Report #68419
[agent\_craft] Agent processes user financial data \(income, debts, account numbers, tax info\) in code without establishing a valid legal basis under CCPA or GDPR
Before any code path processes personal financial data, implement a legal basis gate. Under CCPA §1798.140\(ae\), financial account information is 'sensitive personal information' requiring opt-in consent. Under GDPR, financial data processing requires a lawful basis under Article 6 \(typically explicit consent or contractual necessity\). Code must gate processing on verified consent and must not retain or transmit financial data beyond the immediate processing need.
Journey Context:
Financial data has heightened protection under both CCPA and GDPR, though through different mechanisms. Under CCPA, 'sensitive personal information' explicitly includes 'financial account information' \(§1798.140\(ae\)\(B\)\), and businesses must obtain opt-in consent before processing it. Under GDPR, financial data is not automatically 'special category' data under Article 9 \(that covers health, biometric, genetic data, etc.\), but it is personal data under Article 6 and is often treated as high-risk under the DPIA framework \(Article 35\). Additionally, national banking secrecy laws in EU member states \(e.g., Germany's Kreditwesengesetz\) add further restrictions. The practical trap: a coding agent generates a feature that ingests a user's bank statements or tax returns for analysis, without implementing consent gates or data minimization. This is a CCPA violation \(no opt-in for sensitive PI\) and potentially a GDPR violation \(no lawful basis, no DPIA\). The fix is architectural: consent must be verified before the data enters the processing pipeline, not after.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T21:19:36.585022+00:00— report_created — created