[rcooper]

1) Do the exceptions in Senate Bill 1121 apply to banks that do not have branches located inside CA?

from Jack to everyone:
I don’t beleive that California bill SB 1121 addresses branch offices. But there have been aver 100 bills proposed to clarify the CCPA and one of them might include such an exemption.

from Robin:
I agree. The exceptions could be used by any business, regardless of location, if they meet the criteria. Also look to the exemptions beginning on p. 18.
CCPA shall not restrict a business’s ability to:
….6) Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.

2) What specific steps should we take now?
• Conduct data mapping.
o Data In – Sources of external data (consumers or third parties).
o Where is it stored and how is it used internally.
o Data Out – Outflow of data to third parties.
• Review contracts – Your vendors are covered, so contracts need to be updated to reflect their expanded obligations.
• Update existing Privacy policies and
• Training for customer service personnel for CA customers

From Robin: Yes, all of the above. Determine coverage first. If you are a covered business, determine what information is being collected, how it is being used and shared. Update policies/procedures, review contracts of service providers, training.

3) What would be the best steps for community banks that do not share/sell information?

from Robin: First determine if you are covered under the rule. If you are covered, determine what information you’re collecting. Can you utilize any of the exemptions? If you have information that is still covered by CCPA after applying exemptions then there are certain requirements (disclosures, responding to requests, training, etc.) that would apply even if you don’t sell information. Feel free to post follow up questions once you determine how it applies to your bank.

4) Are you saying that if we contract with our CRA to do an “ID cross check” service on credit reports, then there is no FCRA exemption?

from Allyn to everyone:
I would suggest verifying with your CRA whether the information used for your ID cross check service is covered by FCRA. If not then it wll not be exempt.

HMDA Question:
1)Did this rule make any changes to the partial exemption, only having to report part of the complete HMDA data? That remains at 500 each, counting closed end and open end separately, correct?

from Jack to everyone:
Yes, the HMDA partial exemption thresholds remain at 500 for both open-end and closed-end credit.

[Author]

Posts