Over the past few years, consumer privacy and protection have been prevalent issues on the global stage. With the passage of the General Data Protection Regulation (GDPR) in Europe, several states in the U.S. are looking to pass their own forms of privacy legislation. Most notable of these efforts is the California Consumer Protection Act (CCPA), which became effective January 1, 2020. Although the CCPA is already in effect, it’s important to note that the law is still being modified via Revised Proposed Regulations.
The CCPA defines “personal information” broadly and provides California consumers with specific rights related to their personal information. Many businesses spanning multiple industries are required to abide by the CCPA and may need to make significant changes to their processes to ensure they comply with the law. The mortgage industry will be no different.
If you’re an individual contributor in your organization, you might think this is an issue for middle or upper management. However, understanding the CCPA’s requirements and how to comply with them should be a group effort at every mortgage company, because it takes the whole organization to fully understand how the company collects data, what the data sources are, how the data is shared or sold, how it’s stored, and more. This is also a great opportunity for you to partner with your legal counsel or compliance officer to help your business align with the requirements of the CCPA. It takes time to identify all of your data sources and how each one is used.
In this post, we’ll discuss the CCPA, its impact on the mortgage industry, and some questions you might want to consider if you do business in California or in a state that’s developing its own set of consumer privacy laws.
What Is the CCPA?
The California Consumer Protection Act provides California consumers with several rights regarding their personal information. The CCPA applies to businesses that sell, collect and disclose personal information of California residents for a business or commercial purpose and that meet certain other requirements related to their revenues.
The CCPA provides four basic consumer rights:
- The right to know what personal information businesses are collecting, where they got that information, what the information is used for, and whether it’s being disclosed or sold to others and to whom.
- The right to opt out of a business selling an individual’s information.
- The right to request that a business delete an individual’s personal information.
- The right to receive equal pricing and service from a business should an individual choose to exercise their privacy rights.
Essentially, consumers have the right to find out what kind of information businesses hold on them and whether that information is being sold, the right to ask a business to delete that information, and the right not to receive discriminatory pricing for exercising those rights.
To Whom Does the CCPA Apply?
This law applies to most businesses that are domiciled and/or do business in California, but it doesn’t necessarily apply to small mom-and-pop ice cream shops.
To fall under the provisions of the CCPA, a business must meet one of these three parameters:
- Earn $25 million or more in annual gross revenue,
- Earn more than half of its annual income from selling the personal information of consumers, or
- Be in possession of the personal information of 50,000+ consumers, households, or devices.
As you can imagine, it is relatively easy for many mortgage lenders to meet at least one of these parameters and therefore be subject to the CCPA.
What Particular Challenges Does the Mortgage Industry Face?
The CCPA may present challenges for the mortgage industry given the amount of consumer data required to complete a mortgage transaction, as well as the third-party consumer data that lenders tend to leverage.
Consider this: as a loan officer, you might purchase a list of leads, all of which contain some type of personal information. As the purchaser of that list, you may want to start considering how that lead information was collected and with whom else you’ve shared that information.
Since FCRA and GLBA cover much of the borrower data in a mortgage transaction, what’s left for the CCPA to cover in day-to-day mortgage operations? Areas you may want to think about include:
- Users of your website, including those who request a mortgage quote through a POS
- Marketing leads collected through your website or purchased from other sources
- Individuals who fill out an application but do not submit it to you
You should evaluate whether any information collected for sales, marketing, and customer service activities potentially falls under the CCPA. If you’re performing any marketing or sales activities that involve customer data derived from social media or your company’s website, you’ll want to be aware of the types of disclosures that need to be made to those customers.
As we mentioned before, the CCPA creates a broad definition of personal information, informs how it’s collected and used, and provides ways for California consumers to assert control over how their data is being used by companies. We should not expect data privacy efforts to stop with the CCPA – more and more states are considering laws like this, and it will take a cross-functional effort in every organization to address those laws and stay compliant.
The good news is that, as consumers become more aware of their rights and begin to exercise them, businesses that are upfront about how they collect and use personal data may be seen as more transparent. This can help create a better impression for customers and lead to a more satisfied customer base and better customer experience.