Episode 17: California Consumer Privacy Act 2018

In June 2018, California Governor Jerry Brown signed the CA Consumer Privacy Act of 2018 into law. In this episode of the CCO Buzz, CEO Michelle Jacko explains the major provisions within the legislation and offers key considerations financial institutions may want to review in preparation.


(INTRO MUSIC)

Hello, this is Michelle Jacko, CEO of Core Compliance & Legal Services. And on this week’s CCO Buzz, we will be discussing the new California Privacy Legislation.

Governor Jerry Brown, of the State of California, has been very busy as of late. On June 28th, 2018, Gov. Brown signed into law the California Consumer Privacy Act of 2018, which was pretty hastily drafted.

The purpose of the act was to protect consumers, which are defined as natural persons who are California residents, of four basic rights related to their own personal information. There are four major provisions related to the consumer protections.

The first is that the consumer would have the right to know, through a general privacy policy, what type of personal information a business has collected on them – where it was sourced, what it’s being used for, whether it is being disclosed or if it is being sold, and if it is being disclosed or sold – who it is going to be disclosed or sold to.

The second provision is the right of the consumers to opt out of allowing the business to sell that personally identifiable information to third parties. Importantly, if a consumer is under the age of 16, they have the right to not have their personal information sold absent their parents’ opt-in.

The third consumer protection is the right of the consumer to have a business delete their personal information, with some exceptions.

And then finally, the fourth provision is for the consumer’s right to have equal service and pricing from a business, even if they happen to exercise their rights under the privacy act.

Procedurally speaking, from a consumer standpoint, it is unclear whether or not consumers will really know about these provisions and the rights to protect themselves. So in order to safeguard the consumers, there are several steps that financial institutions will need to think about.

Step one is for that financial institution to proactively disclose to the clients the existence and nature of the consumer’s privacy protection rights under the act. And so, in terms of compliance this will be an extension of the Privacy Notice Disclosure Form that’s already in existence. And then they’ll need to determine and establish an internal control for capturing what type of personal data is being collected from these individuals, how is it being used, and then of course, what are their internal controls as it relates to Privacy Policies and that will require additional time, effort, and collateral to the consumer.   

The second consideration is that for those companies that happen to sell the consumer data, they’ll need to disclose what exactly are their practices and how are we going to allow that consumer to opt-out of that sale. One way to do this would be to supply a link titled, “Do Not Sell My Personal Information” on that financial institution’s company homepage of their website. Other notifications could be to provide written notification and that information should be captured in the financial institution’s privacy notice.

The third consideration for financial institutions is for them to provide the consumer with at least two means to submit their Notice of Disclosure, and that would include both a toll-free number, as well as the website. And so, from a practical standpoint, you’ll need to determine what’s the best methodology that you will need to take in order to make these effective and timely communications.

And then finally, the financial institution will need to monitor what exactly are their sharing practices and when they receive the consumer request to opt-out – how is that being captured, how quickly are they updating their systems, and if a consumer would like information with regards to how their information is being used, does that financial institution have readily available a communication to provide that to the end consumer.

So as you can see, there are a lot of different things going into effect and a lot of different operational considerations for the financial institution to take into account. The positive thing is that this legislation, while it was passed June 28th, 2018, doesn’t go into effect until January 1st, 2020. Therefore, it is incumbent upon the financial institutions to start thinking about how are they going to be gathering this information, how are they going to provide these notices, and to come up with a detailed plan, right now, as to what actions need to take place so that they can be in compliance as of January 1st, 2020.

Another consideration for financial institutions is to take a look at the current Privacy Notice that they’re using and consider how will these new provisions impact that Privacy Notice. So for example, if you are a broker-dealer or an investment adviser and you happen to have elected to use the SEC’s model Privacy Notice Form, that form will not take into consideration the new California requirements and it may require you to add an additional page or additional information within that form related to how you will be complying with the new Consumer Privacy Act.

For more information and assistance with putting these actions into place, please contact Core Compliance at (619) 278-0020 or email us at info@corecls.com. Thank you.

CCO Buzz: Well, that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn or Twitter @CoreCLS. Thank you and we hope you tune in to next week’s episode of the CCO Buzz.

(OUTRO MUSIC)