The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The CCPA gives consumers control over their privacy and personally identifiable information and affords them five general rights to that data. Under the Act, California consumers have the right:
- To know what personal information is collected about them
- To know whether and to whom their personal information is sold/disclosed, and to opt out of its sale
- To access their personal information that has been collected
- To have a business delete their personal information
- To not be discriminated against for exercising their rights under the Act
Marketers in all states and other countries need to understand the law, how it affects them, and how they must adapt the ways in which they store, protect, and share data.
CCPA: Rights for California residents
If you are a California resident, you have the right to:
- Request that your financial institution disclose the following information covering the 12 months preceding your request:
  - Categories of Personal Information about you that have been collected
  - Categories of sources from which the Personal Information was collected
  - Purpose of collecting Personal Information about you
  - Categories of third parties to whom your financial institution has disclosed Personal Information about you, the categories of Personal Information that were disclosed (if applicable), and the purpose for disclosing it
  - Specific pieces of Personal Information collected about you
- Request that your financial institution delete Personal Information collected from you, unless the CCPA recognizes an exception
- Be free from unlawful discrimination for exercising your rights under the CCPA
Your financial institution will acknowledge receipt of your request and advise you how long they expect it will take to process.
What financial institutions need to do
The following list outlines suggested courses of action for banks and credit unions to ensure compliance with CCPA.
Know your personally identifiable information (PII)
The first step toward compliance is understanding which systems collect personal information, and where that information is held or integrated into downstream systems.
- Map Data
- Privacy Impact Assessment
- Review third-party contracts and vendors
Understand what qualifies as PII:
- Name, address, phone number, email address, Social Security number, and driver’s license number
- Biometric data
- Internet activity (e.g., browsing history, search history, and information regarding a consumer’s interaction with the institution’s website, application, or advertisement)
- Professional or employment information
Treat all clients and members as if they are California residents.
- Identify when, where, and how clients/members opted in or joined your database
Create an internal governance plan
- IT, Legal, Compliance, Risk, and Marketing should all be aligned on how these new regulations impact the organization
- Be prepared to provide CCPA rights and disclosures
Consider Salesforce Shield for additional security
Salesforce Platform Encryption offers financial institutions the benefit of an additional level of security without the tradeoffs that come with standard encryption.
Update record retention policies
Right to be forgotten
Residents of California have the right to request the deletion of certain categories of personal data and to be notified when the deletion is complete. A similar provision is also a key element of GDPR.
Know what data can be retained
The right to deletion under CCPA is not unlimited. Many of GDPR’s limitations are mirrored in CCPA, including the ability for an entity to refuse a deletion request. A request may be refused when the data is:
- Needed to complete transactions for which it was collected or services requested by the consumer
- Used in the context of the business relationship with the consumer
- Required to perform a contract
- Used to detect security incidents
- Needed to engage in scientific, historical, or statistical research in the public interest
- Used solely for internal uses that are reasonably aligned with the expectation of the consumer
- Required to comply with a legal obligation or applicable laws
Adopt a multi-channel process to handle these requests
- Update your preference centers and add an opt-in form that can accommodate different location requirements
- Create a transparent process to handle CCPA requests
How Silverline and Salesforce can help
You can leverage the power of the Salesforce platform not only to support member and client preferences but also to track the multi-channel workflow for executing requests to exercise rights under the CCPA. Additionally, Marketing Cloud’s December 2019 release announced that Audience Studio will release a suite of tools for customers to manage CCPA compliance.
Immediate advice to financial institutions
Customers should always refer to their internal compliance departments for interpretation and policy on GDPR, CCPA, and other regulations. Consent is typically captured on the customer’s website, which is usually hosted separately from Salesforce; the consent that is captured must nevertheless be honored throughout the ecosystem. In this respect, it takes a combination of data integrations, business operations, and diligence to be successful. All implementations should be architected to unify customer data (e.g., by avoiding duplicate records) so that consent, preference, and deletion are prioritized and honored.
Ultimately, it is a best practice to always consult your internal compliance and risk partners to interpret the new guidelines and determine the organizational policies.
For more compliance and security-related expertise, see what our Banking and Lending solutions can do for you.