California’s Consumer Privacy Act (CCPA)

Blog Post California’s Consumer Privacy Act (CCPA)

California’s Consumer Privacy Act (CCPA)

May 2019

With the onset of spring, mortgage company leadership teams are focused on capturing as much of the seasonal swell in purchase business as possible and executing on business plans that include getting leaner and more efficient by leveraging technology, improving the borrower experience, and growing production.


In addition to focusing on those key strategic initiatives, this year, companies with annual gross revenue in excess of $25 million who hold more than 50,000 consumer records and are doing business or employing individuals in the state of California also need to be planning for the new California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. The CCPA aims to provide consumers in the state of California with clarity regarding the personal data that is collected about them, as well as a mechanism for deleting that data upon request.


The CCPA provides California consumers with:

  • The right to know what categories/types of personal information a business has collected about them or their children
  • The right to know whether a business has sold that information to a third party
  • The ability to require a business to stop the sale of their data to third parties
  • The right to “opt-in” for minors, rather than simply being given an “opt-out” mechanism


Additionally, under the CCPA, businesses:

  • Cannot charge more for services if a consumer requests that his/her information no longer be collected or sold
  • Must implement reasonable comprehensive data protection controls to prevent the breach or compromise of personal information, which includes data about devices, (such as Alexa, Google Home or other Internet of Things (IoT) devices) and households


Starting with the “Right to Know What Personal Information is Being Collected,” businesses must give consumers the ability to find out what data is being collected and the ability to receive a complete data log that includes the data gathered over the previous 12 months. This can be a challenge for any organization, regardless of its size or sophistication, if the organization lacks a good data inventory.


The creation and maintenance of a comprehensive data inventory that not only defines where the data is stored, but also how it is secured, and the associated legal retention requirements, is one of the largest hurdles organizations face. A robust data inventory is the keystone of meeting CCPA requirements and should be the foundation of developing a comprehensive strategy for managing not only the “Right to Know,” but also the “Right to Say No” provisions within the CCPA. Additionally, businesses must give consumers two or more methods to submit requests, including such things as a toll-free hotline and forms on their websites.


These new requirements have a broad reaching impact not only for California companies, but for all companies that collect, use, share, or sell information of California residents. Under the CCPA, specifically the “Direct Right of Action for Consumer,” companies now need to have a “reasonable” and well-structured data governance and data privacy program. Benchmarking is now more than just assessing maturity of a cybersecurity program; organizations now also need to assess their compliance with multiple data privacy laws (local, state and federal governments) and information control frameworks. In doing so, focus should be on streamlining assessments, which is critical in avoiding undue expense and overhead. Knowing what is in an organization’s data inventory for processing activities and the associated assets is the key to meeting the requirements related to the CCPA.


Similar to provisions in the European General Data Protection Regulation (GDPR), the “Right to Say No” requirement within the CCPA gives consumers the ability and right to know whether their data is being sold to any third party. Organizations must provide a privacy notice to consumers with specific information regarding what data is collected, to whom it is sold, and instructions regarding how to have their data deleted and how to opt out of the sale of their information for the next 12 months. The only exception to these requirements would be cases where businesses are under legal obligation to retain certain data.


And if that weren’t painful enough, the penalties for failure to comply can be significant, including a fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation. As the frequency of data breaches and compromises continues to increase, we should expect other states to adopt similar legislation to not only require businesses to deploy comprehensive data access and management controls, but to also give information and power to consumers with respect to the protection of their personal data. This includes requirements for “Opt-In” consent for minors, and is applicable to data about all devices and households. These new requirements have a broad-reaching impact not only for companies headquartered in California, but for all companies that collect, use, share, or sell information gathered about California residents.


However, there are exemptions to the CCPA. If data is collected, processed, distributed, or shared in anyway in accordance with the Gramm-Leach-Bliley Act (GLBA) “Privacy Rule” or the California Financial Information Privacy Act (CFIPA), it is exempt for CCPA purposes. Similar exemptions also are in place for HIPAA-HITECH and the California Confidentiality of Medical Information Act (CMIA). But remember, the CCPA does not totally exempt financial or healthcare institutions altogether from its requirements; healthcare or financial institutions may need to comply with several of the CCPA obligations, including requirements to make certain disclosures to consumers and/or to provide certain rights to consumers, such as the right to stop the sale of their personal information and the right to access data that a business has collected about them. As always, we recommend that you consult your legal team for specific requirements for your organization.


About Richey May Technology Solutions

A division of Richey May, Richey May Technology Solutions offers a full spectrum of technology solutions, from cloud services and cybersecurity to marketing technology, and from governance, risk, controls and privacy to technology management consulting.

For more information, visit