Are Credit Unions Covered By The CCPA?

Husch Blackwell LLP
Contact

Those who have spent time critically thinking about the California Consumer Privacy Act (CCPA), can undoubtedly identify a number of ambiguities and uncertainties. Some of those may be resolved through the current legislative amendment process or the forthcoming Attorney General interpretive regulations. However, notwithstanding those efforts, there likely will be many unresolved issues when the CCPA becomes effective.

This post analyzes one such ambiguity – namely, whether the CCPA applies to credit unions. As discussed below, this uncertainty appears to have arisen out of the premise that the CCPA does not apply to non-profits. However, based on an analysis of the CCPA’s definition of “business” in the context of the unique nature of credit unions as well as industry guidance, the CCPA likely does apply to credit unions.

For those interested in a further discussion of the CCPA, Husch Blackwell’s privacy and data security practice group will be hosting a webinar on the CCPA on June 5. Click here for more information and to register.

Background

Credit unions are not-for-profit organizations that, like banks, accept deposits, make loans and provide other financial services. As explained by the World Council of Credit Unions, Inc., a “credit union is a customer/member owned financial cooperative, democratically controlled by its members, and operated for the purpose of maximizing the economic benefit of its members by providing financial services at competitive and fair rates.”

In turn, the CCPA applies to “businesses,” which is defined in § 1798.140(c) as a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California,” and that: (1) has annual gross revenues in excess of $25,000,000; (2) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Because credit unions are not-for-profits there is a line of thinking that they do not qualify as businesses. However, that interpretation does not take into account the unique nature of credit unions and the fact that they are operated “for the profit or financial benefits of [their] owners.”

Industry Guidance – The California Credit Union League

The California Credit Union League (CCUL) is the trade association for more than 265 California credit unions. Notably, the CCUL was actively involved in lobbying for passage of the CCPA’s revised GLBA carve-out language, which the California legislature did through passage of SB 1121 (the now-current version of the CCPA). This year, the CCUL has pushed for passage of AB 1416, which would specify that the CCPA does not prevent a business from using personal information to protect or prevent illegal or malicious activity. (See also here.)

We contacted the CCUL and confirmed that the CCUL’s understanding is that the CCPA does cover credit unions based on the phrase “operated for the profit or financial benefit of its shareholders or owners” in the CCPA’s definition of business.

Amendment/Regulatory Process

Although the CCPA is subject to further amendment and interpretative regulations, our review of the proposed amendments and guidance published by the Attorney General’s office does not lead us to believe that this issue will be addressed in that process. In particular, none of the proposed bills that we have reviewed to date would modify the CCPA’s definition of business. Likewise, the Attorney General’s list of rulemaking topics does not identify the CCPA’s definition of business as a topic for regulations.

The GLBA Carve-Out

Assuming that the CCPA does apply to credit unions, such entities will be able to take advantage of the GLBA carve-out language in § 1798.145(e), which provides:

This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.

However, it must be emphasized that that language does not provide a full exemption. Rather, GLBA-regulated entities will remain subject to the provisions and requirements of the CCPA if they engage in activities falling outside of the GLBA—which credit unions almost certainly do.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising

Written by:

Husch Blackwell LLP
Contact
more
less

Husch Blackwell LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.