Navigating The California Consumer Privacy Act (CCPA): What You Need To Know About Compliance For Enterprise
By Calvin Bushor, Vice President of Data Services, Quicken Loans
In January 2020, the state of data for companies and consumers in the U.S. changed forever.
The California Consumer Privacy Act (CCPA) went into effect, giving people more power and control over their data than ever before. With this change, there’s a lot of new information that both companies and consumers need to know about how to responsibly handle data.
For the first time ever, consumers and clients of a company’s goods and services can demand to know and control how their data can be used and stored. That means companies need to have programs designed to track, protect — and yes eliminate — all the data they have around those consumers and clients. That’s not something they’ve ever had to think about before, and while it’s a necessary shift for consumers, it’s a huge change for data caretakers.
For a company, understanding and navigating this changing data landscape can be difficult, and you may be struggling to figure out the right thing to do for both your business and your clients.
At Quicken Loans, we experienced this tug of war, but our company culture and client obsession helped us navigate the fog and develop a privacy philosophy.
What Is The CCPA?
The California Consumer Privacy Act (CCPA) is a law from the California state legislature defining how businesses can deal with the personal information of its residents. This law gives consumers in California three data privacy rights.
However, these concepts are important for all consumers — including those outside of California — to understand:
People Have The Right To Know
This means a person can contact a company and find out what types of data it collects. The answer to this question will go something like this: “We collect contact information, such as name, email, phone number and address. We collect financial information, such as income, assets and credit information.”
People Have The Right To Access
This means a person can request to obtain a copy of the data you collect on them. It’s their data, after all. It’s up to companies to navigate how to field these requests, but if a request is made, companies are required to provide an answer within 45 days and must provide records covering the year preceding the date of the request.
People Have The Right To Delete
This means a person can request you delete all the data you have on them. Often, the first question I’m asked about this is, “Is it a hard delete, or is it a soft delete? Can we just flag the data?” Delete means delete. We must purge the data should we need to fulfill a “right to delete” request.
Which Companies Does The CCPA Affect?
The CCPA applies primarily to businesses that operate as for-profit companies, collect personal information of California consumers, conduct business in the state of California and meet at least one of the following requirements:
- You earn at least $25 million in gross revenues.
- You buy, sell, share and/or receive the personal information of a minimum of 50,000 Californians’ households or devices each year.
- You derive at least 50% of your annual revenue from selling personal information of California consumers.
Most companies don’t want to introduce the complexity of state-by-state data standards, which means California is essentially setting the standard for the country.
What Do I Need To Do As An Affected Company?
To abide by the CCPA, a company will need to create new business processes and software features to manage these requests. Deleting data is relatively simple. Just perform a “DROP TABLE customers,” and you’re all set. Doing so, however, would mean an inability to conduct business, so the trick here is figuring out what data the company needs to operate and what data can be deleted after use.
A company can apply their retention rights to these requests. For example, at Rocket Mortgage, if a client requests their data be deleted but we’re in the middle of transacting with them by originating their mortgage so they can buy a new home, we’re not obligated to delete their data because we still need their data for processing their loan. Your industry standards may be different, which is why it’s crucial to be familiar with this law and how it impacts your business.
You may also need to keep a client’s data for compliance reasons. The mortgage industry is heavily regulated, and we’re required to retain certain data for these use cases. For example, after we originate a loan, we’ll often continue to service that loan. For regulatory reasons, for any loan we service, we need to retain the majority of the data we collect about that loan and client for the life of the loan.
We’ve been managing complex regulatory rules around client and mortgage data for eons, so understanding and managing these situations is familiar territory. But for any company, having and understanding your data retention rules is essential for developing a data privacy strategy.
What if you don’t know the person exercising their rights? As a business, you won’t blindly execute these requests. You’ll need to create some sort of client verification process, with fraud detection built in, that establishes who this person really is. Once you have verified the person’s identity, confirmed that your retention rules allow the request to proceed, and located their data, you fulfill their request.
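One way to structure the verify, then check retention, then locate, then fulfill flow described above, as an added example that is not Quicken Loans code; the record layout, the two hold reasons (an origination in progress and a serviced loan) and all helper names are assumptions:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

RESPONSE_WINDOW = timedelta(days=45)  # CCPA response deadline for access requests
LOOKBACK = timedelta(days=365)        # records covering the year preceding the request

@dataclass
class Record:
    category: str                     # e.g. "contact", "financial", "marketing"
    collected_on: date
    loan_id: Optional[str] = None     # set when the record belongs to a loan file

@dataclass
class Client:
    client_id: str
    records: List[Record]
    active_origination: bool = False  # assumption: a transaction is in progress
    serviced_loans: Set[str] = field(default_factory=set)  # regulatory retention

def retention_hold(client: Client, rec: Record) -> Optional[str]:
    """Return the reason a record must be kept, or None if it can be purged."""
    if client.active_origination:
        return "origination in progress"
    if rec.loan_id in client.serviced_loans:
        return "regulatory retention for serviced loan"
    return None

def handle_delete(client: Client, identity_verified: bool) -> dict:
    """Hard-delete every record not under a retention hold; no soft-delete flags."""
    if not identity_verified:
        return {"status": "rejected", "reason": "identity not verified"}
    kept, purged = [], 0
    for rec in list(client.records):        # iterate over a copy while removing
        hold = retention_hold(client, rec)
        if hold:
            kept.append((rec.category, hold))
        else:
            client.records.remove(rec)      # delete means delete
            purged += 1
    return {"status": "fulfilled", "purged": purged, "retained": kept}

def handle_access(client: Client, identity_verified: bool, requested_on: date) -> dict:
    """Return the categories held for the preceding year and the response due date."""
    if not identity_verified:
        return {"status": "rejected", "reason": "identity not verified"}
    since = requested_on - LOOKBACK
    categories = [r.category for r in client.records if r.collected_on >= since]
    return {"status": "fulfilled", "due_by": requested_on + RESPONSE_WINDOW,
            "categories": categories}
```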
What If My Company Isn’t Compliant With The CCPA?
This is a difficult question to answer because precedent hasn’t been set and we do not have a lot of examples of companies being sued or going through the financial accountability that the CCPA declares. Each company is left to interpret the law as it stands, knowing that if it fails to implement a data privacy solution for fulfilling these new client data rights, it could be financially liable. The maximum fine for an unintentional breach of the CCPA is $2,500. If a company is found to be intentionally violating the law, fines can be as high as $7,500 per violation. For example, if a client requests to have their data deleted, and the company later mistakenly sends the client a text message, emails them or calls them to try and sell them something, the company can be held liable for not deleting this data.
What If There’s A Data Breach?
When a company has a massive data breach, if it wants to comply with the CCPA, it must disclose that the event happened and provide details about the event. It is also held financially accountable for any financial damage to its clients. When an individual’s data is breached, they are able to collect $100 to $750 under the CCPA.
This accountability is a huge game-changer believed to help influence companies to revisit their data security strategies. Before, companies could cover up such breaches and continue to operate as they previously were with very little oversight or impact to their business.
CCPA Compliance, Brand Trust And Culture
Should a business fail to follow these new privacy laws or have a critical data breach, the biggest impact may not be financial. It could be the loss of trust to your brand.
At Rocket Mortgage, we live by our culture, the foundation of which is our ISMs, 19 philosophies that guide how we act. So, naturally, when we set out on this journey to rethink our data privacy approach, we started with our culture. Two of our ISMs provided guidance that served us particularly well in this process:
Every Client. Every Time. No Exceptions. No Excuses.
This philosophy means that everything starts and ends with the client, and it’s up to every person in this organization to do everything in their power to help our clients have the best experience possible.
Our strategy starts with a focus and true commitment to creating the best data privacy experience possible. If you really care about your clients, focus on creating a simple process and client-centric experience for someone to manage their data privacy preferences.
Do The Right Thing.
Straight to the point, this philosophy is about looking at all the variables and potential outcomes and coming up with the right thing to do. Looking at these data rights, our first decision was to identify what the ‘right thing’ was to do. Examining the spirit of the CCPA and the forces driving it, we agree with what the law was seeking to establish: It’s the client’s data, not ours. Therefore, we needed to figure out a way to not just obey the letter of the law, but its spirit and intent.
We believe the right thing to do is to empower our clients, and we believe that trust is earned. This is the cultural framework we’re using to help us design the right data privacy experience for our clients. To achieve this, we’re giving our clients the highest level of transparency and control possible over their data while also ensuring it’s protected at the highest level.
The future is one where consumer wants are driving this policy and pushing companies in this direction. Consumers are becoming more empowered than ever to take control of their data, with more access to information and tools than they ever have had. Is your company ready to take on this challenge?
Companies that focus on giving me more control, with more transparency, more choice, more flexibility and more trust, will be the brands I gravitate toward and will want to do business with in the future.
These opinions are those of the author. Unless noted otherwise in this post, Quicken Loans is not affiliated with, nor is it endorsed by any of the companies mentioned. All trademarks and other intellectual property used or displayed are the ownership of their respective owners. This article is © 2020 Quicken Loans.