The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, by the California State Legislature and introduces sweeping new privacy laws to protect the personal data of California’s residents. Also known as the California Privacy Act, the new legislation modernizes California’s data privacy regime in an era of increasing digital threats. Much like the EU’s General Data Protection Regulation, it also gives residents greater control over what businesses do with their personal information.
The California Privacy Act will come into legal effect on January 1, 2020. Since it involves the regulation of personal data, the act has significant implications for the way banks, fintechs and financial services businesses manage their AML/CFT responsibilities. In order to continue to deliver AML compliance, those firms must understand how the CCPA applies to them.
The CCPA is designed to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know if their personal data is sold or disclosed to other businesses.
- Deny businesses the right to sell personal data to third parties.
- Access their personal data upon request.
- Request that businesses delete their personal data.
- Be treated without prejudice for exercising their right to data privacy.
The CCPA applies to every entity (domestic or international) that does business in the state of California and that generates over $25 million in annual revenue. The CCPA also applies to companies that either:
- Buy or sell the personal data of at least 100,000 customers or households.
- Earn over 50% of their annual revenue through the sale of personal data.
Firms found to be in violation of the CCPA face fines of up to $7,500 (in the case of intentional violations) per individual breach.
Under the California Privacy Act, firms take on a number of responsibilities to protect the personal data that they collect. In more detail, firms must:
- Ensure parental consent is obtained when collecting data from minors under 13 years of age and obtain affirmative consent from minors between 13 and 16 years old.
- Implement a “Do Not Sell My Personal Information” link on their website homepage to enable customers to opt out of the sale of their data.
- Avoid requesting opt-in consent for 12 months after a customer has opted out.
- Facilitate customer data requests via a toll-free number (at a minimum).
- Update privacy policies with CCPA information.
The California Privacy Act’s focus on protecting personal data conflicts with many of the AML measures that banks and financial services firms use to prevent money laundering and the financing of terrorism. By complying with the CCPA, firms could potentially allow money launderers to avoid submitting the sensitive personal information required by a range of important AML/CFT controls.
Fintechs in particular may have significant new data privacy conflicts under the CCPA because their services often necessitate the acquisition of personal data via IP addresses, browsing and search histories, or geolocations.
In order to preserve the regulatory necessity and effectiveness of US AML/CFT laws, the CCPA includes an exemption for identity verification and fraud-detection purposes. More specifically, if a firm must obtain personal information that is necessary to comply with federal or state legislation, such as AML or KYC laws, the Patriot Act or the Bank Secrecy Act, the data protection regulations mandated by the California Privacy Act do not apply.
Where the exemption does not apply, financial services firms must comply with CCPA regulations, which means reviewing their AML identity verification and KYC processes and the customer information they retain. If third-party verification services are being used, firms must ensure these providers operate in compliance with the CCPA.