After determining the universe of personal information that is subject to the CCPA, the next step to take to get in compliance with the CCPA is to develop systems and procedures to ensure adherence with the myriad of broad consumer rights that have been afforded to consumers under California's new privacy law. Specifically, financial institutions will have to comply with the following rights:

Right to Know: Consumers must be able to learn – through a general privacy policy and with more details upon request – what personal information an institution has collected about them, where the information originated, the use of the information, and whether and to whom the information is being disclosed or sold.
Right to Access: Consumers can request that financial institutions provide them with a copy of all personal information collected by the institution on the consumer, which the institution must then provide to the consumer free of charge.
Right to Opt-Out: Financial institutions must allow consumers to "opt-out" and stop an institution from selling their personal information to third parties, with the term "sale" defined very broadly to include any sharing of personal information in exchange for something of value.
Right to Deletion: Consumers maintain the right to request that financial institutions delete their personal information and data, subject to several exceptions.
Right to Equal Service & Pricing: Consumers maintain the right to receive equal service and pricing from financial institutions, even if the consumer chooses to exercise his or her privacy rights under the CCPA.

In addition, institutions will also need to provide the mandated privacy disclosures and notices that are required by the CCPA. Here, institutions will need to update their privacy policies with the information that is required to be affirmatively disclosed to consumers pertaining to the institution's data practices and consumers' rights under the CCPA, including a toll-free number and website for consumers to submit requests, as well as a link on the institution's webpage titled "Do Not Sell My Personal Information" to facilitate the opt-out process. Moreover, institutions must also develop the operational capabilities to provide information to consumers upon request in the event a consumer seeks information regarding the data that is collected and sold by the institution, including the specific pieces of information that the institution has collected concerning the requesting consumer.

Instant Insights /

Analyzing the California Consumer Privacy Act's Impact on Financial Institutions

Related Stories

Recommended For You