The California Consumer Privacy Act imposes sweeping obligations on a diverse array of businesses, but financial services companies subject to the federal Gramm-Leach-Bliley Act are treated somewhat differently. The CCPA’s exception for personal information covered by the GLBA takes the edge off the CCPA for financial institutions with retail clients.
However, the CCPA does apply to some personal information that financial institutions routinely handle. So it’s important that financial institutions examine the compliance burdens they may have under the law.
The CCPA takes effect Jan. 1, 2020, and applies to any enterprise that, among other triggering criteria, does business in California and has annual gross revenues in excess of $25 million.
It is a uniquely broad U.S. privacy law for a number of reasons, primarily relating to its definitions of “personal information” and “consumer.” It imposes obligations around the handling of consumers’ personal information, including required disclosures to consumers; consumer access, deletion, and opt-out rights; and an individual private right of action relating to a failure to maintain reasonable security procedures and practices leading to a security breach.
Set against broad definitions of covered businesses, individuals, and information is an exemption for “personal information collected, processed, sold, or disclosed pursuant to” the GLBA. Even this exemption, however, does not affect the CCPA’s private right of action arising from certain security breaches. And, perhaps more significantly, it is not an entity-level exemption but rather an exemption for personal information that is collected pursuant to the GLBA.
A financial institution’s obligations under the CCPA’s disclosure and consumer-rights provisions will likely depend on the extent to which it collects, obtains, uses, discloses, or otherwise handles information not covered by the GLBA. Since the GLBA covers a narrower scope of data than the CCPA, information that financial institutions collect could still be subject to CCPA.
Who and What Could Still Be Subject to the CCPA?
In general, it appears the CCPA applies to financial institutions with respect to information that is not collected for a GLBA purpose (i.e., not in the context of the provision of financial services primarily used for personal, family, or household purposes). To understand exactly what that includes, it’s important to consider people, activities, and information that could fall outside of the GLBA.
People Not Covered by GLBA
A number of individuals who interact with a financial institution could be deemed “consumers” under the CCPA who are not “consumers” under the GLBA.
This list could include individuals associated with service providers, suppliers, business customers and clients, customers who obtain commercial products (institutional clients), holders of corporate credit cards, company employees (as well as temporary employees, contract employees, and potential employees) and their family members (e.g., with respect to benefits provision), and visitors to company offices and facilities who are not “consumers” under the GLBA.
In some cases, amendments to the CCPA delay the applicability of the CCPA to employees and business-to-business contacts for one year.
The types of interactions with people in these categories that could trigger CCPA-related obligations are varied. They could include, for example, third parties to which a financial institution refers its clients for ancillary or related services (such as wealth management-focused financial institutions referring clients to estate lawyers or accountants).
The types of information associated with these persons could also be varied and could include, for example, information required to be collected for know-your-customer or customer due diligence purposes, as well as other anti-money laundering compliance program purposes, in connection with institutional accounts.
Activities Not Covered by the GLBA
Activities involving the collection or use of personal information outside of providing consumer financial products and services—generally not subject to the GLBA—could be subject to the CCPA.
Possible examples include when financial institutions interact with individuals prior to or independent of the individual seeking a consumer financial product or service (e.g., prospective clients, in some contexts), or when an individual visits the financial institution’s website or contacts the company.
Furthermore, financial products and services that are not offered to consumers (but rather, e.g., to commercial or institutional customers, as referred to above) would not be subject to the GLBA.
Information Not Covered by the GLBA
Finally, certain types of information that may not be subject to the GLBA may be subject to the CCPA.
For example, under the CCPA’s broad definition of personal information, data such as IP address, cookies, other unique identifiers, and other website information collected from a website visitor, as well as geolocation information, could be subject to the CCPA, but may or may not be collected in connection with the provision of a financial product or service.
This may include information such as persistent identifiers that are collected for purposes of online behavioral advertising or other reasons, but not for a consumer’s applying for or obtaining a financial product or service.
The CCPA is a sweeping privacy law. Though the GLBA sweeps broadly as well, the nature of the CCPA exemption for financial institutions will likely not allow them to avoid considering the implications of the CCPA.
If they haven’t already, financial services companies that have personal information of individuals who reside in California should consider evaluating the personal information they collect that may be subject to the CCPA, the types of “consumers” they interact with as defined under the CCPA as a result, and what they should start preparing for the new law.
A more in-depth Bloomberg Law analysis of the points discussed above is available here.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kristen J. Mathews, a partner at Morrison & Foerster, has for more than 20 years had a practice focused on advising clients on the full spectrum of the most complex privacy and cybersecurity issues, including regulatory and compliance matters. An early leader in the privacy sphere, she has developed comprehensive knowledge and long-term perspective, cultivated a client base across a broad range of industries, and established herself as one of the top lawyers in her field.
Adam Fleisher, an associate at Morrison & Foerster, focuses his practice on nonbank financial services regulation, the federal Bank Secrecy Act and related anti-money laundering laws and rules as applied to nonbanks, and information security issues. In particular, he works with money transmitters and other payments companies to address the regulatory challenges they face, with a primary focus on navigating the 50-state U.S. money transmission licensing regime, as well as on data security, privacy, and related safety and soundness and consumer protection issues.