As lenders look ahead to 2020, they can thank a well-known whistleblower for the next big compliance challenge the industry will face.

Not the whistleblower currently dominating headlines but rather Edward Snowden, who in 2013 leaked highly classified information and exposed, among other things, that U.S. intelligence was paying technology companies for access to systems in order to conduct espionage, including spying on allies.

Those revelations provided significant momentum for passage of Europe’s General Data Protection Regulation, which significantly tightened rules around collection and use of individuals’ personal data. While those rules had limited impact on the U.S. mortgage industry, the effective import of those kinds of restrictions will commence on Jan. 1, when the California Consumer Privacy Act takes effect.

The new law stands to force a broad reassessment for the industry, which is increasingly digitalizing and aggressively buttressing its data collection and access capabilities.

Companies doing business with California residents will soon be obligated by law to document and disclose all personal data they hold on their customers, or face financial penalties for each person in their systems. Exactly what the rules will obligate companies to do is not yet completely clear — final regulations are still being worked out. But the general principles are fairly clear-cut, and this won’t be a movement confined to California — the CCPA is quickly becoming a template for a growing list of states considering similar consumer protections.

Some basics on the act: To fall under its provisions, a business needs to meet one of three thresholds: $25 million in annual gross revenue, more than half of its annual revenue earned from selling consumers’ personal information, or possession of the personal data of 50,000 or more consumers.

California residents will have the right to know and access what information businesses collect about them and have that data expunged by request. If their data gets sold, the consumer will now be privy to the transaction and to where it gets sold to. They’ll also have the option to say no to any sale of their information without discriminatory retaliation.

If a company loses data through theft or breach, it’s liable for penalties up to $750 per individual’s information lost. If the company fails to comply with any of the statutes, it’ll be subject to fines up to $7,500 per violation.

Data security regulations have historically been reactive to an evolving digital world. The drafters of the California Consumer Privacy Act set out to make their new law proactive instead.

“I don’t think people understand the gravity of the situation,” said Ike Kavas, founder and CEO of Ephesoft. “Once the consumers are educated about this and then a few companies are punished — because the punishment is really high — then the actual recognition of this act will take place. I think we’ll see big waves in the next two years of consumers making the mortgage companies accountable and mortgage companies making the software vendors accountable.”

As new generations of borrowers entered the fray, the antiquated ways of getting a mortgage needed modernizing. That meant switching out paperwork and physical touchpoints to keep up with a rapidly digitized landscape. Data capture systems were put in place so personal information could be uploaded and saved. It would then be automated to streamline the process, saving time for both the lender and customer.

Over time, data accumulation surged. Lenders would then spread it around to a growing bullpen of technology partners providing artificial intelligence, bots and electronic notarization, further lessening the idle spells and monotonous clerical work.

While this global technological evolution across industries aided the lending process, it left incalculable amounts of personal information out in the ether. An added emphasis on data security and the GDPR in Europe set the impetus for the act. Its goal is to reduce the power Big Data has in society and shift it back to people.

In theory, the Gramm-Leach-Bliley Act prepared institutions for what’s to come, assuming they’ve been meeting requirements. As long as personal information is collected, processed, sold, or disclosed in accordance with the GLBA, the CCPA probably doesn’t apply. However, it’s not blanket coverage and a great deal of the information collected on a day-to-day basis won’t be shielded by it. Lenders could easily get tripped up by thinking that everything they collect is exempt.

While this lightens the compliance burden for mortgage lenders, it doesn’t do away with the need to track how they use individuals’ information, create pathways for communicating that to Californian consumers, and delete information upon request.

“CCPA refers to ‘personal information’ while GLBA refers to the more narrowly defined nonpublic information and personally identifiable financial information,” said Paula Tuffin, general counsel and chief compliance officer at

“The gulf between GLBA’s narrow definition of nonpublic information and the CCPA’s broader personal information means that lenders will have to make judgment calls on whether the CCPA applies to each piece of information consumers share in the process of obtaining a mortgage. Each of those calls is akin to a blind leap into the privacy enforcement pool. A wrong call could have damaging reputational consequences as well as the risk of fines. For example, the CCPA may apply to leads who have not yet become ‘consumers’ within the GLBA definition. Of concern for digital lenders, information collected about Californian website visitors who are not ‘consumers’ under GLBA may be subject to the CCPA.”

Lenders and servicers need to have all their customer information organized and accounted for if they haven’t done so. Businesses already prepared for GDPR compliance had an exercise in good practice. But this is a new act, with bolstered protections and more control given to consumers.

“Begin mapping your data. If you are a mortgage originator, you obtain lots of information that’s required under various origination statutes in the URLA of a loan application,” said Sanford Shatz, counsel at McGlinchey Stafford. “If the loan is sold, you transferred it to the new owner. If it’s not sold, you hold it in case the loan origination ever becomes separate of regulatory review or litigation. And if it doesn’t, at some point in time you can get rid of it, no problem. But if the borrower asks you for it or you need it for that purpose, where is it and what are you doing with it?”

The onset of 2020 initiates the CCPA’s regulations with a 12-month look back period. Any California resident can inquire what data businesses have on them, what categories they fall under, where it’s gone and for a copy of the history, dating back to Jan. 1, 2019. A business must then provide the information in a readable, transportable form to the consumer.

It won’t matter if the lender is domiciled in another state or abroad. As long as it conducts business in California, the rules apply. Conversely, the law still kicks in for business conducted outside of the Golden State as long as a California resident is involved.

“The most onerous item is you need to provide a disclosure to the consumer which talks about the categories of information and what particular personal information you are collecting from them before they give it to you,” said Mike Barone, executive director of compliance at MQMR. “So before they tell you anything that’s personal and private, you have to give them a disclosure and make them aware they have these rights under your privacy policies.”
California generally acts as the vanguard when it comes to laws and legal issues, with other states falling in behind it. With the CCPA taking effect, there will be copycat bills with varying degrees of modification in their statutes.

“I think in California there is an emotional connection to what happened with Facebook. The results of that were very harsh,” said Kavas. “I would say the other states will not be as harsh, but I think logically they will not be able to make it any less. So because California was the first in the United States, that’s going to set the stage for everybody else to come and follow.”

As of Oct. 15, 2019, one dozen additional states had bills going through some stage of the legislative process, while seven others had theirs postponed, according to the International Association of Privacy Professionals.

Only Maine and Nevada passed and signed their bills, though both states are lighter on consumer rights. Maine’s LD 946 goes live on July 1, 2020 and Nevada’s SB 220 went into effect on Oct. 1, 2019.

Illinois and Washington sit a step behind, with their privacy acts in the cross committee stage. Further down the podium, Hawaii, Massachusetts, Minnesota, New Jersey, New York, Pennsylvania and Rhode Island all have theirs in committee.

Connecticut, Louisiana, North Dakota, Texas and a second bill from Hawaii all had task forces assigned in place of their statutes to examine and recommend updates to the regulations. Lastly, Maryland’s and New Mexico’s acts were postponed indefinitely.

“The variations in these laws, however slight, will make compliance complicated for multi-state lenders,” said Tuffin. “The likely outcome is that lenders will adhere to the most stringent rule to minimize enforcement risk. In other words, Washington’s version of GDPR may become the rule by default.”

As the bills stand pending future amendments, the New York Privacy Act carries both the most extensive consumer rights and business obligations, followed by Minnesota’s and Washington’s.

Opinions vary on whether this issue will graduate to the federal level. Some think it’s an inevitability, with uncertainty only surrounding the scale of its severity.

“The push to address the potential for misuse of data will likely drive Congress to adopt a version of the CCPA,” Tuffin said. “What that law might look like remains an open question. A congressional hearing on privacy earlier this year made clear that there is little if any will to adopt GDPR or CCPA in either’s entirety. Testimony pointed out the high costs associated with compliance with laws like GDPR and that those costs can stifle start-ups and the innovation that comes with these nascent businesses.”

While costs may be high, creating a nationwide standard to adhere to would lighten the regulatory load for companies doing mortgage originations across multiple state lines. The lack of viability of having 50 different laws could push a federal mandate, especially if companies lobby for it. If the CCPA and subsequent laws incite a string of institutional infractions, demand for government intervention will presumably swell.

However, others believe it will take a catastrophic incident to spark federal action.

“I think there has to be a compelling event for the federal government to chime in,” Kavas said. “I’ll give you two examples that would move the needle: if a data breach happens at the national level and the state level controls weren’t enough. Or if another country that’s not friendly with the U.S. somehow got in and stole data to use against us — whether it’s from an intelligence agency or infrastructure vulnerabilities. I think those types of events at the national security level would be compelling enough for that to move. But until those, I think the federal government will be in watching mode.”

Lenders and servicers should reassess their practices to determine whether all the business they conduct and the information they compile is actually necessary, because the larger the data cache a company retains, the higher its compliance risk.

“I’ve been telling lenders and clients that if you’re collecting information and not using it for anything, stop collecting it,” said Barone. “All you’re doing is creating liability and more things you have to deal with in this California Privacy Act. I think a lot of lenders are collecting information and don’t even know they’re collecting it, and there’s no purpose for them doing it.”

In the short term, education and employee training programs on the CCPA will be key for all businesses. Lenders will need to respond in a timely fashion when consumers make data requests or react quickly in the unfortunate scenario of a leak.

“For the executives of these companies, I encourage them to look beyond next year,” Kavas said. “In two or three years from now, they have to start creating and partnering with the technology providers to establish a system that can actually comply with this and be preventative rather than reactive. Because nobody is working on how we’re going to prevent the issues raised by privacy.”