This post is part of our series highlighting key compliance issues under the California Consumer Privacy Act (CCPA). For a broader look at the CCPA, please see prior posts from members of Squire Patton Boggs’ Data Privacy and Cybersecurity group regarding applicability, gap assessments, and the recent amendments, Stay tuned for further posts in this series.
Since the CCPA was enacted in June 2018, financial institutions have been considering whether and how the new law will apply to them. The CCPA provisions include certain exemptions for personal information (“PI”) that is regulated pursuant to the Gramm-Leach-Bliley Act (“GLBA”) , the California Financial Information Privacy Act (“CalFIPA”)  or the Fair Credit Reporting Act (“FCRA”). These exemptions are not absolute, however, and almost all financial institutions collect and use various types of PI that is not regulated by GLBA, CalFIPA or the FCRA. Financial institutions should therefore carefully consider their exposure to the CCPA. This post provides an overview of the recent amendments to the CCPA that bear on financial services and examines the overall impact.
Does the CCPA apply to financial institutions?
As a general rule, the CCPA applies to financial institutions in the same way it applies to other businesses. The CCPA does not provide a blanket exemption for financial institutions (i.e., organizations that are “significantly engaged in ‘financial activities,’”as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). However, the CCPA does include limited exemptions for Personal Information “PI” that is subject to GLBA, CalFIPA, and the FCRA. It is important to note that these exemptions do not apply with respect to the CCPA’s private right of action for damages arising from data breaches.
The GLBA and CalFIPA exemptions apply only to the extent that the PI in question is collected, processed, sold, or disclosed pursuant to those laws. As a general rule, both GLBA and CalFIPA regulate the sharing of nonpublic PI, defined to include virtually any information received from or about individuals who seek to obtain a financial product or service used primarily for personal, family, or household purposes. The GLBA/CalFIPA exemption generally applies to PI:
- that a consumer provides to obtain a financial product or service;
- about a consumer resulting from any transaction involving a financial product or service with a consumer; or
- that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.
The FCRA was enacted to promote the accuracy, fairness, and privacy of consumer information used for certain sensitive purposes such as credit granting, insurance underwriting, and employment screening, and regulates the collection, dissemination, and use of this information. Accordingly, the CCPA exempts the collection, maintenance, disclosure, sale, communication, or use of any PI bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, by a furnisher of information who provides information for use in a consumer report, and by a user of a consumer report.
Not all PI subject to the CCPA and held by financial institutions is regulated by the GLBA, CalFIPA, or the FCRA. The GLBA and CalFIPA do not apply to PI regarding consumers who obtain financial products or services for business, commercial, or agricultural purposes, or to PI gathered from consumers who do not have and are not seeking a financial product or service. In addition, there are areas where PI that is subject to GLBA/CalFIPA may be gathered in combination with PI that is not subject to those frameworks. For example, PI gathered online through a financial institution’s website may commingle the PI of consumers subject to GLBA, the PI of consumers not subject to GLBA (e.g., investors downloading the financial institution’s annual report), and PI gathered in connection with marketing activities (such as marketing lead lists). In such cases, it may not be feasible to separate out the GLBA/CalFIPA PI from PI that falls out the scope of those laws and therefore qualifies for CCPA exemption. Similar issues may also arise in regard to PI that is derived from combined exempt/non-exempt data sets.
As a result, most, if not all, financial institutions will need to comply with applicable notice, disclosure, opt-out, and other obligations under GLBA/CalFIPA and FCRA, as well as under the CCPA with respect to different types of PI that they collect and process. Furthermore, financial institutions should keep in mind that they are subject to liability under the private right of action under the CCPA for certain types of data breaches, regardless of whether the types of PI involved in the data breach is regulated by the GLBA, CalFIPA, or FCRA.
What Do Financial Institutions Need to Do Now?
Most financial institutions will already have good data governance structures in place and may have had to consider some of the issues raised by the CCPA in the context of complying with the EU General Data Protection Regulation. To minimize regulatory risk (and potentially significant financial penalties) in relation to CCPA compliance and successfully navigate the complex web of privacy compliance obligations that apply to the financial services sector, entities subject to the GLBA/CalFIPA or the FCRA should carry out the following steps prior to January 1, 2020:
- Know your PI and identify data sets that fall within the GLBA/CalFIPA or the FCRA: The basic CCPA requirements are predicated on how you collect, use, and share PI. In order to comply with the CCPA, you will therefore need to take stock of your data practices and conduct or update your data inventory and mapping records. If the PI that you collect has already been mapped for compliance with other laws, you may be able to leverage those efforts for CCPA compliance purposes. For CCPA purposes, financial institutions should identify what categories of PI that they collect fall within the scope of the GLBA/CalFIPA or the FCRA. Take time to reconsider whether any current policies and practices attempting to carve out PI from those frameworks should be re-visited. All PI that does not fall within the scope of GLBA/CalFIPA or FCRA should be deemed potentially subject to the CCPA and carefully assessed.
- Understand how CCPA applies to you: Assuming that your financial institution meets the definition of a “business” under the CCPA, any PI that it collects, sells, or discloses that falls outside of the scope of GLBA/CalFIPA and FCRA will likely be subject to CCPA, although the CCPA does contain certain other exemptions that may be applicable and should be considered.
- Be prepared to provide CCPA rights: The CCPA provides four separate rights that individuals may exercise: the rights to know, to delete, and to opt-out, and the right against discrimination. Financial institutions will have to consider how they will comply with these new obligations for PI that is subject to the CCPA, in coordination with their existing obligations under sector-specific regulations, such as the Bank Secrecy Act, the Federal Right to Financial Privacy Act and the California Right to Financial Privacy Act. This will include operationalizing new CCPA procedures and policies, including the identity verification requirements of the CCPA, as supplemented by the proposed CCPA Regulations published by the California Attorney General.
- Reasonable security: Review existing security procedures and ensure that “reasonable” security measures are in place to protect all PI, including CCPA-covered PI, from data breaches, which will help defend against private rights of action under the CCPA involving PI and will help minimize the risk of statutory damages awards of up to $750 per violation (or actual damages, whichever is higher).
- Review record retention policies and practices: Evaluate policies and practices to identify the delta between how long you are required to retain PI and how long you actually keep it. Limiting retention to the extent possible will significantly lessen the burden of full compliance with applicable CCPA rights in 2020 and beyond, and also further mitigates risk in the event of security breaches.
- Review contracts with vendors: Identify and review contracts with vendors that process PI that is subject to the CCPA framework. Although the CCPA does not technically require adding specific language to such contracts, there are important safe harbors for organizations that do. Additionally, operationalizing CCPA rights (such as access or deletion), will require the cooperation of your vendors and it is advisable to formalize your expectations via contract.
Do you need help or more information?
Our Data Privacy & Cybersecurity practice group, working together with our Financial Services practice group, can help you determine whether, and to what extent, the CCPA will impact your business and your data practices, in particular how the CCPA interacts with other financial privacy laws. We can also assist you in your overall CCPA compliance efforts and help develop integrated compliance policies that can be administered effectively and efficiently. Finally, working together with our Public Policy Practice Group, we can assist organizations that wish to propose clarifying amendments to the proposed CCPA Regulations that are currently being considered for adoption (the deadline for comments is December 6, 2019.)