This is the ninth installment in Hogan Lovells’ series on the California Consumer Privacy Act.
The California Consumer Privacy Act of 2018 (“CCPA”) exempts information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”), and its implementing regulations (the “Privacy Rule”), or the California Financial Information Privacy Act (“CFIPA”). It does not exempt financial institutions altogether from its requirements where a financial institution is processing information not subject to these regimes. In such situations, a financial institution must comply with a wide array of CCPA obligations, including requirements to make certain disclosures to consumers and to provide certain rights to consumers, such as the right to stop “sales” of their personal information and the right to access data that a business has collected about them. Determining whether information a financial institution processes is covered by the exemption or not can be challenging and is something that financial institutions will need to analyze for their operations.
This blog post provides background on the scope of the exemption and an overview of key considerations for financial institutions developing CCPA compliance programs.
The financial services industry is one of the most heavily regulated industries when it comes to protecting the privacy of personal information. At the federal level, companies that offer financial products or services must comply with the GLBA and Privacy Rule, which govern notice obligations and condition the sharing of a customer’s personal information with third parties on offering consumers an opt-out, subject to certain exceptions. The Right to Financial Privacy Act imposes restrictions on financial institutions’ disclosure of personal information to the government. In addition to the comprehensive federal framework, some states have separately enacted financial privacy laws that provide similar and even additional protections to consumers, such as California’s CFIPA.
Consequently, many financial institutions and industry groups expected that the CCPA would exempt financial institutions from complying with the CCPA. However, the CCPA as originally enacted on June 28, 2018 exempted personal information collected, processed, sold, or disclosed pursuant to the GLBA (and not the CFIPA) only if the CCPA was in conflict with that law. Recognizing the limited utility of the original exemption given the potential for financial institutions to comply with the CCPA and the GLBA, the California legislature, through SB 1121’s passage on September 23, 2018, removed the conflict language and added the CFIPA as well. The legislature also clarified that the exemption does not apply to the data breach liability provisions of the CCPA.
While financial institutions will be largely exempt from complying with the CCPA as to personal information collected through core consumer financial services activities, such as personal banking and investment and wealth management services among many other financial activities, the CCPA does not provide a blanket exemption for financial institutions. There may be instances in which a financial institution’s collection and use of personal information fall outside the scope of the exemption. For example, it is likely that the exemption will not apply to personal information collected about individuals who are not “consumers,” as that term is defined by the GLBA/CFIPA and to personal information collected by financial institutions that is outside of the GLBA/CFIPA. As noted, in any event, the CCPA provisions regarding liability for data breaches that result from a failure to implement and maintain reasonable security procedures will apply.
The Scope of the Exemption Is Based on Definitional Differences between the CCPA and the GLBA/CFIPA
A preliminary step to delineating the scope of the exemption and how it applies to financial institutions is understanding that while the CCPA and GLBA/CFIPA use similar terminology, the CCPA defines some key terms differently than the GLBA and CFIPA.
1. Consumer
The definition of “consumer” differs between the CCPA and the GLBA/CFIPA. Under the CCPA, “consumer” is broadly defined to mean any “natural person who is a California resident.” Sec. 1798.140(g). The CCPA does not include any carve-outs. On the other hand, the GLBA and CFIPA more narrowly define “consumer” to mean “an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.” 12 C.F.R. § 1016.3(e)(1) (we have cited to the Consumer Financial Protection Bureau’s Regulation P, but GLBA regulations issued by other federal regulators are similar). The Privacy Rule provides examples of a “consumer” (12 C.F.R. § 1016.3(e)(2)):
- An individual who applies to a financial institution for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.
- An individual who provides nonpublic personal information to a financial institution in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.
- An individual who provides nonpublic personal information to a financial institution in connection with obtaining or seeking to obtain financial, investment, or economic advisory services is a consumer, regardless of whether the bank establishes a continuing advisory relationship.
2. Personal Information
The CCPA exemption applies to “personal information” about a consumer that is collected, processed, sold, or disclosed pursuant to the GLBA or CFIPA. “Personal information” is broadly defined under the CCPA to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Sec. 1798.140(o)(1). Some of the listed examples of “personal information” under the CCPA are:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Biometric information;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information; and
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
The exemption applies to “personal information” that is collected, processed, sold, or disclosed pursuant to the GLBA or CFIPA. However, the GLBA and CFIPA do not use the term “personal information”; rather, they use the terms “personally identifiable financial information” and “nonpublic personal information.” These terms, while also broad, are still somewhat more narrowly defined than “personal information” under the CCPA.
Nonpublic Personal Information (“NPI”) is defined as: “(i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available” (including for example, lists of customer names and street addresses if they were associated with account information). 12 C.F.R. § 1016.3(p)(1).
Personally Identifiable Financial Information (“PIFI”) is a subset of nonpublic personal information, which the Privacy Rule defines as: “any information: (i) a consumer provides to you to obtain a financial product or service from you; (ii) about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.” 12 C.F.R. § 1016.3(q)(1). PIFI includes:
- Any information a consumer provides to a financial institution on an application to obtain a loan, a credit card, a credit union membership, or other financial product or service;
- Account balance information, payment history, overdraft history, and credit or debit card purchase information;
- The fact that an individual is or has been the financial institution’s customer or has obtained a financial product or service from the financial institution;
- Any information about a financial institution’s consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution’s consumer;
- Any information that a consumer provides to a financial institution or that the financial institution or its agent otherwise obtains in connection with collecting on, or servicing, a loan or a credit account;
- Any information a financial institution collects through an Internet “cookie” (i.e., an information collecting device from a Web server); and
- Information from a consumer report.
The differences in the definitions of relevant terms could result in financial institutions being only partially exempt from CCPA compliance. Below are some examples of scenarios where the exemption might not apply:
- Employees of Financial Institutions and Applicants for Employment: The plain language definition of consumer under the CCPA applies to all California residents, including a business’s employees and job applicants. As further discussed in our previous post, the California legislature may not have intended such a broad reading and may instead have intended the term to cover consumers in the traditional sense of the word (i.e., individuals who purchase goods or services for personal use). However, unless and until legislative amendments to the CCPA, Attorney General regulations, guidance, or stated enforcement approach clarifies that the CCPA does not apply to employees or applicants for employment, it is prudent for businesses to treat the personal information of employees, applicants for employment, and other individuals (e.g., independent contractors) as covered under the CCPA. As this personal information would not be PIFI or NPI subject to the GLBA/CFIPA (absent providing a financial service to an employee), the exemption does not apply to such personal information.
- Business Contacts: Similarly, business contacts, such as employees of vendors or other business partners, are likely CCPA consumers. Any information that a financial institution collects about its business contacts, such as contact information, would not be subject to the GLBA/CFIPA, so the exemption does not apply.
- Commercial Customers: The GLBA does not apply to information collected from commercial clients, including sole proprietorships or individuals seeking a product or service for a business purpose. The CCPA, however, does not appear to have such a limitation, so it likely applies to any personal information collected from commercial clients.
- Customer Prospects and Leads: Another situation in which the exemption may not apply is when a financial institution obtains a list of leads for marketing activities or where it collects information about an individual who is interested in obtaining a product or service from a financial institution, but has not reached the threshold of becoming a GLBA consumer. The Privacy Rule provides some examples of when an individual who has not yet obtained a financial product or service from a financial institution becomes a GLBA consumer. A person becomes a GLBA consumer when applying for a financial product or service or providing NPI to determine eligibility for a loan or to seek to obtain a financial, investment or economic advisory service. Accordingly, to the extent that a financial institution collects and maintains personal information of individuals who it does not have a relationship with or who merely inquire about, but do not apply for a financial product or service, those individuals would likely be CCPA consumers but not GLBA consumers, and their personal information would not fall under the exemption.
- Website Visitors: The definition of PIFI under the GLBA includes information collected through Internet cookies, 12 C.F.R. 40.3(q)(2)(i)(F); however, the Privacy Rule provides this online data collection example in the context of an individual who is already a GLBA consumer, i.e., customers that have online accounts. Therefore, if a financial institution automatically collects certain information from an individual account holder who is visiting its website (e.g., IP address, browsing history, search history), the information is likely subject to the exemption. On the other hand, if such information is collected from a California resident who is visiting the website but is not a GLBA consumer, the information collected would arguably be subject to the CCPA’s requirements.
As the examples above illustrate, prior to the CCPA’s effective date of January 1, 2020, financial institutions still need to analyze the personal information they possess, including through activities such as data mapping, to determine whether certain of their activities may be subject to the CCPA. To the extent certain activities involving the collection, use, or sharing of personal information fall outside of the CCPA exemption, financial institutions should take steps to prepare for CCPA compliance.