CCPA in Financial Services: Early operational benchmarks

The financial services sector was carved out of the California Consumer Privacy Act (CCPA)—so CCPA is a non-issue for this industry, right?

Not so when it comes to the largest financial institutions in America. A PwC study conducted in February discovered that this sector’s by-the-book approach to compliance has been in full swing in what many view as an opening act to similar legislation expected in other states this year.

A PwC team analyzed the websites of the 500 largest publicly traded companies and 100 largest privately held corporations and evaluated their approaches to CCPA.

How has the financial services industry responded to CCPA?

First of all, FS is the largest sector represented among the 600 largest companies, accounting for one-sixth of the total. And among this group, FS companies lead the pack in offering online portals for consumers to exercise their CCPA individual rights to access and delete their data. This is no small task—getting to this point required significant investments in process automation in a relatively short period of time.

Here’s the breakdown by sector of the rate of offering CCPA portals:

  • Financial services: 57%
  • Consumer markets: 49%
  • Technology, media, and telecom: 43%
  • Health industries: 39%
  • Industrial products and services: 19%

Among the sub-sectors within financial services, the direct-to-consumer segments more often offer these portals than the predominantly business-to-business sub-sectors:

  • Insurance: 68%
  • Banking and capital markets: 59%
  • Financial data services: 43%
  • Asset and wealth management: 22%

FS firms typically take a conservative approach to regulatory compliance. They had two choices with CCPA: offer CCPA rights to only California residents, as the law requires, or offer the rights to every consumer, as many marketing professionals might prefer in order to provide the most desirable customer experience. In our study, we found that 78% of FS firms provide CCPA rights to California residents only, at this time. This stance is similar across the FS sub-sectors, indicating FS firms are taking a “wait and see” approach regarding the volume of requests before expanding rights to all US residents. The sub-sector breakdowns on this question:

  • Insurance: 80%
  • Banking & capital markets: 76%
  • Financial data services: 71%
  • Asset & wealth management: 78%

Given the legacy data infrastructure of large FS firms and the inherent challenges of aggregating data for meaningful analysis and sharing, it does not come as a surprise that 80% of Fortune 500 and Forbes 100 FS firms note in their privacy notices that they do not sell personal information. This position is also similar across the FS sub-sectors:

  • Insurance: 82%
  • Banking & capital markets: 79%
  • Financial data services: 71%
  • Asset & wealth management: 78%

Just 3% of FS firms provide a prominent “Do Not Sell My Personal Information” link on their main landing page, compared to 29% for the consumer markets and 29% for the technology, media, and telecom sectors. The remaining FS firms either offer an explanation regarding the sale of personal information in their privacy notice, or reference the federal law exemptions—such as GLBA and HIPAA—they are able to use to good advantage. A small number of FS firms have yet to update their privacy notice. The fact that companies across the industry are taking a similar approach reflects a somewhat consistent interpretation of the definition of “sale” under the CCPA.

We also asked privacy professionals working for companies within the scope of this study what they have experienced, in terms of the volume of consumer CCPA requests, since Jan. 1, when the law went into effect. They reported ranges of requests that were, in general, much lower than had been anticipated, and were also much lower than in the consumer markets and technology, media, and telecom sectors. Here are those year-to-date ranges:

  • Highest range of requests: ~150 to 300+
  • Moderate range of requests: 20 to 100
  • Smallest range of requests: None to a handful

What do these results mean for financial companies and the future of privacy capabilities for this sector? We see three takeaways:

  • Those who launched their portals on time should declare victory internally for being ready for any similar state-level laws that may be passed this year, even if their current CCPA request volumes are lower than expected.
  • With request volumes relatively low across the industry, now may be the time to differentiate and extend CCPA rights to all Americans.
  • And while the individual-rights portals are designed to be compliant with the regulations, they can be confusing to consumers. FS privacy leaders could engage their marketing, digital and data teams to review these portals from the perspective of customer experience and journey.

Contact us

Jay Cline

US Privacy Leader, Principal, PwC US

Sean Joyce

Global and US Cybersecurity, Privacy & Forensics Leader, PwC US

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US
