
California Consumer Protection Act (CCPA) and its impact for Financial Services companies. Are you prepared?

Created at August 12th, 2019

Data governance remains key to continued responsible use of data and to engender trust in your brand. This trust has been a differentiator for Financial Services companies and is more important than ever.

With less than five months before CCPA goes into effect, Acxiom is actively engaging with our Financial Services clients to help them prepare, or at a minimum, ensure they have a plan to be ready by the January 2020 deadline. As we get closer to the deadline, we see Financial Services companies at various stages in their preparation. However, even the most prepared organizations still have a lot of work to do to be ready by January. And pending regulations from the attorney general, as well as the outcome of various amendments, may impact plans and timelines.

Financial Services companies have many questions related to the pending regulation and what steps they need to take. While this short list is not all-inclusive, some of the key questions we have received include:

  • FCRA Exemption – while most data contained in a consumer report is covered under the exemption, some header data, and any demographic data that may come along with the report, may not be exempt.  Also, if you receive de-identified credit data from a bureau or a third party working as an agent of the bureau for purposes of analysis or audience selection, an obligation to report may be triggered when the final audience is selected and personally identifiable information (PII) is provided.  In both cases, it might be worth doing another review to make sure the exemption is being appropriately applied in your organization. 
  • Anonymous/pseudonymous data – just because data has been de-identified does not necessarily exclude it from being reported under CCPA.  There is an expectation that de-identified data cannot be reasonably re-identified.  This expectation can easily shift into a highly technical conversation about infrastructure and access.  This is another area where it might make sense to do some further analysis and discussion.  
  • Identity authentication when a consumer makes a request – CCPA requires verification and authentication of consumers before providing access to their individual data.  Does your organization have a reliable way to verify and authenticate a consumer during the access request process?
  • Fulfilling a consumer request – most clients are in the process of building a portal to handle consumer requests. Many are facing the challenge of consolidating a consumer’s information across multiple data platforms. As an example, a client may house its CRM system internally but outsource its prospect database. In some cases, consumers may be identified differently depending on where the data is stored. As an example, the CRM database may use an identity graph that assigns a unique consumer identifier and the prospect database may be name and postal based. In your plans for aggregating data across platforms, be sure to include a step to resolve these potential differences.

Granted, everyone is waiting for the regulations to be issued by the California attorney general and for the amendment process to run its course. While these regulations and amendments may alter some implementation specifics, the overall requirements to identify and organize your data are not expected to change. Given the sheer amount of planning and work that needs to be done, it is important to take action now.

The good news? Regardless of which stage of planning your organization is in, Acxiom is here to help. Acxiom has developed a series of CCPA solutions that provide Financial Services companies with critical insight and services designed to ensure they are prepared to comply with upcoming new regulations. These services range from briefing sessions to compliance workshops to in-depth regulatory impact assessments, and more.

To learn more about Acxiom’s view on CCPA and solutions designed specifically for Financial Services clients, visit