Fintech Insights

The impact of CCPA on financial institutions

Ron Whyte and Rob Harris | Decisions Solutions Group, FIS

April 06, 2020

It’s been almost two years since the EU’s General Data Protection Regulation (GDPR) took effect in May of 2018. Although the GDPR has shifted the way the world of data is being regulated in Europe, it is also driving change in Brazil, India, Thailand and the United States. In January, California’s Consumer Privacy Act (CCPA) took effect, emphasizing a “consumer rights” and “opt out” model – over the “consent” approach adopted under the GDPR. The CCPA is the first comprehensive state privacy law in the United States and gives strong privacy rights to consumers, setting the pace for other states to adopt similar comprehensive privacy laws.

The scope of the CCPA extends to any business with employees or consumers in California that meet any one of the following: greater than $25M in gross annual revenue; buys, receives or sells personal information (PI) of more than 50,000 consumers, households, or devices; or derives more than 50% of its annual revenues from selling consumers’ PI.

Today, there are a number of other state legislatures considering their own comprehensive data privacy laws. And as COVID-19 continues to force consumers to interact even more online, data privacy is becoming a critical and urgent issue. As consumers demand greater control over their data, what does that mean for financial institutions (FIs)? As states pass data privacy laws with strict timelines and penalties for non-compliance, many businesses do not have the resources or tools for an agile privacy management program.

The changing world of data privacy

The CCPA impacts millions of businesses around the country, and for some financial institutions, it may bring a higher level of scrutiny from the California Attorney General’s Office than they are accustomed. The challenge is that most businesses aren’t set up to track all the consumer data they’re collecting. And as new states continue to adopt their own data privacy laws, businesses are tasked with staying up to date with these changes and how they need to address the panoply of compliance issues that arise from a patchwork of differing state laws.

The larger and more expansive the financial institution’s customer footprint is, the more challenging the job of remaining compliant with various state-level data laws will be. Plus, the FI must be strategic in how it leverages data control changes to drive new opportunities. Those that adopt a privacy program in compliance with the CCPA and other future requirements will forge a deeper relationship with customers and can establish a competitive advantage. Those who aren’t adequately prepared for new data laws and regulatory changes risk stiff financial penalties for failing to properly honor customer access requests, and the resulting irrevocable loss of customer trust.

There’s quite a bit of technology financial institutions can utilize to deal with the complexity new data permissions will present. FIS’ Data Privacy Manager, for example, provides a comprehensive, data governance solution that maps to key CCPA requirements. As a single solutions platform, it expands to cover new laws and regulations to come, providing next-gen privacy built on automation, analytics and intelligence.

For now, no one knows exactly how state consumer data privacy laws will continue to unfold in the U.S., but change is underway. Financial institutions that use this time of uncertainty to ensure they are complying with the CCPA will strategically position themselves to respond to similar state privacy laws and the new regulations that may arise and can capitalize on their role as a highly trusted financial partner to their customers.