The California Consumer Privacy Act is here, but many mortgage lenders still don't know what that means for them. I've received over a dozen calls from sizable lenders asking what others are doing. Webinars on the topic have record registrations, and CCPA experts are in high demand to speak at conferences, all because there is still a lot of confusion and gray area with this ground-breaking data privacy law.
Although Jan. 1 was the effective date, enforcement action is not scheduled to take effect immediately, allowing somewhat of a grace period for businesses to get squared away. But that doesn't mean lenders should be in a holding pattern. Here's a high-level overview of
Which businesses are affected?
Businesses must comply with the law if they meet any of the following criteria: they have revenue that exceeds $25 million annually; they buy, sell, share, or receive consumer information on 50,000 or more California consumers; or more than 50% of their revenue is from selling consumer data.
What do consumers need to know?
Californians, like me, now have the right to know what information companies have about us, request that it not be sold, and request that it be deleted unless it is in conflict with another law (very important to note that last piece for our highly regulated industry). Businesses must also provide a link that says, "Do Not Sell My Information," which enables consumers to make their opt-out request. The CCPA is the first momentous step in privacy laws and will likely become the
What can your company do — at a minimum — now?
Over a month after the Jan. 1 effective date, many lenders still have yet to update their privacy policies and provide the required link for Californians to access their data and make a request to delete or not sell their information to a third party. Speaking as a Californian (and not a lawyer, this is not legal advice), lenders should be updating privacy policies, notifying all of their California consumers of the updated privacy policy, and providing a process to make the related requests.
My servicer, who is one of the largest in the country, updated its privacy policy and provided an email address to email my request for information. Providing an email address rather than a web form is not the ideal implementation, but it is definitely a step in the right direction. After all, the spirit of the law is to provide a way for me to make my request so they can respond back to me accordingly. I am now waiting for said response from them.
What you should not do
First and foremost, nothing. You should not be doing nothing if you are a business that qualifies under one of the above criteria. Additionally, there is a major concern for identity theft when businesses respond to CCPA requests by providing personal information without properly (reasonably) verifying that the requestor is who they say they are. Do not quickly throw together a plan to comply with CCPA. Take a step back and review policies and procedures, and consider how they can be enhanced thoughtfully to avoid missteps that put consumer information at risk.
What steps can your company take to honor privacy?
Consider the following action items to ensure your organization is truly honoring the consumer:
● Clarity: Provide clear guidelines on personally identifiable information, which is any data that could potentially identify a specific individual. Trusted organizations have rigorous terms of use restricting them from exposing raw or proprietary data.
● Storage and access: Most businesses store data on multiple media types, each technology and format requiring its own type of protection. Understand storage and access.
● Solutions: Here at Jornaya, we recently extended our compliance product suite to assist companies in meeting the requirements of the CCPA, as well as any future state and federal regulations. Our Privacy Guardian solutions help companies know if a site visitor is located in California and help them prove what happened at each web event.