On January 1, 2020, the California Consumer Privacy Act (CCPA) became effective and has been described as one of the most comprehensive consumer privacy initiatives ever to be codified into law. Because of its wide implications for businesses throughout the state of California, a panel of legal representatives explained how it could impact the reverse mortgage business during the National Reverse Mortgage Lenders Association (NRMLA) Annual Meeting in Nashville, Tenn.
Though the law was originally passed in June of 2018 under the administration of the last governor, Jerry Brown, the law only recently went into effect and has some major implications due to its large scope. Because California stands as a major source of reverse mortgage business, the implications of the new law will affect large numbers of individuals and entities in the industry who conduct business within the state.
Brief history
Intended to give California consumers more general say over how much of their personal data is collected and used by businesses operating in the state, the CCPA provides further enforcement to language found in the California state constitution, which describes privacy as an “inalienable” right for Californians. During their presentation at the NRMLA Annual Meeting, attorneys Soroush Shahin of Weiner, Brodsky, Kider and Jay Wright of Bradley Arant Boult Cummings LLP described the law as the “broadest and most comprehensive privacy law in the United States to date.”
According to the language of the bill introduced to the California State Assembly in February of 2018, some of the specific intentions of the law are to let consumers know what personal data is being collected about them and if sold, to whom; allow them to decline the sale of personal data; to give them access to their personal data; allow them to request a business to delete personal information that a business may have collected about them; and to not be discriminated against for exercising rights to privacy.
While its scope is broad, the CCPA does not universally apply to all business operating within California. Instead, a company has to meet one of these three requirements in order to require compliance with the new law: it has annual gross revenues in excess of $25 million; buys or sells the personal information of 50,000 or more consumers and/or households; or earns more than half of its annual revenue from selling the personal information of its consumers.
According to Shahin and Wright, the California legislature passed CCPA in quick succession in order to avert a proposed ballot initiative which would’ve sought even more stringent privacy requirements on the state’s businesses, and that rush to pass the law ultimately led to a degree of ambiguity and uncertainty in terms of how it will apply now that it is in effect.
How the law could impact the reverse mortgage business
Among some issues that have specific relevance to the reverse mortgage industry, one reverse mortgage professional in attendance at the event asked the lawyers whether or not there are any specific verification processes that can be used to properly vet a borrower based on identifiable attributes such as Social Security number.
“Masked data is permissible,” Wright says, referring to using only a partial Social Security number for borrower identification purposes. “You’re certainly prohibited from getting the entire Social Security number from a borrower through fear of potentially releasing other customer data as a part of that [inquiry]. You may need to tweak your policies and procedures to ensure they comply with CCPA.”
Another attendee who is not employed by a lending entity asked if the application of the law would extend to institutions other than lenders, and the broadness of the law clearly illustrates that it does, Shahin explains.
“If you’re a for-profit entity and you collect more than 50,000 pieces of personal information from consumers or devices, it’s extremely broad,” he says. “It’s not just limited to lenders. Any entity that meets those thresholds will be subject to CCPA.”
In general, the scope which qualifies as “personal information” is similarly broad, the attorneys say. It counts as, “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Examples of what does not qualify as personal information under the letter of the law includes publicly available information, aggregate consumer information or “deidentified information” which has had personally-identifiable elements removed before being released.
Lender responses
Several reverse mortgage lenders have taken recommended actions in terms of providing disclosures and policies specifically for California residents in light of CCPA’s passage. In terms of the disclosures, several major reverse mortgage lenders have created California-specific portals and web pages in order to comply with the requirements of the new law.
For instance, 1st Reverse Mortgage USA specifies on its dedicated CCPA web notice the policies and practices inherent in its various uses of consumer information, along with details concerning what information is collected, how that information is gathered, and how that information is used in the regular course of 1st Reverse’s business.
Also included is a notice about how personal information collected by 1st Reverse is not sold, but is shared among some third-party partners in order to accomplish certain business requirements.
Open Mortgage features both a CCPA notice and a CCPA-bolstered privacy policy, but also informs consumers that much of the data it collects does not necessarily fall under the jurisdiction of the new law.
“[I]t is important to note that CCPA provides exemptions to companies that have consumer data that is necessary to carry out their business. A majority of the data that Open Mortgage collects is exempt from CCPA as it falls under federal privacy laws set out by the Gramm Leach Bliley Act (GLBA) and cannot, as a result, be part of the [law’s required] Opt-Out request,” the Open Mortgage notice reads. “We are GLBA compliant and protect your data to our fullest capability. So, Open Mortgage will receive your Opt-Out request via the option you select, and will work to remove any data that is not exempt.”
Similarly, Champion Mortgage details its own exemptions from the CCPA under the same principles, due to compliance with GLBA.
“The personal information (PI) that we collect, process or share in connection with the reverse mortgage loans we service is safeguarded under federal requirements and is exempt from the CCPA,” the Champion notice reads.
Activity of other states
While there aren’t necessarily other laws with the scope of CCPA being deliberated in other states, there is momentum in other jurisdictions for further protection of consumer information, Wright says.
“Maine and Nevada have passed state laws pertaining to privacy issues, and there are a number of states that have had consumer data privacy statutes that have been introduced and may be passed in the upcoming legislative sessions,” he says. “There’s movement in 11 or 12 other states. Obviously California is the most significant, and to date the toughest rules with which we’re going to have to contend.”
Still, regulations can change, and the reverse mortgage industry is still in a state of flux concerning compliance with these new privacy requirements. The significance of the topic is immense, and businesses in general are expected to spend billions of dollars in legal or regulatory compliance costs over the upcoming year, Wright says.
Anyone subject to upcoming privacy rules should have active conversations internally, and potentially with counsel to make sure that compliance with existing or upcoming privacy rules is maintained, Wright adds.