What Financial Institutions Need to Know About the CCPA
October 04, 2019 at 11:55 AM
With the close of the California legislative session on Sep. 13, we now know with relative certainty what the California Consumer Privacy Act (CCPA) will look like when it goes into effect on Jan. 1, 2020, as the last five amendments went to Gov. Gavin Newsom's desk for signature. So did the amendments change anything for financial institutions? To address that, let's lay out what financial institutions already knew before these amendments, what the amendments changed, and also what they did not change, as some had hoped.
Almost undoubtedly, the CCPA exclusion most pertinent for financial institutions is the Gramm-Leach-Bliley Act exclusion, which states that any personal information collected, processed, sold and disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) is exempt from CCPA coverage. Generally speaking, this means that any data collected in connection with the issuance of a financial product is outside the scope of the CCPA, the rationale being that the CCPA protections are not necessary for data already covered by a different privacy regulation. It is worth noting that the GLBA only applies in the context of consumer financial products, which means that information about individuals obtained in the context of business financial products does not fall under the GLBA and therefore falls under the CCPA, provided no other exemption applies.
The appearance of the GLBA exemption in the original version of the act made compliance professionals breathe a modest sigh of relief, but it quickly became apparent that in implementation, for most institutions that have complex operations and multiple lines of business, the complexity will come from figuring out how to segment or tag CCPA data apart from CCPA-exempt data. Institutions will need a way to track how data was originally obtained, particularly since exactly the same piece of data, for example a Social Security number, could be CCPA-exempt if collected in the context of obtaining a consumer financial product or fall under CCPA protections if obtained through another channel such as a marketing list. Also, as businesses continuously evolve, making sure that institutions implement efficient processes to properly classify new data as it comes in will require continuous reassessment, with heavy repercussions for mistakes.
As businesses and legal experts began to analyze the full scope and coverage of the CCPA, it became clear that the pitfalls could come in unexpected forms, particularly since we've grown accustomed to thinking of privacy coverage in relation to existing regulations, such as the GLBA, state data breach laws and even the GDPR. The CCPA breaks the traditional mold. The definition of "personal information" is notably broader than it is in other regulations and explicitly includes information such as IP addresses and internet browsing history. This likely means that if you track and record users' browsing on your website, you have CCPA data, unless of course you are able to convincingly demonstrate that those users were obtaining a consumer financial product. If you have consumer data for marketing purposes for any consumer that has not expressed specific interest in a financial product, you have CCPA data.
Another novel aspect of the CCPA as compared to other regulations is that it encompasses information that could be reasonably linked to a household, not necessarily to a specific person. Therefore, if you have information that could be linked to an address, you may have CCPA data, since an address could arguably act as a proxy for a household. Having the law potentially apply to households has prompted businesses to take another look at their data even if at first blush it appears CCPA-exempt. An interesting and perhaps unexpected example of how the "household" verbiage expands the scope of application is that alarm companies potentially have CCPA data even if no individual names or identities are tracked, because they have data associated with specific addresses.
So did the long-awaited amendments to the CCPA make any additions or changes that could have a significant impact for financial institutions?
Perhaps the most notable amendment in that sense is a last-minute addition to Assembly Bill 1355, which excludes from the disclosure and deletion obligations under the CCPA any personal information about an individual that was included in a business-to-business communication, where the individual's information was disclosed solely in the context of her or him serving as a representative of an entity that is being evaluated for a product or service. While the wording is complex, it appears that this amendment would be helpful for financial products issued to businesses, as information about individual business stakeholders is frequently disclosed in those transactions and would generally fall under the CCPA if not for this or another exception. As a very important caveat, and likely a glimpse into the behind-the-scenes negotiations around this exemption, the exemption is set to last only one year and lapses on Jan. 1, 2021. It will be interesting to see whether a more permanent exemption will be worked out during the one-year period or whether it lapses at the end of 2020. Bill 1355 also broadens the existing exemption for Fair Credit Reporting Act compliance and exempts de-identified or aggregate consumer information from the definition of personal information.
Other amendments that made it to the governor's desk are: Assembly Bill 25, which states that the CCPA will not cover personal information collected from employees and job applicants, limited to one year; Assembly Bill 1565, which requires businesses to provide two methods for consumers to request information, except for online-only businesses with direct consumer relationships, which could list an email address only; Assembly Bill 1146, which exempts vehicle information retained for purposes of warranty or recall-related vehicle repairs; Assembly Bill 874, which clarifies the definition of "publicly available" information; and Assembly Bill 1202, which imposes a requirement on data brokers to register with the California attorney general.
While significant lobbying efforts were put into trying to make a number of other modifications and clarifications to the act, they failed to make it into the amendments that went to the governor's desk. Among those that advanced the furthest were a clarification that the CCPA does not restrict financial incentive and loyalty programs and the removal of the term "household" from the definition of "personal information."
Newsom has until Oct. 13 to act on the submitted amendments.
Anna Fridman is co-founder and general counsel of Spring Labs (www.springlabs.com), the company behind the Spring Network, a blockchain-based network designed to allow institutions to exchange confidential data securely and efficiently. Fridman is a seasoned attorney with a focus on regulatory financial issues. Prior to Spring Labs, she served as the general counsel at Avant, managing a team of 40-plus attorneys and compliance professionals. She also served as in-house counsel at Enova and holds a J.D. from UCLA Law.