By Lydia Iseh
Organizations collect large amounts of consumer data for many reasons: improving the customer experience, gaining a competitive advantage, meeting customer expectations, growing the consumer base, and so on. However, the collection, management, and security of this data must be handled carefully by these organizations.
Data privacy is concerned with protecting personal data from those who should not have access to it. It also covers the ability of individuals to decide who may and may not access their personal data. Finally, data privacy is concerned with how and where businesses store the data they collect.
Data privacy laws have been enacted to guide organizations on how personal data should be collected, stored, and shared with third parties. The best-known examples include the GDPR, CCPA, CPRA, and VPPA.
CPRA is one of the most recent data privacy laws, and businesses are considering how the regulations will affect their business. So, this article will address the impact of CPRA compliance requirements on the financial sector.
All you need to know about the CPRA
The California Privacy Rights Act (CPRA) is a data privacy law that goes into effect on January 1, 2023. It was passed in November 2020 as an amendment to the California Consumer Privacy Act (CCPA). Although the law goes into effect in 2023, it applies to all personal data that businesses collect from January 1, 2022 onward.
Companies outside of California are not exempt from the California Privacy Rights Act. The law applies to all organizations that do business in California and have California residents as customers. Therefore, for a financial institution to remain compliant with the CPRA, it must first understand the CPRA and how it works.
The CPRA has additional protections for consumer data, increased enforcement options, and increased fines for violations. So, institutions in the financial sector must ensure they remain compliant.
About the CCPA: the foundation of the CPRA
The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, making California the first United States jurisdiction to have a comprehensive data privacy law. The CCPA is very similar to the European Union’s data privacy law, the General Data Protection Regulation (GDPR).
The CCPA gave consumers the right to know what data an organization collects, when it is collected, and whether the information is being shared with or sold to third parties. Beyond informing consumers about how organizations handle their data, the CCPA also gave customers a degree of control over that data.
For instance, the CCPA allows consumers to find out what information companies have collected about them, prevent the sale or sharing of this personal data, and even ask businesses to delete such data. Businesses may not discriminate against consumers who exercise any of these rights.
The CCPA was considered a ground-breaking piece of legislation. However, lawmakers believed that the CCPA left gaps that could lead to the exploitation and violation of consumer data. This led to the amendment of the law and the adoption of the CPRA.
Sensitive Personal Information under CPRA
Under the California Privacy Rights Act, a new category called Sensitive Personal Information (SPI) was introduced. Under this classification, businesses may use consumers’ sensitive personal information only for a limited set of business purposes, such as non-personalized advertising.
If a company wants to use SPI for any other purpose, it must notify the consumer and allow them to opt out of that use. The CPRA provides a list of information that falls under sensitive personal information, including:
- Social security number
- Driver’s license
- State ID card
- Account log-in
- Credit or debit card number
- Password or other credentials allowing access to a financial account
- Precise address
- Racial or ethnic origin
- Religious or philosophical beliefs
- Contents of a consumer’s private communications
- Genetic data
- Personal information concerning a consumer’s health
- Personal information concerning the consumer’s sex life or sexual orientation
Businesses must provide a clear and conspicuous link on their website’s homepage titled “Limit the Use of My Sensitive Personal Information.” This link should be in addition to the opt-out link required under the CCPA.
Who does the CPRA apply to?
The California Privacy Rights Act established the California Privacy Protection Agency (CPPA), which implements and enforces the CPRA and ensures that businesses remain compliant with its rules. The CPRA applies to any business that:
- Has annual gross revenues of over $25 million in the preceding calendar year
- Buys, sells or shares the personal information of 100,000 or more consumers or households
- Gets 50% or more of its annual revenues from selling or sharing consumers’ personal information
Impact of CPRA compliance requirements on the financial sector
The financial sector is the part of the economy made up of companies and institutions that provide financial services to commercial and retail customers. It comprises many industries, such as banks, investment houses, insurance firms, and real estate brokers.
These financial institutions collect personal information from their customers for business purposes. Because of this, establishments in the financial sector must comply with the regulations under the California Privacy Rights Act. Below are the rights of consumers under the CPRA and how they impact the finance sector.
1. Right to correct information
Consumers have the right to have their personal data corrected or rectified if it is inaccurate or incomplete. When a consumer disputes the accuracy of their personal information, financial establishments such as banks should use commercially reasonable efforts to make the necessary corrections.
The CPRA requires these companies to disclose the new right to their consumers and provide a means to request a correction.
2. Right to limit the sensitive personal information
As addressed earlier in the article, the CPRA introduces a new category called sensitive personal information. Accordingly, customers of financial organizations and other businesses have the right to limit the use of this SPI to the narrow set of purposes prescribed in the regulations.
Failure to stick to these specific purposes could expose the organization to penalties. Financial institutions that store customers’ sensitive personal information must ensure they use that information for the stated purposes only.
3. Right to access information about and opt-out of automated decision making
Under the CPRA, the regulations allow consumers to request meaningful information about the logic involved in an organization’s decision-making processes. They can also request a description of the possible outcome of that process.
Automated decision-making is the process of reaching a decision by automated means without any human intervention. This provision is similar to the one in the GDPR: consumers have the right to know about, and opt out of, automated decision-making. An example of automated decision-making is an online decision to award a loan.
4. Right to opt out of sharing
The CPRA expands on the CCPA’s right to opt out of the selling or sharing of consumers’ personal information. This includes data shared with a third party for cross-context behavioral advertising.
Cross-context behavioral advertising refers to targeting advertising at a consumer based on personal information (PI) obtained from the consumer’s activity across websites, apps, or services other than the one the consumer intentionally interacts with.
For instance, if a consumer uses a fintech service and starts seeing targeted ads related to it, the organization could have shared the consumer’s PI with a third party. Consumers could decide to opt out of having their personal data shared or sold to these third parties or services.
5. Right to delete
A significant right that businesses in the finance sector must note is the consumer’s right to have their personal data deleted. Companies must also inform any third parties with which they have shared that personal data about the consumer’s deletion request.
Additionally, these financial organizations must inform their customers about how long they intend to retain their personal information. Once this duration elapses, they are to dispose of the data securely.
Financial establishments that fail to adhere to the above CPRA compliance requirements face penalties of up to $7,500 per intentional or willful violation. If the violation was unintentional, the fine is $2,500. Consumers may also seek compensation for damages, in an amount of not less than $100 and not more than $750 per consumer per occurrence.
Other consequences include imprisonment, loss of reputation, closure of the business, and other punishments for the offending organization. A “big name” in the finance sector facing charges of non-compliance could affect the entire sector. This is why compliance with data privacy laws like the CPRA should be a priority for financial institutions.
In conclusion, data privacy should be a priority for any organization that collects personal information from its customers, and companies in the finance sector are no exception. The law requires financial institutions that handle personal data to comply with data privacy laws such as the CPRA. This article has addressed what the CPRA is and the impact of CPRA compliance requirements on organizations in the finance sector.
About the Author
Lydia Iseh is a writer with years of experience in writing SEO content that provides value to the reader. As someone who believes in the power of SEO to transform businesses, she enjoys being part of the process that helps websites rank high on search engines.