The Changing Rules of Data Privacy

The changing landscape of data privacy—and how your firm can keep pace.

Aug 7, 2020 - Over the past few years, financial service firms have dramatically expanded the amount of data they collect, relying on customer information as a way to identify new opportunities and grow. While leveraging technology, there is theoretically no limit to the amount of personal data that can be accessed, stored, and even shared. But just as that information is valuable to helping businesses grow, it is also valuable to cyber-thieves. And this vulnerability is potentially greater for some firms due to COVID-19, which has forced many financial professionals to work from home, where cybersecurity processes may not be as stringent as in the office.¹

A data breach can not only lead to stress and financial hardship for your clients, it can also cause them to lose trust in your firm and even discontinue their relationship with you. (See a previous blog on this topic.) As a result, a new wave of data privacy laws has emerged to establish limits on the personal data that businesses collect while giving individuals more control over how their personal data is used.

An Evolving Data Privacy Landscape

In May 2018, the European Union (EU) released the General Data Protection Regulation (GDPR), aimed at protecting consumer and personal data across EU nations. The GDPR created strong penalties for non-compliance, including for U.S. companies operating in the EU. In addition, some U.S. states have introduced their own data privacy regulations.² Most notably, the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, creating new consumer rights related to the access, deletion, and sharing of personal information collected by businesses. The CCPA also imposed new requirements that businesses “establish procedures to facilitate consumers’ new rights.”³ The CCPA’s requirements overlap with many of the other state privacy laws, often making it confusing to navigate your clients’ data privacy rights and expectations. (As of early 2020, more than half the states in the U.S. have some form of data privacy legislation underway.)

Here are several key takeaways about the new regulations. Some of these factors will likely be addressed at the firm level, but all financial professionals should understand the key principles.

1. The New Rules of Data Privacy

Data privacy regulations increase transparency in terms of how a business collects personally identifiable information (PII), and they give consumers more control over that information. In general, the definition of PII continues to expand, and it now includes anything that is reasonably linked to an individual, either directly or indirectly. For example, if your clients visit your firm’s website, their computers’ internet protocol addresses are considered PII. If you keep a file with a clients’ birthdays, anniversaries, or children’s names, that’s PII. It is important to understand the expanded definition of PII and the rights it encompasses, because the rights of your clients and your firm’s obligations are tied to those rights.

New regulations also create new data privacy rights for individuals. For example, under the CCPA, Californians have the right to know which of their personal data a business has collected, shared, or sold. They also have the right to request that a business stop selling their personal data—and even delete it. If your client exercises any of those rights, you'll have to respond within a time-sensitive deadline that, when missed, can hold harsh violations. Consider that certain violations under the CCPA are enforceable through civil penalties of $2,500 per violation, or up to $7,500 per intentional violation.⁴ For that reason, many firms are now creating an inventory of personal data to help quickly respond to requests.

2. Rethinking Physical and Electronic Security

Data privacy laws also impose new obligations in terms of the physical and electronic security of personal data. Under new data privacy laws, businesses need to determine whether their security is reasonable for the nature of the information protected and, whether some additional personal data collected now falls within the new definition of personal data, such as client anniversaries, interests, and hobbies. Do not forget, data protection violations are also severe. Under the CCPA, a data breach could subject a firm to significant monetary damages, some calculated on a per-record, per-incident basis.⁴

3. Preparing for Client Questions—Before They Come In

Expect your clients to ask questions about their data privacy rights and be prepared to talk through your firm’s privacy practices. Discussions with your clients about the privacy of their personal data will absolutely impact their trust in you and your firm. Being able to talk about your clients’ data privacy rights and your firm’s privacy policy signals to your clients that their personal data is in good hands—and less likely to be in the next headline.

We live in an increasingly digital world. Personal data creates new opportunities for firms to better serve their clients, and it also creates new vulnerabilities. Staying on top of changing regulations regarding data privacy and taking proactive steps to protect clients will help firms differentiate themselves. As with all the financial services you offer, data protection is one more way to help your clients sleep better at night.

The information provided on this website does not, and is not intended to, constitute financial or legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.

¹ Karen Demasters, “Cybersecurity Breaches Threaten Advisors Who Work from Home,” Financial Advisor, April 1, 2020.
² “2019 Consumer Data Privacy Legislation,” NCSL.com, Jan. 3, 2020.
³ “California Consumer Privacy Act (CCPA),” OAG.CA.gov, accessed June 22, 2020.
⁴ “California Consumer Privacy Act of 2018 [1798.100 - 1798.199],” California Legislative Information, Leginfo.legislature.ca.gov, accessed June 22, 2020.

CSC-0622-2227174-INV-E