BPI Comments on California Privacy Protection Agency Implementation of the California Consumer Privacy Act

To Whom it May Concern:

The Bank Policy Institute[1] appreciates the opportunity to submit comments to the California Privacy Protection Agency on proposed regulations implementing the California Consumer Privacy Act, as amended by the California Privacy Rights Act.[2]

Executive Summary

BPI members are committed to promoting robust privacy protections for California consumers within the parameters set out by the CCPA. BPI’s members are financial institutions that have invested significant time and resources into building data protection and information security compliance systems that align with federal and state financial privacy laws.

Drawing on the experience of its members operationalizing privacy and security safeguards for their customers, BPI has carefully considered the Proposed Regulations, which reflect nearly 70-pages of detailed requirements that build on, and in some cases impose new requirements that go beyond, statutory protections.

While we support aspects of the Proposed Regulations, we recommend through this letter certain amendments, including to ensure consistency with the statutory text and other federal and state privacy and consumer protection frameworks. We also have identified several areas of the Proposed Regulations where prescriptive requirements limit flexibility for businesses that are subject to multiple privacy frameworks, which may lead to consumer confusion rather than provide consumers greater clarity, as we presume was intended. The Proposed Regulations should focus on incentivizing businesses to better protect consumers, without detailed technical requirements with no tangible consumer benefit that could serve to distract businesses from focusing on core protections. In addition, we identify proposed requirements that potentially undermine the privacy aims of the statutory framework by requiring businesses to obtain and maintain more information about consumers than they otherwise would or by making it more challenging for businesses to safeguard consumers against identity theft and other data security risks.

To read the full comment letter, click here, or click on the download button below.

[1] BPI is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s bank originated small business loans and are an engine for financial innovation and economic growth.

[2] Cal. Civ. Code § 1798.100 et seq.