Pub. 11 2021-2022 Issue 3

(Continued from page 27)

and transparent notice of the data they collect, what they use it for and who they share it with.
• Right of access, deletion, correction and portability. In addition, consumers have the right to opt out of the sale of their personal information.
• Requirement to enter into contracts with third-party service providers who may process personal information on the business's behalf.
• Requirement to implement reasonable security measures to protect against unauthorized use or disclosure of personal information.

CCPA also includes a private right of action for individuals in the event certain sensitive personal information (for example, Social Security number, account information, password and passport number) is subject to a data breach. The GLBA exemption does not apply with respect to an individual's right to bring an action against a bank or financial institution in the event such organization fails to implement appropriate security protections. The private right of action under CCPA is one of the biggest areas of concern for organizations, as it enables impacted consumers to claim statutory damages in an amount between $100 and $750 per incident.

What should Colorado banks and financial institutions be doing now?

In addition to their obligations under GLBA, banks and financial institutions meeting the thresholds discussed above have direct obligations under CCPA, regardless of whether they are physically located in California or not. Violation of state privacy laws could lead to regulatory investigations, fines and class action litigation.

Regardless of where the bank or financial institution is located, it should consider implementing the following:
• Post a clear and transparent privacy notice, explaining what personal information is collected, what it is used for, to whom it is disclosed, and for how long it is retained.
• Analyze and understand which personal information is in scope for purposes of GLBA and is thus exempted from CCPA requirements, and which is not. This is particularly important when it comes to analyzing whether or not a consumer request (for example, for access to, or deletion of, personal information) needs to be complied with under CCPA.
• Confirm that agreements with third-party vendors include adequate privacy and security obligations, and other relevant protections.
• Review security and access controls.

In addition, banks and financial institutions should consider whether to adopt CCPA standards at an enterprise level, or just with respect to individuals who are resident in California. Given the variances in existing state laws, and the likely implementation of new state laws in the absence of a federal privacy law, there is logic to applying a consistent standard to all personal information regardless of which state the individual is actually resident in.
