Banking and Finance Law Daily ABA, CBA comment on California AG’s proposed privacy regulations
Monday, December 9, 2019

ABA, CBA comment on California AG’s proposed privacy regulations

By Colleen M. Svelnis, J.D.

The American Bankers Association recommended a number of changes, and the Consumer Bankers Association expressed "significant concerns."

The American Bankers Association and the Consumer Bankers Association have responded to proposed regulations put forth by the California Attorney General’s Office to implement and govern compliance with the California Consumer Privacy Act (CCPA), with both industry associations submitting comment letters with recommendations.

The CCPA established comprehensive privacy protections giving California residents, including minors, significantly more control over their personal information and an enforcement mechanism to protect their rights (see Banking and Finance Law Daily, June 29, 2018). Shortly after its enactment, the CCPA was amended to clarify several provisions to ensure its proper implementation, including the effective date, enforcement procedures, and applicability (see Banking and Finance Law Daily, Sept. 25, 2018). The California AG issued the proposed regulations, intended to clarify the law and provide guidance to financial institutions and consumer subject to the Act (see Banking and Finance Law Daily, Oct. 15, 2019).

Significant concerns. The CBA stated in its letter that its member banks "share the Attorney General’s goal of protecting the privacy of consumers" but noted "significant concerns" about the proposed regulations. The major issues the CBA cited are whether the right to opt-out of sale guidance is sufficient to address practical business concerns, and the need to provide a safe harbor for financial institutions when verifying consumer requests.

The CBA urged the California AG to provide more certainty about the right to opt-out of sales of personal information. The letter stated that, under the draft regulations, "it seems a bank, or any covered entity, may present the choice to opt-out of certain sales, so long as a global option to opt-out of the sale of all personal information is more prominently presented than other choices." However, according to the letter, "it is likely a business may possess varying data elements about a single consumer through different relationships with the consumer, which may not be linked."

According to the letter, even with the proposed rules, "furnishing personal information to customers purporting to exercise their rights under the CCPA, in response to a verifiable consumer request, may result in unintended risk and harm to the consumer, including misuse of personal information to perpetuate fraud and identity theft." The comment suggests that the Attorney General establish a safe harbor from liability to assure banks, and other covered entities, that rejecting a suspicious right of access request in good faith will not later result in a violation.

Protect consumers’ rights. The ABA’s comment letter notes that it hopes to assist financial institutions, including banks, insurers and insurance producers, to comply with the CCPA, "while helping to ensure that consumers' rights are protected in the manner the legislature intended."

The ABA recommended that the final regulations do the following:

  • revise the proposed requirements for verifying consumer requests to help prevent fraud while ensuring consumers can obtain financial services;
  • ensure that the CCPA does not apply to a business's intellectual property or require a business to reveal information that would infringe on rights of others;
  • clarify that the transfer of sensitive personal information from financial institutions to service providers to provide products and services for customers are not sales as contemplated in the CCPA;
  • eliminate the proposed requirements related to accepting and responding to consumer requests;
  • not transform notice into an explicit "opt-in" right for consumers regarding the use of personal information for purposes other than those disclosed before collection, which is "an unauthorized restriction on the use" of personal information;
  • delete "household" from the personal information definition or provide procedures for a safe harbor for compliance;
  • provide guidance on a business's right to "cure" certain violations;
  • limit the look back period for the right to know to the CCPA's Jan. 1, 2020 effective date;
  • establish an effective date of 18 months after issuance; and
  • limit enforcement actions to acts or omissions occurring on or after the final regulations' effective date.

In addition, the comment states that the final regulation should not include new and burdensome data collection and reporting requirements for businesses that handle personal information of four million consumers annually. Further, the ABA recommended that the California AG should issue model disclosure forms that provide a safe harbor, to assist financial institutions in achieving compliance.

Companies: American Bankers Association; Consumer Banks Association

MainStory: TopStory CaliforniaNews ConsumerCredit CyberPrivacyFeed IdentityTheft LegislativeRegulatoryActivity Preemption Privacy StateBankingLaws

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More

Banking and Finance Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on banking and finance legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.