California and Europe Privacy Regs Pressure FIs and Finserv Organizations

July 9, 2018 | CCG Insights

On June 28, California’s legislature swiftly introduced and passed the California Consumer Privacy Act of 2018, which provides new rights to consumers and aims to bring more transparency to businesses using personal data.

The law, AB 375, gives consumers the right to ask businesses for the types and categories of individual data collected. It also requires businesses to divulge the purpose for amassing or selling the information as well as the identity of third-party organizations receiving the data. Consumers can also request the deletion of information and instigate civil action if they think an organization neglected to protect their personal data.

“California has taken the lead,” states Karen Dhillon of CCG Catalyst. “It is only a matter of time until we likely see other states follow statutes similar to AB 375 to protect Consumer Privacy rights.” 

The CCPA applies to banks, credit unions, savings and loans, credit card companies, insurance companies and other financial service companies, and it allows consumers to put limits on what financial companies can do with their personal financial information.

“AB 375 responds to the recent data breaches that have affected millions of people – those experienced by Target, Equifax, Cambridge Analytica, and many more,” Assembly member Ed Chau and the other co-authors of the bill said in a press release. “The collection of our information combined with data breaches has raised concerns from internet users worldwide.”

CCPA also touches on children’s data. Specifically, AB 375 prohibits the sale of personal data for individuals between the ages of 13 and 16 years unless they specifically opt in. For anybody under the age of 13, a parent or guardian must provide consent.

Damages range from $100 to $750 per consumer per incident, or “actual damages, whichever is greater,” as AB 375 states.

Despite the passage of AB 375, however, it is not yet a done deal. The law can still be amended before it goes into effect on Jan. 1, 2020.

There are indications the tech industry is not going to back off trying to amend or tone down CCPA. The Internet Association, composed of Amazon, Facebook, Google, Uber and many other billion-dollar technology firms, dubbed AB 375 a “last-minute” deal that needs modification. 

“Given the recent data breaches affecting consumers globally, financial institutions are prioritizing the framework of requirements to protect their clients,” said Dhillon.

Parts of AB 375 look a lot like Europe’s General Data Protection Regulation. Many U.S. firms, including banks and other financial institutions and financial service organizations, that do business with European Union customers and citizens/residents now need to deal with the EU’s GDPR, effective May 25, 2018.

The GDPR governs data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU and establishes a single set of criteria to protect individuals and help companies understand their compliance obligations when handling personally identifiable information.

GDPR not only went into effect across all 28 EU nations, but the United Kingdom plans to adopt the same standards as well despite Brexit.

The fines for not complying with GDPR are up to 20 million Euros (about $23.5 million) per violation or up to 4% of the organization’s annual revenue, whichever is higher. In a breach scenario, the fines per breach per person are 10 million Euros (about $11.8 million) or up to 2% of the financial institution’s revenue.

European regulators’ scrutiny of companies such as Google and Facebook and increasing worries over the buying and selling of people’s personally identifiable information, in part, drove passage of GDPR.