By Marci V. Kawski, Tobias Moon, and David M. Stauss
Starting Jan. 1, 2020, privacy law in the United States will substantially change when the California Consumer Privacy Act comes into effect. The CCPA will require entities doing business in California to provide California residents with a number of privacy-related rights. It also will expose such entities to statutory damages for data breaches. As discussed below, the CCPA grants financial institutions subject to the Gramm-Leach-Bliley Act an exemption. That exemption, however, is not entity-wide, and GLBA-regulated entities will need to ensure that their non-GLBA-subject operations are compliant with the CCPA’s requirements.
What is the CCPA?
In July 2018, the California legislature hastily enacted the CCPA in response to a ballot measure that would have allowed state residents to vote on an even stricter privacy law. In a nutshell, the CCPA requires covered entities to provide California residents with a number of privacy-related rights, including the right to: (1) know what personal information an entity collects and how it shares that information with others, (2) request that an entity provide the specific pieces of personal information it has collected to the individual, (3) demand that an entity delete the individual’s personal information, and (4) opt out of an entity’s “sales” of personal information to third parties.
The CCPA applies to “businesses,” defined as for-profit legal entities doing business in California that collect the personal information of California residents and that: (1) have annual gross revenues in excess of $25,000,000, (2) alone or in combination, annually buy, receive for the business’s commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or (3) derive 50 percent or more of their annual revenue from selling consumers’ personal information.
The CCPA defines “personal information” extremely broadly. It includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Among the categories of personal information identified in the statute are names, aliases, IP addresses, email addresses, Social Security numbers, geolocation data, unique personal identifiers (e.g., cookies), account names, bank account numbers, credit or debit card numbers, and any other financial information.
Understanding the CCPA’s GLBA exemption
Financial institutions subject to the GLBA will, of course, immediately recognize that the CCPA overlaps substantially with the GLBA. To address this overlap, the initial version of the CCPA stated that it “shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.”
That language raised a number of questions. For example, no one could explain when the CCPA and GLBA would be “in conflict.” Also, personal information is not really collected, processed, sold or disclosed “pursuant to” the GLBA, which does not require that personal information be collected, processed, sold or disclosed at all; such information is more accurately described as “subject to” the GLBA.
Almost immediately after the CCPA was enacted, the California legislature passed Senate Bill 1121. That bill made a number of non-substantive amendments to the CCPA such as fixing drafting errors that were caused by the CCPA’s hasty enactment. Senate Bill 1121 also changed the GLBA carveout language to the following:
This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.
The revised language removed the “in conflict with” requirement, added a reference to the California Financial Information Privacy Act, and carved out section 1798.150, which is the provision of the CCPA authorizing statutory damages for data breaches. Although the California legislature is currently considering a number of bills that would amend the CCPA prior to its effective date, none of those bills seek to modify this provision.
An important takeaway from the CCPA’s GLBA exemption is that it does not provide GLBA-regulated entities with a complete carveout from the CCPA’s requirements. The GLBA exemption carves out only the personal information covered by the GLBA. The challenge for GLBA-regulated financial institutions is to identify what personal information in their possession is subject to the GLBA (and exempt from the CCPA) and what personal information in their possession is not subject to the GLBA (and potentially covered by the CCPA).
A brief review of GLBA’s relevant definitions
The GLBA regulates financial institutions’ use and treatment of “nonpublic personal information.” Subject to certain exceptions, the GLBA and its implementing regulations define nonpublic personal information to mean personally identifiable financial information (1) provided by a consumer to a financial institution to obtain a financial product or service, (2) resulting from any transaction involving a financial product or service between a financial institution and a consumer, or (3) otherwise obtained by the financial institution in connection with providing a financial product or service to that consumer.
The GLBA’s implementing regulations define “consumer” as “an individual who obtains or has obtained a financial product or service from [a financial institution] that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.”
Examples of personally identifiable financial information provided in the regulation include (1) information on an application, (2) account balance information, (3) payment history, (4) credit/debit card purchase information, (5) the fact that an individual is or was a customer, (6) any information obtained in connection with collecting on, or servicing, a loan or credit account, and (7) any information collected through an internet cookie.
Potential gaps between the CCPA and GLBA
Although the CCPA’s GLBA exemption will cover many types of personal information collected by GLBA-regulated entities, there are still gaps that financial institutions will need to address to ensure CCPA compliance.
Marketing activities. A financial institution’s marketing activities focused on attracting new customers (as opposed to selling additional products to existing customers) may create compliance challenges. For example, if a prospective customer provides a financial institution with personal information while generally inquiring about a particular financial product but does not submit an application, the financial institution will need to determine whether the GLBA applies and, if not, whether the information is subject to the CCPA. To do this, it will need to determine whether the information (1) was provided by the prospective customer to obtain a financial product or service, (2) resulted from any transaction involving a financial product or service between the institution and the prospective customer, or (3) was otherwise obtained in connection with providing a financial product or service to that prospective customer. A useful test is whether the institution already treats the information provided by the prospective customer as GLBA data and handles it under its GLBA compliance program; if it does not, the information is a candidate for CCPA coverage.
If financial institutions use third-party advertising cookies to attract customers, they will need to analyze whether those cookies are subject to the CCPA’s right to opt-out of sales or the GLBA, using the same analysis. Under the implementing regulations of the GLBA, depending on why the cookie was obtained, a cookie could be an example of personally identifiable financial information. Similarly, the CCPA’s definition of personal information includes cookies. As noted above, the CCPA will require businesses to allow California residents to opt out of the sale of personal information from businesses to any third parties. The CCPA defines “sale” to mean any transfer of personal information to third parties for “monetary or other valuable consideration.” A financial institution’s use of third-party advertising cookies for non-consumers will likely qualify as a “sale” under the CCPA and be subject to the CCPA’s opt-out requirement. If, however, the cookie was obtained in connection with providing a financial product or service, the cookie is GLBA data and not subject to the CCPA.
Beyond third-party advertising cookies, financial institutions will need to analyze whether, through their webpages, they are collecting personal information of California residents that does not fall within the definition of nonpublic personal information. Again, the CCPA covers email addresses, IP addresses, browsing history, and records of products considered (to name a few categories of covered information). If a financial institution collects such information and it does not fall within the definition of nonpublic personal information, the institution will need to analyze whether that information is subject to the CCPA’s requirements.
Commercial and business-purpose loans. The GLBA does not apply to commercial and business-purpose loans. On the other hand, the CCPA currently applies to personal information of California residents collected not only in their individual capacities but also in their business capacities. Financial institutions will need to consider whether they will have exposure through any commercial and business purpose loan operations.
Employee information. At the time of writing this article, the CCPA applies to employee information. That may change in the next few months as the California legislature is currently considering a bill that would exclude employee information from the CCPA’s coverage. Financial institutions with California employees should monitor the progress of that legislation.
Data breaches. The CCPA’s GLBA carveout does not apply to section 1798.150. As of Jan. 1, 2020, that section will allow California residents to seek statutory damages of between $100 and $750 per consumer, per incident (or actual damages, whichever is greater) if their personal information is compromised in a data breach caused by a business’s failure to implement and maintain reasonable security procedures. Notably, the CCPA limits that provision to the types of personal information covered by California’s data breach notification statute, not the broader definition of personal information contained in the CCPA. A GLBA-regulated institution therefore cannot rely on the GLBA exemption to avoid this private right of action; its safeguards program must be defensible as “reasonable” with respect to that narrower set of data elements.
What should banks do?
Financial institutions subject to the CCPA should begin their compliance efforts by inventorying the personal information they collect. The inventory should record how each category of personal information is collected, from whom, the business or commercial purpose for the collection, and whether the information is transferred to third parties. Financial institutions should then determine, category by category, whether that personal information is subject to the GLBA or the CCPA and comply accordingly.
Marci V. Kawski, Tobias Moon and David M. Stauss are partners at the law firm Husch Blackwell.