California Data Privacy In 2023: What’s Next For Fintechs & Their Partner Banks
Some institutions may need to reevaluate their technology, use of data, onboarding forms and disclosures, and more.
On December 31, 2022, California’s data privacy exemption for “business-to-business” (“B2B”) information will expire. As a result, the personal information of business contacts provided to obtain commercial financial products and services will be subject to the new California Privacy Rights Act (the “CPRA”). For fintechs and their partner banks, the B2B exemption has meant that neither vendor data nor commercial account data was subject to California data privacy laws and regulations. This change may require these institutions to reevaluate their technology, use of data, onboarding forms and disclosures, and more.
CCPA Compliance for Fintechs and Partner Banks Until Now
Since the California Consumer Privacy Act (the “CCPA”) was first passed, banks and their fintech service providers have been broadly exempt thanks to the overlapping coverage of three exemptions: GLBA-covered data, FCRA-covered data, and the B2B exemption. In an unexpected move the California legislature declined to extend the B2B exemption, which will now sunset on December 31, 2022 – throwing fintechs focused on commercial accounts and their partner banks into the CPRA compliance regime in a way they may not have anticipated.
Through the end of 2022, fintechs and their partner banks have been able to operate with minimal CCPA compliance obligations. The exemptions for GLBA-covered data and FCRA-covered data generally meant that customer and account data for consumer accounts was not subject to the statute’s requirements. The B2B exemption equally alleviated their CCPA compliance obligations on commercial account data.
As a result, fintechs and their partner banks generally needed to consider only the limited pool of personal data collected from California residents in pre-acquisition marketing and communications. Given the low volumes of data and limited consumer interest in these types of data collection, fintechs and partner banks saw relatively low rates of CCPA requests and could rely on manual processes. Most fintechs, in particular, were able to provide CCPA-compliant privacy notices and did not need to stand up the complex internal structures technology-focused businesses outside of financial services were required to implement.
Revised CCPA Coverage Thresholds
The CPRA amendments to the CCPA changed the thresholds for what entities will be subject to CCPA coverage. Beginning on January 1, 2023, California data privacy obligations will attach to any for-profit business that does business in California, collects or uses consumers’ personal information, and meets any of the following thresholds:
Has a gross annual revenue of over $25 million;
Buys, receives, or sells the personal information of 100,000 or more California residents, households, or devices; or
Derives 50% or more of its annual revenue from selling or sharing California residents’ personal information.
Meeting any one of the three thresholds will be sufficient for an entity to be subject to CCPA obligations. Fintechs working with bank partners should consider whether their customer base will independently qualify them for CCPA coverage and whether they will need to consider the partner bank’s full operations and customer base in determining whether they must comply. Even if a fintech believes that it is exempt from coverage and does not need to consider the partner bank’s customer base, the CCPA also imposes specific compliance obligations for service providers that mirror the obligations of covered entities.
Commercial Account Data Now Subject to California Data Requests
“Consumer” data related to commercial accounts will now be subject to CPRA coverage. The CPRA has an extremely broad definition of a “consumer” – giving data rights to any natural person residing in California. As a result, beginning on January 1, 2023, any employee or owner of a commercial entity-customer who provided personal data (name, telephone number, SSN, etc.) will have the following rights:
The right to know what personal data a fintech or partner bank collects about them and how it is used
The right to require a fintech or partner bank to delete their personal data
The right to opt out of a fintech or partner bank sharing their personal information
The right to opt out of certain uses and disclosures of “sensitive personal information,” which includes their Social Security number, driver’s license, precise geolocation, ad racial or ethnic origin
The right to correct inaccurate personal information in a fintech or partner bank’s records
The right to enhanced information practices transparency, including information about data retention periods
Rights related to the use of automated decision-making technologies
Given the type of personal information routinely collected from employees and owners of commercial accounts for customer identification program requirements, fintechs and partner banks will have drastically increased volumes of data covered by California’s data privacy regime.
Additional California Data Privacy Changes Under the CPRA
When the CPRA comes into effect on January 1, it will also impose new obligations on fintechs and partner banks beyond what the prior data privacy regime did, including requirements related to data retention, data minimization, and purpose limitation – all of which will apply to the personal information collected from employees and owners of commercial accountholders. The new law also mandates additional provisions that businesses must include in their contracts with service providers, contractors, and other third parties.
Finally, the CCPA already required fintechs and partner banks to provide appropriate loyalty program disclosures if they offer consumers a financial incentive in return for the use of that consumer’s personal information. Starting in 2023, however, they will be prohibited from requesting a consumer provided opt-in consent for a loyalty program for at least 12 months after the consumer last declined to provide opt-in consent for that program.
Potential Impacts on Fintechs and Their Partner Banks
Fintechs and their partner banks face increases in their California data privacy obligations on two fronts: increased data subject to coverage based on the B2B exemption’s expiration and heightened obligations and consumer rights based on the new CPRA terms. This combined change may result in the following types of impacts to address:
Specific contractual terms related to data privacy rights and obligations that must be included in all bank partnership agreements, as well as the contracts that fintechs hold with their own service providers
Increased volume of California data requests and required responses, including scaling opt-out procedures, the need to assess what personal information related to commercial accounts can be deleted, and the need to identify what automated decision-making technologies are applied to personal information associated with commercial accounts
Data minimization and purpose limitation of personal information collected for small business accounts
The need to implement more robust tracking mechanisms related to loyalty program marketing
California Data Privacy Considerations for 2023
These potential impacts leave fintechs and their partner banks with many data privacy issues to consider as the year begins. Entities should engage in a thorough self-assessment of their California data privacy preparedness, starting with the following questions:
Does our business meet any of the three threshold requirements for coverage by the CPRA?
Does our bank partnership agreement and other service provider agreements comply with the data privacy provisions required by the CPRA?
Do we know what personal data we collect from California residents when we onboard our commercial accounts?
Does our personal data collection from California residents who are employees or owners of commercial accountholders comply with the new data retention, data minimization, and purpose limitation obligations?
How many California residents have provided us with personal data through commercial accounts or vendors and can we estimate the likely number of CPRA requests that we will get from this population?
Do our loyalty programs and our marketing of them comply with new CPRA requirements?
Entities subject to the CPRA will likely need to take the following steps, to the extent that they haven’t already done so, to operationalize CPRA compliance throughout their entity for 2023 and beyond:
Revisit how they collect and map data for data minimization and purpose limitation compliance, as well as to respond to CCPA requests within regulatory timeframes
Determine what data they hold that could be subject to CCPA deletion requests and whether any exemptions to deletion requirements will apply
Develop opt out procedures or, if they already exist, review whether they can be scaled to meet new demands
Amend bank partnership agreements and other service provider contracts to ensure that California data rights obligations are being appropriately allocated
Amend loyalty program marketing to minimize requests to opt in
How We Can Help You Prepare
While the B2B exemption sunsets on December 31 and the CPRA goes into effect on January 1, CPRA enforcement doesn’t commence until July 1, 2023 and can only be brought as to violations that occur after that date. Fintechs and their bank partners still have some time left to review their programs and make meaningful changes before the California Privacy Protection Agency begins making inquiries.
Mitchell Sandler has deep expertise in financial data privacy matters and can help fintechs and their partner banks prepare for these challenges:
Assess if you are within the scope of the CPRA’s coverage
Review bank partnership and service provider agreements for data privacy considerations
Review loyalty programs to assess whether they trigger CPRA notification requirements
Prioritize which operational changes will result in the most significant regulatory impact
Please contact Chris Napier or Shelby Schwartz for further help.
About The Authors
Chris Napier is a Partner at Mitchell Sandler. His practice focuses on providing regulatory counseling, strategic advice and representation during government enforcement matters, including matters involving commercial, consumer and alternative credit products; money transmission and payments; deposit issues; and partnerships between fintech companies, depository institutions, and lenders. Learn more about Chris Napier
Shelby Schwartz is Counsel at Mitchell Sandler. Before joining the firm, Shelby worked as the compliance program manager for Promontory Financial Group, an IBM company, where she supported the chief compliance officer in the development and implementation of a global compliance program that addressed varied risks, including those related to the Foreign Corrupt Practices Act, information security and data privacy regulations, and corporate governance issues. Learn more about Shelby Schwartz
SIGN UP FOR UPDATES
Never miss our news, insights or events.
FEATURED NEWS