California Consumer Privacy Act
The bank now has a comprehensive solution in place to comply with CCPA requirements.
California Consumer Privacy Act compliance (CCPA) requirements shook up many business processes. Remaining compliant with the regulatory landscape is an ongoing, non-trivial challenge. Over the last decade, there has been a significant evolution of the regulations guiding the use of consumers’ personally identifiable information (PII). Failure to comply with regulations such as the CCPA or the General Data Protection Regulation (GDPR) can result in significant penalties.
CCPA Compliance Impacts Many Businesses
The CCPA is a state statute intended to enhance privacy rights and consumer protection for residents of California in the United States. This act applies to any business, including any for-profit entity that collects consumers’ personal data, does business in California, and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million
- Buys or sells the personal information of 50,000 or more consumers or households
- Earns more than half of its annual revenue from selling consumers’ PII
This includes any retail bank that operates in California.
SoHo’s client was a Californian bank that required a consumer privacy process for customers to submit to the bank’s compliance team for action. This process is needed to address the CCPA compliance requirements for consumers’ transparency rights. These rights require companies to inform consumers about all personal data collected and how it is shared. Consumers have the right not only to access this data, but also to demand that it is deleted, and to opt-out of direct marketing arising from leveraging such personal data.
CCPA Compliance Requires Excellent Data-Management Strategies
SoHo designed, built, and deployed a consumer privacy form and workflow process to allow customers to submit CCPA requests to the bank’s compliance team for approval and action.
The solution also required SoHo to work with the bank’s outside privacy counsel to design and implement an approach to identify and manage the PII data fields that concerned customers’ data privacy rights. Further, record management was configured to adhere to the bank’s new retention schedule by classifying files into Record Types, while putting automated retention tags in place to manage the content’s life cycles in compliance. These tagged submissions were applied throughout the organization. This process encompassed both identifying and managing access to sensitive data, whatever its source – customers, employees, or suppliers.
The bank is confident that it has met CCPA compliance requirements. And, it saw increases in the efficiencies of its administrative processes:
- Internal agents reduced time spent working on submissions by 20%
- Contact time with each customer was reduced
- Form completions reached 98% - a massive improvement on the original process, which often resulted in drop-offs and required contact intervention