The CCPA and GDPR: How these emerging privacy laws will impact the credit union industry: Part II

How the CCPA Will Change the Competitive Landscape in the US

The CCPA won’t apply to all companies but will apply to a great majority, especially if one of these three thresholds are met:

1. Gross annual revenues in excess of $25 million
2. Buys, receives, sells or shares the PII of 50,000 or more consumers, households or devices for the business’s commercial purpose
3. 50% or more of the businesses annual revenue comes from selling consumer’s PII

If any of the above conditions are met, the marketers of the effected company have a great deal of work to do. Especially if they have no business tactic or strategy in place to organize all of their customer specific data. To comply with the CCPA, marketers must be able to organize and develop an efficient data scheme that compiles all of their consumer data. Consumers have the right to:

• Know what PII is being collected regarding them
• Know whether that is being sold and to whom
• Say no to the sale of their PII
• Access their own PII
• Equal service and pay from the company, even if they exercise their own privacy rights and it requires more work to be done on the side of the business

In addition, businesses are not allowed to retain any PII collected from a single, one-time transaction. Businesses must also delete any PII upon request from the consumer, from their own database and relevant third parties/service providers that may possess that same PII. There are, of course, certain limitations; consumers can only request access to PII twice in a 12-month period and can’t truly delete “any PII” pertaining to them. Businesses can skip deletion if PII is needed for completing a transaction, proved valuable in detecting security incidents (i.e. illegal activity), defending an exercised right provided by law (i.e. freedom of speech on another’s behalf), and if that PII is engaged in public/peer-reviewed statistical research in the public interest.

CCPA Opposition and What That Means for the Future

The CCPA bill was passed just recently on June 28th, 2018, and the current effective compliance date is planned for January 1st, 2020. However, an industry-wide coalition led by various California associations may succeed in pushing back this date of compliance. Their preventative action included sending the authors of the CCPA a 20-page letter voicing their concern with the quickly passing legislation, asking to delay the effective compliance date to January 1st, 2021.

This preventative measure, led by the California Chamber of Commerce, potentially reveals the unpreparedness that many businesses are now facing with regard to the management and security of data. Divya Gupta, a commercial litigation partner on the TCPA defense team, estimates, “that the CCPA will apply to more than 500,000 U.S. companies,” and potentially many more worldwide.

Smaller independent businesses that are affected by the CCPA and only operate in California, are only responsible to handle the PII of California’s state residents. Larger businesses that fall within the domain of the CCPA and have operations outside of California are faced with a much more difficult decision. They could:

1. Create a separate process for handling the personal data of California’s residents only, or
2. Apply the restrictive CCPA standards nationwide

The first option is much more economical and makes more sense for the short-term but could cause a lot of headache later. Applying the CCPA standards nationwide is much costlier and time-consuming but probably worth it as privacy/security regulations may expand to other states sometime in the future. According to Jonathon Lacoste, Co-Founder and President, Jebbit:

The CCPA doesn’t quite reach the same scale as GDPR, an overwhelming majority of businesses will be impacted by nature of conducting business in California. And it’s inevitable that other states – and perhaps even the federal government – will follow suit in pursuing similar laws in the next 18 months or so.

How this Will Impact the Credit Union Industry

CUbroadcast recently posted a video interview with OnApproach’s CEO, Paul Ablack, How GDPR and California Consumer Privacy Will Impact Credit Unions in 2019. The discussion covers how these new laws require, if not all, certain credit unions attention more than others.

Larger credit unions located in California will be impacted more by the CCPA. Ablack mentions that credit unions holding $1 billion or more in assets need to be readier-than-ever for this quickly changing landscape. The reason for this is two-fold. The more assets a credit union holds, the more likely they are to exceed the $25 million in gross annual revenue threshold for CCPA compliance. And the larger the credit union, the more likely they are to serve more members. More members bring more responsibility, as there is more personal member data to keep track of and sort through.

This can leave many credit unions in a very difficult place as they are responsible for complying with the CCPA standards without having the necessary toolkit. OnApproach bridges the gap between the need for CCPA compliance and the need for a centralized location for all of a credit union’s member-specific data. Ablack explains:

For our clients, because our M360 software is member-centric, it has the ability to pull all of that data into one single source of truth… Just type in the member number and it will pull up all of the transactions and information associated with that one person… Having that information solves a big part of the problem. Which is just being able to access that data and have it there.

For companies that are unprepared, accessing and filtering through each member’s relevant data becomes a very complicated process. This is why data integration is so important in today’s day and age. It can help alleviate a lot of the burden that a credit union might face by leveraging the available technology. OnApproach’s technology falls right in line with facilitating the compliance process by organizing member-specific data in a way that is easily collectable/extractable. This applies to the newly composed CCPA and other potential technological laws in the future that are impossible to avoid. All credit unions and businesses will face data regulations at some point in the future. It is only a matter of time.