Countdown to the CCPA: What the financial services industry needs to know

By: John Chaisson, Data Privacy & Blockchain, HealthVerity

Perhaps no other industry is as heavily regulated yet remains as vulnerable to data privacy breaches than the financial services industry.  Among the financial institutions that recently disclosed breaches were Capital One, JP Morgan Chase, Goldman Sachs, HSBC, Fidelity Investments, Sallie Mae, and Citizens Financial Group. At SunTrust Bank, an employee stole the names, addresses, phone numbers, and account balances of some 1.5 million of the bank’s customers.  Given the highly sensitive data these institutions handle, the consequences are far-reaching, from swift changes in leadership to loss of customers. In today’s environment banks and financial services providers continue to grapple with how to balance compliance, consumer mistrust, and government regulations.

The process the industry uses to collect, analyze, aggregate, and share consumer data will be under an even more intense microscope when the California Consumer Privacy Act (CCPA), a far-reaching state regulation, goes into effect in less than six months.  Institutions will need a comprehensive, multi-regulatory data privacy management platform to blaze the path towards January 1, 2020, whether based in California or not.

Detailed below are five actions the financial services industry can take right now to ensure it is ready for CCPA and to usher in a new era of consumer trust and data management centered around transparency and compliance: 

1. Have a Clear Understanding of What Information Will and Will Not be Exempt 

For nearly 20 years, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, has been the de facto financial service industry’s tentpole data privacy legislation. It holds financial institutions accountable by requiring them to explain how they share clients’ data and shields them from having to comply with other privacy laws that fall outside of the financial industry landscape. CCPA, however, will radically impact this framework. 

While CCPA does include an exemption for certain information that is subject to GLBA and other sector-specific regulations, CCPA only exempts personally identifiable FINANCIAL information, i.e., information that a consumer provides to obtain a financial product or service, that results from a consumer transaction, or that is otherwise obtained in connection with providing a financial product or service. All other personally identifiable information (PII) such as names, addresses, phone numbers, advertising data, web-based analytics, and geolocation information will soon be regulated by CCPA. 

This is similar to how the healthcare industry must parse when patient data is covered by HIPAA (when it is PHI) and when it’s governed by the CCPA (when the same person’s data is PII).  For banks, if data is used for marketing generally, it’s governed by CCPA. The challenge for these companies is parsing when it’s under ‘financial’ use vs ‘marketing use’.

Banks and other financial institutions and service providers face the daunting task to not only map data but also to parse consumer data based on whether it is subject to GLBA or CCPA. Financial institutions will have to carefully examine what kind of consumer data is collected and find a new way to align their marketing, legal, and compliance practices.

2. Account for More Personal Information Regulations 

CCPA includes the broadest definition of personal information to date. It includes all “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 

For banks and other financial service providers, this means that information collected passively, such as IP addresses, geolocation, and other data typically used for advertising or marketing purposes, will soon be subject to CCPA regulations. Personal information will also now include information obtained from non-financial institution partners and other third parties. 

Essentially, the GLBA exemption covers existing customer relationships, but now, financial service providers will have to comply with privacy regulations for anyone who visits their website when cookies or other personal information is collected.  

Adding another complication, CCPA also calls for 12-month “look back” period. Financial services providers will need to disclose how they have been collecting, using, and sharing data since January 1 of 2019.  Managing current and retroactive data collection practices require consolidated data privacy management platforms to effectively differentiate dates of data collected to ensure compliance. 

3. Carefully Manage Opt-Out Rights

Under GLBA, consumers currently do have the right to opt-out of information sharing, but CCPA includes more extensive opt-rights; most importantly, the provision that once a consumer opts out, financial service providers cannot solicit customers to opt-in for at least 12 months. 

For the financial services industry, in particular, this provision will need to be carefully managed, as many credit card companies, mortgage lenders, and other service providers have robust marketing efforts and many touchpoints with current and potential customers. For example, a customer might have a checking account with a bank but decide to opt-out of having her information shared with the bank's mortgage lending arm. The bank will still need touchpoints of communication regarding her bank accounts without violating her request to opt-out of other communications. 

Banks will need sophisticated data management and privacy governance tools to manage consumer preferences, maintain consumer goodwill, and ensure compliance across all of CCPA’s new consumer privacy rights. 

4. Prioritize the Customer Journey 

Managing opt-out preferences under CCPA will only be one of many important customer experience considerations to take into account. Now that online banking and credit card payments are the norm, customers are becoming more diligent about checking their statements and interacting in some form with banks, credit card companies, and other financial service providers on an almost daily basis. These frequent touchpoints are a tremendous opportunity for the industry to get out in front of any data privacy challenges and ensure consumers that their data is protected and their privacy preferences are respected.

Financial service providers can create goodwill and trust by recognizing their important role in consumers' lives and act as true stewards of sensitive information through a consolidated data privacy compliance platform, such as HealthVerity Consent

5. Be Vigilant about Compliance to Avoid Civil Action 

Last, but certainly not least, CCPA permits a private right of action for data breaches. This means that the banks and other financial service providers are now more vulnerable than ever to lawsuits. CCPA provides for consumer lawsuits with statutory damages of between $100 and $750 per consumer per incident, or actual damages if greater. For actions commenced by the Attorney General, the CCPA allows penalties to be imposed for intentional violations of any provision up to $7,500 per violation, or $2,500 for unintentional violations if the violation is not cured within 30 days of notice.

Thanks to CCPA’s expanded consumer rights, banking customers are more empowered than ever to know how their information is being used and to take action if they feel their rights have been violated. Without a proper data privacy management system, such as HealthVerity Consent, financial services providers could face data privacy violations that will yield hefty fines, lawsuits, and a loss of clients. 

The Bottom Line

Consumers are more empowered and more diligent than ever when it comes to personal data protection. CCPA aims to increase transparency and accountability across industries, but for the financial services industry, CCPA has the potential to make or break how a company manages data and retains its customers’ loyalty.

By utilizing a consolidated, single privacy management platform such as HealthVerity Consent, financial institutions can set the bar for CCPA compliance, reassuring consumers that their data will be protected and be used in compliance with the new laws. HealthVerity Consent consolidates, connects, and logs consumer data preferences and rights across an enterprise’s many consumer data systems. It provides financial service providers with the opportunity to be proactive and transparent about data privacy, not just because it will soon be the law, but because it is a priority for its most valued asset: the consumer. 


Back to Blog