California's privacy law is in effect. Now what?
The California Consumer Privacy Act is here, but many mortgage lenders still don't know what that means for them. I've received over a dozen calls from sizable lenders asking what others are doing. Webinars on the topic have record registrations and CCPA experts are in high demand to speak at conferences, all because there is still a lot of confusion and gray area with this ground-breaking data privacy law.
Although Jan. 1 was the effective date, enforcement action is not scheduled to take effect immediately, allowing somewhat of a grace period for businesses to get squared away. But that doesn't mean lenders should be in a holding pattern. Here's a high-level overview of the CCPA based on research and discussions I've had.
Which businesses are affected?
Businesses must comply with the law if they meet any of the following criteria: they have revenue that exceeds $25 million annually; they buy, sell, share, or receive consumer information on 50,000 or more California consumers; or more than 50% of their revenue is from selling consumer data.
What do consumers need to know?
Californians, like me, now have the right to know what information companies have about us, request that it not be sold, and request that it be deleted unless deletion is in conflict with another law (very important to note that last piece for our highly regulated industry). Businesses must also provide a link that says "Do Not Sell My Information," which enables consumers to make their opt-out request. The CCPA is the first momentous step in privacy laws and will likely become the framework for other states or the federal government.
What can your company do — at a minimum — now?
What you should not do
First and foremost, nothing. You should not be doing nothing if you are a business that qualifies under one of the above criteria. Additionally, there is a major concern for identity theft when businesses respond to CCPA requests by providing personal information without properly (reasonably) verifying the requestor is who they say they are. Do not quickly throw together a plan to comply with CCPA. Take a step back and review policies and procedures, and consider how they can be enhanced thoughtfully to avoid missteps that put consumer information at risk.
What steps can your company take to honor privacy?
Consider the following action items to ensure your organization is truly honoring the consumer:
● Storage and access: Most businesses store data on multiple media types, each technology and format requiring its own type of protection. Understand storage and access.
● Solutions: Here at Jornaya, we recently extended our compliance product suite to assist companies in meeting the requirements of the CCPA, as well as any future state and federal regulations. Our Privacy Guardian solutions help companies know if a site visitor is located in California and help them prove what happened at each web event.