
CCPA and GDPR compliance strategies for private banks

Yvette Gabrielian, Kroll, Senior director, Los Angeles, 5 August 2019


Even though the California Consumer Privacy Act 2018 is expected to be amended this year even before its introduction in 2020, the primary obligations that it is to impose on private banks and the main rights it promises for consumers will probably stay predominantly unchanged.

As was the case with the European Union’s General Data Protection Regulation (GDPR), which recently entered its second year of operation, private banks are not likely to gain anything by waiting until the last minute to start complying with its main requirements. Both pieces of legislation - European and Californian - can and will have significant repercussions for the ways in which private banks handle customers' information, and some multinational banks will have to reconcile them with each other in their efforts to comply.

The CCPA and the GDPR have similarities in many areas. The CCPA has some specific requirements that go beyond those found in the GDPR and the GDPR has some requirements not covered in the CCPA. Significant work may well be required to achieve and maintain a proper level of compliance with each regulation, both from a technology and operational standpoint. But first, organisations must understand each law’s expectations when it comes to protecting consumer privacy.

The CCPA and GDPR at-a-glance

Passed in June 2018 and subsequently amended, the CCPA is a first-of-its-kind law in the United States that gives Californian consumers greater control over how companies may use their personal information. It empowers them with new rights regarding access to data, the deletion of data, opt-outs, knowing the sources of data and to whom it is sold, and non-discrimination. The law also imposes new requirements on businesses regarding the collection of children’s and teenagers’ data.

Even though the law was amended to provide a six-month extension to allow California's Attorney General to draft and adopt the law’s implementing regulations, it will go into effect on 1 January 2020. The amendment also delayed enforcement by six months after the publication of the implementing regulation. Having said this, however, the law has a 12-month "lookback period" which dictates that businesses ought to have begun keeping records on 1 January this year.

Civil penalties range from $2,500 to $7,500 per violation and the law gives consumers the private right of action to recover statutory damages of $100 to $750 per "breached record" for businesses’ failures to implement and maintain reasonable security procedures and practices that result in "data breaches," the Act's term for infractions against it.

The GDPR, which came into force last year, is a similarly revolutionary piece of legislation. The idea is to standardise the rules that govern data flows between the countries of the European Union (EU) and to strengthen the rights of so-called data subjects (i.e. anyone whose personal data is being used by businesses) who are inside the borders of the EU at the time when firms collect their data. In the furtherance of its goals, the GDPR sets out rules and obligations for both data controllers (companies responsible for determining the purpose and means of processing) and data processors (companies that process the data according to a controller’s instructions) and regulates the way in which they must work together. Unlike older data protection laws, the GDPR specifies that both the controller and the processor may be held liable for damages incurred by data subjects. The GDPR is also similar to the CCPA in that data subjects have several rights relating to their information, including the right of access and the right to erasure. A range of sanctions is possible under the GDPR, including fines of up to €20 million or up to 4% of the offending organisation’s annual worldwide revenue, whichever is higher.

Do these laws apply to your private bank?

From the outset, it is important to understand that both the CCPA and the GDPR have extraterritorial application, so their obligations apply to companies located outside the state of California and the European Union. A private bank’s physical location is not a jurisdictional defence for non-compliance.

The CCPA applies to firms and their business partners if they exceed at least one of the thresholds that it lists. They must also determine whether exemptions or exceptions apply. For example, the CCPA does not apply to the following categories of data:
    • publicly available information, which it defines very narrowly;
    • medical information governed by Californian or US federal health information privacy laws; or
    • personal information regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or the Driver’s Privacy Protection Act 1994, with some exceptions.

On the other hand, even though the GDPR has some limited exemptions, it is an overarching regulation whose reach is expansive. Private banks not located in the EU that “envisage offering goods or services” to data subjects inside the EU must ensure that they are complying with the GDPR. The Article 29 Working Party, an advisory body, has indicated that the mere accessibility of an organisation’s website or contact details to EU data subjects is not enough to "prompt GDPR applicability" and has provided several factors to help companies in this analysis.

Information security programmes

Since the implementing regulations of the CCPA have yet to be promulgated, it is vital for private banks to take early action wherever possible, establishing at least substantial compliance with the sections of the CCPA as they stand. Compliance with the GDPR, while daunting, is a clearer undertaking because private banks have recourse to guidelines released by various data protection authorities over the past year.

Many businesses, including private banks, should review (and, if necessary, update) their policies and processes, including those related to website usage, to ensure compliance with both laws. They probably also need to augment their staff with people trained specifically to understand and respond to consumers’ requests properly. Many companies are finding that experts in CCPA/GDPR compliance matters can shorten the length of the project. Independent experts are good at assessing current levels of compliance, updating policies and procedures, establishing and implementing new processes, and building new compliance functions to monitor privacy processes in action.

Both pieces of legislation have made people more aware of data protection and cyber-security. Compliance and information security experts will be indispensable to banks as they develop and monitor the effectiveness of the controls that those banks set up to protect the privacy of consumers. Regardless of whether an organisation hires an expert or undertakes the project alone, it will probably have to change itself fundamentally to embrace cyber-security as part of its culture. Notwithstanding the mandates that may result from the anticipated CCPA amendments and the implementing regulation, information security professionals should take steps to address the following.
 
Information security programmes

When it comes to information security programmes, both laws share significantly similar expectations. The CCPA will shortly require organisations to “implement and maintain reasonable security measures”, whereas the GDPR expects them to “implement appropriate technical and organisational measures.”

In the past, many EU companies have gravitated towards the ISO 27001 information security standard. California has previously endorsed the 20 Critical Security Controls from the Center for Internet Security as minimum reasonable security measures. Although both standards are widely accepted and designed to protect organisations' data and systems, they are not the only ones available today. Whichever risk controls a private bank selects, it must be ready to defend its choice in the face of each piece of legislation. It is a very good idea for it to check facts rigorously and to keep notes that explain why it chose this-or-that standard.

Data mapping and data inventory

A bank that knows precisely which data it collects, “processes” (GDPR) or “sells” (CCPA) will be very well placed to comply with the requirements of each law. The next step in the process is to separate information that is "personal" from information that is not. The GDPR is designed to protect any information relating to an “identified or identifiable natural person.” The CCPA's definition of "protected personal information" is broader and includes any information that “identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.”

There are many other differences between the two Acts' data inventory requirements that a private bank must consider before it embarks on a successful data mapping exercise. For example, the CCPA applies to data that is held for continuous use (including sale of the data) but does not cover data that is used once and not sold. The GDPR has a special category of sensitive data which requires companies to take more onerous steps than usual to protect it. At a minimum, private banks will have to identify the specific categories of data elements in their records, the sources of data and the "business purposes" that they are pursuing when cataloguing the data.

A thorough data inventory will help a bank to spot gaps in its governance and information security, to spot places where extra controls or procedural changes are required, and to evolve new processes to help it respond to regulatory inquiries and legally binding requests from consumers.

Consumer rights request processes

Both the CCPA and the GDPR give consumers rights. These are related to, among other things, access to data and the deletion of data. There are several differences between the two laws in this area, however. For example, the GDPR only affords the consumer a right to deletion if his request meets certain conditions. The right that springs from the CCPA is broader but, even so, this right is not absolute either. A consumer with a loan, for example, cannot order a bank to erase all records of who owes the money (i.e. himself). Likewise, the rights to disclosure or access in the CCPA and the GDPR are similar to one another, but the GDPR allows consumers broader access to their data, whereas the CCPA only requires a written disclosure.

Best practices call for organisations to minimise the consumer-related data that they collect and be prepared to justify (operationally) every element of data that they store. Information security and information technology teams should work with other business units, such as compliance, legal and operations, to establish proper processes that can answer requests from consumers effectively in accordance with the law in question.
 
Deidentification, anonymisation and pseudonymisation of personal information

Both laws say that a company can “de-identify” (as per the CCPA) or “anonymise” (as per the GDPR) personal information – the GDPR promotes this, whereas it is currently only an optional strategy for compliance with the CCPA. True de-identification and anonymisation are extremely lofty aims and will require companies to impose technical controls to ensure that nobody can re-identify the information in question. The GDPR also allows for data pseudonymisation, which means that the data cannot be linked back to a particular consumer without additional information. Pseudonymised data is still considered personal data, whereas de-identified and anonymised data are not.
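To make the distinction concrete, the following added example (not from the original article or from Kroll) pseudonymises constructed customer records with a keyed HMAC, where the key is the "additional information" that must be held separately, and contrasts this with an irreversible anonymisation that generalises the attributes and keeps no token at all. Record fields, values and the balance bands are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real customers): a direct identifier plus attributes.
CUSTOMER_RECORDS = [
    {"customer_id": "C-1001", "name": "Client One", "postcode": "90210", "balance": 2_400_000},
    {"customer_id": "C-1002", "name": "Client Two", "postcode": "90212", "balance": 850_000},
    {"customer_id": "C-1003", "name": "Client Three", "postcode": "94105", "balance": 12_000_000},
]


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256).

    The key is the 'additional information': anyone holding it can re-link a
    token to a customer, so it must be stored and access-controlled apart from
    the pseudonymised data set. An unkeyed hash of a low-entropy id would not
    do, since anyone with the id list could recompute it. Tokens are
    deterministic, so analytics can still group rows by customer.
    """
    out = []
    for r in records:
        token = hmac.new(key, r["customer_id"].encode(), hashlib.sha256).hexdigest()
        out.append({"token": token, "postcode": r["postcode"], "balance": r["balance"]})
    return out


def reidentify(token, customer_ids, key):
    """Re-link a token to a customer id; needs both the key and the master id list."""
    for cid in customer_ids:
        candidate = hmac.new(key, cid.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(candidate, token):
            return cid
    return None  # wrong key (or unknown id): no link can be re-established


def anonymise(records):
    """Irreversibly drop the link: no token, coarser postcode, bucketed balance."""
    buckets = [(1_000_000, "<1M"), (10_000_000, "1M-10M")]  # assumed bands
    out = []
    for r in records:
        band = next((label for limit, label in buckets if r["balance"] < limit), ">=10M")
        out.append({"region": r["postcode"][:2], "balance_band": band})
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held by the key custodian only
    pseudo = pseudonymise(CUSTOMER_RECORDS, key)
    ids = [r["customer_id"] for r in CUSTOMER_RECORDS]
    print(reidentify(pseudo[0]["token"], ids, key))       # C-1001 with the key
    print(reidentify(pseudo[0]["token"], ids, b"wrong"))  # None without it
    print(anonymise(CUSTOMER_RECORDS))
```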

Information security consultants can help the boards of private banks decide whether it is feasible for them to take steps to de-identify, anonymise and/or pseudonymise data.

What next?

The GDPR has made organisations all over the world far more aware of data privacy. To date, European regulators have levied significant fines against organisations that have failed to comply. Financial firms can no longer procrastinate in their efforts to comply.
 
Although the CCPA is only supposed to have a direct effect on Californian consumers, many private banks that operate in the United States — perhaps most — may find it onerous to maintain separate processes for their Californian HNWs. The CCPA’s privacy-related rights and protections may very well become the standard afforded to all consumers nationwide. If the CCPA applies to your private bank, it is imperative for you to start making efforts to comply soon.

Firms that have to take both laws into account are going to have to make the most strenuous efforts to protect personal data in the next year or so. However, there are meaningful similarities between the two laws and firms can use these to apply the same standards to their compliance efforts in all countries. Even if a firm believes itself to be exempt from one of the laws, now is a good time for it to consider imposing "best practice" on all its branches all over the Western world. If many US states follow California’s example, this approach might save them a good deal of work later on.

* Yvette Gabrielian can be reached on +1 213 503 5239
