Online Lenders: Have Your Compliance Team Run These CCPA Front-End Checks Before the July 1 Enforcement Date
The California Attorney General has authority to enforce the CCPA starting on July 1, 2020. As the Chief Compliance Officer, you very likely had CCPA top of mind from Oct ’19 to Jan ’20. The turn of the year shifted your attention to other matters, and COVID certainly disrupted things. In the next 30 days, we urge you to carve out half a day with your team to perform sanity checks of your website and tighten up any loose ends that can invite scrutiny for enforcement action.
CCPA is a little different because it calls for several changes that are “visible” to the public. The front-end changes alone are available online, and a 3-minute scan of your website will reveal potential CCPA compliance issues. Any regulator, privacy-minded consumer, or auditor can spot these before engaging with your company on a possible CCPA violation.
Below is a list of the 3 CCPA front-end checks that your team must perform before July. Keep in mind that this is not a comprehensive list. A correct CCPA implementation needs collaboration across Legal, Compliance, Operations, Software Development, and Security. However, this is a good baseline for online lenders lending to consumers.
Top 3 CCPA Front-End Checks to Perform Before July 1:
- The Do Not Sell My Data Banner is available from the homepage. This link should be present and functional. Of course, if you don’t sell or share data, your Legal Counsel may have determined that this requirement does not apply and that the banner is therefore not necessary.
- CCPA disclosures need to be available to California consumers. This means that they need to be embedded into your loan application screen flow, Privacy Policy, and/or Terms and Conditions.
- The online form to accept verifiable consumer requests is available from your website. This online form should be available, accessible, and functional.
Take 15-30 minutes to check that these 3 items are satisfied in production. Should these not be in place, any regulator, privacy-minded consumer, or auditor may make a reasonable assumption that you are not complying with the CCPA.
Keep an eye out for our next post, which will cover the list of checks for handling verifiable consumer requests.