Know Your Data Privacy Acronyms: GLBA and CPRA

Practice Management

Accounting services revolve around client data, and much of that data is sensitive and confidential financial and personal information. Tax professionals are prime targets for identity theft. Clients’ information – bank and investment accounts, Social Security numbers, health insurance records and more – are of high value to hackers. All companies – including accounting firms – are responsible for managing the data they collect. 

A 2020 survey by McKinsey & Company revealed a very low level of trust – a less than 50% trust rating for any industry – among consumers asked about their comfort level in sharing personal information. That lack of trust is understandable given the increasing number of high-profile consumer data breaches. Importantly, even consumers who were not directly affected by these breaches paid attention to the way companies responded to them. 

What is the takeaway for accounting firms? Understand data privacy regulations, and have in place a clear privacy policy. Doing so conveys to clients and prospective clients that your firm takes privacy and security seriously and they can be comfortable that their data is safe with you.

An important first step is to proactively reduce the risks for data breach or theft. Get important tips on cybersecurity for your firm in our post Addressing Accounting Cybersecurity Challenges in 2022.

Just as important is data privacy. Consumer awareness of the threat of their sensitive data being shared, sold or breached has heightened expectations for protection. Most of us are now familiar with cookie consent – the banners on most websites that request permission to collect cookies. If that’s missing from your site, a visitor may question your commitment to privacy. 

Privacy regulations in the accounting industry

Data privacy regulations focus on how data should be collected, stored, managed and shared with any third parties. While the United States does not have in place any overarching federal regulations on privacy, it does have a federal law for financial institutions. And many states have existing regulations or initiatives underway to guide organizations in the handling of data in a manner that protects consumer privacy rights.

Two of the most important regulations affecting accounting firms are the Gramm-Leach-Bliley Act and the California Privacy Rights Act. 

Establishing a privacy policy is an important baseline for every business, even smaller firms that are not technically subject to data privacy laws. Supporting privacy can help you to avoid liabilities and potentially hefty fines, while also showing your customers that your business is committed to protecting their data. 

The Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act was enacted by the U.S. Congress to protect consumers’ private financial information and govern the collection and disclosure of clients’ financial information primarily by financial institutions and other entities, including by CPAs, accountants and tax preparers.

Many accounting firms don’t realize they are required to comply with the GLBA because they consider it to only affect large banks or financial institutions. However, the GLBA is applicable to accounting firms of all sizes. If firms neglect to properly protect their clients’ data under the GLBA, they risk an investigation or fines by the Federal Trade Commission.

One important step toward compliance is to use secure methods to exchange sensitive documents with clients. Attaching unencrypted tax returns or 1099, K1 or financial reports in an email, for example, violates the GLBA provisions of protecting against unauthorized access to private information.

Listen in to learn more about Secure Document Transfer in OfficeTools.

The California Privacy Rights Act (CPRA)

California is the first state to adopt a privacy initiative, and that law, the California Consumer Privacy Act (CCPA), is considered the most stringent of the more than 40 existing state laws. An updated version of CCPA, called the California Privacy Rights Act became law in September 2020 and will go into effect in January 2023. The CPRA updates, expands, clarifies and amends California’s previous data privacy law. 

Important: Located outside of California? CPRA is still important, as companies both inside and outside of California may be subject to its requirements. 

Any firm doing business or collecting data (think newsletter subscribers, marketing leads) from residents of California must comply with CPRA, if they meet the revenue or data handling limits outlined below. Even if your firm is not legally subject to the law, it’s important at a high level to understand the consumer rights granted by California’s data privacy law:

  • It gives consumers a right to know about how their data is being used, a right to access, a right to request “do not sell my data” and a right to request that their personal information be deleted.
  • Businesses have to inform consumers about categories of information that will be collected and the purpose for which they are being collected. This information should be clearly communicated on the company website.
  • Consumer notification is required within 30 days of breach detection.
  • Civil financial penalties of up to $7,500 per instance of noncompliance may be incurred.
  • Individuals have the right to bring private right of action suits against a company when their personal information is breached. Consumers do not have to prove that they incurred actual financial loss from the data loss, but only to show the company violated the law.

Is Your Firm Subject to the CPRA?

The CPRA applies to for-profit entities that both collect and process the personal information of California residents and do business in the state of California. Organizations that do any of the following are obliged to comply with CPRA:

  • Earn gross revenue in excess of $25 million
  • Collect personal information of more than 50,000 customers (100,000 or more under the CPRA) or 
  • Derive more than 50% of their annual revenue from selling California resident information (This includes data brokers and marketing organizations.)

Firms with revenues below $25 million may conclude that they are not obligated to comply with CPRA. At the $25 million revenue level, the law likely impacts roughly the top 300 largest accounting firms in the United States. However, smaller firms that are on a growth path or that want to compete with top 300 firms to win large clients would be wise to understand privacy law, establish a privacy policy and put processes in place that allow prospects or clients to have control over their information. This will engender greater trust and loyalty in today’s cautious culture. 

Choose a secure practice management system

The practice management system you choose should help your firm keep client data secure and support data privacy rights. OfficeTools is an all-in-one workspace that allows accounting firms to work collaboratively and efficiently manage documents and client information, all in a secure platform.

Is your practice management system secure? Download the Accounting Firm Technology Checklist for tips on reducing risk and securing client data.