With the close of California legislative session on Sep. 13, we now know with relative certainty what the California Consumer Privacy Act (CCPA) will look like when it goes into effect on Jan. 1, 2020, as the last five amendments went to Gov. Gavin Newsom's desk for signature. So did the amendments change anything for financial institutions? To address that, let's lay out what financial institutions already knew before these amendments, what the amendments changed, and also, what they did not change as some had hoped.

Almost undoubtedly, the CCPA exclusion most pertinent for financial institutions is the Gramm-Leach-Bliley Act exclusion, stating that any personal information collected, processed, sold and disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) is exempt from CCPA coverage. Generally speaking, this means that any data collected in connection with issuance of a financial product is outside of scope of CCPA, rationale being that the CCPA protections are not necessary for data already covered by a different privacy regulation. It is worth noting that the GLBA only applies in the context of consumer financial products, which means that information about individuals obtained in the context of business financial products does not fall under the GLBA and therefore falls under the CCPA, provided no other exemption applies.

Appearance of the GLBA exemption in the original version of the act made compliance professionals breathe a modest sigh of relief, but it became quickly apparent that in implementation, for most institutions that have complex operations and multiple lines of businesses, the complexities will source from figuring out how to segment or tag CCPA data from CCPA-exempt data. Institutions will have to have a way to track how data was originally obtained, particularly since exactly the same piece of data, for example a Social Security number, could be-CCPA exempt if collected in the context of obtaining a consumer financial product or fall under CCPA protections if obtained through another channel such as a marketing list. Also, as businesses continuously evolve, making sure that institutions implement efficient processes to properly classify new data as it comes in will require continuous reassessment with heavy repercussions for mistakes.

As businesses and legal experts began to analyze the full scope and coverage of the CCPA, it became clear that the pitfalls could come in unexpected forms, particularly since we've grown accustomed to thinking of privacy coverage in relation to existing regulations, such as the GLBA, state data breach laws and even the GDPR. The CCPA breaks the traditional mold. The definition of "personal information" is notably broader than it is in other regulations and explicitly includes information such as IP addresses and internet browsing history. This likely means that if you track and record users browsing on your website, you have CCPA data, unless of course you are able to convincingly demonstrate that the browsers were obtaining a consumer financial product. If you have consumer data for marketing purposes for any consumer that has not expressed specific interest in a financial product, you have CCPA data.

Another novel aspect of the CCPA as compared to other regulations is that it encompasses information that could be reasonably linked to a household, not necessarily to a specific person. Therefore, if you have information that could be linked to an address, you may have CCPA data as arguably address could act as a proxy for household. Having the law potentially apply to households has prompted businesses to take another look at their data even if at initial blush it appears CCPA-exempt. As an interesting and perhaps unexpected example of how "household" verbiage expands the scope of application is the fact that alarm companies potentially have CCPA data even if no individual names or identities are tracked because they have data associated with specific addresses.

So did the long-awaited amendments to the CCPA make any additions or changes that could have significant impact for the financial institutions?

Perhaps the most notable amendment in that sense is a last-minute addition to Assembly Bill 1355, that added exclusion from the disclosure and deletion obligation under the CCPA any personal information about an individual that was included in a business-to-business communication, where the individual's information was disclosed solely in the context of her or him serving as a representative of an entity that is being evaluated for a product or service. While the wording is complex, it appears that this amendment would be helpful for financial products issued to businesses as information of individual business stakeholders is frequently disclosed in those transactions and would generally fall under the CCPA if not for this or another exception. As a very important caveat and likely a glimpse into behind-the-scenes negotiations around this exemption, the exemption is set to only last for one year and lapses on Jan. 1, 2021. It will be interesting to see if a more permanent exemption will be worked out during the one-year period or it lapses at the end of 2020. Bill 1355 also broadens existing exemption for Fair Credit Report Act compliance and exempts de-identified or aggregate consumer information from definition of personal information.

Other amendments that made it to governor's desk are: Assembly Bill 25 that states that the CCPA will not cover personal information collected from employees and job applicants, limited to one year, Assembly Bill 1565 requires businesses to provide two methods for consumers to request information, except for online-only businesses with direct consumer relationships that could list email address only, Assembly Bill 1146 exempts vehicle information retained for purposes of warranty or recall-related vehicle repairs, Assembly Bill 874 clarifies definition of "publicly available" information, and Assembly Bill 1202 imposes a requirement on data brokers to register with California attorney general.

While some significant lobbying efforts were put into trying to make a number of other modifications and clarifications to the act, they failed to make it into the amendments that went to the governor's desk. Some of the ones that advanced the furthest was clarification that the CCPA does not restrict financial incentive and loyalty programs and removal of the term "household" from the definition of "personal information."

Newsom has until Oct. 13 to act on the submitted amendments.

Anna Fridman is co-founder and general counsel of Spring Labs (www.springlabs.com), company behind the Spring Network, a blockchain-based network designed to allow institutions to exchange confidential data securely and efficiently. Fridman is a seasoned attorney with a focus on regulatory financial issues. Prior to Spring Labs, she served as the general counsel at Avant, managing a team of 40-plus attorneys and compliance professionals. She also served as in-house counsel at Enova and holds a J.D. from UCLA Law.