    B2B lenders: What you need to know about the CCPA amendments

    Recently, the California Assembly passed a number of amendments to the California Consumer Privacy Act (CCPA) that reduce the requirements for B2B lenders operating with customers located in California.

    Although the amendment excludes the application of certain sections of the CCPA for B2B transactions until January 1, 2021, it is important to understand that B2B lenders are not fully exempt from the law. A number of provisions of the CCPA become effective on January 1, 2020, and still apply. These include:

    • A California consumer may direct a B2B business not to sell their personal information to third parties. (This is known as the right to opt-out.)
    • A B2B business may not discriminate (e.g., offer products or services, increase prices, etc.) against a consumer that has exercised their rights under the CCPA.
    • A consumer whose nonencrypted or nonredacted personal information is subject to any unauthorized access and exfiltration, theft or disclosure as a result of a B2B business’s violation of its duty to implement and maintain reasonable security procedures and practices may institute a civil action against the B2B lender for any of the following:
      • To recover damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater
      • Injunctive or declaratory relief
      • Any other relief the court deems proper
    • The California Attorney General may bring enforcement actions against B2B lenders and businesses (but not until after July 1, 2020, which is the same for all other businesses subject to the CCPA).

    Remember, the CCPA applies only to businesses that collect the “personal information” of any resident of California and that meet one of the following three thresholds:

    (A) It has annual gross revenues in excess of $25 million.

    (B) It annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices.

    (C) It derives 50 percent or more of its annual revenues from selling consumers’ personal information.

    For more information about the CCPA, read this in-depth article.
