Residential Magazine

A New California Regulation Will Raise Some Eyebrows

Data-privacy laws are changing in the nation’s most populous state

By Mike Eshelman

Technology has revolutionized the mortgage industry, making the efficient use of data a pillar for success. Big data has fueled the ability of mortgage lenders and originators to reach prospective borrowers at the right time and with the right information, improving the client experience along with acquisition and retention efforts.

With big data, however, comes big responsibility. Looming regulations require lenders and originators to balance the ability to leverage consumer data with a newfound accountability.

The California Consumer Privacy Act (CCPA) is a first-of-its-kind privacy law introduced in the U.S. Formally in effect as of Jan. 1, 2020, enforcement actions won’t begin until July 1 of this year. Mortgage professionals should be aware, however, that enforcement actions can take aim at any compliance violations as of the law’s effective date. The new regulations require businesses to be mindful of their consumer-data handling practices, and to implement new policies and practices that ensure they can meet the act’s standards. 

Essentially, the CCPA puts power in the hands of consumers. It gives California consumers the right to request access, deletion and control over the sharing capabilities of their information. It creates greater transparency for how personal information is being collected and what information is known about the consumer, and it allows the individual to control whether their information can be sold to a third party. Additionally, the consumer has the right to have their information deleted from the organization’s database if that request is not in conflict with another law. 

Although not every lender or mortgage company will have to comply, businesses that have annual gross revenues that exceed $25 million are obligated to follow the CCPA. The law also applies to businesses that buy, sell or receive information about 50,000 or more California consumers, as well as those that get at least 50% of their annual revenue by selling consumer data.

Navigating the act

Naturally, since this regulation is new, there is bound to be some confusion. There are a few aspects of the CCPA that contradict other mortgage lending regulations already in place, and these are sometimes are out of a business’s control. This forces lenders and originators to face multiple challenges. 

Identity theft. The CCPA allows consumers to request all information a business has about them. If a business has a proper paper trail and records, this shouldn’t be a problem. Mortgage companies, however, are tasked with making inquiring parties prove their identity. How can you confirm the person requesting information is who they say they are, and what are the implications if the consumer doesn’t provide proof and you don’t delete their data? In this case, businesses can easily get stuck.

Data deletion. CCPA standards state that California consumers can request deletion of any personal data a business is storing. Mortgage lenders, in particular, may find themselves in a bind when it comes to this request, as it conflicts with federal record-retention regulations that require lenders to hold consumer information for 24 months or longer. In this instance, federal record-retention regulations supersede the CCPA. 

Proof of notice. Another aspect of the law is the right to know what data is being collected, how it is being collected by a business, and how it is being used. Businesses can send e-mails and display pop-up announcements on their websites to notify consumers about their updated data and privacy policies. Proving that a business clearly and conspicuously notified a consumer, however, can be challenging. If there is an investigation, how does a business provide proof that a specific consumer was notified?

These conflicts make consumer requests a significant burden for mortgage companies to handle independently. As a result, many businesses are smart to turn to some form of outside partnership to manage these interactions. 

For mortgage lenders and originators, the main concern is likely to be whether they were transparent about how they handled consumer information.

Data-compliance partners

Even if a company has general counsel or a chief compliance officer on staff, data-as-a-service (DaaS) partners focused on compliance can offer solutions. This option is particularly helpful for a company that is large enough to fall under the law’s umbrella but not large enough to have a big-budget compliance program in place. 

DaaS partners have built-in tools to help businesses navigate complex issues as they pop up, without losing accountability. Some of these partners already have integrated compliance tools in their platforms to ensure third-party identification verification and data usage, proof of consent and consumer data records. 

These DaaS companies may be able to witness and record visitor interactions on your company’s website. They can then provide consumers with a strong and independent proof-of-data-usage and privacy notice, proof of consent under the Telephone Consumer Protection Act and additional data points regarding the website’s activity. 

These partners may be focused on data privacy and security, and can manage the workflow of consumer requests along with tracking subsequent communications through the fulfillment of these requests. It can be helpful to work with these types of compliance partners while navigating the law, as well as any future regulations in other states or from the federal government.

● ● ● 

The CCPA is the most current effort to empower consumers and reconnect them with their data, putting them in the driver’s seat for how it will be used. In turn, this is forcing companies to improve transparency. 

For mortgage lenders and originators, the main concern is likely to be whether they were transparent about how they handled consumer information and how they communicated these actions — which is where proof will become crucial. The mortgage industry can expect similar regulations from other states and at the federal level. Going forward, it will be helpful to partner with a DaaS company that is prepared to evolve in tandem with consumer data-compliance regulations. 


  • Mike Eshelman

    Mike Eshelman is a certified mortgage banker and is the head of consumer finance at Jornaya, a data-as-a-service platform that helps companies attract and retain clients using a proprietary network of more than 35,000 comparison-shopping and lead-generation sites. For more information, visit

You might also like...