Major Changes in Privacy Law: What Lenders Must Do to be Compliant with the CCPA
Stay Updated
Subscribe to our Geraci Law Firm Newsletter to receive upcoming webinar announcements straight to your inbox.
California Consumer Privacy Act became law on January 1, 2020 and fundamentally reshaped what companies can do with private data. Even though this act only applies to data received from California residents, companies nationwide should be concerned as this law appears to have national ramifications. During this presentation, expert real estate attorneys discussed:
- Summary of CCPA and major changes in consumer privacy because of its passage.
- Who does CCPA apply to?
- If you are a covered company, how do you comply?
- Even for those that do not have to comply, what practices should you consider implementing now as there appears to be significant momentum in Congress and in other states for similar regulations.
Nema Daghbandan:
All right. Good morning everyone. This is Nema Daghbandan here with Geraci LLP. Thank you for being here with us for our webinar today regarding the California Consumer Privacy Act. A couple of housekeeping matters that we want to make sure everyone is aware of. We'll probably repeat this a few times throughout the process just so all of you understand how the process works. So the first thing is that this webinar is being recorded. The live recording with the slides will be delivered to people shortly after the webinar. So in case you wanted a copy of this to distribute later on, we will be distributing this. The second thing is we will also be distributing the slides themselves. If you wanted those for your records, they will be getting delivered to you. The next thing is for all of you that are on here, there is a few boxes at the bottom of your screen.
So there's a chat box and a Q&A box. What I want all of you to do during this is I want you to use the Q&A box. Feel free to ask questions anytime you want. At the very end of this webinar, we will go ahead and answer the questions that are in that Q&A box. You can ask the questions anonymously or you can put your name in, whatever your preference is, but we will be answering questions at the very end of the webinar. But feel free to type those questions in at any given time.
So first, my name is Nema. Talked about that a little bit earlier. I am the partner which manages our banking and finance practice. Practically speaking, that just means that our group really prepares loan documents and provides compliance advice. We also manage the firm's foreclosure practice. So right now, as you can imagine, we're spending a lot of time really just dealing with loss mitigation issues, modifications, forbearances, that kind of stuff, and just providing advice to our clients about how to manage this really unprecedented time with covid related defaults and kind of managing that aspect of the business. Additionally, Tom Hajda is on the call with me as well. Tom is our leading guru relating to institutional lending. He is very well versed in just all kind of nationwide compliance issues, both consumer and commercial and nature, and he'll be really spearheading most of the webinar today.
A quick thank you to our partners, American Association of Private Lenders. They will be having an emergency meeting on Monday that's going to be at 12 o'clock Pacific, two o'clock central and three o'clock eastern on Monday. There will be a registration link that will be forwarded to everyone after this webinar about how you can attend the meeting. It is a free meeting to attend to and everyone is welcome to attend. We have a excellent lineup of speakers in broad level of disciplines from accounting and legal. We have brokers on there, just really providing the state of the market. We've got warehouse line of credit providers, really the whole gamut of just providing a state of the market and just giving people an opportunity to speak their minds and really come together during this time of uncertainty. And last but not least, we also have our dear friends over at CU Business Group. We have Dexter De Mesa on the line here with us as well. Dexter, tell us a little bit about what's going on at CUBG right now, and Dexter, I can't hear you, so not sure if you are trying to speak there.
Dexter De Mesa:
Nema, can you hear me now?
Nema Daghbandan:
I can hear you now. Perfect.
Dexter De Mesa:
Okay, perfect. Thank you. Thank you. And good morning everyone. I hope everyone's doing well and staying healthy. I hope everyone's adjusting to this new world of telecommuting, zoom, and homeschooling all at once. As I shared with Nema earlier, the new common law rule now is to keep the new unmute button is the new reply all. So I hope we're all adjusting well to that and being mindful about it. Anyways, just a quick background about CUBG. We are the largest business services CUSO - Credit Union Service Organization - in the industry. We've been established for over 17 years. We serve about 585 credit unions in 48 states. We're headquartered in Portland and with remote offices across the states. At this point in time, we are also inundated with many 90 day deferral requests from our lead lenders, from the borrowers. With that said, CUBG is on a mission to bring valuable information to the credit unions we serve. And although I'm certain that many of us are, many of our activities are likely centered on this COVID-19 situation, we firmly believe that the information Geraci will share is valuable and will bring awareness, potential risk, and provide solutions that will help mitigate them.
As I mentioned, the core of our activity right now is really centered upon SBA, the payroll protection program, 90 day deferral request, and really facilitating all that between the different member credit unions that we serve.
Nema Daghbandan:
Great. Thank you so much sir Dexter. Alright, and without further ado, we'll go ahead and kick it off over to Tom, so you can lead us here. I noticed there was a pretty significant spike in attendees from when we started this webinar. So I'll do one more housekeeping reminder, which is that this webinar is being recorded. You will get a copy for those that want to see a copy of the webinar, including the slides. We'll be delivered after the webinar. The slides themselves will also be delivered as a standalone delivery. And then lastly is there is a Q&A box at the bottom. Please use that versus raising your hand or any of the other options at the bottom of your zoom screen here. So please do enter questions whenever they come up. And at the very end of the webinar we will be answering your questions. Go ahead Tom.
Tom Hajda:
Thank you Nema, and good morning everyone. I'd like to thank all of you for taking time out of your busy schedules to join our webinar today. And as Nema mentioned, the topic of our webinar is the California Consumer Privacy Act, which is now the most comprehensive privacy law in America. So today I'm going to discuss how the CCPA became law, and I'll also discuss the new privacy protections under the CCPA and which businesses are covered and which persons are protected by the CCPA. I'll then give you some compliance tips and then we'll take a quick look at the new privacy initiatives in other states. And finally we'll see where we go from here.
So how it all began. As you know, privacy is a big concern among Americans and recent abuses have only caused these concerns to grow. For example, Cambridge Analytica gathered the personal data in millions of Facebook profiles without their owner's consent and used it for political advertising. And we all know about the security breach at the credit bureau, Equifax, where criminals accessed the financial information of more than half of all adults in the United States. Now, on a more personal level, you might be surprised to know that there are now electronic billboards that can actually pick up the ID numbers from your cell phone. This allows the billboards to identify you, your age, your gender, your race, and even your buying habits. This information then triggers the billboard to show an advertisement that is specifically targeted to you and your kids as you walk or drive by.
So these incidents caught the attention of Alistair McTaggert, who's a wealthy real estate developer in California, and the founder and chair of the Californians for Consumer Privacy. Two years ago, he brought a privacy ballot initiative before the California voters. He actually spent more than $3 million of his own money and paid more than 600,000 signatures, which was twice as many as he needed to put the matter to a referendum. So this strong show of support forced state legislators, tech companies and privacy advocates to broker a compromise on legislation, which is now known as the California Consumer Privacy Act.
So we'll start with discussing the new privacy protections under the law. And there are four pillars to protections under the CCPA. There's the right to know, the right to delete, the right to opt out, and the right to know discrimination. So let's start with the right to know California residents now have the right to ask you to provide them with the categories of their personal information that your business has collected in the last 12 months. And this includes the categories of the sources of the personal information purposes for which your business collected, the personal information, the categories of third parties, to whom that personal information was shared and the categories of personal information that were sold, excuse me, or disclosed in the proceeding 12 months. Most importantly, your customers have the right to ask you to provide them with the specific personal information that you've collected during the last 12 months. And this is significant when you think about it. You probably collected a considerable amount of information about your borrowers and your borrower's, owners principles and guarantors. This information could be located in your loan origination systems, in your servicing systems, or in paper files, and you're going to need to collect all of this data, put it into one place so you can retrieve it and provide it to your customers when they request it.
California residents now have the right to direct you to delete the personal information that you've collected in your systems and in your files, and you're going to be required to identify your service providers and direct them to delete that person's personal information that the service provider has in its possession. Now it's important to note that if you need the personal information to continue providing a financial product or service to that customer, you're not required to delete that information. So for example, if you're servicing a mortgage loan and you need the personal information to collect the mortgage payments, you're not required to delete that personal information right to opt out. So California residents can now direct you to stop selling their personal information to a third party and they can opt out at any time. Now, it's important to note that the right to opt out does not apply to information that you're sharing with your service providers who provide operational services for you. And this applies as long as you direct the service provider not to sell that information to any other third party.
There are now new privacy protections for children in California, and this brings to mind an article that I just read yesterday in the New York Times. As a result of the Coronavirus Pandemic, public schools are now teaching students through virtual classrooms. Zoom is now the most popular free video conferencing application in the United States that's used to host to these classes. The New York Times reported that software inside the Zoom application is sending user data to Facebook, including the user data of the school Children. Well under the CCPA businesses can no longer sell the personal information of children between the ages of 13 and 16 unless the child affirmatively opts in and says that the business can sell that child's personal information. With respect to children under the age of 13, a business can no longer sell the personal information of that child unless the parent or guardian of that child affirmatively opts in and says that the business can sell the personal information.
Finally, we have the right to know discrimination. And what does this mean? Well, if a California resident exercises its right to delete or right to opt out, a covered business cannot discriminate against that person. However, it may offer a financial incentive or a price or service difference if it's directly related to the value of that consumer data. So what does this mean? I'm going to use Facebook as an example. Now everyone's familiar with the basic Facebook business model. Facebook provides the Facebook platform for free. So how does Facebook get paid? Well, they get paid when they sell your personal information to advertisers. So if a California resident exercised the right to delete or opt out, Facebook could not deny that person's access to Facebook and it couldn't start charging fees and charges to that California resident. However, Facebook could, for example, create a financial incentive program where it would say, you can use our Facebook platform for free, but if you want any additional services or additional bells and whistles, we're going to start charging everyone an additional fee. However, if you allow us to keep your information and to sell that information to an advertiser will provide you a discounted fee or will waive the fee entirely. Facebook could do this, but only if it documents in writing the specific value of the consumer data that they keep and sell and how that's related to the discounted pricing.
Alright, let's talk about the categories of information. As you can see from this, the CCPA has identified 11 separate categories of personal information. This is important because a covered business will need to work with its IT professionals to create data inventories to determine which categories of personal information have been collected, the categories of sources of that personal information, the purposes for which the personal information is used, and the categories of personal information that have been shared and sold to third parties. Now it's important to remember that this process has to be completed for each California resident. This is a time consuming task and it requires significant resources. And based on my experience, this is one of the most difficult requirements of the law to comply with.
Now, not all information is considered to be protected personal information. The CCPA deletes from the definition of protected personal information. Three categories, publicly available information, information that's not associated with any specific person and aggregated information. Alright, so this is the most important question that we're going to ask and answer today is your business covered by the CCPA. If your business triggers any of the following three thresholds, the CCPA will apply to your business. So let's go through them. If your annual gross revenue is greater than 25 million, you're covered by the CCPA. If you annually collect and share the personal information of 50,000 or more California residents, you're covered by the CCPA. And finally, if your company makes 50% or more of its annual revenues from selling Californian's personal information, your business is covered by the CCPA. Now, there are a couple of provisions within the law where the CCPA could apply to your business even if you do not trigger any of these three thresholds.
So it's important to take a look at it. The first is a provision that deals with affiliates that share common branding. So how does that work? The CCPA applies to a company that controls or is controlled by a covered business and shares common branding. So what does this mean? Let's take Bank of America as an example. Bank of America clearly is covered by the CCPA and it has several subsidiaries that share the Bank of America branding. So each of these subsidiaries would be covered by the CCPA, even if that subsidiary does not trigger any of these three thresholds. Why? Because the subsidiary is controlled by Bank of America, which is a covered business and it shares common branding. Now the CCPA applies at least in part to service providers. And this is important in the event that your companies are deemed to be a service provider on behalf of a covered business.
So what's a service provider? It's a company that receives and processes personal information on behalf of a business. So each covered business has to enter into a written contract with each of its service providers that contains three main provisions. The service provider may not sell the personal information of any California resident service provider may not keep use or share any personal information of a California resident for any purpose other than performing the contract services. And finally, each service provider has to sign a written certification that it understands these restrictions and will comply with it. And finally, service providers are subject to the data protection provisions of the CCPA and if they fail to maintain appropriate security protections, they're liable for any data breaches.
Alright, so who's protected by the CCPA? And the general rule is any human being who's a resident of California is subject to the protections of this law. Now you have to protect the personal information of a California resident even if that resident may not be one of your customers. So for example, if a California resident browses your website and you collect there are cookies or IEP address, that's information that's protected under the CCPA. If you notice the name of this law is the California Consumer Privacy Act, but this is by no means a consumer law. The personal information of California residents who obtain business purpose mortgage loans and business purpose financial products and services from your company are protected under this law. One of the things I'd like to point out is that a lot of my clients really haven't focused on the fact that the CCPA protects the personal information of California residents who are job applicants, employees, officers, directors, and owners of a covered business.
So if your business is covered by the CCPA and you have a job applicant that's submitting an application to your business for employment, before you can accept that job application, you have to provide a special notice to that job applicant. So all employees, job applicants, directors, owners of your business also can exercise the right to delete and they're also protected under the data breach provisions of the CCPA beginning in January of 2021. All of the protections of the CCPA will apply to your job. Applicant's, employees, officers, records, and owners. Now beginning in January of 2021, the CCPA will also apply to business to business transactions and this is something that few people are really focusing on. So if you're a private lender and you engage in a transaction with another business, the personal information of any California residents that you collect who are employees or officers or directors of the other company are subject to the same protections as your own customers.
Alright, well now we're going to give you some compliance tips and we're going to start with notices and disclosures. And believe me, there are a lot of them and we're going to start with what I call a collection notice. So assume you have a loan originator who's on the phone taking an application from a borrower before the loan originator can collect any information, the loan originator has to give a special collection notice to the borrower. Now this notice is fairly straightforward, so you have to disclose the categories of personal information that your business will collect, the purposes for which your business will use that personal information. Then you need to give an internet privacy policy link and you need to give a link to the optout page in your website where the California resident can go and opt out of your selling their personal information.
Talk about opt-out notices. This is only required if your business sells personal information of California residents. If you do, you have to post a prominent link on the homepage of your website and the download page of any mobile apps that your company may have. The link has to use the words, do not sell my personal information. Then when the user clicks on that link, it needs to take them to the opt-out notice and to an opt-out page where the California resident can exercise their right to tell you not to sell their personal information. If you offer a financial incentive program like the example that I spoke about with Facebook, you have to describe that program, identify how your customers can opt in to the financial incentive program, inform them that they have the right to withdraw at any time, and then identify how the financial incentives relate to the value of the personal data that you want to retain and sell.
So if you're covered by the law, you have to create and post on your website a specific California privacy policy. And as you can see it's fairly detailed. You need to disclose all of the four rights that we talked about the right to know, to delete, to opt out, and the right to know discrimination. Then you're going to have to disclose the categories of personal information that your business has collected from all of its customers during the prior 12 months. And that includes the categories of sources of the information, the purposes for which you collected and sold the information, the categories of the personal information that your business sold or shared during the prior 12 months, and finally the categories of third parties to whom that personal information was sold or shared. Now you need to update this information every year and you need to post the date when your privacy policy was last updated.
Alright? You're going to get a lot of requests if you're covered and we're going to talk about responding to these requests. So whether you receive a request to know or a request to delete or request to opt out, you always have to give a California resident at least two methods for them to submit that request to you. If it's a request to know, at a minimum, you have to provide them with an intranet web form that they can complete and sent to you and a toll-free number. Now as you can see from this slide, there are specific time periods by which you need to confirm to the person making the request that you received the request, and then you also have to respond and provide answers to the request within specific time periods.
Now, I want to point out that when the CCPA was being drafted, there was a concern on the part of the business community that California consumers would start bombarding lenders with requests to know and requests to delete. It takes a lot of time to respond to these things, especially if you don't have very sophisticated systems that can automatically respond. And lenders were really concerned that they just wouldn't have the staff to be able to comply. So the lawmakers came up with a compromise and you're no longer required to respond more than twice in any 12 month period to a request to know or a request to delete to any single California resident. So this means that a California resident does not have the right to submit more than two requests to know or two requests to delete to your company. And if you can track the requests that come in from each of your customers, then you can simply send out a form denial letter and letting them know why. When the law was being drafted, the lawmakers were very concerned that imposters would take advantage of the request to know to try to get at the sensitive information of California residents such as a social security number, a security password, credit card numbers, and the like. So the CCPA specifically prohibits you from providing any of the sensitive information on this slide to a person that submits a request to know.
Now I'm not going to spend any time discussing this slide because the requirements for responding to a request to delete are really the same as the requirements for responding to a request to know. I will point out that when you get an opt-out request, you have to stop selling the personal information to the person making the OPTOUT request within 15 business days. Now, if you sell the personal information after you get the optout request, but before the end of the 15 business days, that's not a violation, but you have to send a written notice to each business to whom you sold that information and tell them that the customers opted out and they can't sell that information.
About halfway through the slide you'll see an entry for third party notices where it says that you need to send notice to third parties to whom you sold the personal information in the last 90 days. The California Attorney General who's responsible for drafting the regulations under this act still has only a draft regulation outstanding and they've issued two amendments to the first draft regulation and the other day they just deleted this requirement. And I wanted to point that out to you. I didn't have a chance to delete it, the slide before I posted it to the website. If a child or a guardian requests to opt in so that you can sell the child's information's two step opt-in process. So the child or guardian first has to make the opt-in request and then you have to set up verification procedures to ensure that the child or the guardian really intended to opt in. And once the child is opted in, you immediately have to send a written notice reminding them that they can opt out at any time.
Okay, so there are very detailed identification procedures that you need to employ, and I'm only going to cover some of the highlights here, but I'd point out that if your business maintains a password protected account with a California resident, you may verify the person's identity through your existing authentication procedures. However, if you don't maintain a password protected account, you'll be required to follow the verification requirements shown on this slide. So how does it work? The verification procedures vary depending on the type of request that you receive. So if you receive a request to know categories of personal information, then you have to match at least two data points provided by the person making the request with the personal information that you already have in your systems. On the other hand, if you receive a request to know specific pieces of personal information, you have to match at least three data points provided by the person making the request with the personal information that you have in your systems. You also have to require the person making the request to sign a declaration under penalty of perjury that that person is who they say they are. Now, if you receive a request to delete, the verification procedures will vary depending on the sensitivity of the personal information and the risk of harm to the consumer. So you'll want to use stricter verification procedures if you receive a request to delete some very important loan documents. But you could employ more lax procedures if you receive a request to delete, for example, a browsing history of the person.
I can't stress enough how long a runway it takes to create data inventories so you can comply with this law and you're going to have to work long hours if you haven't already done so with your IP professionals. This is probably the most difficult part of complying with this law is when you get a request, you have to respond and if you don't have the systems, you simply won't be able to do so. Alright, there are a number of exemptions from the CCPA and by far the most important of which is the Graham Leach Bliley exemption. And this is a big one. So personal information that's protected under the GLB Federal Privacy Rule is exempt from the CCPA. So the GLB Federal Privacy Rule protects all personal information that's collected from a consumer who applies for or obtains a consumer purpose financial product or service from a financial institution.
So what does this mean? It means that the following three categories of personal information are exempt from the CCPA. So it includes all of the personal information that a consumer gives a lender when applying for a consumer purpose mortgage and all of the personal information that a lender collects when making a consumer purpose mortgage loan. Finally, the personal information that a lender or servicer collects when servicing, modifying or foreclosing a consumer purpose mortgage. So I have a client who owns two separate mortgage companies. First mortgage company originates and services consumer mortgage loans, and the second business originates and services business purpose mortgages. So substantially all of the personal information that's collected and used and shared by the consumer mortgage lender is exempt from the CCPA. So it's a big deal. So if you make both consumer purpose mortgage loans and business purpose mortgage loans, you're going to have to comply with the CCPA if you're a covered business with respect to all of the personal information relating to the California residents who have a business purpose mortgage loan or other financial product or service.
But if you receive a request from a consumer who has a consumer mortgage loan, you can simply send them a letter saying, sorry, this information is not protected under the CCPA. There's one other exemption I want to talk about briefly. If you obtain a credit report on a borrower or a guarantor or a principal of one of your borrowers, that information is exempt from the CCPA and then any of the borrower information that you report to a credit bureau, that's also exempt as long as you comply with the requirements of the Fair Credit Reporting Act.
Alright, let's talk enforcement. The business community won a big battle here and the business community when the CCPA was being drafted was very concerned that California residents do not have a private right of action to sue businesses for each and every violation of the CCPA. And as we've discussed, this law is complicated. I only covered at a very high level what some of these requirements are and it takes an extensive amount of resources and time to comply with this. So it's a huge deal that the only private right of action that a California resident has is if there's a data breach because you did not adequately protect the data of a California resident. The California Attorney General has been charged with enforcing the CCPA and as I mentioned earlier, the attorney general is responsible for drafting regulations so we can all figure out how to comply with this act.
So there has since been three turns of the regulation that are still not final and the Attorney General has stated that the Attorney General's office will not bring enforcement actions until they finalize the regulations, which is kind of nice because no one knows how to comply at this point. If you do violate the CTPA, the attorney General will notify you and it can impose civil penalties of upwards of $2,500 for each unintentional violation and $7,500 for each intentional violation. There's actually a nice provision in the law that provides that if you cure a violation within 30 days of the attorney general notifying you that it thinks you've committed a violation, you won't be responsible for that violation. However, excuse me, many violations just really aren't subject to a cure. So if you didn't provide notice within the required time period or you didn't require, you didn't provide a notice at all, you didn't respond to a request, those violations simply aren't subject to a cure. So as you can see, there are a ton of responsibilities that you have under this act, and if you're a covered business, it's not farfetched to say that you could have hundreds of individual violations of the courts of the year and that could get quite expensive. So if you are a covered business, you really should have some very robust compliance programs in place.
I've been asked by a number of clients if there are any other states that have privacy initiatives and unfortunately there are a handful and they're identified on this slide. As you can see, Nevada just passed a new privacy law, which became effective in January of 2020. Alright, well, where do we go from here? As you can see, it's going to take a lot of effort and resources to build a reliable compliance program for the CCPA and just when you accomplish this goal, it's likely that California will have a brand new privacy law to contend with. Now, you would assume that Mr. McTaggart would be satisfied with his landmark legislation and unprecedented protections for California residents. However, Mr. McTaggart is concerned that the compromises that formed the CCPA resulted in a watered down privacy law. So as a result of these concerns, Mr. McTaggart filed a new ballot measure to enact what would be called the California Privacy Rights and Enforcement Act of 2020. This act would greatly expand the protections under the CCPA, and most importantly it would create a new California Privacy Protection Agency. And this would have the power to enforce the new act and to bring enforcement actions against businesses that violate the act. Now experts expect that Mr. McTaggart will be successful in bringing this legislation on the voting ballot and that California voters will approve the new law, which would be effective on January 1st, 2023. So stay tuned and we'll update you with any new developments.
Nema Daghbandan:
Alright, thank you for that, Tom. And right now we're going to go ahead and open up the floor for any questions. Again, at the bottom of everyone's screen, there is a Q&A box. So feel free to insert a question, happy to answer any that people have here. Please do not insert it into a chat box, but instead actually use the Q&A box as it's a little bit more challenging to navigate that chat box versus the Q&A. All right,
Tom Hajda:
So I don't see any open questions now.
Nema Daghbandan:
No. Perfect. Yeah, so we'll give it another minute here for anyone that's got any questions. Otherwise we can conclude. And just a friendly reminder, we will be sending out an email shortly after this presentation. It will give you access to this webinar, which will be available for anyone. Alright, we did have a few questions hop in, so go ahead and feel free to pick apart there, Tom.
Tom Hajda:
Alright, so let's see here. Is this all about California law? If I understand the question, this is a specific California law and it protects California residents if you are a covered business. Now, there are other states who have enacted and they're starting to enact new privacy legislation. Many of them are similar to this law and once they finalize those bills and pass them, we'll jump on it and we'll give you some answers there. Okay. Can you clarify if the law applies to business purpose loans? The answer is yes. And as I just discussed, if you make consumer purpose mortgage loans, you have responsibilities under the Graham Leach Bliley Federal Privacy Rule. But the personal information of California residents who have consumer mortgage loans, that is not covered by the CCPA, but if you make a business purpose mortgage loan to a California resident, then that business purpose mortgage loan is covered by the CCPA if your business is covered.
Let's see. Any idea about Miami, Florida? I'm not sure what this question. If your business is based in Miami and you have California residents who are business purpose mortgage loan borrowers and your business is covered by the CCPA, then you would in fact have to comply with it. So it doesn't matter where your business is located, if you exceed or trigger any of the three thresholds that we talked about, then you would be subject to the CCPA with respect to any California resident who's a customer. Please describe the data security components of the CCPA. Alright, the law doesn't say much. It simply says that you have to establish reasonable security procedures to protect the private data of California residents. And if you're negligent in setting up an appropriate security process and someone hacks into and obtains the personal information of a California resident, then you are subject to not only penalties from the California Attorney General, but California residents can sue you individually. Any idea about Miami Florida law? To the best of my knowledge, Florida has not enacted any new privacy legislation in the last year.
There are questions about if I'm not a covered broker and we don't sell information, how does this apply to me? So if you're not covered, then generally the CCPA will not apply to you at all. But remember, if you're deemed to be a service provider to a covered business and you provide operational services for another business, then you can only use the information about California residents that you receive for purposes of providing those contract services and you're not permitted to sell any of the personal information of California resident. Here's the question, is your email marketing list a part of this as email was considered personal information? That's correct. If you're a covered business and you have the email address of your California residents who are customers, that's deemed to be protected personal information.
Okay? You make a business purpose loan to an LLC and the principal guarantees the loan, is the privacy act triggered because the principal is guaranteeing the loan personally? Alright, so let's assume that your business is a covered business because you've exceeded one of the three thresholds. And let's say that when you're making a loan to an entity and the principal guarantees the loan, if the principal is a California resident, then all of the specific personal information and all of the categories of personal information that you collect and use and share and sell are protected by the law.
So I have less than 25 million in sales. We broker QM loans and do private business purpose loans with investors. Does this apply to our business? So if you have gross revenues that are less than 25 million, then you don't meet that threshold. If you don't collect or share the personal information of 50,000 or more California residents, then I think you're clear. And the California Consumer Privacy Act would not apply to you. Do we need to clear our databases so that we don't have more than 50,000 leads? So if these leads relate only to California residents, that's a great question. So if you're collecting the personal information, which includes some lead information or 50,000 or more California residents, that applies on an annual basis, right? So it talks about if you collect or share the personal information of 50,000 or more California residents a year. So if this is cumulative, you really need to look at how much information you're collecting and using and sharing on an annual basis. If you do clear your database and then you get 50,000 new leads from California residents, then it would again apply to you that next year.
What if your marketing list is mainly other brokers and their info on the web anyway? That's a great question. So in 2020, if the personal information about California residents is mainly business partners, that personal information won't be protected by the CCPA until 2021. Alright? But if you otherwise are a covered business, then the personal information about California residents who are your customers would be protected. So you're asking what if the information is on the web anyway? Under this version of the CCPA, public information is information that you can lawfully use that's generally available. And so there's a really good argument there that this information is publicly available and it's not otherwise subject to protections under the CCPA. Ok, I think that's it!
Nema Daghbandan:
Alright everyone, well thank you for attending here. Just looking forward to - hoping that all of you are safe and that your families are safe and your businesses are doing well despite the crazy world around us. Alright, take care everyone.