Roughly nine and a half months remain before the California Consumer Privacy Act (CCPA) will take effect, at the start of 2020, and privacy experts continue to explore what the legislation will mean for the public and private sector.
In a recent webinar, “2019 CCPA – Are You on the Right Path to Compliance?,” Raj Bakhru and Alex Scheinman, partners in ACA Aponix, which offers cybersecurity, tech risk assessments, network testing and related services, discussed what the act will mean for financial services companies.
The two also noted time is running out to get ready, and discussed how interactions with government will make companies subject to the new privacy law. Among the takeaways:
• The CCPA’s definition of personal data will be extremely broad, Scheinman said during the Thursday discussion, to include any piece of data that “either can identify or be identifiable and link back to a discrete individual.” The act will empower consumers to know what information businesses are collecting, their purpose, and with whom the data is shared, disclosed and sold. It will also create rights around the access and deletion of that information, and the right to opt out of having that information sold.
• The CCPA will tighten access to residents’ personal information (PI), but not every bit of information out there will be considered PI. Publicly available information — i.e., consumer information that’s “lawfully made available” by government records — is not considered PI, Scheinman said. Neither is data that’s used to cooperate with a law enforcement inquiry or to comply with local, state or federal law.
• The CCPA is designed not to overlap with the 1999 Financial Services Modernization Act, a.k.a. the Gramm-Leach-Bliley Act (GLBA), which mandated that financial institutions be transparent about how customer PI was shared and protected. Scheinman said data covered under GLBA “is exempt” from CCPA. But financial institutions with public-sector clients such as the California Public Employees’ Retirement System (CalPERS) or the University of California could still be affected by CCPA, provided they receive PI from California residents as part of an investment.
“Anyone who takes institutional investments, which is the heavy majority of those types of firms, you often receive personal data on, for example, authorized signatories from those pension funds or endowments or what have you. The investor is an institution, and the personal data that comes with that investment, that institutional investment, is all covered by CCPA,” he said.
Officials at private and public entities alike should learn from the run-up to the General Data Protection Regulation (GDPR), the European Union’s 2018 mandate that regulates the processing of personal data, and start preparing now for the Jan. 1, 2020, effective date of CCPA. Scheinman recommended data discovery and data mapping to determine what data might be in or out of the scope of CCPA; reviewing what policies or procedures might need to be created or revised; and assessing whether systems are capable of meeting the act’s requirements, such as providing data in a machine-readable format.
Bakhru emphasized that a privacy readiness assessment should drive any “road map” of preparations. Among other steps, he said, vendor contracts may need to be revisited to examine privacy considerations.
“Some of you who did GDPR will have certain of these components, but there’s definitely nuances here that are different and gaps that you’ll need to address,” Bakhru said. “There were a lot of people involved in getting GDPR compliance done, and everyone felt that last-minute crunch.”