The Silent but Significant Shift that CCPA Has Created for the Small-dollar Lending Space


Did you notice the CCPA publication that the California AG published on June 1, 2020? Amid the pandemic, the excitement that comes with summer, and figuring out the evolving childcare situation for the summer, this publication didn’t seem all that interesting to me. I then read it, analyzed it, and I have to admit that my jaw dropped several times.

In case you are confused, CCPA took effect on Jan 1, 2020, with enforcement starting on July 1, 2020. On June 1, 2020, a number of clarifications were published, and we have 60-90 days before we know if the changes will be filed and become enforceable by law.

The proposed changes elevate the data privacy bar in the small-dollar lending space, and Chief Compliance Officers need to take notice. Simply put, they call for Compliance to build a stronger relationship with Product Managers, Software Development, Data Analytics, Call Center, and Information Security teams.

At a high level, these are the major areas that Chief Compliance Officers of small-dollar lenders need to be paying attention to:

  1. Customer-facing disclosures on the website and loan application
  2. Specific onboarding and monitoring due diligence requirements with lead providers
  3. Consumer-facing disclosures needing to be accessible to consumers with disabilities
  4. Clearer messaging on how your company will be processing consumer requests
  5. Annual tracking of customer records volume and consumer requests reporting
  6. Expansion of your CMS, to update required corporate record-keeping and monitoring and testing of your CCPA compliance program
  7. Adjustment of data gathering processes for data test trials with data vendors

Let’s dive one level deeper for each of these major areas:

Customer-facing disclosures on the website and loan application

The customer-facing disclosures on the website and loan application are in place to provide consumers with information about your data management practices before they start to complete the loan application. This won’t be satisfied by simply dropping a link to your Privacy Notice. It requires revisiting the customer loan application flow and the messaging on your Privacy Notice. The messaging requirements explicitly require that disclosures use “plain, straightforward language and avoid technical or legal jargon”. This requirement places Chief Compliance Officers in a very uncomfortable position, because the norm so far has been to create a bullet-proof Privacy Notice with so much legal jargon that consumers oftentimes do not read it because it is difficult to understand.

Specific onboarding and monitoring due diligence requirements with lead providers

The new 3rd party vendor onboarding and monitoring due diligence requirements have been elevated, with special attention needing to be placed on lead providers. The CCPA has very specific requirements around customer-facing disclosures and online consumer request intake capabilities, and it prohibits the collection, use, or disclosure of consumer personal information if specific marks are not being met. For the lender, this means that the new vendor due diligence questionnaires and response assessment need to be refreshed with specific check-point items. The ongoing monitoring for lead providers will also need to be refreshed, to ensure that requirements continue to be met during the partnership. Inevitably, a comprehensive review of your agreements with lead providers will need to be undertaken; a painful, but necessary measure to meet your obligations under California law. If your Vendor Management Program is already messy and slowing down the contract negotiation process, it needs to be optimized and refreshed in 2020. By nature, the check-point items for lenders and lead providers are “PUBLIC-FACING” on the web, and any actions against a lead provider may invite scrutiny of the lender.

Consumer-facing disclosures needing to be accessible to consumers with disabilities

Consumer-facing disclosures need to be accessible to consumers with disabilities. This calls for a review of your customer-facing web properties, to make sure that specific notices are reasonably accessible to consumers with disabilities.

Clearer messaging on how you will be processing consumer requests

Clearer messaging needs to be provided to consumers as soon as they submit a consumer request. These consumer requests include the right to know, the right to delete, the right to data sell opt-outs, and the right to non-discrimination. Requests to know, requests to delete, and requests for a data sell opt-out need to return specific messaging to the consumer on what they can expect to happen next. Long gone are the days when an online lender could return a generic “We are processing your request.” CCPA requires that the submission of a consumer request be followed with a description of the lender’s consumer verification process and when the consumer can expect a response. When a consumer verification fails, additional messaging needs to be provided to communicate this to the consumer, and in some cases, provide additional disclosures. And if a request to delete cannot be honored (i.e., because of record-keeping requirements), the lender needs to communicate that, along with the reason for the denial.

Annual tracking of customer records volume and consumer requests reporting

Online lenders will need to formally track the volume of customer records they hold and, in some cases, publish specific metrics on their Privacy Policy on an annual basis. These metrics include the number of consumer requests received by the business, the number denied, and the mean (or median) number of days that it took the lender to process the consumer requests.

Expansion of your CMS, to update required corporate record-keeping and monitoring and testing of your CCPA compliance programs

Online lenders will need to expand existing CMS Monitoring and Testing Programs to ensure that the CCPA disclosures and business processes remain intact at all times. This means added test cases for front-end testing, ongoing monitoring to ensure that the consumer request intake and processing mechanisms remain functional, and retention of the required record-keeping on compliance files.

Adjustment of data gathering processes for data test trials with data vendors

The data analytics teams powering these online lenders will need to update their data vendor testing processes, to ensure that consumers who exercised their rights are excluded from data test trials with data vendors. The online lenders are able to provide innovative financial products to consumers because of their top-notch data analytics teams that are diligently optimizing credit models. Credit models are optimized with traditional consumer reports and non-traditional consumer data reporting. This appetite for improved predictability capabilities has unlocked services for the everyday consumer, and also expanded the data vendor market. The data vendors and online lenders have an incentive to work together and perform data tests to determine if a partnership will lead to enhanced predictability and fraud control. This means that consumer data shared during these data testing trials needs to be scrubbed to exclude consumer records where a data deletion or data sell opt-out request has been processed by the lender.

The CCPA has created a significant shift for the small-dollar lending space. The COVID-19 pandemic has eliminated traditional gatherings where Chief Compliance Officers can gather and better understand these CCPA changes. If any of these points caught you by surprise, please spend 30 minutes to think through how you want to handle this for your company. Don’t panic if you don’t have a robust plan to address these CCPA changes. Instead, notify your executive team that CCPA compliance needs to be added to the 2020 roadmap. The CyberSecurityBase team is providing small-dollar online lenders with a complimentary CCPA Regulatory Action Exposure Assessment. If you are interested in learning more, please get in touch with a member of the team.

Rocio Baeza

An information security compliance professional specializing in the FinTech space. She has over 12 years of experience in the online payday lending industry and tech startup culture. Rocio enjoys listening to podcasts and bicycling with her family.