Banks that are warily eyeing Europe’s new data privacy rules may also want to pay attention to what’s happening at the ballot box in California.
A first-in-the-nation proposal that is expected to go before California voters in November would give the state’s 39 million residents greater control over the dissemination of their personal data.
Tech companies and telecommunications firms have joined banks and credit unions in opposition to the measure, which they argue would hurt the state’s business climate. Meanwhile, supporters of the ballot initiative hope to tap into the popular backlash against Facebook and other Silicon Valley firms that rely financially on the sale of personal data.
“We believe that there’s a lot of anger and unhappiness toward the abuse of our private information,” said Robert Holober, executive director of the Consumer Federation of California.
The California proposal has drawn comparisons to the European Union’s General Data Protection Regulation, since both schemes seek to regulate the use of consumer data.
The ballot initiative could have national implications, since California has a reputation as a trendsetter in the area of consumer privacy. California was the first U.S. state to pass a law requiring companies to notify their customers about security breaches, and 16 years later, every state has a data breach law.
The proposal under consideration this year would allow Californians to opt out of the sale of their personal information by specific firms. It would also enable the state’s residents to sue businesses under certain circumstances — if, for example, a company failed to implement reasonable security procedures and subsequently suffered a data breach — and to collect $1,000 per violation.
Additionally, the ballot initiative, dubbed the California Consumer Privacy Act, would give consumers the right to know when a business sells or discloses their information for a business purpose.
The proposal includes an exemption for banks and other small businesses that collect less than $50 million in annual revenue and meet certain other standards. Many smaller banks and credit unions with less than $1 billion of assets would probably qualify for the exemption, but nearly all banks above that threshold surpassed $50 million of revenue last year, according to a review of Federal Deposit Insurance Corp. data.
Whether the measure would pose a major headache for affected businesses, or a smaller challenge, will be the subject of a fierce campaign debate over the next several months.
“I think it could create a massive compliance burden,” argued Nate Taylor, a lawyer at Morrison & Foerster who advises companies on cybersecurity issues.
Taylor said that if the proposal becomes law, affected banks will have to compile a tally of every company to whom they disclose information about a California customer for business purposes.
“That list is likely to be significant in number and detail, including because the list would have to include the name and contact information for each recipient,” he said.
Banks that operate in California would either have to create a separate process for handling the personal data of the state’s residents, who make up about 12% of the U.S. population, or apply the Golden State standards nationwide.
The initiative’s supporters argue that businesses have an incentive to exaggerate the size of the potential compliance burden.
Holober said that banks offered similarly dire warnings about the consequences of the California Financial Information Privacy Act of 2003, which requires financial institutions to obtain written consent prior to sharing a consumer’s information with outside entities. “We hear the same Chicken Little, the-sky-is-falling argument every time,” he said.
Californians for Consumer Privacy, the group that is spearheading the ballot measure, says that it has submitted 625,000 signatures to state officials, more than enough to qualify for the Nov. 6 ballot. The measure is expected to be certified by the secretary of state’s office next month.
Richard Arney, a financial industry executive, is one of the organizers of Californians for Consumer Privacy. He is the father of three children, and said that he wants to prevent his kids’ personal data from falling into the wrong hands online.
Arney argued that the law would impose only a minor burden on banks and other affected companies.
“I’m a business person,” said Arney, a former executive at Barclays and BlackRock who currently serves as independent chairman of the governing board for LendingClub Asset Management. “I think this is just a very commonsense way to approach a serious problem.”
Arney also contended that by enacting stronger privacy standards, companies stand to reap benefits with consumers. “Frankly, it’s probably good business to do it,” he said.
That argument may be a tough sell with banks, which already operate under stricter data-security rules than many other businesses, including retailers. “We do have very high standards, some of the highest for any industry,” said Beth Mills, a spokeswoman for the California Bankers Association.
The California Bankers Association, the California Community Banking Network and the California Credit Union League are all part of a business coalition that is fighting the ballot measure. Other members of the group include Google, AT&T and Comcast.