1. CCPA applies to where the consumer resides, not where the business is located.
This makes a big difference for businesses that serve consumers across state lines, and especially for those doing business online. Businesses are required to comply with CCPA regulations for all California residents, and it is the business’s responsibility to have CCPA compliance strategies in place for its California consumers.
2. GLBA does not exempt financial services companies from CCPA compliance.
CCPA compliance requirements extend well beyond the Gramm-Leach-Bliley Act (GLBA) and the California Financial Information Privacy Act. Financial services companies doing business with California residents are required to meet CCPA compliance obligations. In practice, this means that financial institutions that collect personal data unrelated to providing financial products or services must have a process in place to identify what information is subject to the GLBA and what information they hold that would otherwise be covered by the CCPA. This will require them to map their data, make sure they can identify what data they collect and for what purpose, and perhaps reassess their privacy policies and practices to account for the interaction between the GLBA and the CCPA. (Source: https://www.jdsupra.com/legalnews/does-the-ccpa-apply-to-financial-27567/)
3. What is considered personal information under CCPA?
The CCPA defines “personal information” broadly: it includes any information that identifies, relates to, describes, could be associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. For example, it could include a consumer’s name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences drawn from other personal information that could create a profile of the consumer’s preferences and characteristics. (Source: https://oag.ca.gov/privacy/ccpa)
4. What information falls under the GLBA exemption, and what must comply with CCPA?
The GLBA only applies to the personal information of those seeking or obtaining a financial product or service, while the CCPA broadly applies to personal information of any California resident. As such, if a financial institution is collecting personal information about a California resident who is not applying for or obtaining a financial product or service, that personal information is potentially covered by the CCPA. This may include individuals who obtain financial products or services for non-consumer purposes (e.g., commercial, business or agricultural purposes), financial institution employees or contractors, service providers and others.
If the personal information of a California resident is collected for any purpose unrelated to obtaining a financial product or service, it may be subject to the CCPA. For example, personal information collected for general marketing purposes, IP addresses, GPS data, cookies and other consumer information are likely covered by the CCPA. Thus, the data collected from California visitors to a financial institution’s website is also likely subject to the CCPA. (Source: https://www.wnj.com/Publications/Financial-Institutions-and-the-CCPA)
5. Can credit reporting agencies continue giving out data even after a consumer has made a deletion request under CCPA?
The CCPA exempts “the sale of personal information to or from a consumer reporting agency” if the information is used for the purpose of generating a consumer report. This provision is known as the “FCRA exemption”.
The Fair Credit Reporting Act (FCRA) regulates the practices of consumer reporting agencies (CRAs) that compile consumer information into consumer reports for use by insurance companies, landlords, or other entities in making eligibility decisions affecting consumers. Credit reporting agencies like Equifax, Experian, and TransUnion can still collect and disclose consumer credit information, subject to regulation under the FCRA. Information included in consumer reports generally includes consumers’ credit history and payment patterns, as well as demographic and identifying information and public record information (e.g., arrests, judgments, and bankruptcies).
The categories of “personal information” that allow a CRA to rely on the FCRA exemption are narrower than the CCPA’s broader definition of “personal information”. It is therefore possible for a CRA to sell personal information to a customer that is not covered by the FCRA exemption, in which case the CRA could be regulated under the CCPA just like any other business. (Source: https://www.messerstrickler.com/blog/understanding-the-california-consumer-privacy-act-and-its-fcra-exemption)
6. Actionable CCPA compliance steps for financial institutions
The first order of business in getting into compliance with the CCPA is to conduct a data mapping and inventory exercise to determine what personal information is not exempted by the GLBA carve-out and is therefore covered under the CCPA. Institutions must map and inventory every piece of personal information that is collected, used, and sold by the institution, as well as all of the institution’s data processing practices. In doing so, institutions will need to analyze all aspects of their organization, and all points where the institution collects, uses, or transmits information for any purpose and in any format. From there, institutions should determine—dataset by dataset—whether the personal information is covered by the GLBA or the CFIPA, which would remove it from the scope of the CCPA.
When performing this task, financial institutions should keep in mind that application of the CCPA will depend on the context in which personal information is collected, used, and shared; as such, some of the same data elements—including names, IP addresses, and email addresses—may be excluded from the scope of the CCPA in some scenarios but not in others. After determining the universe of personal information that is subject to the CCPA, the next step toward compliance is to develop systems and procedures to ensure adherence to the myriad broad consumer rights that have been afforded to consumers under California’s new privacy law.
7. Fines under CCPA
The CCPA has two types of fines for non-compliance:
- Civil penalties brought by the state against a company – $2,500-$7,500 per violation.
- Consumer lawsuits (the “private right of action”) – $100-$750 per incident per breach, or actual damages.
8. GLBA exemption does not apply to CCPA private right of action
The GLBA exemption does not apply to the private right of action provided under the CCPA. The private right of action allows consumers to seek statutory damages if the consumer’s information “is subject to an unauthorized access, exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Accordingly, even if a financial institution’s data is exempt from the CCPA requirements of notice, choice, and access, it is still subject to potentially significant damages in the event of a data breach involving that information. (Source: https://www.jdsupra.com/legalnews/does-the-ccpa-apply-to-financial-27567/)
9. Derivative information in software tools and analytical tools used by financial institutions is subject to CCPA compliance.
Banks and financial institutions use a host of software and analytical tools that analyze and process customer information. These may include software connected with core banking systems, processing platforms, CRM or client retention software, operations software for program managers, and other subcontractors. Analyses and computational outputs produced on these systems from consumer data are subject to CCPA compliance.
10. More states are adopting CCPA-like privacy laws in the near future.
2021 has already seen significant movement in other states towards passage of sweeping data privacy laws similar to the CCPA. Most recently, Colorado passed the Colorado Privacy Act (CPA). For financial institutions this means navigating a patchwork of different privacy laws across state jurisdictions. It would be prudent for financial institutions to implement and adopt data privacy compliance strategies that include methods for data mapping, tracking and processing consumer requests, and managing data privacy compliance processes based on where a consumer resides.