Under the GLBA and California Financial Information Privacy Act (CFIPA), the California Consumer Privacy Act (CCPA) exempts information collected, processed, sold or disclosed. However, personal information pertaining to California residents outside of the scope of these laws will be subject to the CCPA. (This covers applicant and employee information, business contacts, commercial client information, marketing lead lists, and website visitors).
In cases where financial institutions process information outside these regimes, they must comply with CCPA requirements. For example, they must make certain disclosures to consumers and comply with consumer rights.
In the CCPA, Personal Information is defined as any data which identifies or relates to, or could reasonably be linked to an individual or household. For example; name, address, IP address, social security number, biometric data, online activity data, geo location data, professional or employment information, inferences derived from personal information, unique personal identifier.
In the GLBA and CFIPA, Personal Information is defined as ‘personally identifiable financial information’ and ‘non-public personal information’.
Exemptions from CCPA compliance
The differences in the above 2 definitions could result in partial exemption from CCPA compliance. Typical situations where the CCPA would apply include (but not exclusively):
- Personal Information of applicants and employees of financial institutions
- business contacts
- information collected from commercial clients