Skip to main content Skip to navigation

The State of Financial Crime 2024: Download our latest research

What is the California Consumer Privacy Act?

CFT Knowledge & Training

Golden Gate Bridge in California

The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, by the California State Legislature and introduces sweeping new privacy laws to protect the personal data of California’s residents. Also known as the California Privacy Act, the new legislation modernizes California’s data privacy regime in an era of increasing digital threats. Much like the EU’s General Data Protection Regulation, it also gives residents greater control over what businesses do with their personal information.

The California Privacy Act will come into legal effect on January 1, 2020. Since it involves the regulation of personal data, the act has significant implications for the way banks, fintechs and financial services businesses manage their AML/CFT responsibilities. In order to continue to deliver AML compliance, those firms must understand what the California Consumer Privacy Act is, and how it applies to them.

What Rights Does The California Consumer Privacy Act Provide?

The CCPA is designed to provide California residents with the right to:

  • Know what personal data is being collected about them.
  • Know if their personal data is sold or disclosed to other businesses.
  • Deny businesses the right to sell personal data to third parties.
  • Access their personal data upon request.
  • Request that businesses delete their personal data.
  • Be treated without prejudice for exercising their right to data privacy.

Who Must Comply With The California Consumer Privacy Act?

The CCPA applies to every entity (domestic or international) that does business in the state of California and that generates over $25 million per year. The CCPA is also applicable to companies that either:  

Buy or sell the personal data of at least 100,000 customers or households 

Or

Earn over 50% of their annual revenue through the sale of personal data.

Firms found to be in violation of the CCPA face fines of up to $7,500 (in the case of intentional violations) per individual breach.

What Are The California Consumer Privacy Act Responsibilities?

Under the California Consumer Privacy Act, firms take on a number of responsibilities to protect the personal data that they collect. In more detail, firms must: 

  • Ensure parental consent is obtained when collecting data from minors under 13 years of age and obtain affirmative consent from minors between 13 and 16 years old.
  • Implement a “Do Not Sell My Personal Information” link on their website homepage to enable customers to opt out of the sale of their data.
  • Avoid requesting opt-in consent for 12 months after a customer has opted out.
  • Facilitate customer data requests via a toll-free number (at a minimum).
  • Update privacy policies with CCPA information.

Conflicts With AML Compliance

The California Consumer Privacy Act’s focus on protecting personal data conflicts with many of the AML measures that banks and financial services firms use to prevent money laundering and the financing of terrorism. By complying with the CCPA, firms could potentially allow money launderers to avoid submitting the sensitive personal information required by a range of important AML/CFT controls.

Fintechs in particular may have significant new data privacy conflicts under the CCPA because their services often necessitate the acquisition of personal data via IP addresses, browsing and search histories, or geolocations. 

California Privacy Act and AML Exemptions

In order to preserve the regulatory necessity and effectiveness of US AML/CFT laws, the California Consumer Privacy Act includes an exemption for identity verification and fraud-detection purposes. More specifically, if a firm must obtain personal information that is necessary to comply with federal or state legislation, such as AML or KYC laws, the Patriot Act or the Bank Secrecy Act, the data protection regulations mandated by the California Privacy Act do not apply

Where possible, financial services firms must comply with CCPA regulations, which means conducting a review of their AML identity verification and KYC processes and the information about their customers that they retain. If third-party verification services are being used, firms must ensure these providers operate in compliance with the CCPA.

Tools To Help With CCPA Compliance

>Learn more about how ComplyAdvantage can support you complying with the California Consumer Privacy Act.

Learn More

Originally published 30 December 2019, updated 26 May 2022

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).