The California Consumer Privacy Act of 2018 (“CCPA”) exempts information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”), and its implementing regulations (the “Privacy Rule”), or the California Financial Information Privacy Act (“CFIPA”). It does not exempt financial institutions altogether from its requirements where a financial institution is processing information not subject to these regimes. In such situations, a financial institution must comply with a wide array of CCPA obligations, including requirements to make certain disclosures to consumers and to provide certain rights to consumers, such as the right to stop “sales” of their personal information and the right to access data that a business has collected about them. Determining whether information a financial institution processes is covered by the exemption or not can be challenging and is something that financial institutions will need to analyze for their operations.
This blog post provides background on the scope of the exemption and an overview of key considerations for financial institutions developing CCPA compliance programs.
The financial services industry is one of the most heavily regulated industries when it comes to protecting the privacy of personal information. At the federal level, companies that offer financial products or services must comply with the GLBA and Privacy Rule, which govern notice obligations and condition the sharing of a customer’s personal information with third parties on offering consumers an opt-out, subject to certain exceptions. The Right to Financial Privacy Act imposes restrictions on financial institutions’ disclosure of personal information to the government. In addition to the comprehensive federal framework, some states have separately enacted financial privacy laws that provide similar and even additional protections to consumers, such as California’s CFIPA.
Consequently, many financial institutions and industry groups expected that the CCPA would exempt financial institutions from complying with the CCPA. However, the CCPA as originally enacted on June 28, 2018 exempted personal information collected, processed, sold, or disclosed pursuant to the GLBA (and not the CFIPA) only where the CCPA was in conflict with the GLBA. Recognizing the limited utility of the original exemption, given that financial institutions could in many cases comply with both the CCPA and the GLBA, the California legislature, through SB 1121’s passage on September 23, 2018, removed the conflict language and added the CFIPA as well. The legislature also clarified that the exemption does not apply to the data breach liability provisions of the CCPA.
While financial institutions will be largely exempt from complying with the CCPA as to personal information collected through core consumer financial services activities, such as personal banking and investment and wealth management services, among many other financial activities, the CCPA does not provide a blanket exemption for financial institutions. There may be instances in which a financial institution’s collection and use of personal information fall outside the scope of the exemption. For example, it is likely that the exemption will not apply to personal information collected about individuals who are not “consumers,” as that term is defined by the GLBA/CFIPA, or to personal information collected by financial institutions that is outside the scope of the GLBA/CFIPA. As noted, in any event, the CCPA provisions regarding liability for data breaches that result from a failure to implement and maintain reasonable security procedures will apply.
A preliminary step to delineating the scope of the exemption and how it applies to financial institutions is understanding that while the CCPA and GLBA/CFIPA use similar terminology, the CCPA defines some key terms differently than the GLBA and CFIPA.
The definition of “consumer” differs between the CCPA and the GLBA/CFIPA. Under the CCPA, “consumer” is broadly defined to mean any “natural person who is a California resident.” Sec. 1798.140(g). The CCPA does not include any carve-outs. On the other hand, the GLBA and CFIPA more narrowly define “consumer” to mean “an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.” 12 C.F.R. § 1016.3(e)(1) (we have cited to the Consumer Financial Protection Bureau’s Regulation P, but GLBA regulations issued by other federal regulators are similar). The Privacy Rule provides examples of a “consumer” (12 C.F.R. § 1016.3(e)(2)):
The CCPA exemption applies to “personal information” about a consumer that is collected, processed, sold, or disclosed pursuant to the GLBA or CFIPA. “Personal information” is broadly defined under the CCPA to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Sec. 1798.140(o)(1). Some of the listed examples of “personal information” under the CCPA are:
The exemption applies to “personal information” that is collected, processed, sold, or disclosed pursuant to the GLBA or CFIPA. However, the GLBA and CFIPA do not use the term “personal information”; rather, they use the terms “personally identifiable financial information” and “nonpublic personal information.” These terms, while also broad, are still somewhat more narrowly defined than “personal information” under the CCPA.
Nonpublic Personal Information (“NPI”) is defined as: “(i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available” (including, for example, lists of customer names and street addresses if they are associated with account information). 12 C.F.R. § 1016.3(p)(1).
Personally Identifiable Financial Information (“PIFI”) is a subset of nonpublic personal information, which the Privacy Rule defines as: “any information: (i) a consumer provides to you to obtain a financial product or service from you; (ii) about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.” 12 C.F.R. § 1016.3(q)(1). PIFI includes:
The differences in the definitions of relevant terms could result in financial institutions being only partially exempt from CCPA compliance. Below are some examples of scenarios where the exemption might not apply:
As the examples above illustrate, prior to the CCPA’s effective date of January 1, 2020, financial institutions still need to analyze the personal information they possess, including through activities such as data mapping, to determine whether certain of their activities may be subject to the CCPA. To the extent certain activities involving the collection, use, or sharing of personal information fall outside of the CCPA exemption, financial institutions should take steps to prepare for CCPA compliance.
Authored by Timothy Tobin and Roshni Patel.