 1, 2021, absent some future change to the law if lawmakers decide to extend the exemption or make it permanent.