Does your company handle data analytics to target California consumers? If so, it is imperative that you pay close attention to the California Consumer Privacy Act (CCPA) that goes into effect on January 1, 2020. The CCPA goes well beyond the General Data Protection Regulation (GDPR); however, if you’ve achieved compliance with the GDPR, you are well on your way to achieving CCPA compliance.
Once in effect, the CCPA will require businesses processing the personal information (PI) of 50,000 or more California consumers (defined as California residents) to comply with new regulations governing the processing of their PI. Businesses will have to respond to eight (8) specific consumer rights, observe restrictions on data monetization business models, and update their privacy notices to provide detailed disclosures about their data collection, sales and business disclosures.
The CCPA expands the definition of PI beyond the GDPR and well beyond current US privacy law. It defines PI as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (emphasis added). The definition also includes personal identifiers, IP addresses, commercial information, records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies; Internet or other electronic network activity information, professional or employment-related information; or any consumer profile.
Issue for Financial Institutions Under the New California Consumer Privacy Protection Act
The CCPA was first enacted in June and most recently amended on Sunday, September 23, 2018. The law contains two (2) exemptions that apply to financial institutions, but the scope of those exemptions is not absolute.
First, section 1798.145(e) of the CCPA exempts processing of personal data that is “pursuant to” the Gramm-Leach-Bliley Act (GLBA). The contours of the word “pursuant” are ambiguous in this context. Additionally, section 1798.145(d) of the CCPA exempts the “sale of personal information to or from a consumer reporting agency if that information is to be reported in or used to generate a consumer report” under the Fair Credit Reporting Act (“FCRA”). Some financial institutions voluntarily “furnish” information for consumer reports and do not “sell” that data. Other financial institutions share information for fraud prevention/FCRA purposes that are never ultimately included in a consumer report.
Accordingly, some financial institutions subject to the GLBA have determined that the CCPA will apply to them because they collect information from persons who are not governed by the GLBA (e.g., individuals who are not customers or consumers of the financial institution, such as visitors to a website where cookies are collected). This remains an issue that is actively being debated among financial institutions.
The California Better Business Bureau, California Credit Union League, California Community Banking Network, California Bankers Association, Cellular Telecommunications Industry Association (among other business groups) penned a letter on August 6, 2018 pushing for language to clarify the GLBA exception. See Letter at p. 12. They called for a change in the GLBA exemption to the CCPA to read that the CCPA exempted processing “subject to” the CCPA (not “pursuant to”). They also pushed for removal of language in the original law that limited the GLBA exemption to situations where the CCPA is “in conflict with” the GLBA.
The provisions enacted on September 23, 2018 in SB 1121 (Cal. Civ. Code Section 1798.145(e)) incorporated some, but not all, of the business community’s clarifying language. For example, the legislature eliminated the language regarding “conflict” with the GLBA; however, it did not broaden the GLBA exemption to cover processing “subject to” the GLBA rather than processing “pursuant to” the GLBA.
Note also that none of the business community’s recommendations for the FCRA exemption to the CCPA (1798.145(d)) were adopted. This leaves exposure for disclosures of data that will not be included in a consumer report and for data that is not “sold” to a consumer reporting agency.
Steps to Consider for Financial Institutions Under the New California Consumer Privacy Protection Act
- Consider how to obtain clarification of the GLBA and FCRA exemptions through consultations with the California AG’s office.
- Determine whether your company collects PI as defined broadly under the CCPA statute or from persons who are not governed by the GLBA (e.g., visitors to a website where cookies are collected who are not customers or consumers of the financial institutions).
- Consider how you can identify sales or disclosures of California consumers’ PI.
- Consider how to implement a substantially compliant program. Perkins Coie has a very detailed business implementation model that we are happy to discuss with you.