Despite the global pandemic, the California Attorney General will begin enforcing the California Consumer Privacy Act on July 1 as planned, so even in this new work-from-home environment, businesses must continue to work towards compliance and resolve any open issues. One question we’ve been asked is whether the CCPA provides a complete exemption for financial institutions. We address that question below.
The CCPA imposes new requirements on businesses that collect and maintain the personal information of California consumers. It is meant to apply broadly to nearly every type of business that meets certain thresholds, even those, such as financial institutions, that are already regulated by federal privacy law. The Gramm-Leach-Bliley Act regulates the collection and disclosure of much of the same type of personal information that is regulated by the CCPA, and imposes strict requirements on financial institutions to protect customer data and provide notice to customers about the information they collect and maintain. Under the GLBA, financial institutions are required to assess and implement controls for risks to customer information, with a focus on areas that are particularly important to information security, including employee training and management, information systems, and preventing and responding to attacks and system failures.
In light of the obligations already placed on financial institutions by the GLBA (as well as the California Financial Information Privacy Act), the California Legislature sought to ease some of the burden placed on them by the CCPA by creating a carve-out. However, the CCPA does not fully exempt financial institutions from its requirements. Rather, the CCPA exempts the data that is covered by the GLBA, not the institutions themselves. Specifically, the CCPA exempts “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations . . . .”
What does this mean for businesses? The CCPA covers a wider range of information than does the GLBA, and financial institutions are likely to possess such data. The CCPA covers “personal information,” which is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” By contrast, the GLBA applies to a narrower category of “personally identifiable financial information,” which is defined as any information that a consumer provides to a financial institution “to obtain a financial product or service” or “about a consumer resulting from any transaction involving a financial product or service” between the company and a consumer or that the financial institution otherwise “obtains about a consumer in connection with providing a financial product or service to that consumer.” This may include information on an insurance application, account information, and information from an internet cookie or other digital record, where that information is collected in connection with providing a financial product. Because such information is covered by the GLBA, the CCPA exempts it from its requirements.
In other words, the financial institution does not have to provide customers with the various rights with respect to “personally identifiable financial information” that must otherwise be provided under the CCPA. However, where the financial institution collects information for some purpose other than providing a financial product or service, such as when it collects information for marketing purposes, it must meet the requirements of the CCPA. Notably, the CCPA’s definition also includes any “inferences drawn” from any personal information that is used “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” Thus, certain activities such as targeted online advertising, tracking web page visitors, collecting geolocation data, and obtaining information from visitors to the site who are not necessarily (and may never become) customers, may involve the collection of information that falls outside the scope of the GLBA but within the scope of the CCPA.
In practice, this means that financial institutions that collect personal data unrelated to providing financial products or services must have a process in place to identify what information is subject to the GLBA and what information they have that otherwise would be covered by the CCPA. This will require them to map their data, make sure they can identify what data they collect and for what purpose, and perhaps reassess their privacy policies and practices to account for the interaction between the GLBA and the CCPA. It is possible that, in certain situations, the same data may be regulated differently depending on how and why it was collected. For instance, an internet cookie or IP address may be subject to the GLBA (and thus exempt from the CCPA) if collected to provide a financial service; if the same data was collected solely for marketing purposes and never culminated in the provision of a service, it is likely to be covered by the CCPA.
Finally, regardless of the type of information collected, the GLBA exemption does not apply to the private right of action provided under the CCPA. The private right of action allows consumers to seek statutory damages if the consumer’s information “is subject to an unauthorized access, exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Accordingly, even if a financial institution’s data is exempt from the CCPA requirements of notice, choice, and access, it is still subject to potentially significant damages in the event of a data breach involving that information.
As stated above, the Attorney General will not begin enforcing the CCPA until July 1 and it remains to be seen how this exemption will be interpreted. In the interim, it is incumbent on all financial institutions to ensure that their privacy policies are updated to account for the fact that certain information in their possession may be subject to the CCPA and to be prepared to respond to consumer requests for information.