Published on May 1st, 2019

From paper compliance to operational compliance


Financial services firms must prepare for the California Consumer Privacy Act, says Alex Scheinman.

Data privacy has become an overarching issue that is top of mind for
organizations across industries and geographies over the past several years. It
affects every business function in an organization, from the IT department to
compliance to marketing to HR, and has increasingly been occupying the minds of
the C-suite. With the European Union’s sweeping GDPR regulation having gone
into effect last year, additional countries and jurisdictions have taken it
upon themselves to create similar legislation that enhances individual privacy
rights and holds companies accountable for ensuring that appropriate safeguards
are in place to protect data.

Even in the U.S., where data privacy has historically been viewed as an
afterthought rather than a business priority for the nation’s data-rich
companies, the never-ending wave of high-profile data breaches and corporate
and political misuses of data has brought data privacy to the forefront of the
corporate agenda. Further, technological innovations in areas such as
artificial intelligence and cloud computing mean that wherever an individual
goes, regardless of their place of residence or work, their data moves with
them – adding an additional layer of privacy risk. To address some of these
concerns, on June 28, 2018, California passed the California Consumer Privacy
Act (CCPA) to grant California residents increased control over their personal
data, set to go into effect in just under a year on Jan. 1, 2020.

The CCPA applies to any for-profit business, regardless of location, that grosses at
least $25 million annually, interacts with 50,000 or more customers, or derives
at least half of its annual revenue from the sale of personal data. In short,
any for-profit company (even if headquartered outside the US) that collects
data on California residents and meets one of the above threshold criteria will
likely be facing CCPA compliance obligations.

Under the act:

• Customers can demand that companies delete their personal data and/or refrain from selling it.
• Customers can demand that companies reveal what personal data they have collected, the reason it was collected, and which types of third parties have received it.
• Companies must follow enhanced disclosure requirements.
• Companies must comply with the above or be penalized.
• Companies cannot charge customers higher prices or withdraw services as a result of privacy requests.

The GDPR of the U.S.?

Much of the discussion around the CCPA has centered around whether the
law is set to become the “GDPR of the United States.” While GDPR is a more
robust, complex data privacy regulation and framework, the CCPA is nevertheless
sweeping in scope and impact, and the two acts are underpinned by many of the
same data privacy principles. And while comparisons between the two acts have
been frequent, not enough has been said about the concrete steps that
organizations, specifically those in the financial services space, should be
taking to get their processes, people and technology ready for CCPA compliance.
These heavily regulated organizations should be wary of viewing the CCPA as
simply another law to comply with. In order to avoid scrutiny by the regulators
and heavy fines along with potential reputational harm, they will need to shift
their approach to data privacy.

Is financial services data in scope for compliance?

In September 2018, the original CCPA bill was amended to address several
concerns, including whether certain B2B data like financial services data will
fall in scope for the law. A substantive change that came from that amendment
was the clarification that GLBA-regulated data, which most core financial
services data falls under, is indeed exempt. Though the date is not yet
finalized, in late summer or fall 2019, the business community and the
California Chamber of Commerce are expected to push for another round of
amendments to narrow the present scope of the CCPA. It is expected that the
business community will seek to exempt all B2B data and perhaps limit or
eliminate the inclusion of personal data related to employees (e.g., dependents
and beneficiaries). While these proposed amendments might tempt financial
services organizations to put CCPA compliance on the backburner, that instinct
might prove to be flawed for quite a few reasons.

Despite GLBA-regulated data falling out of scope for CCPA compliance,
the majority of financial services firms, especially alternative asset
managers, hold a trove of data that may not be considered “core” by regulators,
including many types of alternative data, promotional data, vendor data and
more. Further, if a data breach occurs, under the CCPA, financial services
organizations would still be held accountable for lawsuits. At the very minimum
end of CCPA compliance, both alternative and traditional asset managers should
start with a data mapping exercise to determine the data that they hold that
might fall outside of GLBA.


From paper compliance to operational compliance

Once a firm has determined that some of its non-core financial services data might fall in
scope for CCPA, a data mapping exercise is essential. Firms must be prepared to
know exactly what California resident data they hold, who they are sharing it
with (vendors, partners, etc.) and where it is located. They must then develop
and implement a compliance roadmap, filling in the gaps revealed by the data discovery
findings and obtaining buy-in from leadership for that roadmap.

Unlike large technology and retail firms, many financial services firms,
especially alternative asset managers such as private equity firms and hedge funds,
which are less directly consumer-facing than retail banks, do not necessarily
have robust data privacy programs in place, let alone a dedicated privacy executive.
The advent of the CCPA could be a call to action for these firms to put a chief
privacy officer (CPO) in place, a compliance professional whose role would
encompass a more holistic take on data privacy than just SEC compliance. The
CCPA should be a wake-up call to the alternative asset management industry that
it must place data privacy near the top of the compliance checklist.

A move towards a federal data privacy law?

The past few months have seen a flurry of activity around several US states following in the
footsteps of California to begin the process of drafting their own data privacy
laws aimed at companies that collect personal data, including New York,
Washington and Hawaii. Though drafted with the best intentions, on a practical
level, it’s ultimately unlikely that a fragmented state-by-state data privacy
approach would work effectively for national and international companies
operating across the entire U.S., not to mention, the considerable compliance
burden that it would create. But the movement to prioritize data privacy is
almost certain to create enough momentum in the U.S. to reach
consensus on the adoption of federal data privacy regulation, just as the GDPR
united more than 20 disparate data privacy regimes that had been implemented
throughout the EU. And just as California launched the ballot initiative for
clean emissions that turned into federal policy, it is more than possible that
the CCPA might be a bellwether of things to come on a federal level.

GDPR and CCPA are just two clear indications that the move towards the
global regulation of data privacy is inevitable, and one that organizations
across verticals must take seriously. With countries such as Switzerland and
India in the process of enacting their own versions of GDPR, and the inherently
global nature of today’s business landscape, the momentum will only continue to
increase. Forward-looking financial services organizations must change their
mindsets, recognizing that they are not immune to this global trend, and must
place data privacy compliance at the top of their to-do lists in 2019.

Alex Scheinman is the director of ACA Compliance Group.
