Are Banks and Other Lenders Subject to the CCPA?

Carlton Fields

California’s new privacy statute imposes a number of new requirements on businesses that touch the personal information of California consumers. Its reach includes banks and financial services companies.

But the California Consumer Privacy Act of 2018 (CCPA) recognizes what financial institutions know all too well — those institutions are already regulated at the federal level. In recognition of this, the CCPA exempts certain types of personal financial information that is subject to federal regulation. However, because the exemption is designed for types of data, not types of companies, financial institutions are not fully exempt from the law and should attend to its details.

The key federal law is the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, which impose substantial requirements on financial institutions to protect customer data. 15 U.S.C. § 6801–6809; 16 C.F.R. § 314.1–5. In general, “financial institutions” are companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance. 15 U.S.C. § 6801(a), 6809(3); 12 U.S.C. § 1843(k). This definition covers most banks, securities brokers, and insurance companies.

The GLBA requires these companies to assess and implement controls for risks to customer information, with a focus on areas that are particularly important to information security, including: (1) employee training and management; (2) information systems (including network and software design and information processing and storage); and (3) detecting, preventing, and responding to attacks and system failures. 16 C.F.R. § 314.4(b). These are meaningful obligations; noncompliance can lead to enforcement action by the SEC, the FTC, or state regulators, and companies and consumers alike have litigated the GLBA’s provisions for years.

Into this regime comes the CCPA, which becomes effective January 1, 2020, and upends in many respects the default state data breach notification and privacy protection laws, as we have discussed in several other places. Critically for financial institutions, the CCPA exempts “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations. …” Cal. Civ. Code § 1798.145(e).

The key question is the extent of the exemption. The exemption does not do much for financial institutions as a category, as it would have had it exempted all “financial institutions” under the GLBA. Instead, it exempts the information that the GLBA covers. In effect, the CCPA declares that it begins where the GLBA ends.

The trouble is that the CCPA covers a wider range of information than does the GLBA, and financial institutions are likely to possess such data. The CCPA covers “personal information” through an open-ended, default definition that focuses not on how the information was gathered but on its ability to identify its subject: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o)(1).

By contrast, the GLBA, when coupled with its implementing regulations, applies to the narrower category of “personally identifiable financial information.” That term is defined as “any information”:

  • (i) A consumer provides to you to obtain a financial product or service from you;
  • (ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
  • (iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

12 C.F.R. § 1016.3(q)(1). Examples include information on a loan application, account balance information, and information from an internet “cookie.” Id. § 1016.3(q)(2)(i).

Accordingly, because it is covered by the GLBA, the CCPA likely exempts transaction or account information, as well as information collected to provide a customer with financial products or services. Such information can include IP addresses when they are obtained in connection with the provision of a financial product or service. The CCPA likely does not exempt personal information, including an IP address, that is collected from marketing activities or from a financial institution’s website when the collection is not connected to the actual provision of a product or service. Likewise, because the GLBA does not apply to information shared with an institution’s affiliate when that affiliate is not providing a joint product or service with the institution, the CCPA is unlikely to exempt such data.

It will be a complex task to sort through, on any given set of facts, which information was gathered in a way that brings it within the GLBA and which information a financial institution holds that would otherwise fall under the default CCPA definition.

The upshot is that financial institutions should review their data inventories and reassess their privacy practices to account for this interaction between the GLBA and the CCPA. Depending on how and why a data element is collected, the same element, such as an IP address, could receive different treatment in different instances. If it was collected in connection with the provision of a financial service, it would likely be exempt from the CCPA; but if it was collected through general marketing efforts that never led to the provision of any service, it would likely be covered by the CCPA. Financial institutions will have to get into the weeds and make fine distinctions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising
