With California's new data privacy law, known as the California Consumer Protection Act (CCPA), set to go into effect in January 2020, financial firms and businesses that will be subject to the law need to become familiar with its regulations in order to avoid costly regulatory fines and litigation.

Partner and co-head of Katten's Privacy, Data and Cybersecurity practice, Doron Goldstein, spoke to FinOps, an online source for news and advice related to financial technology regulations, operations and reducing regulatory risk, about why it's important for financial firms to identify what data they collect on customers, where its stored, and if it falls under any regulatory exemption, such as that of California Financial Information Privacy Act.

Following on the heels of Europe's general Data Protection Regulation (GDPR), which became effective in May 2018, the CCPA requires business to describe to customers how their personal data is used, to provide them with certain access rights, and to delete certain data upon request, with the goal of giving customers more control over their information.

Doron noted that the law is "…likely to capture almost any company that conducts business online, has an application or even has a consumer-oriented website. The firm just needs a website that is accessed by more than 50,000 California visitors, households or devices and the Act doesn't specify that the devices have to be located in California."

According to Doron, firms will need to have a plan in place to quickly fulfill a customer's request about how that data is used or to have it deleted.

"To the extent that the specific data is subject to the CCPA, financial firms might have to amend their agreements with third party providers — called service providers — to track the location of the data and delete it," Doron said.

Another requirement of the new law is that businesses must have written contracts with service providers to prevent a provider from using, retaining or disclosing personal data, except for performing the services for that client or in cases where it is required by law. However, Doron explains, businesses will not be held liable if a provider violates those requirements in its written contract, so long as "the business did not have actual knowledge or reason to believe the service provider would violate those terms."

Finally, certain kinds of data are exempted from the CCPA if they are data covered by the Gramm-Leach Bliley Act (GLBA) or the California Financial Information Privacy Act. But businesses still need to be careful, Doron said.

"The California legislation does say that the firm can be subject to an investor or class-action lawsuit if there is a data breach unless it can prove it took reasonable steps to protect the data," said Doron.

Read, "California's Data Privacy Law: Sticky GDPR Differences," in its entirety.