Data Aggregators at Risk Under New California Privacy Law

Aug 10, 2020

The California Consumer Privacy Act (“CCPA”), passed by California lawmakers on June 28, 2018, provides some of the most comprehensive protections for consumers over their personal information. The CCPA officially went into effect on January 1, 2020, and provides for the following, among other things:

  • Businesses that collect consumers’ personal information must disclose “at or before the point of collection” the categories of personal information collected and the purpose for the collection. A business may not collect additional categories of information, or use information for a purpose other than the one disclosed;

  • If a consumer requests a copy of the information collected about them, the business must provide it free of charge;

  • A consumer can request that a business delete the information collected about them;

  • A consumer can request certain details about the information collected from them and sold to other businesses;

  • Businesses that sell personal information about consumers must provide a right to opt out; and

  • Businesses cannot discriminate against a consumer for enforcing their CCPA rights.

See Cal. Civ. Code § 1798.100, et seq. Not all businesses are required to comply with the CCPA. Rather, the CCPA only applies to: (1) businesses with at least $25 million in annual gross revenues; (2) businesses that buy, receive, sell, or share the personal information of more than 50,000 consumers annually; or (3) businesses that derive 50 percent of annual revenues from selling consumers’ personal information. See Cal. Civ. Code § 1798.140(c)(1)(A)-(C).

As noted above, the CCPA provides for sweeping changes compared to laws already in existence in the United States to protect consumers’ data. As a result, many businesses did not believe they would be CCPA compliant by the January 1, 2020 enforcement deadline given the extensive changes they would need to implement to their existing business practices. For example, according to security software company Egress, 52% of businesses believed they would not be compliant with the CCPA until after the law took effect. Moreover, 13% believed they would not be compliant until after 2020 and 12% had no intention of being CCPA compliant at all.

The costs of non-compliance can be quite significant. The CCPA provides for $2,500 for each violation and $7,500 for each intentional violation. See Cal. Civ. Code § 1798.155(b). Moreover, several businesses have faced class action lawsuits as a result of their non-compliance with the CCPA.

This risk is especially potent for data aggregators, who primarily earn a profit through collecting and selling consumers’ personal information. Most data aggregators collect personal information through several data points, and some do so inconspicuously. For example, data aggregator Plaid Inc. (“Plaid”), now owned by Visa, collects data on consumers’ financial transactions by partnering with third-party applications such as Venmo and Cash App. When a user connects their bank account through Venmo’s or Cash App’s instant-verification process, the user is actually interacting with Plaid, which then collects all the data available through the consumer’s bank account, including transaction records. In a class action lawsuit filed against Plaid, plaintiffs allege the company did so in direct violation of the CCPA by failing to provide necessary disclosures.

Plaid is not alone. Several other data aggregators engage in the same conduct, i.e., collecting data on consumers without their knowledge. Some data aggregators even partner directly with financial institutions, allowing them to collect data directly from consumers’ banking records without providing explicit disclosures. With the enactment of the CCPA, it is highly likely these businesses will continue to face increased scrutiny, either through the California Attorney General or privately through class action lawsuits.

If you use a mobile payment service, such as PayPal, or online banking applications through your financial institution, your data may have been collected and sold by data aggregators without your knowledge. Please contact us via email at investigations@lowey.com or phone at (914) 733-7201 for more information.