Finix California Consumer Privacy Act Featured Image that says "CCPA"

Security & Compliance

What the California Consumer Privacy Act Means for Your Business in 2020

A few weeks ago, we shared our most significant fintech predictions for 2020 plus the payments news that defined the end of the decade. But now, as we all set our sights towards all things new, changing tides on the regulatory front could mean big changes for data privacy, and your business.

It’s no secret that the world of financial services is undergoing rapid transition. While these changes in most cases aid in speed and efficiency for consumers and large enterprises alike, this new era of digital payments, lending, money movement, and more has created a renewed focus on data protection and consumer safety.

For software companies of all sizes, data is king. It’s what allows companies to build products and services that are well-suited to meet consumer needs and demand. The use of that same data is also big, big business. While most people understand that using software means they give up certain data privacy rights, the idea that a tech company can or would sell users’ data without their knowledge or permission is widely frowned upon, but common practice.

The last decade saw several high profile companies, including Capital One and Facebook, succumb to massive data breaches, which impacted millions of users. These breaches exposed the vulnerabilities of digital data storage and, more importantly, highlighted how little control consumers have over their data.

What is CCPA?

The California Consumer Protection Act officially went into effect on January 1st, 2020. It’s a new piece of legislation that gives Californian consumers the most substantial data protection in the nation. Based on its mandates, some refer to it as the “US GDPR.”

Since 2018, the General Data Protection Regulation (GDPR) has governed all countries belonging to the EU and maintains the following:

Consent is required from subjects for data processing Collected data must be sufficiently protected at rest Consumers must be notified of data breaches Data must be handled safely across borders Certain companies must appoint a data protection officer to ensure GDPR compliance

The CCPA goes into great detail to define the application of the law, including definitions of terms featured throughout the bill like “consumer” and “business.” While different in its stipulations to GDPR, the focus is the same on giving consumers more rights regarding their data. Under CCPA consumers:

Have a right to know what data companies collect about them Must be told if their data is to be sold and to whom Can say no to the sale of their data Must receive equal service regardless of whether or not they allow their data to be sold Can request to access their personal information Have the right to request their data be deleted

One of the most significant changes of this new law is the requirement of companies to notify consumers of the intended sale of their data and the option they now have to opt-out. Previously, corporations and companies were permitted “to use” consumer data in a variety of ways. California’s omnipotent Facebook, for example, has long held that it does not sell consumer data. Rather they admit to using consumer data in a variety of ways, namely giving third parties access to users’ behavior while on the platform specifically for ad targeting.

Who’s impacted by CCPA

Not all California businesses are required to adhere to the new regulations set out by CCPA. Companies must either make $25 million or more in annual revenue, have the personal data of more than 50,000 consumers, or earn more than half its revenue through the sale of private consumer data to be bound by the new regulations. The law defines “personal data” as identifiers like name, address, email address, social security number, etc. Those companies that do, however, meet the qualifiers mentioned above have a six month grace period to enact processes that will keep them compliant regarding the new law. Organizations that meet these standards have a six month grace period to institute procedures and measures of adherence before the law goes into effect.

CCPA’s Impact on Financial Services

Even with CCPA, applicable laws, regulations, and compliance mandates will continue to be specific to a company’s size and business practice. Banks, for example, will have to adhere to a handful of regulations that do not apply to software companies. Advertising and marketing firms will have the task of adhering to both GDPR and CCPA. Payment facilitators–being software companies–may need to tackle SOC (System Organization Controls) and PCI DSS (Payment Card Industry Data Security Standards) as applicable for their cloud-based software platforms.

The changing sentiments around consumer protection and data privacy will likely dominate tech at large, and more specifically, financial services for years to come. Parties on both sides of the new privacy mandate agree that a standard is needed, but precisely what kind of mandate that serves the needs of all involved stakeholders proves to be a challenge.

Both Nevada and New York have passed similar CCPA-like legislation that has yet to go into effect. Washington state recently proposed new privacy legislation last year that failed to pass. As the speed by which companies acquire and deploy consumer data accelerates, expect the trend towards tighter data privacy laws and protections to continue.