California Consumer Privacy Act (CCPA). Why Is It as Important for Financial Companies as GDPR? Is There a Conflict with AML Rules?

The California Consumer Privacy Act (CCPA) was signed on June 28, 2018, and came into legal effect on January 1, 2020. 

What companies does it apply to?

CCPA applies to every company, irrespective of jurisdiction, that:
  • Does business in the state of California or with California residents.
  • Generates over $25 million in revenue per year.
  • Buys, receives or sells the personal information of 50,000 or more California residents, or derives more than 50% of its annual revenue from selling California residents’ personal information.

What are the possible implications?

Companies violating the CCPA rules face fines of up to $7,500 per breach. According to a CNBC article, rough estimates put the cost of compliance at $50,000 for companies with fewer than 20 employees, and at an average of $42 million for large companies with more than 500 employees.

CCPA has serious implications for companies across the world: they must manage both AML and data protection requirements with regard to California residents. Moreover, if a company uses third-party KYC verification services, it should ensure that those KYC providers are also CCPA-compliant.

What should the companies keep in mind?

CCPA grants California residents the following rights:
  • To know what personal data is being collected.
  • To know whether their personal data is sold or disclosed to other businesses, and to opt out of its sale to third parties.
  • To access their personal data upon request.
  • To be treated without discrimination for exercising their data privacy rights.
  • To request deletion of their personal data.

Much as under GDPR, companies are responsible for updating their privacy policies with CCPA information and for protecting customers’ personal data, including by:
  • Obtaining parental consent when collecting data of minors under 13 years old, and affirmative consent from minors between 13 and 16 years old.
  • Implementing a “Do Not Sell My Personal Information” provision on their website homepage.
  • Not requesting opt-in consent for 12 months after a customer has opted out.
  • Facilitating customer data requests via a toll-free number and other appropriate means.

Are there any conflicts with AML-related data preservation requirements? 

As under GDPR, one of the keystones of CCPA is the right of California residents to have their data erased. At first sight, this seems to give California residents the right to request erasure of their AML-related data. However, much like Article 17 of GDPR, CCPA includes an exemption for such data (information collected for identity verification and fraud-detection purposes). Therefore, on a deletion request the company will be required to erase all data except the AML-related data collected for identity verification and fraud detection purposes.

Here at ZeroTolerance, we can assist you in adopting Data Protection Policies, AML Policies and Procedures that comply with the California Consumer Privacy Act and GDPR requirements. Should you need our assistance or require more information, please contact us at