California Dreaming? Why and What You Should Know About CA’s Privacy Law and Regulations

October 16, 2019

The most important regulations out for comment right now are not being promulgated by the federal government or New York State. Instead, they are the regulations proposed by California to implement the California Consumer Privacy Act of 2018 (CCPA).

To be clear, if you are not a California credit union and do not deal with California consumers, you can go about your day happy in the knowledge that there is a state that imposes even more onerous mandates on its businesses than New York. That being said, there isn’t a compliance person, IT professional or lawyer working with businesses or financial institutions today who shouldn’t be aware of the steps California has taken to give consumers greater control over their personal online data. We are all going to have to comply with similar frameworks at some point, and my guess is that point is coming sooner rather than later.

So what is the CCPA? It is a comprehensive statute that gives California residents the right to know what personal information of theirs is being collected by businesses, and the right to forbid businesses from selling that information to third parties. It also gives consumers the right to demand that their information be deleted, although there are exceptions to this requirement. The statute was inspired by the European Union’s GDPR framework and was a reaction to Facebook’s mishandling of account information, and to the ease with which it handed that private information to vendors, including political operatives who used it to target voters in the 2016 election.

Why is this such a big deal? From a public policy standpoint, it codifies the principle that people’s personal information is theirs to control and use as they see fit. This includes a right to internet privacy. From a technical standpoint, the legislation necessitates a fundamental shift in how information is collected, stored and organized.

For example, in New York, affected businesses worked themselves into a low-level frenzy when the Department of Financial Services established baseline requirements for the encryption of nonpublic personal information. In contrast, effective January 1, 2020, California consumers will have the right to know the specific pieces of personal information a business has collected about them; the categories of personal information it has collected or sold; the business or commercial purpose for which it collected or sold that information; and the categories of third parties to whom the information has been sold.

The definition of personal information is broader than what we’ve gotten used to. Specifically, it “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The key to understanding the definition is that it captures big-data uses by including information that can be used to identify a specific individual, such as an individual’s “browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.” Note that the definition reaches households, not just individuals, so data that is keyed to a shared address or device is in scope even when it is not tied to a named person.

In recognition of the difficulty and cost of implementing this mandate, the law does not apply to all businesses. Instead, it applies to for-profit businesses that meet any one of three thresholds: annual gross revenues of more than $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50% or more of their annual revenues from selling consumers’ personal information.

There is much more I could talk about, but there’s only so far I can test your patience when it comes to describing California law. Nevertheless, what California is doing will catch on. I would be asking my IT person or department what resources they would need to comply with this kind of requirement, and I would start moving toward being able to identify and segregate personal information by member, by category and by the purpose for which it was collected. The more time you give yourself to integrate this approach into your IT and compliance framework, the more cost-effective it will be.


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
