The California Attorney General’s office began enforcing the California Consumer Privacy Act (CCPA) on July 1. Lenders operating outside California need to pay attention because they may be subject to the CCPA if their borrowers are in California. Below are tips to help understand California’s new privacy rights and how to comply with the CCPA.
The CCPA created a wholesale change in how to view privacy. No longer just limited to data breaches and data protection, privacy is now determined by who owns and controls a consumer’s data. The CCPA gives California consumers four new privacy rights: to know what information is being collected, shared or sold, and to obtain a copy of it; to delete their personal information; to opt out of the selling their personal information; and nondiscrimination for exercising their rights. In compliance terms, lenders must provide new disclosures concerning these rights, enhance their customer service to acknowledge and respond to consumer requests, and update their technology to provide website access for consumers exercising their rights.
Compounding the compliance burden, Attorney General Xavier Becerra released implementing regulations last month, which impact how lenders comply with the CCPA.
While the CCPA exempts personal information collected, processed or sold, pursuant to the Gramm-Leach-Bliley Act (GLBA), the scope of the carve-out is undefined. For example, the CCPA defines “personal information” more expansively than the GLBA. In addition, a lender cannot always determine if the information is subject to the GLBA exemption until it is collected, requiring lenders to provide potential borrowers with disclosures of their CCPA rights before collecting any financial information.
To comply with the CCPA and minimize liability, lenders should act now. First, identify, track and map consumer data. Second, determine what data is retained, the purpose for collecting and retaining it, and where and how it is stored. Third, update policies and procedures to identify what is collected, why it is collected, how it is used, and with whom it is shared. Finally, enhance employee training.
Lenders with operations outside of California will also need to comply. The CCPA protects anyone who lives in the state at least half the time. If you are a regional finance company operating in the Southeast who purchases a contract financing a Louisiana car purchase, and the borrower moves to Los Angeles, you may be subject to the CCPA.
Lenders rolling the dice on whether their customers will move to California need to weigh their risk exposure in three areas: attorney general enforcement actions, civil penalties and consumer data-breach lawsuits. Although there is generally no private right of action under the CCPA, lenders may face exposure under California’s law on unfair and deceptive trade practice. Combine the risks with collateral that has wheels, and lenders should be ready to comply with the CCPA as its reach drives around the country.
Sanford Shatz is of Counsel in McGlinchey’s Irvine office. He has litigated cases involving commercial law, real estate, and consumer financial services, and offered regulatory and compliance advice to clients throughout the country for 30 years.
Paul Lysobey is an associate practicing in McGlinchey’s Cleveland office in the firm’s Consumer Financial Services Compliance group, focusing on auto finance, privacy and data security.
Editors Note: This feature first appeared in the July issue of Auto Finance News, available now.
Auto Finance Summit, the premier industry event, returns October 20-22, 2020, as a virtual experience. The virtual experience will offer the same quality networking and education as past events, all through an online platform. To learn more about the 2020 event and register, visit www.AutoFinanceSummit.com.