The financial services sector was carved out of the California Consumer Privacy Act (CCPA)—so CCPA is a non-issue for this industry, right?
Not so when it comes to the largest financial institutions in America. A PwC study conducted in February discovered that this sector’s by-the-book approach to compliance has been in full swing in what many view as an opening act to similar legislation expected in other states this year.
A PwC team analyzed the websites of the 500 largest publicly traded companies and 100 largest privately held corporations and evaluated their approaches to CCPA. How has the financial services industry responded to CCPA?
First of all, FS is the largest sector represented among the 600 largest companies, accounting for one-sixth of the total. And among this group, FS companies lead the pack in offering online portals for consumers to exercise their CCPA individual rights to access and delete their data. This is no small task—getting to this point required significant investments in process automation in a relatively short period of time.
Here’s the breakdown by sector of the rate of offering CCPA portals:
Among the sub-sectors within financial services, the direct-to-consumer segments more often offer these portals than the predominantly business-to-business sub-sectors:
FS firms typically take a conservative approach to regulatory compliance. They had two choices with CCPA: offer CCPA rights to only California residents, as the law requires, or offer the rights to every consumer, as many marketing professionals might prefer in order to provide the most desirable customer experience. In our study, we found that 78% of FS firms provide CCPA rights to California residents only, at this time. This stance is similar across the FS sub-sectors, indicating FS firms are taking a “wait and see” approach regarding the volume of requests before expanding rights to all US residents. The sub-sector breakdowns on this question:
Given the legacy data infrastructure of large FS firms and the inherent challenges of aggregating data for meaningful analysis and sharing, it does not come as a surprise that 80% of Fortune 500 and Forbes 100 FS firms note in their privacy notices that they do not sell personal information. This position is also similar across the FS sub-sectors:
Just 3% of FS firms provide a prominent “Do Not Sell My Personal Information” link on their main landing page, compared to 29% for the consumer markets and 29% for the technology, media, and telecom sectors. The remaining FS firms either offer an explanation regarding the sale of personal information in their privacy notice, or reference the federal law exemptions—such as GLBA and HIPAA—they are able to use to good advantage. A small number of FS firms have yet to update their privacy notice. The fact that companies across the industry are taking a similar approach reflects a somewhat consistent interpretation of the definition of “sale” under the CCPA.
We also asked privacy professionals working for companies within the scope of this study what they have experienced, in terms of the volume of consumer CCPA requests, since Jan. 1, when the law went into effect. They reported ranges of requests that were, in general, much lower than had been anticipated, and were also much lower than in the consumer markets and technology, media, and telecom sectors. Here are those year-to-date ranges: