The real estate and mortgage lending industries in the United States were not as impacted by the European Union’s General Data Protection Regulation (GDPR) as some other U.S. sectors, but they anticipate a significant impact from the California Consumer Privacy Act that goes into effect on January 1, 2020. The GDPR was a sea change in privacy law. It became the most burdensome, generally applicable privacy law in the world. A survey by PriceWaterHouseCoopers found that 77% of businesses expected to pay over $1 million to comply with the new EU law.
Like the GDPR, the CCPA regulates how companies handle Personal Information (PI). The CCPA grants California consumers new rights to access, delete, and opt out of the sale of their data while placing restrictions on entities that collect, store, and sell Californians’ Personal Information. Many U.S. business anticipate spending amounts similar to what they spent on GDPR compliance to come into CCPA compliance.
The International Association of Privacy Professionals (IAPP) estimates that over 500,000 businesses in the United States, including over 100,000 businesses in California alone, will need to comply with the new law.
With the deadline fast approaching, it is important to understand what the CCPA requires and how to comply. The following white paper briefly outlines (1) who needs to comply with the CCPA, (2) how the mortgage industry is unique under the CCPA, (3) what the CCPA requires, and (3) what the penalties are for noncompliance.
Who Does the CCPA Apply To?
It can be difficult to determine whether the CCPA applies to your business. The law is complex, and there are various factors that determine whether your company must comply. Fortunately, the privacy experts at the law firm Wilson Sonsini Goodrich & Rosati distilled those factors into three easy questions that cover most companies.
First, does your company handle Personal Information from California residents? Keep in mind: the definition of personal information is very broad under the CCPA (click here for more). The CCPA defines Personal Information as any data that can identify, relate to, describe, is capable of being associated with, or can be reasonably linked with a person or household.
If the answer is no, your business likely does not need to comply with the CCPA. The new law only applies to companies that do business in California, or otherwise handle personal information from California residents.
If the answer is yes, however, you need to answer the next question.
Second, do any of the following apply to your company: (1) you make over $25 million in revenue per year, (2) you handle personal data for 50,000 people, devices, or households from California per year, or (3) you make at least half of your revenue from selling the information of California residents? If none of these three apply, your company likely does not need to comply with the CCPA. Keep in mind that there are a few exceptions, so it’s important to speak with a lawyer to know for certain. If any of those three scenarios do apply, however, then you need to answer the next question.
Third, is your company for-profit? If the answer is no, then your organization likely does not need to comply with the CCPA. The CCPA only applies to for-profit businesses; there is, however, an important exception if your non-profit handles information on behalf of a for-profit entity. In that scenario, your organization would need to comply with the new law.
If you answered yes to all three questions, then your business likely needs to comply with the CCPA—and you have a lot of work ahead of you. The following section outlines the main obligations under the law and specific exceptions that are likely to come into play in the mortgage industry.
To see an automated version of these questions that generates results for you, please click here.
How is the Mortgage Industry Unique Under the CCPA?
Not all Personal Information collected by mortgage lenders is subject to the CCPA. Personal Information that is collected, processed, sold, or otherwise disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), its implementing regulations, or the California Financial Information Privacy Act (CFIPA) is exempt from the CCPA. But any information activities that fall outside those laws, such as marketing, sales, and customer service, are subject to the CCPA.
Because those regulations define Personal Information than the CCPA, their narrower definitions include only those individuals who have applied for or received service or product from a regulated entity. This means that, among other things, mortgage lenders should reevaluate the security protocols associated with their non-GLBA/CFIPA-regulated personal data. If that data is breached, CCPA fines ranging up to $7,500 per record are possible.
In addition to the security concerns mentioned above, CCPA-regulated lenders will have to comply with all CCPA guidelines for that information that is not exempted through the GLBA and CFIPA. The CCPA gives California consumers four rights: (1) to know what Personal Information a business collects about them, how it collects it, its purpose, and whether and to whom it is being sold.; (2) the right to opt out of the sale of their Personal Information; (3) the right to have their Personal Information deleted; and (4) the right to receive equal services from a business even if they exercise their CCPA privacy rights. To comply with these rights and other restrictions placed on them by the CCPA, business have four main obligations: (1) to provide the proper disclosures and documentation; (2) consumer request management; (3) mapping their data (this is not explicitly required by the CCPA but enables 1 and 2); and (4) employee training regarding the CCPA.
The CCPA requires that a business must disclose the following information to California residents before the company collects their personal information:
- What personal information your company collects;
- Who your company collects the personal information from;
- Why your company collects the personal information;
- Who your company shares the personal information with;
- What categories of personal information your company sells;
- What categories of personal information your company otherwise shares;
- What rights consumers have under the CCPA; and
- Who consumers should contact about their rights under the CCPA.
The CCPA requires that companies allow California consumers to request that covered businesses: (1) provide information about what personal information they have collected and who they have shared their personal information with, (2) delete their personal information, or (3) not sell their personal information. Companies must provide at least two ways for consumers to make requests: over the phone and via their website. Companies have 45 days to respond to each request under the law. This deadline, however, can be extended up to 90 days in some circumstances. The law requires companies to be able to provide data going back to the prior 12 months.
The request requirement under the CCPA is generally considered the most burdensome part of the law. In addition to the upfront changes to privacy policies, contracts, and other documents, business must create a process through which consumers can ask the businesses to disclose what data they have about the consumer, how it is shared, and how they obtained it as well as allow consumers to ask that the business delete or cease sharing their personal information. Businesses are obligated to honor these requests with some exceptions.
After a consumer opts out, a business cannot sell the consumer’s information without the consumer’s express written consent. Companies cannot ask for that consent for 12 months after the consumer opts out. Request management is therefore an ongoing requirement that must be tracked in order to ensure compliance. To learn more about what SixFifty has done to help companies manage their consumer requests, click here.
Unlike the GDPR, data mapping is not an explicit requirement of the CCPA. However, in order to create a robust request management system and to ensure that your company is following the other requirements, data mapping is one of the unwritten requirements that the CCPA imposes.
In order to answer consumer access requests about what information your company collects about a consumer and how the company uses it, you need to map your data. The CCPA also requires that your contracts with third party service providers include specific elements. Companies must know who all of their service providers are in order to implement those new contract terms and to be able to identify which entities are third parties as opposed to service providers under the CCPA (information sharing with third parties as opposed to service providers is treated as the ‘sale’ of information under the CCPA).
In addition to being a necessary step for achieving CCPA compliance, data maps will also enable your company to get a true vision of what data you have and how you are, or are not, using it. Many companies are finding that they have personal information they do not need or use, thus exposing themselves to unnecessary security risks, which are heightened by the fines the CCPA imposes for security breaches.
To learn more about what SixFifty has done to help companies train their employees, click here.
The CCPA requires that companies have a policy of training anyone in their organization who is involved in (1) compliance with the CCPA, (2) the privacy practices of the company, and (3) handling consumer requests. CCPA training must be updated each year and teach employees how to handle consumers’ personal information according to the requirements of the law, particularly regarding responding to consumer requests under the CCPA. To learn more about what SixFifty has done to help companies train their employees, click here.
Penalties for Noncompliance
Penalties under the CCPA be divided into two categories: (1) regulatory violations and (2) data breaches. Lawsuits for violations of the CCPA can be brought by the Attorney General or consumers in civil actions.
1. Regulatory Violations
A company can be penalized up to $2,500 for each violation of the CCPA, with that amount increasing to $7,500 for each’ intentional’ violation. An intentional violation includes any action that a company knows that it should take under the law, but chooses not to. Some experts have speculated that violations will be determined on a per-capita basis the way California’s Supreme Court has counted violations in other cases.
Under this theory, if a business ignores the disclosure requirements under the CCPA, the California Attorney General could impose a $7,500 fine for each consumer that visited the company’s website–a potentially staggering amount. Facebook has approximately 24.6 million California users; if it were found to have violated the CCPA, it could face a rough maximum penalty of $61.6 billion for an unintentional CCPA violation and $184.7 billion for an intentional one. The Attorney General is expected to give further clarification on this point.
2. Security Breaches
Under the CCPA, if a company did not employ “reasonable” security measures to protect personal information, a company can be penalized $750 per record lost in a data breach under the CCPA. The company can also be charged with the actual loss experienced by each consumer who had their personal data compromised, whichever amount is higher.The CCPA is a unique law in that it grants citizens this private ‘right of action.’
The California Consumer Privacy Act of 2018 is one of the most important privacy laws in the history of the United States. It will affect more businesses in a more profound way than any proceeding privacy statute. Mortgage lenders should start preparing early to meet the requirements of the new law. To learn more about how SixFifty can help your company expedite CCPA compliance, visit https://www.sixfifty.com/solutions/ccpa. To see a helpful timeline for bringing your business into compliance, click here.
*** Multiple amendments are being considered by the California legislature, so be sure to check our blog regularly for legislative updates.***
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.