PCBB Banc Investment Daily September 07, 2018

The Impact Of California's New Privacy Law

Summary: The new California privacy law is being touted as the most stringent privacy law in the US. What do community banks need to know to stay out of trouble?
Scientists have published a paper that finds long before the age of dinosaurs, a huge volcanic eruption that lasted for 1 million years wiped out the ozone layer, 96% of marine life and 70% of terrestrial species. Life that lived on land took 10 million years to recover from this extinction event that was more impactful than the one that killed the dinosaurs millions of years later.
To community bankers and businesses operating in states throughout the country, worries over the extinction of personal privacy have led to a bevy of legislation lately. Add to the list CA, which passed the Consumer Privacy Act of 2018 (AB 375). This law takes effect on January 1, 2020 and gives CA residents the right to know what data companies, including banks, collect on them and how that information is shared.
This bill, being touted as the most stringent privacy law in the US, is said to bear great similarities to the EU's General Data Protection Regulation (GDPR), which went into effect in late May.
While banks that are based in and have customers in CA will have 16 months to revamp their programs and policies to comply with this new law, it also creates major restrictions on how businesses collect, use, store, and share personal data that reach far outside the single state.
A partial list of consumer rights under the new legislation:
  • Know all data collected by a business on them.
  • Say no to the sale of their personal information.
  • Ask a business to delete their data.
  • Be informed of the categories of data collected about them before collection, and be informed of any changes.
  • Choose whether or not the business can sell their children's information (under age 16).
  • Know the categories of third parties with whom data is shared, and the sources of information from which data was acquired.
  • Know the business purpose for collecting information.
This legislation will affect California's 39mm residents, who make up about 12% of the US population. Moreover, according to the International Association of Privacy Professionals (IAPP), the California Privacy Act will apply to more than 500,000 US companies. As such, it creates a near de facto standard for most US companies.
Smaller financial institutions with <$1B in assets may qualify for an exemption; FDIC data finds nearly all banks above that size earned $25mm in annual revenue (which necessitates their compliance with this new law).
Further, the law is unclear as to the extent to which businesses can differentiate among consumers who consent to the sharing of their information and those who do not. The law prohibits businesses from retaliating by changing the price or level of service, but at the same time it would authorize businesses to offer financial incentives for the collection of personal information.
One thing that does seem clear: running afoul of the law could get expensive. Once it goes into effect, businesses can be fined up to $750 per violation, if the company fails to fix its error within 30 days. To keep you out of trouble, we will continue monitoring the development and impact of this privacy law.