Mortgage lenders have long tailored their information collection, disclosure and sharing practices to the federal Gramm-Leach-Bliley Act (GLBA). The GLBA implements protections for nonpublic consumer information. This is about to change for some lenders in 2020.
The privacy safeguards of the GLBA seem quaint in comparison to those in the newly-minted California Consumer Privacy Act (CCPA). Though California’s new law doesn’t go into effect until January 1, 2020, it’s already drawing attention from California mortgage lenders because of its broad reach and potential to impact the home mortgage industry.
Given recent high-profile data breaches and the European Union’s landmark General Data Protection Regulation (GDPR), the CCPA has been long overdue. Then-Governor Jerry Brown signed Assembly Bill (AB) 375 into law in June 2018. Like the GDPR, the CCPA aims to regulate the collection and sale of personal information by expanding consumer rights and installing enforcement mechanisms. You can read the full bill in its original form here.
Most notably, the CCPA allows consumers to:
- request businesses disclose their collected information [Calif. Civil Code §1798.100(a)];
- opt out of the sale of their information [CC §1798.120(a)]; and
- request the deletion of their information. [CC §1798.105(a)]
Will my business have to comply?
The CCPA applies to for-profit businesses operating in California that:
- earn greater than $25,000,000 in annual gross revenue;
- collect or share the personal information of more than 50,000 California residents annually; or
- earn at least half of their annual revenue from selling personal information for California residents. [CC §1798.140(c)(1)]
Personal information includes conventional identifiable information like physical addresses and phone numbers, but more broadly encompasses any information that can identify, relate to, describe, is capable of being associated with or be reasonably linked with a particular consumer or household. [CC §1798.140(o)(1)]
To picture the scope of this law, imagine your business’s website collects the email address, geolocation data and search history of a California resident and creates a preference profile based on this data to better market to them. Under the CCPA, even inferences drawn from this profile are subject to regulation. Unauthorized access of any of this data stemming from a failure to properly secure it will be considered a CCPA violation.
The high revenue threshold for compliance squeezes out all but the largest mortgage lenders, but even small businesses will find themselves reaching the second criterion quickly. For instance, it only takes 137 daily credit card transactions for a business to fall under CCPA regulation in a year. Any businesses that meet one or more of these criteria will need to overhaul their privacy practices to comply, risk exposing themselves to costly lawsuits or exit the market entirely.
Conflicts with federal legislation
Businesses in compliance with the GLBA can breathe a small sigh of relief. The bill’s original language carves out an alcove for the GLBA. AB 375 states that the new law will not apply to personal information collected, processed, sold or disclosed under the GLBA and its regulations when in conflict with that law. But this exemption only raises questions about what constitutes a conflict between the GLBA and CCPA.
Adding to the confusion, the CCPA relies on a broad definition of consumer instead of the one set out by the GLBA’s Privacy of Consumer Financial Information Rule and the California Financial Information Privacy Act (CFIPA). Their much narrower definition only includes individuals who apply for or obtain or have obtained a personal-use product or service from an entity controlled by Regulation P. On the other hand, the CCPA’s definition includes any California resident.
Editor’s note — first tuesday explores Reg P’s definition of consumer in this Mortgage Concepts video.
Because the CCPA’s definition of personal information is much broader than that found in the GLBA and CFIPA, this exemption is quite limited. Businesses are still on the hook for the breach of any data collected outside the GLBA/CFIPA umbrella and under the larger CCPA umbrella.
SB 1121, a clean-up bill passed only three months later, amended this section to address some of these issues. In listing exemptions to the compliance requirements, the bill removes language concerning “conflicts” with the GLBA. It also adds the CFIPA to the list of exemptions.
In other words, just because your business is regulated by the GLBA or CFIPA doesn’t mean it’s totally exempt from the CCPA. It’s exempt from any information collected under the GLBA, but broader data-collecting activities like targeted advertising are not covered in the GLBA/CFIPA. [CC §1798.145(e)]
You can read SB 1121’s full changes here.
Related article:
How will it affect my business?
Legislation that restores power to consumers over their information is a boon for privacy advocates, but not everyone is enthusiastic about this shift. Many business owners are wary of how such laws’ overbroad language may be exposing them to litigation. This is especially true of the CCPA since its enforcement mechanism allows consumers to sue individually on a per-incident basis for breaches stemming from a failure to properly secure data.
The risk for incurring such penalties is magnified by the vast scope of what constitutes personal information in the CCPA. Businesses regulated by the new law need to expand their data security systems to include many more categories of information that aren’t currently regulated with the same rigor.
Businesses subject to the CCPA will need to provide consumers with opportunities to opt out of personal information sales. In tandem with opt-out options, they will also need to update their consumer disclosures to comply with the CCPA’s broad definition of personal information. The disclosure needs to include:
- how data is collected;
- why it’s collected; and
- with whom it’s shared. [CC §1798.110(a)]
In addition to this mandatory disclosure, consumers of CCPA-regulated businesses have the right to request more granular disclosures, including:
- the categories of collected personal information;
- the categories of sources from which personal information is collected;
- the purpose for collecting or selling personal information;
- the categories of third parties with whom personal information is shared; and
- the specific pieces of personal information collected. [CC §1798.110(b)]
Although it has been signed into law, the CCPA does not go into effect until 2020 and is still subject to changes. This gives lawmakers some time to iron out its many kinks as they’ve attempted with SB 1121. It also gives business owners a chance to revamp their privacy practices in compliance with the new rules. The road to transparency is paved with good intentions, but potholes abound.