Banking Compliance: Adapting to the California Data Privacy Law - Identity Review | Global Tech Think Tank

The last several decades have given rise to an era of rapid digital evolution, and at the very epicenter of this is the California Data Privacy Law – the regulations for the home state of Silicon Valley. While the technological advancement spanning from the Valley has awarded us unprecedented access to valuable and personalized resources that have made daily life more efficient, it has also given rise to major concerns surrounding the security of the same personal data we hand over to receive such personalized experiences. California has responded to this mounting public concern by taking active steps toward safeguarding the privacy of its residents through the California Data Privacy Law, the California Consumer Privacy Act (CCPA).

The CCPA was enacted in 2018 under the former California Governor, Jerry Brown, to protect consumer data and grant individuals greater control over their personal information. At the start of this year, 2023, the California Privacy Rights Act (CPRA) took the previous legislation to the next level, setting the standard for the strongest privacy law in the United States to date. For banking institutions, compliance with this law remains instrumental in maintaining trust, safeguarding customer data, and adapting to an ever-evolving regulatory landscape.

What is the California Data Privacy Law?

The California Consumer Privacy Act, which came into effect on January 1, 2020, is a comprehensive data privacy law that establishes new rights and obligations for businesses that handle consumer data. This legislation gives California residents the right to know what personal information is being collected about them, to access and request deletion of their data, and to opt out of the sale of their information under any circumstances.

For banks and financial institutions, compliance with the CCPA requires proactive measures to maintain and ensure the privacy and security of customer data. In fact, this law requires banks to disclose their data collection practices, the purpose for which the data is used, and any third parties with whom the data is shared. In addition, they must allow customers the ability to exercise their rights and comply with any requests for data access or deletion.

An Overview of the California Privacy Rights Act (CPRA)

Dubbed “CCPA 2.0”, the CPRA took effect on January 1, 2023. The CPRA amends and expands the CCPA, giving Californians even more control over their data through the following rights (presented along with their implications for the financial sector):

  1. Right to correct their own information as necessary
  2. Right to limit sensitive personal information: Accordingly, customers of financial organizations and other businesses have the right to limit the use of their sensitive personal information (SPI) to a narrow set of purposes that have been prescribed in the regulations.
  3. Right to access information about and opt-out of automated decision-making: Regulations provide consumers with the opportunity to request comprehensive information about the decision-making processes within an organization. In the growing age of AI, there is also an amendment to opt out of any decisions being made without any human intervention.
  4. Right to opt out of sharing: The CPRA expands on the CCPA’s right to opt out of selling or sharing consumers’ personal information (including with a third party for cross-context behavioral advertising).
  5. Right to delete: It is crucial for businesses operating in the finance sector to acknowledge the substantial consumer right to request the deletion of their personal data. Furthermore, these companies are obligated to inform any third parties with whom they have shared personal information about the consumer’s request for data deletion. Moreover, financial organizations are required to provide their customers with clear information regarding the retention period for their personal data. Once this designated duration has passed, the organizations must securely dispose of the data in question.

While the CCPA primarily focuses on businesses that handle consumer data, including banks, the CPRA also provides exemptions for financial institutions in certain circumstances. These exemptions apply to certain types of personal information collected and processed by financial institutions for specific purposes related to their core functions, such as providing financial services, conducting credit checks, and preventing fraud. However, these exemptions are not absolute, and financial institutions are still subject to various privacy and data protection obligations under federal laws like the GLBA. As technologies continue to evolve, so will data protection law, meaning it is crucial for banks to review specific provisions and consult legal counsel to maintain compliance with both federal and state data privacy laws.

The Cruciality of Bank Compliance with the California Data Privacy Law

Banks control personal and financial data of the most sensitive nature. Financial institutions that do not comply with the California Data Privacy Law requirements will be subject to penalties, with intentional or willful violations carrying fines of up to $7,500. In cases where violations are unintentional, the organization may face fines of $2,500. Additionally, consumers have the right to seek compensation for damages, with amounts ranging from a minimum of $100 to a maximum of $750 per consumer per incident.

The potential impact on the finance sector resulting from a prominent financial institution being charged with non-compliance underscores the significance of prioritizing adherence to the California Data Privacy Law. It is imperative for financial institutions to prioritize compliance with these regulations to maintain the integrity and reputation of the sector.

Banking Best Practices for the California Data Privacy Law

In order to uphold the requirements of the California Data Privacy Law, banking institutions must proactively safeguard their customers and adopt best practices in data protection protocol. Here are some key considerations for adapting banking operations:

1. Data Mapping and Inventory

Banks need to conduct a comprehensive assessment of the personal data they collect, where it is stored, how it is used, and who has access to it. Creating a data inventory and maintaining accurate records can help streamline compliance efforts and facilitate data access and deletion requests.

2. Privacy Notices and Consent

Transparency is paramount under the CCPA. Banks must update their privacy policies to provide clear and concise information about the types of data collected, the purposes of processing, and the rights of consumers. Consent mechanisms should be implemented to ensure customers have a choice in how their data is used and shared.

3. Data Protection Measures

Implementing robust security measures is crucial to safeguard customer information. Banks should adopt industry-standard encryption protocols, secure data storage systems, and access controls to prevent unauthorized access to sensitive data. Regular security audits and employee training programs can help maintain a culture of data protection within the organization.

4. Third-Party Vendors

It is common for banks to work with third-party vendors to provide various services. This requires due diligence when selecting vendors and establishing contractual agreements that address data privacy and security obligations. Banks should also monitor vendor compliance and ensure that appropriate safeguards are in place to protect customer data.

5. Incident Response and Breach Notification

Despite robust security measures, data breaches can occur. Banks must develop and enforce incident response plans to mitigate the impact of any data breach. In addition, prompt notification of affected individuals and relevant authorities is a critical step in managing these data breaches and complying with the CCPA.


Identity Review is a digital think tank dedicated to working with governments, financial institutions and technology leaders on advancing digital transformation, with a focus on privacy, identity, and security.
