Any organization that has business dealings in California will be aware that the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. From that date businesses have six months to ensure they comply with the new law. This ‘grace period’ means California’s Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020.
Despite the current Covid-19 pandemic the enforcement date stands. Consequently, as increasing numbers of employees are working from home where possible, businesses must use the remaining time — a little over two months — to continue working towards compliance and resolve any open issues.
For financial institutions however, one question keeps popping up….
“Does the CCPA provide exemptions for financial institutions?”
The simple answer, despite protestations from a few members of the financial sector that the CCPA’s requirements are vague and somewhat broad, the Act applies to almost every type of business that meets certain thresholds — and yes, this includes financial institutions that are already regulated by federal privacy laws.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, regulates the collection and disclosure of the same types of personal information that is regulated by the CCPA.
The GLBA requires financial institutions to protect consumers’ personal information and notify consumers about the information being collected and processed. Moreover, the GLBA requires financial institutions to implement effective controls to mitigate risks to consumers’ personal information, with a particular focus on information systems, employee training, and the prevention and response to cyber-attacks and system failures.
In recognition of the existing obligations the GLBA places on financial institutions, in addition to the CCPA, the California Legislature has looked for ways to ease some of the CCPA’s obligations placed on them by creating a carve-out. That said, the CCPA in no way provides total exemption from its requirements. Instead of exempting the financial institutions themselves, the CCPA exempts the data that is already covered by the GLBA. To be specific, the CCPA exempts “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations…”
So, what does this mean for financial institutions?
Upon studying the two Acts, it is clearly evident that the CCPA covers a much wider spectrum of information than is covered by the GLBA. The CCPA covers “personal information” which is defined as:
“information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
However, the GLBA covers a comparatively narrower category of “personally identifiable financial information,” which is defined as any information that a consumer provides to a financial institution “to obtain a financial product or service” or “about a consumer resulting from any transaction involving a financial product or service” between the company and a consumer or that the financial institution otherwise “obtains about a consumer in connection with providing a financial product or service to that consumer.”
This could include account information, information on an insurance application, or information gained via a cookie or other digital record, where information has been collected when providing a financial product. Since this information is already covered by the GLBA, it is exempted from CCPA requirements.
To put it simply, the financial institution is under no obligation to provide consumers with the various rights with respect to “personally identifiable financial information” that must otherwise be provided under the CCPA.
However, there is an important caveat. If a financial institution collects information for any other purpose than to provide a financial product or service, such as for marketing purposes, it is required to comply with the CCPA.
It is important to note that the CCPA definition includes any “inferences drawn” from any personal information being used “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
This means that certain business activities such as targeted marketing, website visitor tracking, collection of geolocation data, and obtaining information from website visitors who are not customers, may be deemed to be within the scope of the CCPA, but outside the scope of the GLBA.
Practices and Processes
When a financial institution collects personal information that is unrelated to the provision of financial products and services, it must implement a process to identify a) what information is covered by the GLBA and b) what information comes under the requirements of the CCPA. A data map is therefore required, in order to clearly identify what data is being collected and for what specific purpose.
It may also be necessary to reassess privacy notices, policies and practices, in order to account for the interaction between the GLBA and the CCPA. In some scenarios it is possible that the same information may be regulated differently depending on how and why the data was collected. For example, an IP address or cookie might be subject to the GLBA — therefore exempt from the CCPA — if collected for the purpose of providing a financial product. However, if the same information was collected purely for marketing purposes, but never resulted in the sale of a product, it is likely to be covered by the CCPA.
Irrespective of the type of data being collected, the exemption provided under the GLBA does not apply to the private right of action provided under the CCPA. The CCPA’s private right of action allows consumers to pursue seek statutory damages if the consumer’s personal information “is subject to an unauthorized access, ex-filtration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”
Even in cases where a financial institution’s data is exempt from the CCPA requirements of notice, choice, and access, it is still subject to potentially large damages in the event of a data breach.
From July 1 of this year California’s Attorney General will have the power to bring enforcement action under the CCPA. It will be interesting to see how this exemption will be interpreted.
In the meantime, financial institutions would do well to use the time left to ensure that their privacy notices, policies and practices are fully up to date, to account for any information they hold which is likely to be covered by the CCPA and to be fully prepared to respond in a timely fashion to consumer access requests.