In California, the data privacy landscape faces radical change. Set to take effect on January 1, 2020, the California Consumer Privacy Act (CCPA) reflects shifting attitudes toward consumer protection in the state by giving California residents complete autonomy over the sharing of their data. In an era where personal data is sold, shared, and used without knowledge or consent, the bill promises revolutionary change. Nonetheless, the bill has a number of major issues. Passed after a mere week of debate, the CCPA has been criticized both for its opacity and potential ramifications. Specifically, it threatens the accessibility of banking for California residents and may hamper international and domestic banking and e-commerce.
The Act, first pushed through the state legislature and passed by Governor Jerry Brown in 2018, declares that California residents have the right to access their data, refuse its sharing and sale, and know both how it is collected and where it is used and sent. Residents may also request personal record wiping, among other provisions. These disclosure regulations will apply to companies earning more than 25 million USD in revenue, collecting data from 50,000 or more consumers, or making over 50 percent of their revenue from sharing of consumer data.
As data privacy concerns continue to grow, many fail to acknowledge the benefits of data sharing and recording—benefits which the CCPA may reduce or eliminate. According to a July 2019 study, 76 percent of American adults do not want their data shared for commercial purposes, and 72 percent support a national data privacy regulation. However, such absolutism ignores the advantages data sharing offers. Consider, for example, a college student taking loans to pay tuition: If that student shares their data, their bank can identify and market specific packages tailored to their financial profile to them. This is a common use case; in fact, many e-commerce companies in California depend on tracking online consumer profiles to effectively market their products.
However, these effects extend well beyond California, since the CCPA regulations prohibit consumer information sharing regardless of where a company is based or whom they sell through. And in addition to the loss of beneficial programs, California residents may find it difficult to navigate this new law, as it uses jargon that is inaccessible to many residents, especially those without legal counsel or extensive educational background. Though intended to provide consumers with increased control over their data, the CCPA may have the opposite effect—of alienating the public from their rights.
Further, the CCPA has been criticized for how its broad language may affect employee privacy rights. The bill originally defined “consumer” as any “natural person who is a California resident,” a definition that does not specify whether the CCPA would affect consumers in their capacities as employees. This means that any onboarding, payroll, and employee benefit plan data would be subject to this regulation, and a number of out-of-state and international entities would have to have to tailor their employee record protocols if they operate in any capacity in California. Moreover, the CCPA stipulates that supply chain and other service providers of companies operating in California must also comply with it, regardless of whether the providers themselves operate in California. This means that in the future, service providers may be discouraged from working with companies that operate in California if the stringency of the CCPA proves to be too much of a burden. Even more daunting for these companies is the fact that the state of California has full authority to pursue civil action if a service provider, or any company thereof, either refuses to comply with the CCPA or takes inadequate compliance measures.
Although the law has good intentions, its opacity is seriously detrimental to businesses. Concerningly, the law enables California residents to file lawsuits for CCPA violations without any demonstrated harm to affected consumers. These complex CCPA clauses discourage e-commerce businesses, tech firms, and banks from investing in California’s economy due to the hefty cost of compliance. This becomes increasingly problematic with regard to data infrastructure constructed through bank mergers and large-scale multinational banks, which demand highly specific and costly granular data analysis in order to segregate CCPA jurisdiction and the jurisdiction of preexisting data laws, namely the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA). Unlike the CCPA, these existing federal privacy laws provide consumers with little agency over their own data. Considering the short timeframe companies and banks have to deal with the stipulations of the CCPA, the existing regulatory issues of the CCPA, GLBA, and the FCRA, and the disproportionate impact of compliance for smaller scale companies, the future of bank investment in the state may be uncertain. Altogether, the CCPA may effectively create a vacuum in bank investment in the state and lead to a shortage of credit available to state residents.
On a broader scale, several other states, such as New York, are drafting privacy laws of their own inspired by the CCPA, which would only worsen the regulatory quagmire banks must navigate. In the long run, a new federal framework, as opposed to a patchwork of state regulations, would be more effective in protecting consumers’ rights and minimizing burdens on institutions that catalyze economic growth.
The CCPA is certainly revolutionary in the cybersecurity and privacy landscape, but it begs the question: How does privacy act as a medium of agency in the world of banking and internet? Where do we draw the line between the benefit of tracking and collecting personal information and the assurance of privacy? These questions clash with the concerns sparked by the introduction of the CCPA, including its negative impacts on banking accessibility for the public, current operations of relevant banks and e-commerce entities, and the future of tech and bank involvement in the State of California. The CCPA is certainly not a gold standard for data privacy, but it remains an interesting model to be considered in the ever-changing sociopolitical arena of consumer, public, and private information.
Photo: Image via Trending Topics 2019 (Flickr)