Attorney Published Article
CCPA for lenders outside California
The California Attorney General’s office began enforcing the California Consumer Privacy Act (CCPA) on July 1. Lenders operating outside California need to pay attention because they may be subject to the CCPA if their borrowers are in California. Below are tips to help understand California’s new privacy rights and how to comply with the CCPA.
The CCPA created a wholesale change in how to view privacy. No longer just limited to data breaches and data protection, privacy is now determined by who owns and controls a consumer’s data. The CCPA gives California consumers four new privacy rights: to know what information is being collected, shared or sold, and to obtain a copy of it; to delete their personal information; to opt out of the selling their personal information; and nondiscrimination for exercising their rights. In compliance terms, lenders must provide new disclosures concerning these rights, enhance their customer service to acknowledge and respond to consumer requests, and update their technology to provide website access for consumers exercising their rights.
Compounding the compliance burden, Attorney General Xavier Becerra released implementing regulations last month, which impact how lenders comply with the CCPA.
While the CCPA exempts personal information collected, processed or sold, pursuant to the Gramm-Leach-Bliley Act (GLBA), the scope of the carve-out is undefined. For example, the CCPA defines “personal information” more expansively than the GLBA. In addition, a lender cannot always determine if the information is subject to the GLBA exemption until it is collected, requiring lenders to provide potential borrowers with disclosures of their CCPA rights before collecting any financial information.
To comply with the CCPA and minimize liability, lenders should act now. First, identify, track and map consumer data. Second, determine what data is retained, the purpose for collecting and retaining it, and where and how it is stored. Third, update policies and procedures to identify what is collected, why it is collected, how it is used, and with whom it is shared. Finally, enhance employee training.
Lenders with operations outside of California will also need to comply. The CCPA protects anyone who lives in the state at least half the time. If you are a regional finance company operating in the Southeast who purchases a contract financing a Louisiana car purchase, and the borrower moves to Los Angeles, you may be subject to the CCPA.
Lenders rolling the dice on whether their customers will move to California need to weigh their risk exposure in three areas: attorney general enforcement actions, civil penalties and consumer data-breach lawsuits. Although there is generally no private right of action under the CCPA, lenders may face exposure under California’s law on unfair and deceptive trade practice. Combine the risks with collateral that has wheels, and lenders should be ready to comply with the CCPA as its reach drives around the country.
This article was first published on Auto Finance Excellence, a sister service of Auto Finance News, and is reprinted with permission. McGlinchey is pleased to serve as the official Compliance partner of Auto Finance Excellence, providing insights and thought leadership through webinars, podcasts, and monthly columns.