Auto Finance News
  • Home
  • News
  • Features
  • Events
    • Auto Finance Summit East
    • Equipment Finance Connect
    • Auto Finance Summit
    • PowerSports Finance Summit
  • Webinar
    • Harnessing AI & Machine Learning to Address Vehicle Affordability Issues
    • Webinar Library
  • Podcast
  • Powersports
  • Big Wheels Data

No products in the cart.

Subscribe
  • Capital & Funding
  • Compliance
  • Risk
  • Technology
  • Best Practices
  • Compliance Monitor
Log In
No Result
View All Result
Auto Finance News
  • Home
  • News
  • Features
  • Events
    • Auto Finance Summit East
    • Equipment Finance Connect
    • Auto Finance Summit
    • PowerSports Finance Summit
  • Webinar
    • Harnessing AI & Machine Learning to Address Vehicle Affordability Issues
    • Webinar Library
  • Podcast
  • Powersports
  • Big Wheels Data
BIG Wheels
Log In
No Result
View All Result
Auto Finance News
No Result
View All Result

Unpacking California’s new privacy reg: 2 issues lenders need to know

Bianca ChanbyBianca Chan
September 20, 2019
in Best Practices, Compliance, Risk Management
Reading Time: 2 mins read
0

Starting January 2020, financial institutions will need to keep their data security procedures in check as California’s new consumer protection act goes into effect.

The legislation gives California consumers the “private right of action,” or the ability to sue companies, if their personal information is the subject of a data breach resulting from a business’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

What do “reasonable security procedures” look like and what are the consequences of failing to keep up such standards? AFE spoke with Scott Hyman, a lawyer and data protection officer at Orange Country, Calif.-based law firm Severson & Werson, to find out. Below are two issues lenders should know about the California Consumer Privacy Act.

What “reasonable” means

The CCPA will require businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” which relates to the kind of data businesses may have, Hyman explained. “If a lender has very sensitive information about consumers,” such as Social Security Numbers or financial information, “one could argue that language would require higher levels of security procedures,” he said.

The first requirement is having policies and procedures in place, Hyman stated. After that, “we have some guidelines that we have seen from the way the [Federal Trade Commission] has looked at reasonableness, the way that the courts have treated reasonable policies and procedures in other California data protection statutes,” he said, noting that it can often depend on what the industry standard is.

In fact, a cybersecurity breach can still happen, Hyman said, notwithstanding the fact that you have reasonable security procedures adapted to avoid the breach. “Case law has demonstrated that the mere fact of the breach itself doesn’t mean that your procedures were unreasonable,” he said.

The CCPA requires the California Attorney General to issue guidelines to interpret the legislation. “We don’t know if the AG will do that before the CCPA becomes effective Jan. 1,” Hyman said.

Liability on a per-victim basis

The potential liability for failing to implement and maintain reasonable cybersecurity practices and procedures “is staggering,” Hyman said. Businesses nailed by the CCPA can expect to pay from $100 to $750 per data breach victim, and class actions are permitted. “The plaintiff’s class action bar are calling this ‘the new TCPA,’” he added.

In addition to the private right of action, individuals don’t have to prove compensable damage or loss resulting from the hypothetical data breach, as has been the case in previous data breach litigation predating the CCPA, Hyman said.

“The thing that courts struggled with in regards to consumer breach litigation was the absence of damages – whether someone whose data was the subject of a hypothetical data breach had suffered any compensable loss,” he said. “The CCPA changes that because it has this statutory provision that does not require proof of actual damages.”

Join us for Auto Finance Summit 2019, October 28-30 at the Bellagio Las Vegas. The summit continues to bring together the best and brightest executives in auto lending and leasing for unparalleled networking and education. Register now at www.autofinancesummit.com. 

Tags: california consumer privacy actcybersecuritydata security
Previous Post

No margin, no mission: Credit unions push to reclaim market share

 Next Post

Independent dealers sour on slipping inventories

Related Posts
Risk Management

Used-vehicle floorplan to see uptick ahead of tariffs

May 21, 2025
TJ Villanueva, vice president and associate counsel at GM Financial, speaks at Auto Finance Summit East 2025.
Best Practices

3 words of compliance advice from GM Financial counsel 

May 21, 2025
Bruce Newmark hosting a panel with Robert DeJarnette, VP of Risk Management at Consumer Portfolio Services, Charlie King the Chief Technology Officer at Arivo Acceptance, Eduardo Perez the Chief Customer Officer at Tricolor, and Scot Seagrave the Chief Executive Officer at FinBe USA during Auto Finance East Summit 2025 in Nashville, Tenn.
Risk Management

Subprime lenders see opportunity in recession talks  

May 20, 2025
Next Post
© Can Stock Photo / carroteater

Independent dealers sour on slipping inventories

Please login to join discussion

Stay Informed with Our Newsletters

PowerSports Finance

The Roadmap Podcast

ABOUT US

HELP CENTER

ADVERTISE

PRIVACY TERMS

ADA COMPLIANCE

CODE OF JOURNALISM ETHICS

Manage Cookie Consent

EXECUTIVES OF THE YEAR

AUTO FINANCE EXCELLENCE AWARDS

MAGAZINE ARCHIVE

INDUSTRY GLOSSARY

facebook linkedin twitter podcast podcast
© 2025 Royal Media
No Result
View All Result
  • Home
  • News
    • All News
    • Capital & Funding
    • EVs
    • Technology
    • Management
    • Powersports Finance News
    • Risk Management
    • Sales & Marketing
  • Events
    • Auto Finance Summit East
    • Equipment Finance Connect
    • Auto Finance Summit
    • PowerSports Finance Summit
  • Features
    • Latest Issue
    • Features
    • New Tracks
    • Car Culture
    • Staffing Shuffles
    • Under The Hood
    • Spotlight
    • Issue Archive
  • Webinar
  • Podcast
  • Big Wheels Data
  • SUBSCRIBE
  • Log In / Account

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Home
  • News
    • All News
    • Capital & Funding
    • EVs
    • Technology
    • Management
    • Powersports Finance News
    • Risk Management
    • Sales & Marketing
  • Events
    • Auto Finance Summit East
    • Equipment Finance Connect
    • Auto Finance Summit
    • PowerSports Finance Summit
  • Features
    • Latest Issue
    • Features
    • New Tracks
    • Car Culture
    • Staffing Shuffles
    • Under The Hood
    • Spotlight
    • Issue Archive
  • Webinar
  • Podcast
  • Big Wheels Data
  • SUBSCRIBE
  • Log In / Account

THIS WEBSITE USES COOKIES

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “I CONSENT”, you consent to the use of ALL the cookies.

Cookie settingsI CONSENT

Review our Cookie Policies
.
Manage Cookie Consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
34f6831605sessionGeneral purpose platform session cookie, used by sites written in JSP. Usually used to maintain an anonymous user session by the server.
a64cedc0bfsessionGeneral purpose platform session cookie, used by sites written in JSP. Usually used to maintain an anonymous user session by the server.
CookieConsentPolicy1 yearUsed to apply end-user cookie consent preferences set by our client-side utility.
cookielawinfo-checkbox-advertisement1 yearSet by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
crmcsrsessionGeneral purpose platform session cookie, used by sites written in JSP. Usually used to maintain an anonymous user session by the server.
JSESSIONIDsessionThe JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKENsessionCloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
LSKey-c$CookieConsentPolicy1 yearUsed to apply end-user cookie consent preferences set by our client-side utility.
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
CookieDurationDescription
__cf_bm30 minutesThis cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_zcsr_tmpsessionZoho sets this cookie for the login function on the website.
663a60c55dsessionThis cookie is related to Zoho (Customer Service) Chatbox
e188bc05fesessionThis cookie is set in relation to Zoho Campaigns
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
CookieDurationDescription
_ga2 yearsThe _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid1 dayInstalled by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT2 yearsYouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
vuid2 yearsVimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
CookieDurationDescription
__Host-GAPS2 yearsThis cookie allows the website to identify a user and provide enhanced functionality and personalisation.
_dc_gtm_UA-1038974-31 minuteUsed to help identify the visitors by either age, gender, or interests by DoubleClick - Google Tag Manager.
_fbp3 monthsThis cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr3 monthsFacebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
test_cookie15 minutesThe test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE5 months 27 daysA cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSCsessionYSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devicesneverYouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-idneverYouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextIdneverThis cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requestsneverThis cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
CookieDurationDescription
caf_ipaddrsessionNo description available.
citysessionNo description available.
countrysessionNo description available.
gnt_eidsessionNo description available.
gnt_eu6 hoursNo description
iamcsrsessionZoho (Customer Support) sets this cookie and is used for tracking visitors (for performance purposes)
systemsessionNo description available.
traffic_targetsessionNo description available.
Save & Accept
Powered by CookieYes Logo