
Preparations for 'California's GDPR' lag behind

Chris Hamblin, Editor, London, 18 October 2018


A survey by PwC predicts that only 58% of all US financial service firms that have to comply with California's Consumer Privacy Act 2018 - the foremost US version of the European Union's General Data Protection Regulation - expect to do so by the starting date of 2020.

The Act will bestow hefty powers on Californian citizens that will allow them to manage data that banks and other financial institutions hold on them. It will allow them to know what information the banks are collecting about them, why they are collecting it and who they are sharing it with. They are able to tell the banks to delete data in some circumstances and can also opt out from a bank's terms of service without losing access to its offerings.

Discrimination

The Act also states that no business can discriminate against a consumer because the consumer exercised any of his rights under the Act. In this context it cannot deny him services; charge him different prices or rates for services, perhaps through the use of discounts or penalties; provide him with a different level of service; or suggest that it will do so. However, a business may offer him financial incentives for the collection/sale/deletion of his personal information and may also offer him a different price or quality of service if that price or difference is "reasonably related to the value provided to the consumer by the consumer’s data." Nobody knows what this last phrase means, and it almost certainly represents a loophole for banks. The whole reason for the Act's appearance in its present form is the fact that California allows the electorate to pass its own laws by ballot and the state's government is therefore often to be seen frantically trying to pass pre-emptive laws that are similar enough to render the popular laws irrelevant but also full of safeguards for politically powerful special interests such as banks. The Act started out as a so-called 'ballot initiative' but was swallowed up by the usual process, with the initiative being withdrawn.

The value of preparation

Since Californian business takes up a large part of practically every nationally-active private bank's portfolio, nearly all are expected to have to comply. More than three-quarters of all respondents to PwC's survey (from all business sectors, not just finance) said that they held data on residents of California.

As in the UK before the GDPR became operational in May, financial service firms are the best prepared for 'D Day.' Confidence in meeting the deadline only stands at 56% for the IT sector, 47% for health, 44% for industry and 46% for retail.

PwC states: "The law goes into effect on 1 January 2020. Six months later — after the state attorney general clarifies certain outstanding issues — enforcement is scheduled to begin. That does not amount to a grace period, however, because the state is not prohibited from later bringing enforcement actions from instances of non-compliance during those first six months.

"In addition to the possibility of enforcement actions, [the] CCPA includes a separate private right of action which also goes into effect at the same time. The law requires that consumers provide written notice to a business within 30 days of a violation before they can take legal action; companies have 30 days to 'cure' the issue. The law doesn’t define what a 'cure' would entail, however, and that has become a source of anxiety for [by far the most] companies."

Non-extraterritoriality

Unlike its more famous European counterpart, California's Act (known as 'GDPR lite') exempts all businesses from its terms if every aspect of their relevant commercial conduct takes place "wholly outside of California." This happens if the firm in question collects the information while the consumer is outside California, as long as no part of the sale of the consumer’s personal information occurs in California and no personal information collected while the consumer was in California is sold.

Personal information

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a particular consumer or household. It includes: identifiers such as a real name, alias, postal address, email address, account name, social security number, driver’s license number or passport number; records of personal property, products or services that the person has obtained, or "other purchasing or consuming histories or tendencies"; biometric information (this is also mentioned in Europe's GDPR); Internet information including browsing history; geolocation data; audio, electronic, visual, thermal, olfactory, or similar information; employment-related information; educational information; and inferences drawn from any of the above to create a profile about a consumer that describes his preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.

Other terms

The 'collection' of personal data consists of buying, renting, gathering, obtaining, receiving, or accessing it by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behaviour.

Another loophole for banks beckons with the definition of 'sell,' 'selling,' 'sale,' or 'sold,' which means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary "or other valuable consideration." Nobody knows what this last phrase means, which poses a threat to the consumer's opt-out rights because they now depend on the courts' interpretation of the word 'sale.'

Cambridge Analytica

In March 2018, it came to light that tens of millions of Americans had had their personal data misused by a data-mining firm called Cambridge Analytica. A series of congressional hearings revealed, if any further proof were needed, how vulnerable their personal information was to misuse when shared on the Internet. This is what seems to have spurred on California's legislative process on this subject.
